GitLab uses a GPG key to sign official GitLab Runner packages. We recently became aware of an instance where this key and other tokens used to distribute official GitLab Runner packages and binaries were not secured according to GitLab’s security policies. We have not found any evidence of unauthorized modification of the packages or access to the services storing them. Our team has audited and investigated integrity hashes, bucket logs and versioning, and pipeline history and concluded that the...