v3.5.0-2 ~ Wide Open (pro)

Release date: April 13th, 2022.

This release contains some important changes to the packages for Passbolt API. If you installed passbolt from source or using docker, you are not affected.

If you use the DEB (Debian, Ubuntu) or RPM (Centos, RedHat, Rocky, etc.) packages keep reading.

The package signing key was updated

As some of you may have noticed, the public key we are currently using to verify the signature of the package expires on the 18th of May 2022. We needed to update it to remove the expiry date.

The fingerprint stays the same: 3D1A 0346 C8E1 802F 774A EF21 DE8b 853F C155 581D.

Debian and Ubuntu Packages

In order to make this change as smooth as possible, we released a new version of our debian package on the 13th of April 2022 containing the mechanism to pull the new key and replace the old one with it.

This is why we recommend all debian/ubuntu passbolt package users to apply this update by following the regular documentations:

• Update passbolt on debian
• Update passbolt on ubuntu.

As usual, do not forget to make a backup of your passbolt instance. You can check the documentation that will guide you through this process:

• Backing up a passbolt package installation.

What if I don’t update on time?

If you don’t do this update, you might encounter this error next time you will try to update your passbolt instance:

Err:1 https://download.passbolt.com/pro/ubuntu focal InRelease
The following signatures were invalid: EXPKEYSIG DE8B853FC155581D

You will then have to do pull the new key manually by using this command:

wget -qO- https://download.passbolt.com/pub.key |\
    gpg --dearmor | sudo tee /usr/share/keyrings/passbolt-repository.gpg > /dev/null

Ensure the downloaded key has correct rights:

chmod 644 /usr/share/keyrings/passbolt-repository.gpg

If you didn’t use the one liner to install (e.g. you installed passbolt before 2022) you will need to delete the old key from apt-key also:

if [ -f "/etc/apt/trusted.gpg" ]; then sudo gpg --no-default-keyring --keyring="/etc/apt/trusted.gpg" --batch --yes --delete-key "3D1A0346C8E1802F774AEF21DE8B853FC155581D"; fi

Remove the old /etc/apt/sources.list.d/passbolt.list file:

sudo rm -f /etc/apt/sources.list.d/passbolt.list

And create a new /etc/apt/sources.list.d/passbolt.sources with the below content.

If you are running passbolt CE on Debian 10 / 11:

Types: deb
URIs: https://download.passbolt.com/ce/debian
Suites: buster
Components: stable
Signed-By: /usr/share/keyrings/passbolt-repository.gpg

If you are running passbolt PRO on Debian 10 / 11:

Types: deb
URIs: https://download.passbolt.com/pro/debian
Suites: buster
Components: stable
Signed-By: /usr/share/keyrings/passbolt-repository.gpg

If you are running passbolt CE on Ubuntu 20.04:

Types: deb
URIs: https://download.passbolt.com/ce/ubuntu
Suites: focal
Components: stable
Signed-By: /usr/share/keyrings/passbolt-repository.gpg

If you are running passbolt PRO on Ubuntu 20.04:

Types: deb
URIs: https://download.passbolt.com/pro/ubuntu
Suites: focal
Components: stable
Signed-By: /usr/share/keyrings/passbolt-repository.gpg

You should be able then to refresh your package list and upgrade your system:

sudo apt update && sudo apt upgrade

Centos, RedHat and RPM Packages

For the RPM users, we didn’t publish this fix as the checking of the expiration date on the package signature keys isn’t implemented on RPM distros. In any case you should still pull the updated key.

You can use this one-line command that will do it for you:

rpm -e $(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | awk '/[email protected]/ {print $1}') && yum clean expire-cache

This command will erase the current key and next time you will update your passbolt instance RPM will automatically pull the new key. It will prompt you this message:

Public key for passbolt-pro-server-*.noarch.rpm is not installed
passbolt-pro-server-*.noarch.rpm    | 9.8 MB  00:00:00
Retrieving key from https://download.passbolt.com/pub.key
Importing GPG key 0xC155581D:
Userid     : "Passbolt SA package signing key <[email protected]>"
Fingerprint: 3d1a 0346 c8e1 802f 774a ef21 de8b 853f c155 581d
From       : https://download.passbolt.com/pub.key
Is this ok [y/N]:

You will just have to accept this change and it will import the new key in the RPM database for you.

That’s it. Thank you for your understanding and for your continued support! Feel free to get in touch with us on the community forum or, if you are a customer, at [email protected].

Changelog

• PB-13923 Update the repository key to sign packages
• PB-13749 Update firewalld install check
• PB-13743 Fix bad condition logic to setup firewalld
• PB-13650 Delete jwt folder only while uninstalling
• PB-13783 Update selinux policy RPM package