keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

Installation process can't find gpg if it's in a non-standard place #4803

Open nxg opened 7 years ago

nxg commented 7 years ago

When I log in, I get an error

There was an error provisioning
Unknown error: GPG is unavailable on this device.

This is and isn't true. gpg is on the machine, but not in a standard place (I have a couple of different versions installed, and none of them are in /usr/bin). It might be necessary to add a ‘where is gpg located?’ step to the login or first-install process.

my log id: b4895dd17b860cd3c0b01d1c

maxtaco commented 7 years ago

Try

keybase config set gpg.command /path/to/your/gpg

nxg commented 7 years ago

Thanks – that got me further. See the sequence of commands below.

I then started the Keybase.app (1.0.18-20161101165331+a862115 on OS X 10.11.6), was prompted for my username and password, and then chose the 'One-time shell to GPG' option. I typed a public name for the device (specifically ‘coricopat’, in case you can see that in any logs), and then got an error:

There was an error provisioning
Unknown error: GPG error: exit status 2

I'm not able to do anything at that point other than quit the app.

Incidentally (and tangentially to this current issue, so feel free to start a separate issue on this, if that'd be useful), I didn't realise until I started this process that Keybase starts a persistent service /Library/PrivilegedHelperTools/keybase.Helper. I think it would be good if the installation process was a bit more up-front with an explanation of what it's installing, where, and why. I don't think you're up to anything (!), but with a security-related product, which might potentially have access to my GPG keys, I'm naturally going to have a nasty suspicious mind, and be on the look-out for anything odd. While I appreciate that part of the goal of Keybase is to hide GPG complication (good luck with that!), and that starting up a dynamic filesystem in /keybase will very probably require some admin access, it's still important to be very open (possibly optionally) about what you're installing.

Thanks for your help so far!


% which keybase
/Data/LocalApplications/Keybase.app/Contents/SharedSupport/bin/keybase
% keybase config set gpg.command /Data/tools/gpg-1.4.16/bin/gpg

There are no Keybase services installed, you might try running: keybase install

▶ ERROR There were multiple errors: dial unix /Users/norman/Library/Group Containers/keybase/Library/Caches/Keybase/keybased.sock: connect: no such file or directory; dial unix /Users/norman/Library/Caches/Keybase/keybased.sock: connect: no such file or directory
% ps aux|grep keybase
root             3929   0.0  0.0  2527316    700   ??  Ss    9:48pm   0:00.04 /Library/PrivilegedHelperTools/keybase.Helper
norman           6741   0.0  0.0  2423376    248 s007  R+    6:57pm   0:00.00 grep keybase
% keybase install
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.updater.plist
▶ INFO Starting keybase.updater
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.service.plist
▶ INFO Starting keybase.service
▶ ERROR stat /keybase: no such file or directory (kbfs) (ERROR/1804)
% open /Data/LocalApplications/Keybase.app 
% keybase install                         
▶ INFO Removing /Users/norman/Library/LaunchAgents/keybase.updater.plist
▶ INFO Stopped keybase.updater (wait=20s)
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.updater.plist
▶ INFO Starting keybase.updater
▶ INFO Removing /Users/norman/Library/LaunchAgents/keybase.service.plist
▶ INFO Stopped keybase.service (wait=20s)
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.service.plist
▶ INFO Starting keybase.service
▶ INFO Removing /Users/norman/Library/LaunchAgents/keybase.kbfs.plist
▶ INFO Stopped keybase.kbfs (wait=20s)
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.kbfs.plist
▶ INFO Starting keybase.kbfs
% keybase config set gpg.command /Data/tools/gpg-1.4.16/bin/gpg
%

maxtaco commented 7 years ago

Can you do keybase log send? I'm guessing this is a problem of gpg pinentry being misconfigured.

nxg commented 7 years ago

Done. See below:

▶ INFO ignoring error getting keybase status: There were multiple errors: dial unix /Users/norman/Library/Group Containers/keybase/Library/Caches/Keybase/keybased.sock: connect: no such file or directory; dial unix /Users/norman/Library/Caches/Keybase/keybased.sock: connect: no such file or directory

------------
Success! Your log ID is:

  1ed95b920ce64935ffd7721c

maxtaco commented 7 years ago

Yeah, looks like it's a pinentry problem:

1634 2016-11-06T18:59:28.322950 ▶ [DEBU keybase gpg_cli.go:353] 1ee | running Gpg: /Data/tools/gpg-1.4.16/bin/gpg --no-tty --armor --sign -u XXXXXXXXXXXXXdc68
1635 2016-11-06T18:59:28.341903 ▶ [DEBU keybase gpg_cli.go:332] 1ef gpg: Sorry, no terminal at all requested - can't get input

Looks like your gpg can't connect to pinentry (via gpg-agent) to get your passphrase to unlock your key.
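An added example, not part of the original thread and not Keybase code: the log above shows gpg run with `--no-tty`, so the passphrase can only arrive through gpg-agent and a pinentry program. This sketch checks whether those helpers exist beside a given gpg binary or on `PATH`; the function names and verdict strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Keybase code). Heuristic: look for gpg-agent and a
# pinentry next to the given gpg binary, then on PATH. A pinentry configured
# elsewhere via pinentry-program in gpg-agent.conf is not detected.

# find_helper NAME DIR: print the path of NAME in DIR or on PATH; fail if absent.
find_helper() {
    if [ -x "$2/$1" ]; then
        printf '%s\n' "$2/$1"
    else
        command -v "$1" 2>/dev/null
    fi
}

# find_pinentry DIR: pinentry is installed under several front-end names.
find_pinentry() {
    for name in pinentry pinentry-mac pinentry-curses pinentry-tty; do
        find_helper "$name" "$1" && return 0
    done
    return 1
}

# gpg_passphrase_path GPG: print a one-word verdict for the gpg at path GPG.
gpg_passphrase_path() {
    gpg=$1
    case $gpg in
        */*) ;;                                   # already a path
        *) gpg=$(command -v "$gpg" 2>/dev/null) || gpg= ;;  # bare name: resolve
    esac
    if [ -z "$gpg" ] || [ ! -x "$gpg" ] || [ -d "$gpg" ]; then
        echo "gpg-not-executable"; return 0
    fi
    dir=${gpg%/*}
    find_helper gpg-agent "$dir" >/dev/null || { echo "no-gpg-agent"; return 0; }
    find_pinentry "$dir" >/dev/null || { echo "no-pinentry"; return 0; }
    echo "helpers-present"
}

# Usage: sh check-gpg.sh /path/to/your/gpg
if [ "$#" -gt 0 ]; then
    gpg_passphrase_path "$1"
fi
```

A verdict of `helpers-present` only says the binaries exist; whether the agent can actually launch the pinentry still depends on the local gpg-agent configuration.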

nxg commented 7 years ago

The gpg binary I generally use is built by hand:

% which gpg
/Data/tools/gpg-1.4.16/bin/gpg
% gpg --version             
gpg (GnuPG) 1.4.16
[...]
% ls /Data/tools/gpg-1.4.16/bin
gpg*        gpg-zip*    gpgsplit*   gpgv*

(hmm – I've just noticed that's a couple of releases out of date, but 1.4.21 doesn't have anything different).

The GPG installed by homebrew is:

% /Data/tools/homebrew/bin/gpg --version 
gpg (GnuPG) 1.4.20
% ls /Data/tools/homebrew/bin/gpg*
/Data/tools/homebrew/bin/gpg@       /Data/tools/homebrew/bin/gpgsplit@
/Data/tools/homebrew/bin/gpg-zip@   /Data/tools/homebrew/bin/gpgv@

So neither of these have gpg-agent.

Building gpg 2.x by hand is a pain in the neck, so I've been carrying on quite happily with gpg 1.x for a while now.

Might you perhaps have to do the passphrase-getting within your app, perhaps using --with-colons? (hmm: I can see the security anxiety about that...!)

nxg commented 7 years ago

There's a possibly interesting thread at http://www.gossamer-threads.com/lists/gnupg/devel/44465

I notice that it ends with a remark from one of the developers that ‘There is nothing wrong with using gpg1. We approve fully.’

maxtaco commented 7 years ago

We fully support GPG 1.x, and in most cases it works. There's something not quite right with your pinentry setup then (independent of gpg-agent).

nxg commented 7 years ago

I don't think I have pinentry installed at all. The only mentions of pinentry I can find on my machine are in rather random places (see the spotlight-equivalent search results below: homebrew and macports are OS X package management systems; the gnupg-2013-01-17 install is I think an abortive attempt at a gpg2 install). Despite the various versions and alternatives here, kept carefully separate from each other, the only one currently in my path is the one at /Data/tools/gpg-1.4.16/bin, which has the contents noted above.

I notice that pinentry is a separate download/install from gnupg, at both https://gnupg.org/download/index.html and at https://gnupg.org/ftp/gcrypt/ Is it possible that distro-managed ‘gnupg’ packages generally install pinentry alongside gpg, even though they're regarded as separate items by gnupg.org? That would explain why I, building stuff directly from gnupg.org downloads, wouldn't have it.

I've just tried to download and install pinentry and – sigh – just like the gpg2 download it seems to have an aggravating network of dependencies, and so smells as anomalously hard to build.

I don't, by the way, claim any particular virtue, or hardcore cred, to building these by hand rather than using a package manager. It just (i) fits in with my long-term habit, and additionally (ii) seems to mesh with the general security-consciousness around gnupg.

If the resolution to this problem is ‘the keybase application requires a fairly complete install of gpg and its auxiliary tools’, then that's that, and is probably an adequate reason to break my habit for the sake of this tool.

If there's any other information I can supply, keep on asking!


% mdfind pinentry
/Users/norman/Library/Caches/Metadata/Safari/History/https:%2F%2Fgnupg.org%2Fftp%2Fgcrypt%2Fpinentry%2F.webhistory
/Users/norman/Library/Application Support/MailMate/Messages/IMAP/astro%40nxg.name@secure.emailsrvr.com/INBOX.mailbox/Messages/237056.eml
/Data/tools/gnupg-1.4.21/share/man/man1/gpg.1
/Users/norman/Library/Application Support/MailMate/Messages/IMAP/astro%40nxg.name@secure.emailsrvr.com/INBOX.mailbox/Messages/236955.eml
/Users/norman/Library/Application Support/MailMate/Messages/IMAP/astro%40nxg.name@secure.emailsrvr.com/INBOX.mailbox/Messages/236696.eml
/clouds/Tresorit/personal/Home/Notes/Howto/gpg
/Users/norman/Library/Application Support/uk.me.nxg.brownie/unison/unison-backup-data.log
/Data/tools/homebrew/Library/Taps/homebrew/homebrew-core/Formula/pinentry.rb
/Data/tools/homebrew/Library/Taps/homebrew/homebrew-core/Formula/pinentry-mac.rb
/Data/tools/homebrew/Library/Taps/homebrew/homebrew-core/Formula/lastpass-cli.rb
/Data/tools/homebrew/Library/Taps/homebrew/homebrew-core/Formula/gpg-agent.rb
/Data/tools/homebrew/Library/Taps/homebrew/homebrew-core/Formula/gnupg2.rb
/Data/tools/homebrew/Cellar/gnupg/1.4.20/share/man/man1/gpg.1
/clouds/Tresorit/personal/Home/Notes/Howto/000-formatted/gpg.html
/Junk/Caches/com.apple.Safari/fsCachedData/2D40CFF3-82A9-458C-AF02-02753F7CEA05
/Junk/Caches/com.apple.Safari/fsCachedData/A7C7F567-0F5A-4103-BD09-368CE4C48750
/Junk/Caches/com.apple.Safari/fsCachedData/6240F4CC-CCEF-4F0B-B13B-1DF9A0BD6B65
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/PortIndex
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/pinentry/Portfile
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/pinentry
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/pinentry-mac
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/lastpass-cli/Portfile
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/gpg-agent/files/patch-agent_gpg-agent.c-launchd.diff
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/gpg-agent/Portfile
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports.tar
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/PortIndex.quick
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/PortIndex
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/aqua/pinentry-mac/Portfile
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/aqua/pinentry-mac
/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/devel/libgpg-error/Portfile
/Data/tools/gpg-1.4.16/share/man/man1/gpg.1
/Data/tools/homebrew/Cellar/gnupg/1.4.12/share/man/man1/gpg.1
/Data/tools/gnupg-2013-01-17/bin/pinentry-curses
/Data/tools/gnupg-2013-01-17/share/doc/gnupg/README
/Data/tools/gnupg-2013-01-17/share/man/man1/gpg-agent.1
/Data/tools/gnupg-2013-01-17/share/man/man1/gpg2.1
/Data/tools/gnupg-2013-01-17/share/gnupg/help.de.txt
/Data/tools/gnupg-2013-01-17/share/gnupg/help.txt
/Data/tools/gnupg-2013-01-17/share/common-lisp/source/gpg-error/gpg-error-codes.lisp
/Data/tools/gnupg-2013-01-17/share/common-lisp/source/gpg-error/gpg-error.lisp
/Data/tools/gnupg-2013-01-17/include/gpg-error.h
/Data/tools/gnupg-2013-01-17/share/info/pinentry.info

nxg commented 7 years ago

An update...

I've now installed gpg2 via homebrew

% keybase config set gpg.command $T/homebrew/bin/gpg2

There are no Keybase services installed, you might try running: keybase install

▶ ERROR There were multiple errors: dial unix /Users/norman/Library/Group Containers/keybase/Library/Caches/Keybase/keybased.sock: connect: no such file or directory; dial unix /Users/norman/Library/Caches/Keybase/keybased.sock: connect: no such file or directory
% keybase install
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.updater.plist
▶ INFO Starting keybase.updater
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.service.plist
▶ INFO Starting keybase.service
▶ ERROR stat /keybase: no such file or directory (kbfs) (ERROR/1804)
% open /Data/LocalApplications/Keybase.app 
% keybase install                         
▶ INFO Removing /Users/norman/Library/LaunchAgents/keybase.updater.plist
▶ INFO Stopped keybase.updater (wait=20s)
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.updater.plist
▶ INFO Starting keybase.updater
▶ INFO Removing /Users/norman/Library/LaunchAgents/keybase.service.plist
▶ INFO Stopped keybase.service (wait=20s)
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.service.plist
▶ INFO Starting keybase.service
▶ INFO Removing /Users/norman/Library/LaunchAgents/keybase.kbfs.plist
▶ INFO Stopped keybase.kbfs (wait=20s)
▶ INFO Saving /Users/norman/Library/LaunchAgents/keybase.kbfs.plist
▶ INFO Starting keybase.kbfs
% keybase config set gpg.command /Data/tools/homebrew/bin/gpg2
% 

I then tried to log in again using the now-running Keybase app, but again got the error:

There was an error provisioning
Unknown error: GPG error: exit status 2

I did keybase log send, which produced ID a380756c66f143ab233fe21c

nicnilov commented 7 years ago

I had a similar issue with the UI showing this message:

There was an error provisioning
Unknown error: GPG error: exit status 2

I use gpg 1.4.8 installed at /usr/local/bin/gpg. I'm on OS X 10.11.6. What worked for me is using CLI as mentioned in Issue 3591:

keybase login

This performed a similar flow in the terminal and the UI became logged in.