Package Signing Key update guide to reflect the apt-key deprecation and to be consistent
Problem to solve
There are 3 places in the GitLab documents that explain how to update the package Signing key in each own inconsistent way.
Some still guide to use the apt-key, which has been deprecated due to security concerns.
-
- Still guides to use the
apt-key
and no mention about its deprecation.
- Still guides to use the
-
https://docs.gitlab.com/omnibus/update/package_signatures.html#update-keys-after-expiry-extension
- Most appropriate in the three here, IMHO.
- Still allows keep using
apt-key
if the current configuration is using it. - Only updates gitlab-?e's (not update runner's).
-
https://docs.gitlab.com/runner/install/linux-repository.html#deb-based-distributions
- Guides to use the
dpkg-sig
, which (might be?) incompatible with the installation script.
- Guides to use the
Proposal
- Consolidate all guides to (or point to) the current Omnibus's guide except for the
apt-key
usage part. - Add a guide to update the Runner's signing key in the above Omnibus way.
- Add a guide to replace the existing
apt-key
configuration with thesigned-by
configuration.
Other links/references
related to: #364673 (closed)
Edited by Taisuke 'Jeff' Inoue