diff --git a/src/applications/diffusion/controller/DiffusionRepositoryEditMainController.php b/src/applications/diffusion/controller/DiffusionRepositoryEditMainController.php
index c9b3969539..de72ce394b 100644
--- a/src/applications/diffusion/controller/DiffusionRepositoryEditMainController.php
+++ b/src/applications/diffusion/controller/DiffusionRepositoryEditMainController.php
@@ -963,11 +963,34 @@ final class DiffusionRepositoryEditMainController
     if ($message) {
       switch ($message->getStatusCode()) {
         case PhabricatorRepositoryStatusMessage::CODE_ERROR:
+          $message = $message->getParameter('message');
+
+          $suggestion = null;
+          if (preg_match('/Permission denied \(publickey\)./', $message)) {
+            $suggestion = pht(
+              'Public Key Error: This error usually indicates that the '.
+              'keypair you have configured does not have permission to '.
+              'access the repository.');
+          }
+
+          $message = phutil_escape_html_newlines($message);
+
+          if ($suggestion !== null) {
+            $message = array(
+              phutil_tag('strong', array(), $suggestion),
+              phutil_tag('br'),
+              phutil_tag('br'),
+              phutil_tag('em', array(), pht('Raw Error')),
+              phutil_tag('br'),
+              $message,
+            );
+          }
+
           $view->addItem(
             id(new PHUIStatusItemView())
               ->setIcon(PHUIStatusItemView::ICON_WARNING, 'red')
               ->setTarget(pht('Update Error'))
-              ->setNote($message->getParameter('message')));
+              ->setNote($message));
           return $view;
         case PhabricatorRepositoryStatusMessage::CODE_OKAY:
           $ago = (PhabricatorTime::getNow() - $message->getEpoch());
diff --git a/src/applications/repository/management/PhabricatorRepositoryManagementUpdateWorkflow.php b/src/applications/repository/management/PhabricatorRepositoryManagementUpdateWorkflow.php
index 587263a1f4..ba57873eac 100644
--- a/src/applications/repository/management/PhabricatorRepositoryManagementUpdateWorkflow.php
+++ b/src/applications/repository/management/PhabricatorRepositoryManagementUpdateWorkflow.php
@@ -53,27 +53,28 @@ final class PhabricatorRepositoryManagementUpdateWorkflow
     $repository = head($repos);
     $callsign = $repository->getCallsign();
 
-    $no_discovery = $args->getArg('no-discovery');
-
-    id(new PhabricatorRepositoryPullEngine())
-      ->setRepository($repository)
-      ->setVerbose($this->getVerbose())
-      ->pullRepository();
-
-    if ($no_discovery) {
-      return;
-    }
-
-    // TODO: It would be nice to discover only if we pulled something, but this
-    // isn't totally trivial. It's slightly more complicated with hosted
-    // repositories, too.
-
-    $lock_name = get_class($this).':'.$callsign;
-    $lock = PhabricatorGlobalLock::newLock($lock_name);
-
-    $lock->lock();
-
     try {
+      $lock_name = get_class($this).':'.$callsign;
+      $lock = PhabricatorGlobalLock::newLock($lock_name);
+
+      $lock->lock();
+
+      $no_discovery = $args->getArg('no-discovery');
+
+      id(new PhabricatorRepositoryPullEngine())
+        ->setRepository($repository)
+        ->setVerbose($this->getVerbose())
+        ->pullRepository();
+
+      if ($no_discovery) {
+        $lock->unlock();
+        return;
+      }
+
+      // TODO: It would be nice to discover only if we pulled something, but
+      // this isn't totally trivial. It's slightly more complicated with hosted
+      // repositories, too.
+
       $repository->writeStatusMessage(
         PhabricatorRepositoryStatusMessage::TYPE_NEEDS_UPDATE,
         null);