Signature verification fails when upgrading GitLab
Gitlab Upgrade An error occurred during the signature verification
Original link: https://forum.gitlab.com/t/gitlab-upgrade-an-error-occurred-during-the-signature-verification/66894
1. Problem
On Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-97-generic x86_64), running sudo apt update prints the following warning for the GitLab repository:
W: https://mirrors.cloud.tencent.com/gitlab-ce/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Or it prints the following warnings:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: Failed to fetch https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/dists/focal/InRelease The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: Some index files failed to download. They have been ignored, or old ones used instead.
2. Solution
Run the following two commands, one after the other:
curl -s https://packages.gitlab.com/gpg.key | apt-key add -
apt-get update
Note: the above are two separate commands. Alternatively, use the following single line instead:
curl -s https://packages.gitlab.com/gpg.key | apt-key add - ; apt-get update
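The command above downloads the signing key again and adds it to apt-key, then runs apt-get update.
If the command completes successfully with no further warnings, the steps below are not needed.
On the latest Ubuntu releases, the following warning may appear after running the command above: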
Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
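The fix for this warning is described below.
3. Resolving the warning
On the latest Ubuntu releases, the following warning may appear after running the command above: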
Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
3.1 Find the key of the repository named in the warning
Use the apt-key list command to list all keyring entries, then find the fingerprint of the relevant key by looking for a keyword.
apt-key list
The output looks like the following; it will differ from machine to machine.
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2020-03-02 [SC] [expires: 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expires: 2026-02-27]
/etc/apt/trusted.gpg.d/git-core-ubuntu-ppa.gpg
----------------------------------------------
pub rsa1024 2009-01-22 [SC]
E1DD 2702 88B4 E603 0699 E45F A171 5D88 E1DF 1F24
uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers
/etc/apt/trusted.gpg.d/gitlab-ce-key.gpg
----------------------------------------
pub rsa4096 2020-03-02 [SC] [expires: 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expires: 2026-02-27]
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
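The first block above is the GitLab key we are looking for (it says GitLab B.V.). The line F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F is the fingerprint of this key. When using the fingerprint, it is enough to specify only its last 8 characters (i.e. 51312F3F).
3.2 Export the key to a specific directory
The export command only needs the last 8 characters of the fingerprint, i.e. 51312F3F from above.
Save the exported key under /etc/apt/trusted.gpg.d, in the same way that git-core-ubuntu-ppa.gpg is stored at /etc/apt/trusted.gpg.d/git-core-ubuntu-ppa.gpg.
The file name (git-core-ubuntu-ppa.gpg in that case) is arbitrary and can be anything you like. Here I use gitlab-ce-key.gpg. The command is: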
sudo apt-key export 51312F3F | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/gitlab-ce-key.gpg
After running the command above, a new file gitlab-ce-key.gpg appears under /etc/apt/trusted.gpg.d/.
You can check with the following command:
ll /etc/apt/trusted.gpg.d
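Before pointing signed-by at the exported keyring, it is worth checking it against the full 40-character fingerprint rather than the 8-character suffix, since short key IDs are not unique. The following is an added example, not part of the original post: check_key and sample_listing are hypothetical helper names, the listing is constructed sample data in GnuPG's --with-colons format, and the expected fingerprint is the one shown in section 3.1.

```shell
#!/bin/sh
# Added example: audit a keyring listing (gpg --with-colons format) before
# trusting it through signed-by. Helper names are hypothetical.

# check_key EXPECTED_FPR NOW_EPOCH   (colon listing on stdin)
# EXPECTED_FPR: 40 uppercase hex characters, no spaces.
# Prints one of: ok | expired | mismatch | extra | missing
check_key() {
    awk -F: -v want="$1" -v now="$2" '
        # "pub" opens a primary key; field 7 is its expiry (epoch, empty = never)
        $1 == "pub" { expiry = $7; in_pub = 1; next }
        # the first "fpr" after "pub" is the primary fingerprint (field 10);
        # later "fpr" records belong to subkeys and are skipped
        $1 == "fpr" && in_pub {
            in_pub = 0; seen++
            # append "" to force a string comparison of the full fingerprint
            if (($10 "") == (want "")) { found = 1; want_expiry = expiry }
        }
        END {
            if (seen == 0) print "missing"        # no key in the listing
            else if (!found) print "mismatch"     # full fingerprint differs
            else if (seen > 1) print "extra"      # keyring holds other keys too
            else if (want_expiry != "" && want_expiry + 0 <= now + 0) print "expired"
            else print "ok"
        }'
}

# Constructed sample listing (not captured output): the key from section 3.1
# plus a made-up subkey record.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:3F01618A51312F3F:1583107200:1772150400::-:::scESC::::::23::0:
fpr:::::::::F6403F6544A38863DAA0B6E03F01618A51312F3F:
uid:-::::1583107200::::GitLab B.V. (package repository signing key) <packages@gitlab.com>::::::::::0:
sub:-:4096:1:0000000000000000:1583107200:1772150400:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}

# Usage on a real system (requires gpg):
#   gpg --show-keys --with-colons /etc/apt/trusted.gpg.d/gitlab-ce-key.gpg \
#     | check_key F6403F6544A38863DAA0B6E03F01618A51312F3F "$(date +%s)"
```

A result of expired corresponds to the EXPKEYSIG situation from section 1, and mismatch is what a key sharing only the 51312F3F suffix would produce.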
3.3 Change the key path used by the gitlab-ce source
Run the following command to open the gitlab-ce.list file.
vim /etc/apt/sources.list.d/gitlab-ce.list
The file should currently contain something like this:
deb https://mirrors.cloud.tencent.com/gitlab-ce/ubuntu jammy main
Change it to the following (press i in vim to start editing):
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/gitlab-ce-key.gpg] https://mirrors.cloud.tencent.com/gitlab-ce/ubuntu jammy main
That is, insert the following after deb; note the spaces before and after it.
[arch=amd64 signed-by=/etc/apt/trusted.gpg.d/gitlab-ce-key.gpg]
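Then press Esc to leave insert mode, type :w (colon and w) and press Enter to save the file, then type :q (colon and q) and press Enter to quit vim.
After that, running sudo apt update and sudo apt upgrade no longer prints the warning.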