Package repository signing keys

We use GPG keys to sign our package repositories. The singing key is automatically installed when our repository setup script for deb based or rpm based distributions is used.

Singing keys are not valid indefinitely. If they expire, the old key must be replaced with a new one.

Our current signing key has the following attributes:

Attribute Value
Name Thincast Technologies GmbH (package signing key 2023)
E-Mail builder@thincast.com
Comment package signing key 2023
Fingerprint EEF7 5B95 96CC 1F95 042A 3846 72B8 A0EB 44E7 6B45
Expiry 2027-01-19

Update expired keys on deb based distributions

On March 22th 2023 we updated our signing key before our old key has expired. If you get an error message similar to the following, our current signing key isn't used or available on your system:

Err:1 https://packages.thincast.com/deb/stable/jammy thincast InRelease
  The following signatures couldn't be verified because the public key is not available:
   NO_PUBKEY 72B8A0EB44E76B45

The quickest way to fix this problem is to remove the old key(s) and run the following commands as root:

# remove the signing key(s) from apt-key
apt-key del "E1E04F8F502B2CA28D7793E275222FB36C5F1A80" # old expired signing key
apt-key del "EEF75B9596CC1F95042A384672B8A0EB44E76B45" # new signing key 
# remove the old soruces lists.
rm /etc/apt/sources.list.d/thincast-*.list
apt update 

# run the install script
curl https://packages.thincast.com/deb/install.sh | sudo bash
apt update

Technical notes on apt repository signing keys

The use of apt-key is deprecated and it's recommended to use the signed-by option in sources lists. Our install script has already been updated accordingly.

Think security first.
© 2024 by Thincast Technologies GmbH.
All rights reserved.