keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

Keybase fails to poll smart card for key verification #6259

Open hon1nbo opened 7 years ago

hon1nbo commented 7 years ago

I just installed the app on my Linux machine (Debian-based distro) when logging in on the web said someone I followed sent me something (which that user says via other means he most certainly did not, and we are wanting to see what it is). The app fails to provision the device, saying it cannot find my private key. The private key for my account is on a Smart Card, and I do not extract keys (actually, I cannot extract keys once they are generated, and having a flat file key defeats the purpose of a smart card). GPG has no issues using the card on this machine, and I have other applications that use it as well.

gpg -K

/home/XXXXXXXXXXXX/.gnupg/secring.gpg
-----------------------------
sec>  4096R/48590686 2015-07-12 [expires: 2025-07-09]
      Card serial no. = XXXX XXXXXXXX
uid                  Jimb0 Hon1nbo (Hon1nbo MFA GPG) <hon1nbo@hackingand.coffee>
ssb>  4096R/29F3F68B 2015-07-12
ssb>  4096R/D1184610 2015-07-12

my log id: adfcb3d11ad6cce3cdcf061c

Cheers, ~H

maxtaco commented 7 years ago

Your log shows this:

790 2017-03-15T12:34:41.394033-05:00 ▶ [DEBU keybase gpg_cli.go:353] 2f5 | running Gpg: /usr/bin/gpg2 --no-tty --with-colons --fingerprint -K
791 2017-03-15T12:34:41.400580-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2f6 gpg: starting migration from earlier GnuPG versions
792 2017-03-15T12:34:42.404075-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2f7 gpg: porting secret keys from '/home/xxxxxx/.gnupg/secring.gpg' to gpg-agent
793 2017-03-15T12:34:42.414971-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2f8 gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
794 2017-03-15T12:34:42.415154-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2f9 gpg: key 48590686: secret key imported
795 2017-03-15T12:34:42.415428-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2fa gpg: migration succeeded
796 2017-03-15T12:34:42.415628-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2fb gpg: checking the trustdb
797 2017-03-15T12:34:42.416165-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2fc gpg: marginals needed: 3 completes needed: 1 trust model: PGP
798 2017-03-15T12:34:42.416336-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2fd gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
799 2017-03-15T12:34:42.416557-05:00 ▶ [DEBU keybase gpg_cli.go:332] 2fe gpg: next trustdb check due at 2025-07-09

What does this show?

/usr/bin/gpg2 --no-tty --with-colons --fingerprint -K

hon1nbo commented 7 years ago

That command has no output, but when using gpg rather than gpg2 gives the following:

/usr/bin/gpg --no-tty --with-colons --fingerprint -K

sec::4096:1:7F9E0FD048590686:2015-07-12:2025-07-09:::Jimb0 Hon1nbo (Hon1nbo MFA GPG) <hon1nbo@hackingand.coffee>:::
fpr:::::::::56033A399BB0778C0C123DA17F9E0FD048590686:
ssb::4096:1:F9EADE6129F3F68B:2015-07-12:::::::
ssb::4096:1:0CEB49F4D1184610:2015-07-12:::::::

gpg2 does see the keys and exists on this system. Not sure why it has no output when gpg does.

gpg2 --list-keys

/home/XXXXXXXXX/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/48590686 2015-07-12 [SC] [expires: 2025-07-09]
uid         [ultimate] Jimb0 Hon1nbo (Hon1nbo MFA GPG) <hon1nbo@hackingand.coffee>
sub   rsa4096/29F3F68B 2015-07-12 [A] [expires: 2025-07-09]
sub   rsa4096/D1184610 2015-07-12 [E] [expires: 2025-07-09]

However, looking through I see that scdaemon failed to be called via gpg2 --card-status. I don't normally use scdaemon, but since keybase is forcing gpg2 I went ahead and set it up. This allowed keybase to see that I have the secret key (should really be more verbose in the log output that it is trying to use gpg2 and failing, as Debian distros by default tend to have both gpg and gpg2... however stupid that is).

Next up comes a different error though (and I sent in fresh logs for it, my log id: 43d8acba6eb1fac1047f921c)

This time keybase fails with the card PIN. I am not sure what it is doing, but it says exit code 2. I don't know how it is trying to handle the PIN under the hood. I am getting a GUI popup for PIN entry rather than my usual Curses-based one when I call something from the command line. When it comes to PIN entry there are sometimes quirks (especially on Debian systems where GNOME components are present). I may investigate this further, but if you can see a more useful log it might help speed things up.

Cheers, ~H
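
An added example, not part of the thread and not Keybase's own code: a small Go parser for the `--with-colons --fingerprint -K` listing quoted above, showing why empty gpg2 output looks like "no private key" to a caller. `SecretKey` and `ParseSecretKeys` are hypothetical names; field positions follow GnuPG's colon-listing format.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// pageOutput is the gpg 1.x listing quoted in the comment above.
const pageOutput = `sec::4096:1:7F9E0FD048590686:2015-07-12:2025-07-09:::Jimb0 Hon1nbo (Hon1nbo MFA GPG) <hon1nbo@hackingand.coffee>:::
fpr:::::::::56033A399BB0778C0C123DA17F9E0FD048590686:
ssb::4096:1:F9EADE6129F3F68B:2015-07-12:::::::
ssb::4096:1:0CEB49F4D1184610:2015-07-12:::::::`

// SecretKey (hypothetical type) is one "sec" record and its subkeys.
type SecretKey struct {
	KeyID, Fingerprint, Expires string
	Subkeys                     []string
	CardSerial                  string // field 15 (GnuPG 2.x): token S/N, "#" for a stub
}

// ParseSecretKeys (hypothetical helper) parses `--with-colons --fingerprint -K`
// output. Empty output, as gpg2 gave in the thread, yields no keys at all.
func ParseSecretKeys(out string) []SecretKey {
	var keys []SecretKey
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		switch {
		case f[0] == "sec" && len(f) > 6:
			k := SecretKey{KeyID: f[4], Expires: f[6]}
			if len(f) > 14 {
				k.CardSerial = f[14]
			}
			keys = append(keys, k)
		case f[0] == "fpr" && len(f) > 9 && len(keys) > 0:
			// Only the first fpr after sec is the primary key's fingerprint.
			if k := &keys[len(keys)-1]; k.Fingerprint == "" {
				k.Fingerprint = f[9]
			}
		case f[0] == "ssb" && len(f) > 4 && len(keys) > 0:
			k := &keys[len(keys)-1]
			k.Subkeys = append(k.Subkeys, f[4])
		}
	}
	return keys
}

func main() {
	fmt.Printf("gpg:  %+v\n", ParseSecretKeys(pageOutput))
	fmt.Printf("gpg2: %d secret key(s)\n", len(ParseSecretKeys("")))
}
```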

maxtaco commented 7 years ago

Oh! Your woes can likely be solved via:

keybase config set gpg.command gpg

hon1nbo commented 7 years ago

If I run that, then keybase goes back to not detecting a private key again...

Log send id: 3eafafcdfbb9df087b138d1c

Cheers, ~H

maxtaco commented 7 years ago

ok cc: @zapu

linux-modder commented 7 years ago

try AFTER running:

gpg-connect-agent /bye

gpg-agent --daemon

gpg2 --card-status

hon1nbo commented 7 years ago

@linux-modder no dice.

freddyb commented 6 years ago

I had a similar issue (but probably not the same) and the steps here helped me. Maybe this should live in the docs?