Use separate file for APT key
https://docs.gitlab.com/omnibus/update/package_signatures#package-repository-metadata-signing-keys
Instead of importing the GitLab key into the apt keyring you should write it into a separate file directly:
sudo curl https://gitlab-org.gitlab.io/omnibus-gitlab/gitlab_new_gpg.key -o /etc/apt/trusted.gpg.d/gitlab2.asc
Make sure to use the file suffix .asc as the key is ASCII-armored; a binary PGP key must use the file extension .pgp.
Using separate files is easier to manage with tools like Ansible.
This also makes it possible for the gitlab-ce package to include that file itself so it can be updated automatically.
See https://manpages.debian.org/unstable/apt/apt-key.8.en.html
Edited by Philipp Hahn
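One way to guard the step described above, as an added example that is not part of the original issue or of GitLab's packaging: `curl` without `-f` will happily save an HTML error page, so the file is validated as an ASCII-armored public key before it is placed under the `.asc` name. The function names `is_armored_pubkey` and `install_key_file` are hypothetical, and the check is a format sanity check only, not a fingerprint or signature verification.

```shell
#!/bin/sh
# Added example: validate a downloaded key before it lands in trusted.gpg.d.

# is_armored_pubkey FILE
# Succeeds only if FILE is non-empty, starts with the OpenPGP armor header
# for a public key block, and contains the matching footer.
is_armored_pubkey() {
    [ -s "$1" ] || return 1
    first=$(sed -n '1p' "$1" | tr -d '\r')
    [ "$first" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ] || return 1
    grep -q '^-----END PGP PUBLIC KEY BLOCK-----' "$1"
}

# install_key_file SRC DEST_DIR NAME
# Copies SRC to DEST_DIR/NAME.asc with mode 0644. The copy goes through a
# dot-prefixed temp file in the same directory (no .asc/.gpg suffix, so apt
# ignores it) and is renamed into place, so apt never reads a partial key.
install_key_file() {
    src=$1; dest_dir=$2; name=$3
    if ! is_armored_pubkey "$src"; then
        echo "refusing: $src is not an ASCII-armored public key" >&2
        return 1
    fi
    tmp=$(mktemp "$dest_dir/.${name}.XXXXXX") || return 1
    cat "$src" > "$tmp" && chmod 0644 "$tmp" \
        && mv -f "$tmp" "$dest_dir/$name.asc" \
        || { rm -f "$tmp"; return 1; }
}

# Typical use (run as root), with the URL and file name from the text above:
#   staged=$(mktemp)
#   curl -fsSL https://gitlab-org.gitlab.io/omnibus-gitlab/gitlab_new_gpg.key -o "$staged"
#   install_key_file "$staged" /etc/apt/trusted.gpg.d gitlab2
#   rm -f "$staged"
```

Before trusting the installed file, compare the key's fingerprint with the one published in the GitLab documentation linked above.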