GitLab extends Omnibus package signing key expiration to 2028
Source: GitLab Blog
GitLab uses a GNU Privacy Guard (GPG) key to sign all Omnibus packages created within the CI pipelines to ensure that the packages have not been tampered with. This key is separate from the repository metadata signing key used by package managers and the GPG signing key for the GitLab Runner. The Omnibus package signing key, which was set to expire on Feb. 14, 2026, has been extended to expire on Feb 16, 2028.
Why are we extending the deadline?
The package signing key’s expiration is extended periodically to comply with GitLab security policies and to limit exposure should the key become compromised. Extending the expiration, rather than rotating to a new key, is less disruptive for users because rotating would require all users to replace their trusted key.
What do I need to do?
- If you validate the signatures on the Omnibus packages that GitLab distributes, update your copy of the package signing key.
- The package signing key is not the key that signs the repository metadata used by OS package managers like
aptoryum. - Unless you are specifically verifying the package signatures or have configured your package manager to do so, no action is needed to continue installing Omnibus packages.
More information on verifying package signatures is available in the Omnibus documentation. To refresh a copy of the public key, you can:
- Search for
support@gitlab.comon any GPG keyserver, or use the key ID:
98BF DB87 FCF1 0076 416C 1E0B AD99 7ACC 82DD 593D- Download it directly from packages.gitlab.com:
https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-CB947AD886C8E8FD.pub.gpgNeed additional help?
Please open an issue in the omnibus-gitlab issue tracker.