keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

openpgp: invalid argument: no valid signing keys after "pgp select" #2014

Closed 140am closed 8 years ago

140am commented 8 years ago

For daily use my keyring has the original signing subkey removed and I only physically mount that master key whenever I need to sign/revoke/cert etc. (one of the pain points keybase is solving so nicely). While trying to link my PGP key to keybase I mounted the master keypair and set the GNUPGHOME env variable to the directory containing the master key which has the signing key included. Running gpg -K afterwards confirms the key status as "sec" instead of "sec#" with a flag of "SC". I then run keybase pgp select which prompts me for my key (no "Created" displayed) and my passphrase which I confirm. This process then fails with error: ERROR key generation error: openpgp: invalid argument: no valid signing key. I suspect something wrong on my side but would appreciate any insight on getting this to work.

keybase -d debug output shortly before the error but after the key and passphrase confirmation:

Failure in intermediate SignJson()
Delegator.Run() -> ERROR: openpgp: invalid argument: no valid signing keys
PGPKeyImportEngine::Run
RunEngine(PGPKeyImportEngine) -> ERROR: openpgp: invalid argument: no valid signing keys
RunEngine(GPGImportKeyEngine) -> ERROR: key generation error: openpgp: invalid argument: no valid signing keys

maxtaco commented 8 years ago

It could be your signing subkey is expired. Can you post me your public key? Also, gpg --export-secret-key | gpg --list-packets might be helpful too, though that's slightly more revealing --- it describes how your secret keys are laid out, but obviously doesn't display any secret data.

140am commented 8 years ago

Thank you for the prompt response. My signing key was expired before I started using keybase but during the process I updated the expiration dates (as far as I understood) and published the new key.

The public key can be found at 5C558AAC.

gpg --export-secret-key | gpg --list-packets

:secret key packet:
    version 4, algo 1, created 1389889369, expires 0
    skey[0]: [2048 bits]
    skey[1]: [17 bits]
    iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: 6dc46084f6de5e35
    protect count: 8912896 (209)
    protect IV:  9b ec 61 b8 0b a2 77 f7
    encrypted stuff follows
    keyid: 276B98015C558AAC
:user ID packet: "Manuel Kreutz <manuel@140.am>"
:signature packet: algo 1, keyid 276B98015C558AAC
    version 4, created 1455099351, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 17 c0
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (key server preferences: 80)
    hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
    hashed subpkt 25 len 1 (primary user ID)
    hashed subpkt 2 len 4 (sig created 2016-02-10)
    hashed subpkt 9 len 4 (key expires after 3y24d17h53m)
    subpkt 16 len 8 (issuer key ID 276B98015C558AAC)
    data: [2046 bits]
:secret sub key packet:
    version 4, algo 1, created 1392320497, expires 0
    skey[0]: [4096 bits]
    skey[1]: [17 bits]
    iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: 6efdb788b7c348d4
    protect count: 8388608 (208)
    protect IV:  2d 28 59 65 b8 4c 44 45
    encrypted stuff follows
    keyid: 5BA9C90518F7709D
:signature packet: algo 1, keyid 276B98015C558AAC
    version 4, created 1455101652, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 36 07
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 2 len 4 (sig created 2016-02-10)
    hashed subpkt 9 len 4 (key expires after 2y361d14h13m)
    subpkt 16 len 8 (issuer key ID 276B98015C558AAC)
    data: [2047 bits]
:secret sub key packet:
    version 4, algo 1, created 1392324028, expires 0
    skey[0]: [4096 bits]
    skey[1]: [17 bits]
    iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: 319fa01a3931767d
    protect count: 8388608 (208)
    protect IV:  be be a9 30 02 75 74 a1
    encrypted stuff follows
    keyid: 159DD63FD1CD3CD1
:signature packet: algo 1, keyid 276B98015C558AAC
    version 4, created 1392324028, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 71 66
    hashed subpkt 2 len 4 (sig created 2014-02-13)
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 9 len 4 (key expires after 321d0h0m)
    subpkt 16 len 8 (issuer key ID 276B98015C558AAC)
    data: [2044 bits]
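
Added example, not part of the original thread and not Keybase or GnuPG code: a small parser for the `gpg --list-packets` output above that reports which keys carry the signing flag and are unexpired at a given time. The function names are hypothetical, the input is abridged from the posted dump, and it assumes one self-signature per key, as in that dump.

```python
import re

# Abridged from the dump posted above: only the lines the parser reads.
DUMP = """\
:secret key packet:
    version 4, algo 1, created 1389889369, expires 0
    keyid: 276B98015C558AAC
:signature packet: algo 1, keyid 276B98015C558AAC
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 9 len 4 (key expires after 3y24d17h53m)
:secret sub key packet:
    version 4, algo 1, created 1392320497, expires 0
    keyid: 5BA9C90518F7709D
:signature packet: algo 1, keyid 276B98015C558AAC
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 9 len 4 (key expires after 2y361d14h13m)
:secret sub key packet:
    version 4, algo 1, created 1392324028, expires 0
    keyid: 159DD63FD1CD3CD1
:signature packet: algo 1, keyid 276B98015C558AAC
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 9 len 4 (key expires after 321d0h0m)
"""

FLAG_SIGN = 0x02  # RFC 4880 key-flags bit: key may be used to sign data
UNIT = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60}  # assumes gpg's 365-day year

def parse_keys(dump):
    """Return one dict per key packet: keyid, created, flags, expires (epoch or None)."""
    keys = []
    for line in dump.splitlines():
        if re.match(r":(secret|public) (sub )?key packet:", line):
            keys.append({"keyid": None, "created": 0, "flags": 0, "expires": None})
        elif not keys:
            continue  # ignore anything before the first key packet
        elif m := re.search(r"algo \d+, created (\d+)", line):
            keys[-1]["created"] = int(m.group(1))
        elif m := re.match(r"\s+keyid: ([0-9A-F]{16})", line):
            keys[-1]["keyid"] = m.group(1)
        elif m := re.search(r"key flags: ([0-9A-F]{2})", line):
            keys[-1]["flags"] = int(m.group(1), 16)
        elif m := re.search(r"key expires after (\S+)\)", line):
            life = sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([ydhm])", m.group(1)))
            keys[-1]["expires"] = keys[-1]["created"] + life
    return keys

def usable_signing_keys(dump, now):
    """Key IDs that carry the signing flag and are not expired at `now` (epoch seconds)."""
    return [k["keyid"] for k in parse_keys(dump)
            if k["flags"] & FLAG_SIGN and (k["expires"] is None or k["expires"] > now)]
```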

maxtaco commented 8 years ago

So my best guess is that the forked background service didn't get the setting for GNUPGHOME, which we do respect. Maybe try:

keybase ctl stop                                      # stop the background process
GNUPGHOME=/blarg/foo keybase --standalone pgp select  # run in standalone mode

I haven't tried this before, so it may or may not work.

Thanks for this well-documented bug report!

140am commented 8 years ago

That worked perfectly :+1: Thank you!