APT update fails: EXPKEYSIG 3F01618A51312F3F

Error message

The following error message occurs when updating an unmanaged GitLab instance:


apt update
# Output

The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V.
(package repository signing key) <packages@gitlab.com>


W: An error occurred while verifying the signature. The repository has not been updated
and the previous index files are used.
GPG error: https://packages.gitlab.com/gitlab/gitlab-ce/debian bookworm InRelease:
The following signatures were invalid:
EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>

W: Failed to fetch
https://packages.gitlab.com/gitlab/gitlab-ce/debian/dists/bookworm/InRelease
The following signatures were invalid:
EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>

W: Some index files could not be downloaded.
They were ignored or old ones were used in their place.


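The error occurs because the key that signs the GitLab package repository (3F01618A51312F3F) expired on 01.03.2024, so APT rejects the signature on the repository's InRelease file and keeps using the old index files.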



Solution

The problem is solved by refreshing the key in the GPG archive keyring of the affected installation.


Show the current key (--no-default-keyring limits the listing to the named archive keyring):

# GitLab CE
gpg --no-default-keyring --keyring /usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg --list-keys

# GitLab EE
gpg --no-default-keyring --keyring /usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg --list-keys

# GitLab Runner
gpg --no-default-keyring --keyring /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg --list-keys
# Output

/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg
--------------------------------------------------------
pub rsa4096 2020-03-02 [SC] [expired: 2024-03-01]
      F6403F6544A38863DAA0B6E03F01618A51312F3F
uid [ expired ] GitLab B.V. (package repository signing key) <packages@gitlab.com>

In this example, the key in the archive keyring expired on 01.03.2024.


The following command updates the keyring for the respective installation (run it as root, since the keyrings are located under /usr/share/keyrings):

# GitLab CE
wget -qO- https://packages.gitlab.com/gpg.key | \
    gpg --no-default-keyring --keyring /usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg --import

# GitLab EE
wget -qO- https://packages.gitlab.com/gpg.key | \
    gpg --no-default-keyring --keyring /usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg --import

# GitLab Runner
wget -qO- https://packages.gitlab.com/gpg.key | \
    gpg --no-default-keyring --keyring /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg --import


# Output

gpg: Key 3F01618A51312F3F: "GitLab B.V. (package repository signing key) <packages@gitlab.com>" 2 new signatures
gpg: Total number of edited keys: 1
gpg: new signatures: 2


The GitLab update can then be carried out without errors.
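
The import commands above pipe the download straight into the trusted keyring. As an added example (not part of the original page or of GitLab's documentation), the script below first checks that the downloaded key carries the fingerprint shown in the --list-keys output and is no longer expired, and only then imports it. The function names and the sample listing are constructed for illustration, and it assumes the renewed key keeps the same fingerprint, which matches the import output reporting new signatures on key 3F01618A51312F3F.

```shell
#!/bin/sh
# Added example (not from the original page): check the key before importing it.
set -eu

# Fingerprint taken from the --list-keys output on this page.
EXPECTED_FPR="F6403F6544A38863DAA0B6E03F01618A51312F3F"

# Read `gpg --with-colons` output on stdin; print the primary key's fingerprint
# (field 10 of the first "fpr" record after the "pub" record).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next } seen && $1 == "fpr" { print $10; exit }'
}

# Print the primary key's expiry as epoch seconds (field 7 of "pub"); empty = never.
primary_expiry() {
    awk -F: '$1 == "pub" { print $7; exit }'
}

# check_listing NOW: succeed only if stdin holds exactly one primary key, with
# the expected fingerprint, that is not expired at epoch time NOW.
check_listing() (
    now="$1"
    listing="$(cat)"
    count="$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')"
    [ "$count" -eq 1 ] || { echo "expected 1 primary key, found $count" >&2; exit 1; }
    fpr="$(printf '%s\n' "$listing" | primary_fpr)"
    [ "$fpr" = "$EXPECTED_FPR" ] || { echo "fingerprint mismatch: $fpr" >&2; exit 1; }
    exp="$(printf '%s\n' "$listing" | primary_expiry)"
    if [ -n "$exp" ] && [ "$exp" -le "$now" ]; then
        echo "downloaded key is expired (expiry epoch $exp)" >&2; exit 1
    fi
)

# Constructed colon listing (not captured gpg output): $1 = expiry epoch, $2 = fingerprint.
sample_listing() {
    printf 'pub:-:4096:1:3F01618A51312F3F:1583107200:%s::-:::scESC::::::23::0:\n' "$1"
    printf 'fpr:::::::::%s:\n' "$2"
}

# refresh_keyring KEYRING: download, verify, then import (run as root).
refresh_keyring() (
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    wget -qO "$tmp" https://packages.gitlab.com/gpg.key
    gpg --show-keys --with-colons "$tmp" | check_listing "$(date +%s)"
    gpg --no-default-keyring --keyring "$1" --import "$tmp"
)

# Usage: sh refresh-key.sh /usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg
if [ "$#" -eq 1 ]; then refresh_keyring "$1"; fi
```

If the check fails, the keyring is left untouched and the reason is printed to stderr.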