Merge branch 'feature/PB-44718_Use-PGP-public-key-format-for-the-Packaging-signing-key' into 'main'

dlen · dlen · commit ca8358018e4d · 2025-08-22T14:10:10.000Z
PB-44718 - download Passbolt's signing key as an OpenPGP public key instead of a keyring and use responsive keyservers

See merge request passbolt/passbolt-ops/passbolt-dep-scripts!45
diff --git a/.gitlab-ci/test.yml b/.gitlab-ci/test.yml
@@ -1,5 +1,5 @@
 .test-deb:
-  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/debian:bullseye-slim
+  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/debian:bookworm-slim
   variables:
     PASSBOLT_FLAVOUR: ""
     PACKAGE_MANAGER: "apt"
@@ -60,13 +60,13 @@ Debian 12 PRO:
 
 Raspbian CE:
   extends: .test-deb-ce
-  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/debian:bullseye-slim
+  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/debian:bookworm-slim
   before_script:
     - sed -i "s/ID=debian/ID=raspbian/" /etc/os-release
 
 Raspbian PRO:
   extends: .test-deb-pro
-  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/debian:bullseye-slim
+  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/debian:bookworm-slim
   before_script:
     - sed -i "s/ID=debian/ID=raspbian/" /etc/os-release
 
diff --git a/passbolt-repo-setup.ce.sh b/passbolt-repo-setup.ce.sh
@@ -236,7 +236,7 @@ EOF
 }
 
 pull_updated_pub_key() {
-  declare -a serverlist=("keys.mailvelope.com" "keys.openpgp.org" "pgp.mit.edu")
+  declare -a serverlist=("keys.openpgp.org" "keyserver.ubuntu.com")
   for serverin in "${serverlist[@]}"
   do
     if [ ! -d /root/.gnupg ]
@@ -246,7 +246,7 @@ pull_updated_pub_key() {
     # Handle gpg error in case of a server key failure
     # Without this check, and because we are using set -euo pipefail
     # The script fail in case of failure
-    if gpg --no-default-keyring --keyring ${PASSBOLT_KEYRING_FILE} --keyserver hkps://"${serverin}" --recv-keys ${PASSBOLT_FINGERPRINT}; then
+    if curl -sS "https://${serverin}/pks/lookup?op=get&options=mr&search=0x${PASSBOLT_FINGERPRINT}" | gpg --dearmor --yes --output ${PASSBOLT_KEYRING_FILE}; then
       break
     fi
   done
diff --git a/passbolt-repo-setup.pro.sh b/passbolt-repo-setup.pro.sh
@@ -236,7 +236,7 @@ EOF
 }
 
 pull_updated_pub_key() {
-  declare -a serverlist=("keys.mailvelope.com" "keys.openpgp.org" "pgp.mit.edu")
+  declare -a serverlist=("keys.openpgp.org" "keyserver.ubuntu.com")
   for serverin in "${serverlist[@]}"
   do
     if [ ! -d /root/.gnupg ]
@@ -246,7 +246,7 @@ pull_updated_pub_key() {
     # Handle gpg error in case of a server key failure
     # Without this check, and because we are using set -euo pipefail
     # The script fail in case of failure
-    if gpg --no-default-keyring --keyring ${PASSBOLT_KEYRING_FILE} --keyserver hkps://"${serverin}" --recv-keys ${PASSBOLT_FINGERPRINT}; then
+    if curl -sS "https://${serverin}/pks/lookup?op=get&options=mr&search=0x${PASSBOLT_FINGERPRINT}" | gpg --dearmor --yes --output ${PASSBOLT_KEYRING_FILE}; then
       break
     fi
   done
