keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

KBFS Issue on re-keying of account #3183

Closed rminnick closed 8 years ago

rminnick commented 8 years ago

Due to a compromised private key, I re-set my KB account and added a new key and re-added my computer/etc. Now I find that I cannot open or add to my public folder in KBFS. I'm not sure if my private folder is affected.

I re-started the Keybase app, though I have not tried a re-boot of my Mac system.

My log id: 7c2b7c4330dffd14fbd0791c

cjb commented 8 years ago

@rminnick: we don't currently support automatically fixing up your folders when you reset your keys. (We are actively working on it though!) We can manually nuke your single-writer folders if you want to get back to using KBFS, but the data will be lost.

If you want that, we need to have a public, signed request from you. Please run the following command on one of your devices, and substitute the current date and time as indicated:

    keybase sign -m "<DATE_AND_TIME>: Please completely reset folders /keybase/private/ryanminnick and /keybase/public/ryanminnick because I reset my Keybase account."

and post the output here. Thanks!

rminnick commented 8 years ago

BEGIN KEYBASE SALTPACK SIGNED MESSAGE. kXR7VktZdyH7rvq v5wcIkHbsIA6sd6 C747sYUk8fvSw1C r7oZcC0JVTRXK11 1L2t4Uea9qDdqBn TImc8cqSfrgQZGs i44jgDcAKuDk0Km psBjteOXDoYgrnc rMI32ZjJwZD1ASV 10iOQuTbTt4cU3U cLb2s0lwu54kas8 74BoYNk9UIQhdBh Gfgj1tJJCqJ535G Cza8YP84avFRtC5 vzTMHRMY7NyoqHk X5oUMrb6abx6keV aXODe9qlitR76pP VXNNKP0Ss2D3ic4 AgfQZ8yty57i4LD Movd3qQv0DbNbQw 9SmbWfBwEksIc3L 8Rg6lT8YB6WoNaK Tc1HvS6tC1F4EP7 efMeaqgA8dddj3S 5WzApS5cK36Q9oM BTyT92eYwiKncX5 MonqvPY2W4W0WwE NsIQJuWLYRMgZXs R9Yr87BSu0a9CLG KHxOvxvDggzuxTr 7ZtT8prZgtx2Irk chU3Xkiy00. END KEYBASE SALTPACK SIGNED MESSAGE.

rminnick commented 8 years ago

Just followed your directions per the above - let me know if that is sufficient to get things re-set.

strib commented 8 years ago

Your public and private folders should be reset now. Let us know if everything seems cool.

rminnick commented 8 years ago

It looks like the folders are behaving properly, but the keybase.pub site is still serving my old public folder, not my updated/reset one.

cjb commented 8 years ago

@rminnick Should be good now -- I restarted keybase.pub, it had the old one cached.

rminnick commented 8 years ago

Thanks! How do I verify the signed docs/files in the Public folder (mine or anyone else's)?

Also, I'm happy to ask questions in a more appropriate environment (IRC, Slack, Email, etc.). Otherwise this issue is resolved.

strib commented 8 years ago

If you view the files with your local client (via /keybase/public/<name>), your client is automatically verifying the signatures, using the public keys available through Keybase (and verifying the public proofs for those keys).

Are you asking about some manual way to do verification? We don't currently expose the signatures themselves anywhere, but if there's enough interest we might be able to work something out.

rminnick commented 8 years ago

The only reason that I ask is that I just verified the VPN software in the /public/ryanminnick/software/ folder and provided the web link to someone for download. They reported back that they couldn't verify my signature.

The obvious solution is for me to get them into Keybase and for them to request access to the FS, but I do like the idea of the files that are downloadable from the keybase.pub site to have some sort of verification built into them.

strib commented 8 years ago

At the moment they have to trust that the keybase.pub server is doing the verification on their behalf (which it is).

Under the covers, we don't actually have per-file signatures for performance reasons -- there's only one signature for the entire folder, over all the data in that folder (arranged in a Merkle hash tree, where only the root needs to be signed). We have discussed tools that let you verify that a specific file was signed over at a given time by a given user, but those probably wouldn't work on the web either.

So, if this is an important use case for you, maybe the right short-term solution is to use keybase sign on the file, and keep the output of that in a sigfile next to the file itself?
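The single-signature design described in the comment above, as an added example that is not part of the thread and is not KBFS code: a Merkle root over a folder's files is signed once, and one file is then checked using only its sibling hashes and that signature. The tree layout, tag bytes, Ed25519 key and sample file contents are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// hashNode tags leaves (0), interior nodes (1) and padding (2) so file content cannot pose as a node.
func hashNode(tag byte, l, r []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{tag}, l...), r...))
	return sum[:]
}

// Build returns the root over files (non-empty) and the sibling path for files[idx]; not KBFS's real layout.
func Build(files [][]byte, idx int) (root []byte, proof [][]byte) {
	var level [][]byte
	for _, f := range files {
		level = append(level, hashNode(0, f, nil))
	}
	for len(level)&(len(level)-1) != 0 { // pad to a power of two
		level = append(level, hashNode(2, nil, nil))
	}
	for ; len(level) > 1; idx /= 2 {
		proof = append(proof, level[idx^1])
		for i := 0; i < len(level)/2; i++ {
			level[i] = hashNode(1, level[2*i], level[2*i+1])
		}
		level = level[:len(level)/2]
	}
	return level[0], proof
}

// VerifyFile rebuilds the root from one file and its sibling path, then checks the one signature over it.
func VerifyFile(pub ed25519.PublicKey, sig, file []byte, idx int, proof [][]byte) bool {
	h := hashNode(0, file, nil)
	for i, sib := range proof {
		pair := [2][]byte{h, sib}
		bit := idx >> i & 1 // 1 when our node is the right child
		h = hashNode(1, pair[bit], pair[1-bit])
	}
	return ed25519.Verify(pub, h, sig)
}

func main() {
	files := [][]byte{[]byte("vpn installer"), []byte("notes"), []byte("key")} // constructed sample
	pub, priv, _ := ed25519.GenerateKey(nil)
	root, proof := Build(files, 0)
	fmt.Println(VerifyFile(pub, ed25519.Sign(priv, root), files[0], 0, proof))
}
```

The verifier needs the file, its index, a logarithmic number of sibling hashes and the signed root, but none of the other files in the folder.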

cjb commented 8 years ago

> The obvious solution is for me to get them into Keybase and for them to request access to the FS

Just a quick note -- the FS is no longer restricted, anyone with a Keybase account gets it by default now. So just sending a Keybase invite to someone is sufficient.

rminnick commented 8 years ago

That's what I'll do for now. I actually don't mind trusting the .pub site, but every now and then I'm sure I'll run into someone that it won't be good enough for. Of course, in the case of applications, they can just get it from the source and verify themselves if it's that important.

@cjb that's good to know - you guys should be putting short updates out on the site (or pushing through the app) so we can be excited about these things.

You guys are doing an A+ job. Thank you!