Renewing GitLab's expired GPG key
I install and use GitLab from its repository on Amazon Linux 2023. However, when I tried to update it, I got the following error.
This time the cause was that GitLab's GPG key had expired. These are my notes on the procedure for resolving this and renewing the GPG key.
Test environment
| Target | Version |
|---|---|
| Amazon Linux | 2023.10.20260216 |
Swapping in gnupg2-full
As described in GNU Privacy Guard (GNUPG), Amazon Linux 2023 by default installs only gnupg2-minimal, a package with the minimum functionality needed for GPG key operations.
# dnf list installed | grep gnupg2
gnupg2-minimal.aarch64 2.3.7-1.amzn2023.0.7 @amazonlinux
For that reason, swap it for the more fully featured gnupg2-full.
dnf swap -y gnupg2-minimal gnupg2-full
The required packages are now installed.
# dnf list installed | grep gnupg2
gnupg2.aarch64 2.3.7-1.amzn2023.0.7 @amazonlinux
gnupg2-smime.aarch64 2.3.7-1.amzn2023.0.7 @amazonlinux
GPG key expiry
The Current signing key section of Linux package signatures contains the following table.
| Key attribute | Value |
|---|---|
| Name | GitLab B.V. |
| Email | packages@gitlab.com |
| Comment | package repository signing key |
| Fingerprint | F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F |
| Expiry | 2028-02-06 |
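It is accompanied by the following comment, which says that the expiry of this key was extended from 2026/02/27 to 2028/02/06. Put the other way around, this means that a copy of the same key obtained before the extension expires on 2026/02/27.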
This key is active from 2020-03-02.
The key’s expiry was extended from 2026-02-27 to 2028-02-06. If you encounter an expiration of 2026-02-27, follow the instructions below.
Expiry of the installed GPG keys
Next, check the expiry of the GPG keys that are actually installed. I prepared the following script for this check.
check-pubring.sh
Running it in the test environment produced the following output. The key shows "expired: 2026-02-27" in every keyring, which confirms that it has expired.
# /bin/sh check-pubring.sh
--- Location: /var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring'
gpg: /var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring/trustdb.gpg: trustdb created
/var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring/pubring.kbx
--------------------------------------------------------------------
pub rsa4096 2020-03-02 [SC] [expired: 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ expired] GitLab B.V. (package repository signing key) <packages@gitlab.com>
pub rsa4096 2017-08-01 [SC] [expired: 2025-07-01]
DBEF 8977 4DDB 9EB3 7D9F C3A0 3CFC F9BA F27E AB47
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2025-02-14 [SC] [expired: 2026-02-14]
98BF DB87 FCF1 0076 416C 1E0B AD99 7ACC 82DD 593D
uid [ expired] GitLab, Inc. <support@gitlab.com>
--- Location: /var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring'
gpg: /var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring/trustdb.gpg: trustdb created
/var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring/pubring.kbx
---------------------------------------------------------------------------
pub rsa4096 2020-03-02 [SC] [expired: 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ expired] GitLab B.V. (package repository signing key) <packages@gitlab.com>
pub rsa4096 2017-08-01 [SC] [expired: 2025-07-01]
DBEF 8977 4DDB 9EB3 7D9F C3A0 3CFC F9BA F27E AB47
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2025-02-14 [SC] [expired: 2026-02-14]
98BF DB87 FCF1 0076 416C 1E0B AD99 7ACC 82DD 593D
uid [ expired] GitLab, Inc. <support@gitlab.com>
--- Location: /var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring'
gpg: /var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring/trustdb.gpg: trustdb created
/var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring/pubring.kbx
------------------------------------------------------------------------
pub rsa4096 2020-03-02 [SC] [expired: 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ expired] GitLab B.V. (package repository signing key) <packages@gitlab.com>
pub rsa4096 2021-06-04 [SC] [expired: 2023-06-04]
09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2023-04-26 [SC] [expires: 2026-04-28]
931D A69C FA3A FEBB C97D AA8C 6C57 C29C 6BA7 5A4E
uid [ unknown] GitLab, Inc. <support@gitlab.com>
sub rsa4096 2023-04-26 [E] [expires: 2026-04-28]
--- Location: /var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring'
gpg: /var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring/trustdb.gpg: trustdb created
/var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring/pubring.kbx
-------------------------------------------------------------------------------
pub rsa4096 2020-03-02 [SC] [expired: 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ expired] GitLab B.V. (package repository signing key) <packages@gitlab.com>
pub rsa4096 2021-06-04 [SC] [expired: 2023-06-04]
09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2023-04-26 [SC] [expires: 2026-04-28]
931D A69C FA3A FEBB C97D AA8C 6C57 C29C 6BA7 5A4E
uid [ unknown] GitLab, Inc. <support@gitlab.com>
sub rsa4096 2023-04-26 [E] [expires: 2026-04-28]
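Deleting the expired GPG keys
"GPG signature verification error: invalid GPG signature" lists the following steps for resolving this problem.
- Run dnf clean all.
- Fetch the latest signing key.
- Try the upgrade again.
Following these steps, first run dnf clean all.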
# dnf clean all
61 files removed
Next, I prepared the following script to delete the expired GPG key.
delete-pubring.sh
Run the script.
# /bin/sh delete-pubring.sh
--- Location: /var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring'
--- Location: /var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring'
--- Location: /var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring'
--- Location: /var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring'
Install the new GPG key, whose expiry has been extended.
dnf install -y https://packages.gitlab.com/gpg.key
Confirming the updated GPG key
Run the check script again. The fingerprint "F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F" is unchanged, but the output confirms that the expiry has been updated to "2028-02-06".
# /bin/sh check-pubring.sh
--- Location: /var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring'
/var/cache/dnf/gitlab_gitlab-ee-a2beb8ac7c84e565/pubring/pubring.kbx
--------------------------------------------------------------------
pub rsa4096 2017-08-01 [SC] [expired: 2025-07-01]
DBEF 8977 4DDB 9EB3 7D9F C3A0 3CFC F9BA F27E AB47
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2025-02-14 [SC] [expired: 2026-02-14]
98BF DB87 FCF1 0076 416C 1E0B AD99 7ACC 82DD 593D
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2020-03-02 [SC] [expires: 2028-02-06]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expires: 2028-02-06]
--- Location: /var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring'
/var/cache/dnf/gitlab_gitlab-ee-source-7a8c343068f9e434/pubring/pubring.kbx
---------------------------------------------------------------------------
pub rsa4096 2017-08-01 [SC] [expired: 2025-07-01]
DBEF 8977 4DDB 9EB3 7D9F C3A0 3CFC F9BA F27E AB47
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2025-02-14 [SC] [expired: 2026-02-14]
98BF DB87 FCF1 0076 416C 1E0B AD99 7ACC 82DD 593D
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2020-03-02 [SC] [expires: 2028-02-06]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expires: 2028-02-06]
--- Location: /var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring'
/var/cache/dnf/runner_gitlab-runner-771b94957c5c5edc/pubring/pubring.kbx
------------------------------------------------------------------------
pub rsa4096 2021-06-04 [SC] [expired: 2023-06-04]
09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2023-04-26 [SC] [expires: 2026-04-28]
931D A69C FA3A FEBB C97D AA8C 6C57 C29C 6BA7 5A4E
uid [ unknown] GitLab, Inc. <support@gitlab.com>
sub rsa4096 2023-04-26 [E] [expires: 2026-04-28]
pub rsa4096 2020-03-02 [SC] [expires: 2028-02-06]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expires: 2028-02-06]
--- Location: /var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring ---
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring'
/var/cache/dnf/runner_gitlab-runner-source-86f8aad6a13ecef0/pubring/pubring.kbx
-------------------------------------------------------------------------------
pub rsa4096 2021-06-04 [SC] [expired: 2023-06-04]
09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
uid [ expired] GitLab, Inc. <support@gitlab.com>
pub rsa4096 2023-04-26 [SC] [expires: 2026-04-28]
931D A69C FA3A FEBB C97D AA8C 6C57 C29C 6BA7 5A4E
uid [ unknown] GitLab, Inc. <support@gitlab.com>
sub rsa4096 2023-04-26 [E] [expires: 2026-04-28]
pub rsa4096 2020-03-02 [SC] [expires: 2028-02-06]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expires: 2028-02-06]
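The confirmation above can also be scripted. The following is an added example, not the author's check-pubring.sh: it matches the published fingerprint in gpg's machine-readable `--with-colons` listing and compares the primary key's expiry with the current time. The function names, the `check_dnf_keyrings` wrapper and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether one key, identified by fingerprint, is present
# and unexpired in a `gpg --with-colons --list-keys` listing read from stdin.
# Assumes field 7 of the "pub" record is the expiry in epoch seconds (GnuPG 2.x).

# Fingerprint published in GitLab's "Current signing key" table (from the page).
GITLAB_FPR="F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F"

# key_status FINGERPRINT NOW_EPOCH
# prints "missing", "expired <epoch>" or "valid <epoch|never>"
key_status() {
    want=$(printf '%s' "$1" | tr -d ' ')
    now=$2 result="missing" expires="" in_pub=0
    while IFS=: read -r rec f2 f3 f4 f5 f6 f7 f8 f9 f10 rest; do
        case $rec in
            pub) expires=$f7; in_pub=1 ;;   # remember the primary key's expiry
            sub) in_pub=0 ;;                # subkey fingerprints are not matched
            fpr)
                if [ "$in_pub" -eq 1 ] && [ "$f10" = "$want" ]; then
                    if [ -z "$expires" ]; then result="valid never"
                    elif [ "$expires" -le "$now" ]; then result="expired $expires"
                    else result="valid $expires"
                    fi
                fi
                in_pub=0 ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed colon-format sample (not captured output); $1 = expiry epoch.
sample_listing() {
    printf 'pub:-:4096:1:3F01618A51312F3F:1583150400:%s::-:::sc:\n' "$1"
    printf 'fpr:::::::::F6403F6544A38863DAA0B6E03F01618A51312F3F:\n'
    printf 'sub:-:4096:1:0000000000000000:1583150400:%s:::::e:\n' "$1"
    printf 'fpr:::::::::0000000000000000000000000000000000000000:\n'
}

# Hypothetical wrapper: run the check against every DNF repository keyring.
check_dnf_keyrings() {
    for dir in /var/cache/dnf/*/pubring; do
        [ -d "$dir" ] || continue
        printf '%s: ' "$dir"
        gpg --homedir "$dir" --batch --with-colons --list-keys 2>/dev/null |
            key_status "$GITLAB_FPR" "$(date +%s)"
    done
}
check_dnf_keyrings
```

A keyring that prints `missing` or `expired` still needs the delete and reinstall steps described above.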