keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Hacker News verification succeeds on keybase.io but fails with CLI. #1404

Closed karanlyons closed 9 years ago

karanlyons commented 9 years ago

My HN account (13 karma) has the keybase proof string, as required:

[ my public key: https://keybase.io/karanlyons; my proof: https://keybase.io/karanlyons/sigs/AKcTFtVA5RkCb0y1ELulZGf8Iu-yZtYTbYYiwf1Bw3Q ]

keybase.io correctly verifies the hash, but the CLI fails:

$ keybase id karanlyons
✖ "karanlyons" on hackernews: https://news.ycombinator.com/user?id=karanlyons
(failed with code null: check url failed for
{"api_url":"https://news.ycombinator.com/user?id=karanlyons","signature":"-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v2\n\nowF9kns4VGkcx8coZVU7CWFVmqLFpHOfc9jctRWJrbbNbjt7Lu8wqRnmjGJQsRLd\nt6J6CsuyqabaC9PtKQ+rNrpIRWkltqWdfWQrUhL2jN2ebf/Zv97z/s7n933f7/f3\n7hpvKRJbNGTtKwstGy+yuGJiREvacialSBkNlyz1SZGyq1VArTN/qek1QOojjQPJ\nDM0Db5XGVa3hgPcq3vUfRiZdC7S8SqMWKMgb84YxaZrMzJu7lSp1DNDGa1VmMSmM\nMxAH4wjGUCQBGCUHkwjLYLCwEpScJjGcJiEOggTNWA2v+8+x0hFNhYoTqiEjfKDA\nB5JQyAifOPIDxThGycgpHKVIHMDCOaiShmFUKacAAv0N8kD7xhOtpdWrkzVq3nzj\nNUAbtxootBrNiG9WpzJDMAbJEQQlSVi4E83HCm0IyzEYjTAAhgFB4CwBsSxG0jRH\nQixF4AgCA0QOKQGHARwSfAIlC8k5gGIkBTAWZWAIIRiSpghUjkIwAstRAkeVLA1D\nKKLkaILiUATGOAqDGUBDMCQ0caQSRlFUTqE4QwsmeJCg1kh9UBQh0TTzVrtWxYK3\nxhVLs3GCT7CO/z/LuuR4c3EdYE4q/tFQMCo1Jwzt7bHCAvqfODCIoGRSkBSv0gKF\nykzgcoIU8oVk0ngtWGsOiaNYBqAwgSsROQ0J0xBGAQghI0gwIUdwVKgxNISxGCaH\nIY6iSJJACYLFORpiSeZfk4iQvI6OETR5VYya1iVqgTQtZ5TLKJGFWGQ1Wmx+uKJ3\nrCVvXnO4YdprG98c3ovscMoa2PL+zp6MbRersG1NRxvnPyn1rsPHLnu9habLJPfp\nsez84Or0LfE7CzKKkj2Ao/3m5uy8fmz6rHR9yFfbn514kll76nrk3u3Q+jsT+8LL\nbqTnw6GtM+pTEh2tUmwcFvQmPNCnysh83H+m/7UVEVznpG8TZjn6dqW7XojU7JDt\nYqz0x7bxVT/gH0gIcRCWmr31QaxdWvThR0dCnCN/vLZhe3dnQtS9+9bxDoq4sAa/\nmSdf268bDjIcrb4UHxb12x8Eci//+jd7d+un13bV93hdeifyji3UVWIU0R5/Gl8g\nE8qfBZ8aTnDPalk0i0+/6KAL+LIuqSP4YZH7tXNn3T//MPX4H9rF/d1tgeu22Gd+\nKZlrGBhoyC22+OTFbo/HE77V1VjELt23v2WJ6a4pf8pTsqJS9tpSmZchMV285St6\nzytw8fOq6K93LWwtPhObczaV6u+0/KZls9OmH8qoZ11V7+4/a59gt9Qo/nhRGZeS\n2zfqI+aYkszY9+n0rMJjl060jfMu/JoODT+6seRKgVv2Fzcvs2vuBtvUi6dkOaT4\neLx3UO1atKPUq85gBT20vV1THGFsrE6cvHpT2OTGNps+T31zywUKT/Yq1RA37j08\nN9YCqQn/pbKRPL2hb+40NRH6il4pmdsVncolztHl7b1t8fKX9eHT2vMOfQrcZO6B\nyU9rmnbkhj53G3dGY3X9SOCmsBsbc6JN19hqg3VN01D9TL/W4117mpWnF1lqEyWP\nOzZ09JSXTNB5FhhFeb83GbvqrXuCbNOmtrqEp8fc9DnvEnxyWSQxL2z8LfXPmdSd\noYlR6ef3SNM0UXd0u58MWfjOD/hpr15S3bfRxzFIG8GvYE6eUaKr/GqgipZAq+64\nYbjf3zSjcGvQZ9GvCu5vPgsNivu7+TENJb10BJZ9d0/z4XJf3eWh8/rBBw+yVp67\nvDvRb9KS9ts/Ok91a3XsnB3aEzy57uWMMUlPiz7JNKw16uctXa64/cQuOtKr+HRl\ne9JljUuI/7JqUtd4YOyM0uYrlRX2xX4G26u+9kiDH+LC/x5f/rxwVEkVNTvOoyOg\n8kJ+d/Aq4/qaqY8mLkmwgWKG+pfrar094bqr3eWjnZOKWpsPPTrVF5Hm/33dysJK\nhbFau9WprH2xXe+COYtcdzkZel/lyVHbsrYXaMlzl3f3fac/fKVz3oGOjgi3bIf2\nYFPF+OHlpQPjHH89ciDX3U/00vqQoSiHH2i/qD5dlbPGO111K6p2ULqzb7n68OD6\nFVWz72f8VCGDf06qD71rjPzNRjJu46Dd+487brkOl4sO7s99aurNWTjF0zZSXJTo\nWRAxVam7qhMrEmY6H7jp0lo7J8nShDg1/OrTFFD9Xf7mVNNk5xaf0QELHztnvvgL\n=J7tF\n-----END PGP MESSAGE-----","proof_text_check":"AKcTFtVA5RkCb0y1ELulZGf8Iu-yZtYTbYYiwf1Bw3Q","remote_id":"karanlyons","human_url":"https://news.ycombinator.com/user?id=karanlyons","name":"hackernews","username":"karanlyons"})

This doesn’t seem to be the case for some other keybase accounts I’ve tried, but I’m flummoxed as to what the difference between those accounts and mine is. Note that all other verifications for my identity succeed in both the web interface and CLI.

maxtaco commented 9 years ago

Seems to work fine now in both the CLI and the Web site. We've had a lot of trouble with the HN API giving inconsistent or slow updates. Might that account for your woes?

maxtaco commented 9 years ago

(But btw this error message is buggy, which is an issue I haven't seen before).

karanlyons commented 9 years ago

Perhaps this is just an issue with my machine, then? I’m running keybase 0.7.7 with gpg 2.0.26 and node 0.10.36. I’m not sure what other dependencies there are.

Again, this only seems to happen with my account (at least, that I’ve found). id-ing you, for example, works completely fine (✔ "maxtaco" on hackernews: https://news.ycombinator.com/user?id=maxtaco).

Manually piping the signature into keybase decrypt works just fine, and manually hashing that signature (base64.b64encode(hashlib.sha256(base64.b64decode(sig)).digest())) matches the proof_text_check in my HN bio. The only difference is the lack of padding in the latter, but I assume that’s accounted for and intentional: for example, your proof_text_check also lacks padding, and the CLI has no issues with it.

I think the issue resides somewhere in the initial fetching of data from the HN api.
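The hashing step described in the comment above, written out as an added example (this is not Keybase's code): strip the ASCII armor, SHA-256 the binary signature, and encode the digest as URL-safe base64 without the trailing "=" padding. The URL-safe alphabet is an assumption drawn from the proof string quoted in this issue, which contains "-" where standard base64 would use "+". The armored message is constructed around the bytes "abc" and its CRC line is a placeholder, so it is not a real signature; the function names are made up for the example.

```python
import base64
import hashlib

# Constructed sample payload: the bytes "abc" stand in for a binary PGP
# signature. The armor is built around it so the example is self-contained;
# the "=AAAA" CRC-24 line is a placeholder and is skipped, not verified.
PAYLOAD = b"abc"
SAMPLE_ARMOR = "\n".join([
    "-----BEGIN PGP MESSAGE-----",
    "Version: GnuPG v2",
    "",
    base64.b64encode(PAYLOAD).decode("ascii"),
    "=AAAA",
    "-----END PGP MESSAGE-----",
])


def dearmor(armored: str) -> bytes:
    """Return the binary payload of an ASCII-armored message (CRC ignored)."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not an ASCII-armored message")
    # Armor headers ("Version: ...") end at the first blank line.
    body_start = lines.index("") + 1
    body = []
    for line in lines[body_start:]:
        if line.startswith("=") or line.startswith("-----END"):
            break  # "=XXXX" is the CRC line, not part of the payload
        body.append(line.strip())
    return base64.b64decode("".join(body), validate=True)


def proof_text_check(armored: str) -> str:
    """SHA-256 of the binary signature, URL-safe base64 without '=' padding."""
    digest = hashlib.sha256(dearmor(armored)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bio_contains_proof(bio_text: str, armored: str) -> bool:
    """True if the remote bio text carries the check string for this signature."""
    return proof_text_check(armored) in bio_text


# Constructed bio line in the same shape as the one quoted in this issue.
SAMPLE_BIO = (
    "[ my public key: https://keybase.io/example; "
    "my proof: https://keybase.io/example/sigs/"
    + proof_text_check(SAMPLE_ARMOR)
    + " ]"
)

if __name__ == "__main__":
    print(proof_text_check(SAMPLE_ARMOR))
    print(bio_contains_proof(SAMPLE_BIO, SAMPLE_ARMOR))
```

A 32-byte digest always encodes to 43 characters once padding is dropped, which is why a padded and an unpadded check string differ only by the trailing "="; comparing the unpadded form is what makes the substring search in the bio robust.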

karanlyons commented 9 years ago

Okay, I’ve figured it out!

The hackernews _check_api_url function is returning an error, because api_url does not match @api_url(username). For example (apologies for the scrolling):

| Keybase User | api_url | @api_url(username) | _check_api_url(api_url, username) |
|---|---|---|---|
| max | https://hacker-news.firebaseio.com/v0/user/maxtaco/about.json | https://hacker-news.firebaseio.com/v0/user/maxtaco/about.json | true |
| karanlyons | https://news.ycombinator.com/user?id=karanlyons | https://hacker-news.firebaseio.com/v0/user/karanlyons/about.json | false |

Here’s what I think is happening: My proof was generated before you got access to the firebase API for HN, so it’s designed for the old style scraping. However, the keybase client no longer supports that version of validation. So we fail at the first step of checking that the URL I signed(?) matches the URL the client expects.

Firstly, I’d say that error message could be improved by at least noting that the issue is that the expected URL and the signed(?) URL do not match.

Secondly, the client should really support both methods of validation (old school site scraping in addition to the API) if it’s not possible to automatically use the new API. I’m not sure how easy that is to mesh with the BaseScraper class.

Finally, I can obviously (I think) just revoke and reprove my HN account. I don’t know how many other users would need to do this as well, and you obviously (I hope) can’t automatically reprove them with the new API, but you could shoot out an email to the subset of users with the older proof version letting them know they should revoke and reprove themselves. Or, and I might be wrong about this, if the actual API URL isn’t signed it might just be a quick update in keybase’s database.

@maxtaco: Shall I keep my old proof around to help you test things out, and/or is there anything more I can do to help? I just barely understand the source code for the CLI so I’m not really comfortable issuing a pull request there, and it really seems like just notifying the affected users or updating the URL (if possible) would be the kindest solution both in terms of simplicity for the CLI and kindness to HN’s servers.

karanlyons commented 9 years ago

Okay, further inspection seems to show that just altering _check_api_url in hackernews.iced so that it returns whether or not api_url matches either @api_url(username) or @human_url(username) fixed the problem, but it was a hack.

What I couldn’t understand was where that incorrect api_url was coming from. It’s not in the signed payload, it’s not in user/lookup.json, it’s not sig/get.json, and I honestly couldn’t think of another place to check.

The command line client has a cache. It was pulling stale data from there, and gaslighting me as a result. I had no idea that it did that. Manually clearing out ~/.keybase/keybase.idb fixed everything. I don’t honestly know if that counts as “fixed”, but I’m closing this issue and leaving the chain intact as a record of my personal insanity. In retrospect I should have realized there was a debug flag and used it: the debug logs make it very clear what was going on.

I guess my only question now is: How is cache invalidation handled by the command line client? Does it not handle the case of API responses changing independent of signatures/user data?
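The two behaviours discussed in this thread, the strict _check_api_url comparison against @api_url(username) (and the "accept either URL" workaround from the later comment) and a proof record served from a cache that has outlived the server's switch from the human page to the Firebase API, as an added example that is not the keybase client's code. The URL templates come from the table above; ProofCache, SERVER_PROOFS, the max-age rule and the function names are assumptions made up for the example, and the stale cache entry is constructed to reproduce the mismatch shown in that table.

```python
# URL templates as shown in the table in this thread.
API_URL_TEMPLATE = "https://hacker-news.firebaseio.com/v0/user/{u}/about.json"
HUMAN_URL_TEMPLATE = "https://news.ycombinator.com/user?id={u}"


def api_url(username: str) -> str:
    return API_URL_TEMPLATE.format(u=username)


def human_url(username: str) -> str:
    return HUMAN_URL_TEMPLATE.format(u=username)


def check_api_url(url: str, username: str) -> bool:
    """Strict check: only the Firebase API URL for this user is accepted."""
    return url == api_url(username)


def check_api_url_lenient(url: str, username: str) -> bool:
    """The workaround described above: accept the API URL or the human URL."""
    return url in (api_url(username), human_url(username))


# Constructed stand-in for the server: what it returns for each user today.
SERVER_PROOFS = {
    "maxtaco": {"api_url": api_url("maxtaco")},
    "karanlyons": {"api_url": api_url("karanlyons")},
}


def fetch_from_server(username: str) -> dict:
    return dict(SERVER_PROOFS[username])


class ProofCache:
    """Local cache of proof records with a simple max-age invalidation (hypothetical)."""

    def __init__(self, max_age_seconds: int):
        self.max_age = max_age_seconds
        self._entries = {}  # username -> (fetched_at, record)

    def seed(self, username: str, record: dict, fetched_at: int) -> None:
        """Preload an entry; used here to simulate a record cached before the API switch."""
        self._entries[username] = (fetched_at, dict(record))

    def get(self, username: str, fetch, now: int) -> dict:
        entry = self._entries.get(username)
        if entry is not None and now - entry[0] <= self.max_age:
            return dict(entry[1])  # fresh enough: served from cache, server not consulted
        record = fetch(username)  # missing or expired: refetch and replace the entry
        self._entries[username] = (now, dict(record))
        return dict(record)


def verify_hn_proof(username: str, cache: ProofCache, now: int, strict: bool = True):
    """Return (ok, api_url_used) for the hackernews proof of `username`."""
    record = cache.get(username, fetch_from_server, now)
    url = record["api_url"]
    ok = check_api_url(url, username) if strict else check_api_url_lenient(url, username)
    return ok, url


def demo():
    now = 1_000_000
    cache = ProofCache(max_age_seconds=3600)
    # Stale entry from the scraping era: api_url still points at the human page.
    cache.seed("karanlyons", {"api_url": human_url("karanlyons")}, fetched_at=now - 60)
    stale_strict, _ = verify_hn_proof("karanlyons", cache, now)
    stale_lenient, _ = verify_hn_proof("karanlyons", cache, now, strict=False)
    # Once the entry ages out, the refetch picks up the API URL and the strict check passes.
    later = now + 7200
    fresh_strict, url = verify_hn_proof("karanlyons", cache, later)
    return stale_strict, stale_lenient, fresh_strict, url


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one raised in the last comment: a cache keyed only on the user, with no notion of the server-side format changing, keeps returning a record that the current checker can no longer accept, and nothing in the failure message says the data was local. Time-based expiry, or simply refetching once on a check failure before reporting it, would have surfaced the real state of the proof.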