As part of our standard security practices, GitLab is rotating the GNU Privacy Guard (GPG) key used to sign all Omnibus Linux packages on April 16, 2025. This key ensures the integrity of our packages, verifying that they have not been tampered with after creation in our CI pipelines. This key is distinct from the repository metadata signing key used by package managers and from the GPG signing key for the GitLab Runner. GitLab is revoking the existing key and will begin signing upcoming packages using a new key with fingerprint 98BF DB87 FCF1 0076 416C 1E0B AD99 7ACC 82DD 593D.
What do I need to do?
If you currently validate the GPG signatures of GitLab Omnibus packages, you will need to update your copy of the package signing key. Packages published before this article will remain signed with the previous key.
The package signing key is separate from the repository metadata signing key used by your operating system's package managers (like apt or yum). Unless you are specifically verifying package signatures or have configured your package manager to verify the package signatures, no action is required to continue installing GitLab Omnibus packages.
Where can I find the new key?
The new key can be downloaded from packages.gitlab.com using the URL:
https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-CB947AD886C8E8FD.pub.gpg
Please check the documentation for more information on verifying the package signatures.
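The safeguard this rotation depends on is comparing the downloaded key's fingerprint against the value announced above before importing it, so that a key served from the wrong place never reaches your keyring. The following shell script is an added example, not GitLab's own tooling; it assumes GnuPG 2.1.23 or later (for `--show-keys`) and curl, and the key URL is the one given in this post.

```shell
#!/bin/sh
# Fingerprint of the new Omnibus package signing key, taken from the
# announcement above (whitespace removed for comparison).
EXPECTED_FPR="98BFDB87FCF10076416C1E0BAD997ACC82DD593D"
# Download location given in the announcement.
KEY_URL="https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-CB947AD886C8E8FD.pub.gpg"

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint. The first "fpr" record belongs to the primary key; any
# later ones describe subkeys, so stop after the first match.
primary_fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the key file's primary fingerprint equals EXPECTED_FPR.
# --show-keys displays the key without importing it, so a wrong key is
# never added to the keyring.
key_fingerprint_matches() {
  keyfile="$1"
  actual=$(gpg --batch --with-colons --show-keys "$keyfile" 2>/dev/null \
           | primary_fpr_from_colons)
  [ -n "$actual" ] && [ "$(norm_fpr "$actual")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# Fetch the key, pin it to the announced fingerprint, then import it.
# Returns non-zero (and imports nothing) on download or fingerprint failure.
fetch_check_import() {
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$KEY_URL" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if key_fingerprint_matches "$tmp"; then
    gpg --batch --import "$tmp"; rc=$?
  else
    echo "fingerprint mismatch: key NOT imported" >&2; rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage: fetch_check_import && rpm --checksig gitlab-ee-<version>.rpm
# (package verification itself follows the GitLab documentation).
```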
What do I do if I still have problems?
Please open an issue in the omnibus-gitlab issue tracker.