GitLab Announces New Omnibus Linux Package Signing Key
To enhance security and maintain the trust of its users, GitLab is rotating its Omnibus Linux package signing key. The current signing key that has been in use is set to expire in 2025, and the organisation is introducing a new key as part of its regular key rotation policy to ensure the continued integrity and authenticity of its distributed packages.
From April 22, 2025, GitLab Omnibus packages will be signed with a new signing key (4096R, fingerprint: EBF7 7FB9 51E9 5873 6A53 35E1 9B1A 7349 1FF7 4F43). This new key ensures all packages are cryptographically verified during installation, providing users with reliable and secure updates.
The existing key will continue to be supported until May 10, 2025, giving users adequate time to update their configurations. After this date, packages signed with the old key may no longer be verified successfully, which could result in installation failures or warnings from package managers.
GitLab recommends all users update their trusted keys by following the instructions documented on their update guide page. To ensure seamless continuation of package updates, users should import the new key as soon as possible and confirm its fingerprint.
A complete guide on verifying and setting up the new key can be found on GitLab's official packaging documentation.
For enterprises using GitLab across teams and deployments in production environments, timely rotation of the signing key is crucial. Our team at IDEA GitLab Solutions offers professional consulting, implementation, and licensing services across Czech Republic, Slovakia, Croatia, Serbia, Slovenia, Macedonia, United Kingdom, and globally through remote teams based in Israel, South Africa, and Paraguay. If you need assistance with key rotation, automation updates, or enterprise GitLab setup, contact us today.
Thank you for ensuring the security of your DevSecOps processes with GitLab.