Upgrade from 3.5.0-2 to 3.5.0-3 fails on Debian 10 Buster

Hello,
I am trying to upgrade from Passbolt 3.5.0-2 to 3.5.0-3; as stated in the docs [0], since the repo GPG key is expired, I proceeded to install the new one and remove the expired one manually.
If I run “apt-keys list” the key shows up, “apt update” is executed normally and everything seems fine.
“apt upgrade” fails with two interesting errors:

  1. key 0x<key_fingerprint> not found.
  2. GPG keyserver connection timedout.

The even more interesting thing is that, after running “apt upgrade”, if I execute “apt-keys list” the key is not there anymore, almost as if the installer is actually removing it and then trying to get the supposedly new key from a keyserver on the interwebz, even though it was still there, imported by me manually.
My passbolt install is residing in a restricted network where access to the internet is mediated by an HTTP/HTTPS proxy.
apt is configured to use the above mentioned HTTP/HTTPS proxy to reach the internet but passbolt isn’t, which I assume is causing that “GPG keyserver connection timedout” error.

Do you have any idea how I can solve this?
Thanks

[0] Passbolt Help | Wide Open

Hi @fandro :wave: and welcome to passbolt community forum :people_holding_hands:

We have some customers who faced the same issue as yours when running passbolt in a restricted network behind a proxy.

The 3.5.0-3 Debian package contains some additional postinstall tasks:

  • It removes our key from apt-keys default keyring
  • It downloads the new key from one of these GPG servers, using the HKPS protocol on 11371/TCP (firewall FAQ page)
  • It removes the old /etc/apt/sources.list.d/passbolt.list and creates a new /etc/apt/sources.list.d/passbolt.sources, using the new DEB822 format.

If you have problems as you are using a restricted network and proxy, here is how to upgrade your passbolt-ce-server package:

Download the new gpg key from download.passbolt.com:

wget -qO- https://download.passbolt.com/pub.key | gpg --dearmor | sudo tee /usr/share/keyrings/passbolt-repository.gpg > /dev/null

Ensure the downloaded key has correct rights:

sudo chmod 644 /usr/share/keyrings/passbolt-repository.gpg

Ensure there is no more passbolt.list file:

sudo rm -f /etc/apt/sources.list.d/passbolt.list

Create /etc/apt/sources.list.d/passbolt.sources file with this content:

Types: deb
URIs: https://download.passbolt.com/ce/debian
Suites: buster
Components: stable
Signed-By: /usr/share/keyrings/passbolt-repository.gpg

From there, you should be able to run:

  • apt update
  • apt-get -f install
  • apt upgrade

If you are unable to finish the package update because of a firewall / proxy blocking the 11371/TCP port, you can edit the passbolt-ce-server package post-installation script /var/lib/dpkg/info/passbolt-ce-server.postinst at line 331 and comment out or remove the pull_updated_pub_key function.

After this action, you will be able to proceed to the package update with the apt-get -f install command.

Let me know if it fixes your issue.

Best regards,
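
As an added example (not part of the original post or of the passbolt package), a POSIX shell check that can be run after the manual steps above and before `apt update`: it reads the DEB822 file and verifies the points the procedure relies on. The function names `deb822_field` and `check_passbolt_repo` are made up for this example, and it assumes Signed-By holds a keyring path, as in the file shown above.

```shell
#!/bin/sh
# Added example: pre-flight check for the manual repository setup described above.

# Print the value of one field (case-insensitive) from the first DEB822 stanza.
deb822_field() {
    awk -v want="$2" '
        /^[ \t]*$/ { if (seen) exit; next }   # a blank line ends the stanza
        /^#/       { next }                   # comment line
        {
            seen = 1
            i = index($0, ":")
            if (i == 0 || tolower(substr($0, 1, i - 1)) != tolower(want)) next
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
            exit
        }' "$1"
}

# check_passbolt_repo SOURCES_FILE [LEGACY_LIST]; returns 0 only if every check passes.
check_passbolt_repo() {
    sources=$1
    legacy=${2:-/etc/apt/sources.list.d/passbolt.list}
    rc=0
    [ -r "$sources" ] || { echo "FAIL: cannot read $sources"; return 1; }
    # The old one-line source must be gone, or apt has the repository configured twice.
    if [ -e "$legacy" ]; then echo "FAIL: $legacy still exists"; rc=1; fi
    uris=$(deb822_field "$sources" URIs)
    case $uris in
        https://*) ;;
        *) echo "FAIL: URIs is not an https URL: '$uris'"; rc=1 ;;
    esac
    # Without Signed-By, apt would accept any key in its global trusted keyrings.
    keyring=$(deb822_field "$sources" Signed-By)
    case $keyring in
        /*) ;;
        *) echo "FAIL: Signed-By is missing or not an absolute path"; return 1 ;;
    esac
    if [ ! -s "$keyring" ]; then
        echo "FAIL: keyring $keyring is missing or empty"; rc=1
    elif [ -z "$(find "$keyring" -prune -perm -004 ! -perm -020 ! -perm -002)" ]; then
        echo "FAIL: $keyring must be world-readable and writable by owner only"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $sources is pinned to $keyring"
    return "$rc"
}

# Run the check when a sources file is given on the command line.
if [ "$#" -gt 0 ]; then check_passbolt_repo "$@"; fi
```

Saved as a script, it takes the sources file as its argument, for example `/etc/apt/sources.list.d/passbolt.sources`, and exits non-zero if any check fails.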

Hi @AnatomicJC, your solution worked perfectly!!
Thanks
Have a nice day

Hi @fandro,

You had to comment out the pull_updated_pub_key function in the postinst script?

Thanks,

Yes, I had to do that.

Thank you for the feedback, I guess it will help other users.

Best,