Package repository signing keys
We use GPG keys to sign our package repositories. The singing key is automatically installed when our repository setup script for deb based or rpm based distributions is used.
Singing keys are not valid indefinitely. If they expire, the old key must be replaced with a new one.
Our current signing key has the following attributes:
|Name||Thincast Technologies GmbH (package signing key 2023)|
|Comment||package signing key 2023|
|Fingerprint||EEF7 5B95 96CC 1F95 042A 3846 72B8 A0EB 44E7 6B45|
Update expired keys on deb based distributions
On March 22th 2023 we updated our signing key before our old key has expired. If you get an error message similar to the following, our current signing key isn't used or available on your system:
Err:1 https://packages.thincast.com/deb/stable/jammy thincast InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 72B8A0EB44E76B45
The quickest way to fix this problem is to remove the old key(s) and run the following commands as root:
# remove the signing key(s) from apt-key apt-key del "E1E04F8F502B2CA28D7793E275222FB36C5F1A80" # old expired signing key apt-key del "EEF75B9596CC1F95042A384672B8A0EB44E76B45" # new signing key # remove the old soruces lists. rm /etc/apt/sources.list.d/thincast-*.list apt update # run the install script curl https://packages.thincast.com/deb/install.sh | sudo bash apt update
Technical notes on apt repository signing keys
The use of
apt-key is deprecated and it's recommended to use the
signed-by option in sources lists.
Our install script has already been updated accordingly.