Upgrade from 3.5.0-2 to 3.5.0-3 fails on Debian 10 Buster

I am trying to upgrade from Passbolt 3.5.0-2 to 3.5.0-3; as stated in the docs [0] since repo GPG key is expired I proceeded to install the new one and remove the expired one manually.
If I run “apt-keys list” the key shows up, “apt update” is executed normally and everything seems fine.
“apt upgrade” fails with two interesting errors:

  1. key 0x<key_fingerprint> not found.
  2. GPG keyserver connection timedout.

The even more interesting thing is that, after running “apt upgrade” if I execute “apt-keys list” the key is not there anymore, almost like if the installer is actually removing it and then trying to get the supposedly new key, even if was still there imported by me manually, from a keyserver on the interwebz.
My passbolt install is residing in a restricted network where access to the internet is mediated by a HTTP/HTTPS proxy.
apt is configured to use the above mentioned HTTP/HTTPS proxy to reach the internet but passbolt isn’t, which I assume is causing that “GPG keyserver connection timedout” error.

Do you have any idea how I can solve this?

[0] Passbolt Help | Wide Open

Hi @fandro :wave: and welcome to passbolt community forum :people_holding_hands:

We have some customers who faced the same issue than yours, when running passbolt in a restricted network and a proxy.

The 3.5.0-3 Debian package contains some additional postinstall tasks:

  • It remove our key from apt-keys default keyring
  • It download the new key from one of these GPG servers, using HKPS protocol on 11371/TCP protocol (firewall FAQ page)
  • It removes the old /etc/apt/sources.list.d/passbolt.list and creates a new /etc/apt/sources.list.d/passbolt.sources, using the new DEB822 format.

If you have problems as you are using a restricted network and proxy, here is how to upgrade your passbolt-ce-server package:

Download the new gpg key from download.passbolt.com:

wget -qO- https://download.passbolt.com/pub.key | gpg --dearmor | sudo tee /usr/share/keyrings/passbolt-repository.gpg > /dev/null

Ensure the downloaded key has correct rights:

sudo chmod 644 /usr/share/keyrings/passbolt-repository.gpg

Ensure there is no more passbolt.list file:

sudo rm -f /etc/apt/sources.list.d/passbolt.list

Create /etc/apt/sources.list.d/passbolt.sources file with this content:

Types: deb
URIs: https://download.passbolt.com/ce/debian
Suites: buster
Components: stable
Signed-By: /usr/share/keyrings/passbolt-repository.gpg

From there, you should be able to run:

  • apt update
  • apt-get -f install
  • apt upgrade

If you are unable to finish the package update because of firewall / proxy blocking the 11371/TCP port, you can edit passbolt-ce-server package post-installation script /var/lib/dpkg/info/passbolt-ce-server.postinst at line 331 and comment or remove the pull_updated_pub_key function.

After this action, you will be able to proceed to the package update with the apt-get -f install command.

Let me know if it fixes your issue.

Best regards,

Hi @_jc, your solution worked perfectly!!
Have a nice day

Hi @fandro ,

You had to comment the pull_updated_pub_key function in the postinst script ?


Yes, I had to do that.

Thank you for the feedback, I guess it will help other users.