GPG key used to sign GitLab package repositories' metadata has been extended
Source: GitLab Blog
Why are we extending the deadline?
The repository metadata signing key’s expiration is extended periodically to comply with GitLab security policies and to limit exposure should the key become compromised. Extending the expiration is less disruptive for users than rotating to a new key, which would require all users to replace their trusted key.
What do I need to do?
- Existing users (configured GitLab repositories before Feb 17 2026): Check the official documentation for how to fetch and add the new key to your machine.
- New users: Follow the standard GitLab installation page or the GitLab Runner installation docs; no additional steps are required.
For more information on verifying repository metadata signatures, see the Omnibus documentation. To refresh a copy of the public key, you can:
- Search for support@gitlab.com or the key ID F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F on any GPG keyserver.
- Download it directly from packages.gitlab.com: https://packages.gitlab.com/gpg.key
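Before trusting a refreshed copy, compare its fingerprint with the key ID given above and confirm it has not expired. The following is an added example, not code from GitLab's announcement or documentation; the function names and the sample listing are constructed for illustration, and it assumes `curl`, `awk` and a GnuPG version that supports `--show-keys`.

```shell
#!/bin/sh
# Fingerprint and URL as published in the announcement.
EXPECTED_FPR="F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F"
KEY_URL="https://packages.gitlab.com/gpg.key"
# Constructed sample of `gpg --with-colons` output (key size and dates are made up).
SAMPLE_LISTING='pub:-:4096:1:3F01618A51312F3F:1583000000:1900000000::-:::scESC:
fpr:::::::::F6403F6544A38863DAA0B6E03F01618A51312F3F:
uid:-::::1583000000::::Constructed Sample <support@gitlab.com>:'

# Strip whitespace and uppercase so spaced and raw fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# stdin: colon listing. Prints the primary key fingerprint
# (field 10 of the first "fpr" record after a "pub" record).
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# stdin: colon listing. Prints the primary key expiry in epoch seconds
# (field 7 of "pub"); empty means the key has no expiry.
primary_expiry() {
    awk -F: '$1 == "pub" { print $7; exit }'
}

# check_listing EXPECTED_FPR NOW_EPOCH < listing
# Returns 0 = fingerprint matches and key is valid, 1 = mismatch, 2 = expired.
check_listing() {
    listing=$(cat)
    got=$(printf '%s\n' "$listing" | primary_fpr)
    [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ] || return 1
    exp=$(printf '%s\n' "$listing" | primary_expiry)
    if [ -n "$exp" ] && [ "$exp" -le "$2" ]; then return 2; fi
    return 0
}

# Download the key to a temp file and check it without importing it.
# Returns 3 if the download fails, otherwise check_listing's status.
verify_downloaded_key() {
    tmp=$(mktemp) || return 3
    curl -fsSL "$KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 3; }
    if gpg --show-keys --with-colons "$tmp" | check_listing "$EXPECTED_FPR" "$(date +%s)"
    then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}
# Usage: verify_downloaded_key && echo "fingerprint matches, key not expired"
```

A return value of 1 means the downloaded file is not the key published above and should not be added to the package manager's trusted keys.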
What if I need additional help?
Please open an issue in the omnibus-gitlab issue tracker.