Invalid GPG key format after debian update

Hi all,

After upgrading my passbolt CE server from debian bookworm to trixie and it looks like GPG format changed for the repository keys.

apt update returns now

Failed to parse keyring "/usr/share/keyrings/passbolt-repository.gpg"  Caused by:     0: Reading "/usr/share/keyrings/passbolt-repository.gpg": EOF     1: EOF

I found a similar issue on this post: https://github.com/qgis/QGIS/issues/60340 where someone said

Apparently a format issue. The keyring was converted from "GPG keybox database version 1" to "PGP/GPG key public ring (v4)"

Could you please update the key to the new format?

Many thanks for your help

Hi @darxmurf,

This issue is (was) caused by the fact that we used the gpg --no-default-keyring --keyring ${PASSBOLT_KEYRING_FILE} command to download Passbolt’s packaging public signing key, as it can be seen on our GitHub repository.
This lead to the signing key being downloaded and saved as a GPG keybox database version 1 file, instead of a classic public key format.
This format was accepted on Debian 12 but isn’t anymore on Debian 13, which expects a public key and not a keyring file.

In order to fix this issue, the following command will download our packaging public signing key from keyserver.ubuntu.com and replace the existing key file with a new one saved as an OpenPGP Public Key Version 4 (the same one being used by Debian for their public keys):

curl -sS "https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0x3D1A0346C8E1802F774AEF21DE8B853FC155581D" | sudo gpg --dearmor --output /usr/share/keyrings/passbolt-repository.gpg

When running this command, you should get prompted if you want to overwrite the current file on disk, to which you need to reply yes:

File '/usr/share/keyrings/passbolt-repository.gpg' exists. Overwrite? (y/N)

Once this has been done you should be able to just run apt update and you shouldn’t have any more errors about our signing key

Lovely! thanks @louis for this fast answer, problem solved!