C3S / redmine_openpgp

Redmine plugin for email encryption with the OpenPGP standard
GNU General Public License v3.0

Error importing key to user #2

Open ageis opened 9 years ago

ageis commented 9 years ago

Tried to add a key to my user profile and got the following error: Error importing the key (please try again or contact your administrator). The production.log is not very helpful since it just shows the UTF-8 POST data with the public key in it. I've tried this with both 2048-bit and 4096-bit keys and it does not work.

Running Redmine 3.1.0 on Debian 8.x with Ruby 2.1.2p95, Passenger 5.0.18. My bundle:

  * actionmailer (4.2.3)
  * actionpack (4.2.3)
  * actionpack-action_caching (1.1.1)
  * actionpack-xml_parser (1.0.2)
  * actionview (4.2.3)
  * activejob (4.2.3)
  * activemodel (4.2.3)
  * activerecord (4.2.3)
  * activesupport (4.2.3)
  * arel (6.0.3)
  * builder (3.2.2)
  * bundler (1.10.6)
  * capybara (2.5.0)
  * childprocess (0.5.6)
  * coderay (1.1.0)
  * docile (1.1.5)
  * erubis (2.7.0)
  * ffi (1.9.10)
  * globalid (0.3.6)
  * gpgme (2.0.10)
  * i18n (0.7.0)
  * jquery-rails (3.1.4)
  * json (1.8.3)
  * loofah (2.0.3)
  * mail (2.6.3)
  * mail-gpg (0.2.4)
  * metaclass (0.0.4)
  * mime-types (2.6.1)
  * mini_portile (0.6.2)
  * minitest (5.8.0)
  * mocha (1.1.0)
  * multi_json (1.11.2)
  * mysql2 (0.3.20)
  * net-ldap (0.3.1)
  * nokogiri (1.6.6.2)
  * protected_attributes (1.1.3)
  * rack (1.6.4)
  * rack-openid (1.4.2)
  * rack-test (0.6.3)
  * rails (4.2.3)
  * rails-deprecated_sanitizer (1.0.3)
  * rails-dom-testing (1.0.7)
  * rails-html-sanitizer (1.0.2)
  * railties (4.2.3)
  * rake (10.4.2)
  * rbpdf (1.18.6)
  * rdoc (4.2.0)
  * redcarpet (3.1.2)
  * request_store (1.0.5)
  * rmagick (2.15.4)
  * ruby-openid (2.3.0)
  * rubyzip (1.1.7)
  * selenium-webdriver (2.47.1)
  * simplecov (0.9.2)
  * simplecov-html (0.9.0)
  * sprockets (3.3.4)
  * sprockets-rails (2.3.3)
  * thor (0.19.1)
  * thread_safe (0.3.5)
  * tzinfo (1.2.2)
  * websocket (1.2.2)
  * xpath (2.0.0)
  * yard (0.8.7.6)

ageis commented 9 years ago

Ok, I figured out this was a permissions issue with the user owning the Redmine process (www-data) not being able to create or write to /var/www/.gnupg. So this particular issue is resolved, but you may want to update the docs so users check for this.

garrettr commented 9 years ago

@ageis Did you run the rake task as root? I'd argue that the rake task should know how to Do the Right Thing (tm) if it's run as root. If not, then running sudo -u www-user rake or whatever that is apparently necessary to get this to work should be documented.

ageis commented 9 years ago

@garrettr Yeah I ran it as root. In my testing that results in the key being included in the Redmine database and its fingerprint being noted on the /pgp page, but not in www-data's local GPG keyring where it also needs to be.

There are typically lots of environment variables needed to get a working Rails environment, so sudo -u www-user rake may not suffice and you may need to pop a shell as www-user or at least export some stuff first (i.e. if you use Ruby Version Manager then run source /etc/profile.d/rvm.sh).

timegrid commented 9 years ago

@ageis Fine, I will add a note concerning the permissions for .gnupg

@garrettr I see your point, but I doubt that rake is able to know the user owning the redmine process. The problem arises, as the plugin depends on a system level command (gpg). I see three possible solutions:

  1. Prevent using root, spawning an error message "use the user owning the redmine process"
  2. Ask for the user during the task, executing the next commands as this user
  3. It seems possible to define the key ring. mail-gpg claims that their tests use a different ring to keep the "production" ring clean.

I don't know rake well enough to approach the first two solutions. Maybe it's easy and someone could point me to another rake script doing something similar?

Looking into the tests, the change of the ring is handled by ENV['GNUPGHOME']. In the end, this solution would also require the redmine administrator to adjust some configuration. You may gain more flexibility, but it's not easier. Besides, there might still be the permission issue then if root creates .gnupg.

I think the easiest solution is still to add a note to the readme, as done in 4cc43646e331fdf53e6b60f6efef739ca9f1b66b. If you have root, a su redmineuser is all you need. Maybe I should include that command, too.
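
A pre-flight check covering the two failure modes discussed in this thread (running as root, and a .gnupg directory the Redmine user does not own or cannot use), as an added example that is not part of the thread or the plugin's code. The names `gnupg_home`, `gnupg_home_problems` and `ROOT_MSG` are hypothetical, and the check looks only at owner and mode bits.

```ruby
require 'tmpdir'

ROOT_MSG = "running as root: keys land in root's keyring, not the Redmine user's"

# Keyring directory gpg will use: GNUPGHOME if set, else ~/.gnupg.
def gnupg_home(env, user_home)
  env['GNUPGHOME'] || File.join(user_home, '.gnupg')
end

# Problems that would break key import for the given uid; empty means OK.
# Only owner and mode bits are checked (group membership and ACLs are ignored).
def gnupg_home_problems(home, uid: Process.euid)
  problems = []
  problems << ROOT_MSG if uid.zero?
  unless File.directory?(home)
    problems << "#{home} does not exist; create it as uid #{uid} with mode 0700"
    return problems
  end
  st = File.stat(home)
  problems << "#{home} is owned by uid #{st.uid}, not uid #{uid}" unless st.uid == uid
  unless (st.mode & 0o077).zero?
    problems << format('%s has mode %04o; clear group/other bits (0700)', home, st.mode & 0o7777)
  end
  problems << "#{home} lacks owner rwx" unless (st.mode & 0o700) == 0o700
  problems
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |tmp| # constructed stand-in for /var/www
    home = gnupg_home({}, tmp)
    Dir.mkdir(home)
    File.chmod(0o755, home)
    puts gnupg_home_problems(home, uid: File.stat(home).uid)
  end
end
```

Called from a rake task before any gpg operation, a non-empty result is a reason to abort with the listed messages instead of importing into the wrong keyring.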