Nfo's picture

Hi, my TurnKey GitLab doesn't update... when I check the Webmin updates, the new updates for GitLab don't appear.

How can I update to new versions from Webmin?

Thanks

 

Jeremy Davis's picture

It is important to be aware that the "terminal" within Webmin is NOT a "proper" interactive terminal. It only supports running commands that don't require any input. As such, I do not recommend that you use it. My recommendation would be to use SSH, although another option is to use Webshell (aka "Shell in a box"). You can find that on port 12320 (i.e. same URL as Webmin, but port 12320 instead of Webmin's 12321).

When logged in via SSH (either via an SSH client or Webshell) then the following commands should do the trick:

apt update
apt install gitlab-ce # IIRC that's the right package name?

Please double check that's the right package name before you proceed. Plus be sure to double check the GitLab release notes before doing the update as you may need to update in stages (shouldn't be as painful as when you did the original updates). There may also be other steps that need to be taken and/or info you may need to share with other users.

I hope that helps. If you still have troubles, please post back with error messages and/or other info.

Also be sure to double check

Nfo's picture

This is the error:

Get:6 https://packages.gitlab.com/gitlab/gitlab-ce/debian stretch InRelease [23.3 kB]
Err:6 https://packages.gitlab.com/gitlab/gitlab-ce/debian stretch InRelease
  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>

If I check the version that I have installed with the one available, it tells me that I have the same one:

apt-cache policy gitlab-ce | head -3
gitlab-ce:
  Installed: 14.8.2-ce.0
  Candidate: 14.8.2-ce.0

 

I need to update the key to the new one, but it doesn't work: https://forum.gitlab.com/t/omnibus-gitlab-packages-gpg-key-expired/66241/10

Any idea? Thanks for your help!

Jeremy Davis's picture

Yep, it looks like the GitLab GPG signing key has expired.

So you were on the right track. That thread looks relevant, but the specific post you link to looks like GPG keys for GitLab runners (rather than for apt). You may need to run that too (I know almost nothing about GitLab itself) but on face value, I'm not sure it's related.

Anyway, before I answer your questions, it's worth noting that by default, we follow best practice for third party apt repos. So the key is stored outside the "normal" /etc/apt/trusted.gpg (or /etc/apt/trusted.gpg.d), in a root-owned location (so only root can change it) /usr/share/keyrings.

I recall that you migrated from a really old (pre-omnibus GitLab install) TurnKey GitLab, so I'm not 100% sure whether yours is configured like that or not?

If you have a look at our default GitLab sources.list file (gitlab-ce.list) you'll see that the lines that matter (those that start with 'deb') include a bit that looks like this: '[signed-by=/usr/share/keyrings/gitlab-ce.gpg]'. That is the part that locks the GitLab repo to only use that key (and no other repos can use that key). It's an additional security measure. It's probably unlikely that GitLab will get hacked and/or push malicious packages, but it's not that much extra work, so IMO it's worth doing. Please note though that it doesn't protect against an actual malicious GitLab package, but it removes any opportunity for the GitLab key to be used to authenticate packages from somewhere else (or some other key to authenticate GitLab packages). So it's not really necessary, but is best practice.

So how you proceed from here will depend on how your GitLab apt config is set up and/or how you want it set up. If your install doesn't store its key in /usr/share/keyrings (and include the 'signed-by' bit) then it's super easy to update the key. If you have a keypath specified with 'signed-by' it's a little different, but not really that hard. And if you don't already have it set up, you can if you wish. FWIW it looks like GitLab have updated their instructions to also cover the more secure use of keys.

So if you aren't already using the more secure method, and want to, then hopefully I've already provided enough hints to get you going (if not, please ask). If you just want to get it working, here is a code snippet that should update the key for you:

# search sources.list.d files for lines that include 'packages.gitlab.com', then extract the key path (if specified)
key=$(sed -En "/packages\.gitlab\.com/ s|^.*\[.*signed-by=([-/a-z]*)\.gpg.*|\1.gpg|p" /etc/apt/sources.list.d/* | head -1)
if [[ -f "$key" ]]; then
    # if the key file exists, download the new key and overwrite the old one
    curl -s "https://packages.gitlab.com/gpg.key" | gpg --dearmor > "$key"
else
    # if there is no key file, just delete the key from the main keyring and add the new one
    apt-key del 3F01618A51312F3F
    curl -s "https://packages.gitlab.com/gpg.key" | apt-key add -
    apt-key list 3F01618A51312F3F
fi

Hopefully that should do the trick and now apt update should work...! If it doesn't please share the output of these:

grep -R packages.gitlab.com /etc/apt/sources.list*
ls -la /usr/share/keyrings

For what it's worth, it does look like you already have the latest Gitlab package installed. You just need to update the key so that you can get future updates.
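To see which of the two cases described above applies to an install, the following added example (not part of the original post or TurnKey's own tooling) reports whether each one-line apt source entry for a host is pinned with 'signed-by'. The function name `audit_signed_by` and the sample entries are constructed for illustration; deb822-style `.sources` files are not handled.

```shell
#!/bin/sh
# audit_signed_by HOST [FILE...]
# Reads one-line-style apt source entries (from FILEs, or stdin if none) and
# prints, for every active deb/deb-src entry whose URI contains HOST:
#   PINNED <keyring> <uri>   entry carries a signed-by= option
#   UNPINNED <uri>           entry is checked against the global apt keyring
audit_signed_by() {
    host=$1; shift
    awk -v host="$host" '
        $1 != "deb" && $1 != "deb-src" { next }  # skips comments and blanks too
        {
            line = $0; keyring = ""
            # Options, if present, form one [ ... ] group right after the type.
            if ($2 ~ /^\[/) {
                lb = index(line, "["); rb = index(line, "]")
                n = split(substr(line, lb + 1, rb - lb - 1), opt, " ")
                for (i = 1; i <= n; i++)
                    if (opt[i] ~ /^signed-by=/) keyring = substr(opt[i], 11)
                # Remove the option group so the URI is always field 2.
                line = substr(line, 1, lb - 1) " " substr(line, rb + 1)
            }
            $0 = line
            if (index($2, host) == 0) next       # entry is for another repo
            if (keyring != "") print "PINNED", keyring, $2
            else               print "UNPINNED", $2
        }
    ' "$@"
}

# Constructed sample entries (hypothetical, not copied from a real system).
sample_sources() {
    cat <<'EOF'
# GitLab CE repository
deb [signed-by=/usr/share/keyrings/gitlab-ce.gpg] https://packages.gitlab.com/gitlab/gitlab-ce/debian stretch main
deb-src [arch=amd64 signed-by=/usr/share/keyrings/gitlab-ce.gpg] https://packages.gitlab.com/gitlab/gitlab-ce/debian stretch main
deb https://packages.gitlab.com/gitlab/gitlab-ce/debian stretch main
#deb https://packages.gitlab.com/gitlab/gitlab-ce/debian stretch main
deb http://deb.debian.org/debian stretch main
EOF
}

# On a real system:
#   audit_signed_by packages.gitlab.com /etc/apt/sources.list /etc/apt/sources.list.d/*.list
sample_sources | audit_signed_by packages.gitlab.com
```

A PINNED result means the replacement key has to be written to the keyring file shown; an UNPINNED result means the entry relies on the global keyring that apt-key manages.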

Nfo's picture

Sorry for not answering you earlier but I'm busy with work. In the end I have solved it by executing this command and restarting the server.

apt-key list 3F01618A51312F3F
apt-key del 3F01618A51312F3F
curl -s https://packages.gitlab.com/gpg.key | apt-key add -
apt-key list 3F01618A51312F3F


Now I can update it without problems as I did until now.

You are always very helpful. Thank you very much Jeremy!

Jeremy Davis's picture

You're most welcome. Glad to hear you're up and running again! :)
