Help Search

v3.5.0-2 ~ Wide Open (ce)

Release date: April 13th, 2022.

This release contains some important package changes that needs to be done before the 18th of May 2022. Make sure your follow the guide below.

This release contains some important changes to the packages for Passbolt API. If you installed passbolt from source or using docker, you are not affected.

If you use the DEB (Debian, Ubuntu) or RPM (Centos, RedHat, Rocky, etc.) packages keep reading.

The package signing key was updated

As some of you may have noticed, the public key we are currently using to verify the signature of the package expires on the 18th of May 2022. We needed to update it to remove the expiry date.

The fingerprint stays the same: 3D1A 0346 C8E1 802F 774A EF21 DE8b 853F C155 581D.

Debian and Ubuntu Packages

In order to make this change as smooth as possible, we released a new version of our debian package on the 13th of April 2022 containing the mechanism to pull the new key and replace the old one with it.

This is why we recommend all debian/ubuntu passbolt package users to apply this update by following the regular documentations:

As usual, do not forget to make a backup of your passbolt instance. You can check the documentation that will guide you through this process:

What if I don’t update on time?

If you don’t do this update, you might encounter this error next time you will try to update your passbolt instance:

Err:1 focal InRelease
The following signatures were invalid: EXPKEYSIG DE8B853FC155581D

You will then have to do pull the new key manually by using this command:

curl -s |\
gpg --dearmor | tee /usr/share/keyrings/passbolt-repository.gpg > /dev/null
chmod 644 /usr/share/keyrings/passbolt-repository.gpg

If you didn’t use the one liner to install (e.g. you installed passbolt before 2022) you will need to delete the old key from apt-key also:

if [ -f "/etc/apt/trusted.gpg" ]; then sudo gpg --no-default-keyring --keyring="/etc/apt/trusted.gpg" --batch --yes --delete-key "3D1A0346C8E1802F774AEF21DE8B853FC155581D"; fi

Centos, RedHat and RPM Packages

For the RPM users, we didn’t publish this fix as the checking of the expiration date on the package signature keys isn’t implemented on RPM distros. In any case you should still pull the updated key.

You can use this one-line command that will do it for you:

rpm -e $(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | awk '/[email protected]/ {print $1}') && yum clean expire-cache

This command will erase the current key and next time you will update your passbolt instance RPM will automatically pull the new key. It will prompt you this message:

Public key for passbolt-pro-server-*.noarch.rpm is not installed
passbolt-pro-server-*.noarch.rpm    | 9.8 MB  00:00:00
Retrieving key from
Importing GPG key 0xC155581D:
Userid     : "Passbolt SA package signing key <[email protected]>"
Fingerprint: 3d1a 0346 c8e1 802f 774a ef21 de8b 853f c155 581d
From       :
Is this ok [y/N]:

You will just have to accept this change and it will import the new key in the RPM database for you.

That’s it. Thank you for your understanding and for your continued support! Feel free to get in touch with us on the community forum or, if you are a customer, at [email protected].


  • PB-13923 Update the repository key to sign packages
  • PB-13749 Update firewalld install check
  • PB-13743 Fix bad condition logic to setup firewalld
  • PB-13650 Delete jwt folder only while uninstalling
  • PB-13783 Update selinux policy RPM package
🍪   Do you accept cookies for statistical purposes? (Read more) Accept No thanks!