Update signing keys to 4096-bit
What does this MR do and why?
We increase the key length for ci_jwt_signing_key and ci_job_token_signing_key from 2048-bit to 4096-bit.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
Example below:
1. Connect to the GitLab database and check whether the keys are present:
SELECT encrypted_ci_jwt_signing_key FROM application_settings;
SELECT encrypted_ci_job_token_signing_key FROM application_settings;
2. You can update the existing key as already described here: https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#troubleshooting
# Generate a fresh 4096-bit RSA key and serialise it as PEM
key = OpenSSL::PKey::RSA.new(4096).to_pem
# Store the new key on every application_settings row (normally exactly one)
ApplicationSetting.find_each do |application_setting|
  application_setting.update(ci_jwt_signing_key: key)
end
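An added example, not part of this MR or of GitLab's own code, that lets an operator confirm a stored signing key really meets the new 4096-bit minimum and still signs and verifies; it assumes the decrypted PEM is read through the model (for instance ApplicationSetting.first.ci_jwt_signing_key) rather than from the encrypted column directly:

```ruby
require 'openssl'

# Generate a new signing key of the given length as a PEM string,
# the same form the Rails-console snippet above stores in the database.
def generate_signing_key(bits = 4096)
  OpenSSL::PKey::RSA.new(bits).to_pem
end

# Return the RSA modulus size in bits for a PEM-encoded key. The SQL check
# above only shows ciphertext, so this is how the actual size is verified
# once the PEM has been decrypted via the model.
def key_bits(pem)
  OpenSSL::PKey::RSA.new(pem).n.num_bits
end

# True when the key meets the minimum introduced by this MR; a legacy
# 2048-bit key still present after an upgrade returns false.
def strong_enough?(pem, minimum_bits = 4096)
  key_bits(pem) >= minimum_bits
end

# Sanity check that the private half signs and the public half verifies,
# which is the path the CI JWT / job-token code depends on.
def signs_and_verifies?(pem)
  key = OpenSSL::PKey::RSA.new(pem)
  payload = 'constructed test payload' # constructed sample data
  digest = OpenSSL::Digest.new('SHA256')
  signature = key.sign(digest, payload)
  key.public_key.verify(digest, signature, payload)
end
```
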
Edited by 🤖 GitLab Bot 🤖