[Action Needed] Update of the package signing key

The package signing key was updated

As some of you may have noticed, the public key we are currently using to verify the signature of the package expires on the 18th of May 2022. We needed to update it to remove the expiry date.

The fingerprint stays the same: 3D1A 0346 C8E1 802F 774A EF21 DE8B 853F C155 581D.

Debian and Ubuntu Packages

In order to make this change as smooth as possible, we released a new version of our debian package on the 13th of April 2022 containing the mechanism to pull the new key and replace the old one with it.

This is why we recommend that all Debian/Ubuntu passbolt package users apply this update by following the regular documentation:

As usual, do not forget to make a backup of your passbolt instance. You can check the documentation that will guide you through this process:

What if I don’t update on time?

If you don’t do this update, you might encounter this error next time you will try to update your passbolt instance:

Err:1 https://download.passbolt.com/pro/ubuntu focal InRelease
The following signatures were invalid: EXPKEYSIG DE8B853FC155581D

You will then have to pull the new key manually with this command:

curl -s https://download.passbolt.com/pub.key |\
gpg --dearmor | tee /usr/share/keyrings/passbolt-repository.gpg > /dev/null
chmod 644 /usr/share/keyrings/passbolt-repository.gpg

If you didn’t use the one-liner to install (e.g. you installed passbolt before 2022), you will also need to delete the old key from apt-key:

if [ -f "/etc/apt/trusted.gpg" ]; then sudo gpg --no-default-keyring --keyring="/etc/apt/trusted.gpg" --batch --yes --delete-key "3D1A0346C8E1802F774AEF21DE8B853FC155581D"; fi

Centos, RedHat and RPM Packages

For RPM users, we didn’t publish this fix, since RPM-based distributions don’t check the expiration date of package signing keys. You should still pull the updated key regardless.

You can use this one-line command that will do it for you:

rpm -e $(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | awk '/contact@passbolt.com/ {print $1}') && yum clean expire-cache

This command erases the current key; the next time you update your passbolt instance, RPM will automatically pull the new key and prompt you with this message:

Public key for passbolt-pro-server-*.noarch.rpm is not installed
passbolt-pro-server-*.noarch.rpm    | 9.8 MB  00:00:00
Retrieving key from https://download.passbolt.com/pub.key
Importing GPG key 0xC155581D:
Userid     : "Passbolt SA package signing key <contact@passbolt.com>"
Fingerprint: 3d1a 0346 c8e1 802f 774a ef21 de8b 853f c155 581d
From       : https://download.passbolt.com/pub.key
Is this ok [y/N]:

You just have to accept this change and it will import the new key into the RPM database for you.
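Both the apt and the RPM procedures above trust whatever https://download.passbolt.com/pub.key serves at download time. The script below is an added example (it is not Passbolt’s own tooling) that fetches the key, refuses it unless the primary fingerprint equals the one published in this announcement, checks that the expiry date is actually gone, and only then installs it either into the apt keyring or via rpm --import. It assumes curl and gpg 2.2+ (for --show-keys --with-colons) are present, plus rpm on RPM hosts; the colon-format parsing helpers take gpg’s output on stdin so they can be exercised without network access.

```shell
#!/bin/sh
# Added example, not Passbolt's own script: download the repository signing key,
# verify its fingerprint against the one from the announcement, confirm it no
# longer expires, then install it for apt or rpm.
# Assumes: curl, gpg 2.2+ (--show-keys), and rpm for the rpm path.

KEY_URL="https://download.passbolt.com/pub.key"
# Fingerprint from the announcement with spaces removed (gpg prints it that way).
EXPECTED_FPR="3D1A0346C8E1802F774AEF21DE8B853FC155581D"
APT_KEYRING="/usr/share/keyrings/passbolt-repository.gpg"

# Reads `gpg --show-keys --with-colons` output on stdin and prints the primary
# key fingerprint (field 10 of the first "fpr" record), upper-cased.
extract_fingerprint() {
    awk -F: '$1 == "fpr" { print toupper($10); exit }'
}

# Reads the same colon output and prints the primary key's expiry as a Unix
# timestamp (field 7 of the "pub" record); prints nothing if the key never expires.
extract_expiry() {
    awk -F: '$1 == "pub" { print $7; exit }'
}

# Returns 0 when the fingerprint in $1 equals the published one.
fingerprint_matches() {
    [ "$1" = "$EXPECTED_FPR" ]
}

# Returns 0 when the expiry string in $1 is empty, i.e. the key has no expiry date.
no_expiry() {
    [ -z "$1" ]
}

# install_passbolt_key apt|rpm : download, verify, install.
install_passbolt_key() {
    mode="$1"
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$KEY_URL" -o "$tmp"; then
        echo "download failed" >&2; rm -f "$tmp"; return 1
    fi
    colons=$(gpg --show-keys --with-colons "$tmp" 2>/dev/null)
    fpr=$(printf '%s\n' "$colons" | extract_fingerprint)
    exp=$(printf '%s\n' "$colons" | extract_expiry)
    if ! fingerprint_matches "$fpr"; then
        echo "refusing key: fingerprint '$fpr' does not match $EXPECTED_FPR" >&2
        rm -f "$tmp"; return 2
    fi
    if ! no_expiry "$exp"; then
        # The announcement says the new key has no expiry; an expiry here means
        # a stale copy was served, so say so instead of silently installing it.
        echo "warning: key still carries an expiry date (epoch $exp)" >&2
    fi
    case "$mode" in
        apt) gpg --dearmor < "$tmp" > "$APT_KEYRING" && chmod 644 "$APT_KEYRING" ;;
        rpm) rpm --import "$tmp" ;;
        *)   echo "usage: install_passbolt_key apt|rpm" >&2; rm -f "$tmp"; return 1 ;;
    esac
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only act when a mode is passed explicitly, e.g.:  sh passbolt-key.sh apt
case "${1:-}" in
    apt|rpm) install_passbolt_key "$1" ;;
esac
```

Run it as root with apt or rpm as the single argument. The install step for apt reproduces the tee/chmod commands from this post; the difference is that a key whose fingerprint does not match is never written to the keyring, and a key that still carries an expiry is flagged rather than accepted quietly.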

That’s it. Thank you for your understanding and for your continued support!
Feel free to get in touch with us on the community forum or,
if you are a customer, at support@passbolt.com.
