Published on: February 24, 2026
The GPG key used to sign repository metadata on our package hosting infrastructure has been extended – here's what you need to know.

GitLab uses a GPG key to sign the metadata of the various apt and yum repositories that distribute the official Linux packages and GitLab Runner packages. This protects the integrity of the repository metadata; the packages themselves are additionally signed with a separate key.
The current metadata signing key, with the fingerprint F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F, was set to expire on February 27, 2026, and has been extended to expire on February 6, 2028.
The repository metadata signing key's expiration is extended periodically to comply with GitLab security policies and to limit the exposure should the key become compromised. The key's expiration is extended instead of rotating to a new key to be less disruptive for users, as rotating would require all users to replace their trusted key.
If you have already configured GitLab repositories on your machine before February 27, 2026, please check out the official documentation on how to fetch and add the new key to your machine.
If you are a new user, there is nothing specific for you to do other than follow the GitLab installation page or the GitLab Runner installation documentation.
More information concerning verification of the repository metadata signatures is available in the Linux package documentation. If you just need to refresh a copy of the public key, then you can find it on any of the GPG keyservers by searching for [email protected] or using the key ID of F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F.
Alternatively, you could download it directly from packages.gitlab.com using the URL: https://packages.gitlab.com/gpg.key.
Please open an issue in the omnibus-gitlab issue tracker.
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.