PackageCloud misconfigures new Debian / Ubuntu installs with wrong GPG location

Installation of GitLab Omnibus on all supported Debian and Ubuntu versions fails during apt-get update due to a path mismatch between where the GPG keyring is installed and where the APT sources list references it:

apt-get update
Hit:1 http://deb.debian.org/debian trixie InRelease
Hit:2 http://deb.debian.org/debian trixie-updates InRelease
Hit:3 http://deb.debian.org/debian-security trixie-security InRelease
Get:4 https://packages.gitlab.com/gitlab/gitlab-ee/debian trixie InRelease [23.3 kB]
Err:4 https://packages.gitlab.com/gitlab/gitlab-ee/debian trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg"  Caused by:     0: Reading "/usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg": No such file or directory (os error 2)     1: No such file or directory (os error 2)
Reading package lists... Done
W: OpenPGP signature verification failed: https://packages.gitlab.com/gitlab/gitlab-ee/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg"  Caused by:     0: Reading "/usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg": No such file or directory (os error 2)     1: No such file or directory (os error 2)
E: The repository 'https://packages.gitlab.com/gitlab/gitlab-ee/debian trixie InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

On investigation this is due to a mismatch between the installation script and the sources list.

The installation script installs the keyring to /etc/apt/keyrings/:

Importing packagecloud gpg key... Packagecloud gpg key imported to /etc/apt/keyrings/gitlab_gitlab-ee-archive-keyring.gpg

While the sources list configuration references it at /usr/share/keyrings/:

# this file was generated by packages.gitlab.com for
# the repository at https://packages.gitlab.com/gitlab/gitlab-ee
deb [signed-by=/usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg] https://packages.gitlab.com/gitlab/gitlab-ee/debian/ trixie main
deb-src [signed-by=/usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg] https://packages.gitlab.com/gitlab/gitlab-ee/debian/ trixie main

This appears to have been introduced in the latest PackageCloud Enterprise release, where the installation script was updated to use /etc/apt/keyrings/ (the modern Debian standard) but the generated sources list was not updated accordingly.

Workaround

  1. Open the file /etc/apt/sources.list.d/gitlab_gitlab-ce.list (or gitlab_gitlab-ee.list depending on your installation).
  2. In that file, replace the text /usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg with /etc/apt/keyrings/gitlab_gitlab-ce-archive-keyring.gpg (change ce to ee if you are installing the gitlab-ee package).
  3. Run sudo apt-get update
  4. Installation should now work.
Edited by Grant Young
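
The workaround above as a scripted check, added here as an example (it is not part of the original issue and is not PackageCloud or GitLab code). It rewrites a signed-by= path only when the referenced keyring is missing and a non-empty file of the same name exists under /etc/apt/keyrings/. The function names and the optional ROOT prefix argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: repair signed-by= references that point at a keyring
# which was actually installed under /etc/apt/keyrings/.

# List the distinct absolute keyring paths named in signed-by= options.
signed_by_paths() {
    grep -oE 'signed-by=/[^] ,]+' "$1" | cut -d= -f2 | sort -u
}

# fix_signed_by LIST [ROOT]
# ROOT (hypothetical parameter) prefixes keyring lookups so the logic can be
# tried on a scratch tree; leave it empty on a real host.
# Returns 0 if every referenced keyring resolves afterwards, 1 otherwise.
fix_signed_by() {
    list=$1 root=${2:-} status=0
    for old in $(signed_by_paths "$list"); do
        [ -s "$root$old" ] && continue        # reference already resolves
        new="/etc/apt/keyrings/${old##*/}"
        if [ "${old%/*}" = /usr/share/keyrings ] && [ -s "$root$new" ]; then
            # Same file name at the installer's location: keep one backup of
            # the original list, then rewrite every occurrence of the path.
            [ -e "$list.bak" ] || cp -p "$list" "$list.bak"
            tmp=$(mktemp)
            sed "s|signed-by=$old|signed-by=$new|g" "$list" > "$tmp"
            cat "$tmp" > "$list"              # preserves owner and mode of LIST
            rm -f "$tmp"
            echo "fixed: $old -> $new"
        else
            # Never guess: a missing key with no counterpart stays untouched.
            echo "unresolved: $old" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage on a live system (as root), then re-run apt-get update:
#   fix_signed_by /etc/apt/sources.list.d/gitlab_gitlab-ee.list
```

A non-zero return means at least one keyring is absent from both locations, in which case the key has to be imported again rather than the path rewritten.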