keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.
899 stars 37 forks source link

Cannot update public key #2415

Open oliverklee opened 8 years ago

oliverklee commented 8 years ago

I'm currently having difficulties logging in on the command line on Ubuntu Linux:

klee@gonzales:~$ keybase login
Your keybase username or email address: oliverklee
▶ WARNING Skipping expired primary key 0D6E 837E 3CF5 7FE1 E1FC DFA5 10BF A4E2 14FE BC9E
▶ WARNING Skipping expired primary key E056 1231 E431 EF9A BD30 CF8D 33F8 5189 AEB2 6CAA
In order to authorize this installation, keybase needs to sign this installation
with your GPG secret key E23F5ADDCA379BFE.

You have two options.

(1) Keybase can use GPG commands to sign the installation.

(2) Keybase can export your secret key from GPG and save it to keybase's local encrypted
    keyring. This way, it can be used in 'keybase pgp sign' and 'keybase pgp decrypt' 
    going forward.
Which do you prefer?: 1
Enter a public name for this device: gonzales
▶ ERROR Could not open key: no valid primary key self-signature (error 905)

If I understood this correctly, this is related to the GPG key on Keybase being expired (I had added one year to the key expiry in the meantime, but not updated it at Keybase). So I logged in to the Keybase web front end and tried to update my GPG key:

  1. surf to https://keybase.io/oliverklee
  2. click on my key > Edit
  3. click on "Update my key (I edited it elsewhere)"
  4. copy'n'paste my ASCII-armored public key into the box and click on "Submit"
  5. select the option "command line with [bash + GPG + cURL]" (because "in the browser" is "unavailable for you", and "command line with keybase" does not work because I cannot log in to the command line (see above)
  6. in "Okay, hardcore mode", copy the command line command
  7. paste it in my command line (and ignore the warning about pasting 195.978 characters)
  8. press enter
  9. enter my GPG passphrase

Error message: bash: /usr/bin/curl: Die Argumentliste ist zu lang (the argument list is too long)

So I have a catch-22 here: I cannot update my key on keybase because I cannot log in, and I cannot log in because I cannot update my key on keybase.

What can I do? Please help.

maxtaco commented 8 years ago

We need to fix the bug with the curl upload path and big keys. I wonder if there are some shells in which this might work though?

On Tuesday, July 26, 2016, Oliver Klee notifications@github.com wrote:

I'm currently having difficulties logging in on the command line on Ubuntu Linux:

klee@gonzales:~$ keybase login Your keybase username or email address: oliverklee ▶ WARNING Skipping expired primary key 0D6E 837E 3CF5 7FE1 E1FC DFA5 10BF A4E2 14FE BC9E ▶ WARNING Skipping expired primary key E056 1231 E431 EF9A BD30 CF8D 33F8 5189 AEB2 6CAA In order to authorize this installation, keybase needs to sign this installation with your GPG secret key E23F5ADDCA379BFE.

You have two options.

(1) Keybase can use GPG commands to sign the installation.

(2) Keybase can export your secret key from GPG and save it to keybase's local encrypted keyring. This way, it can be used in 'keybase pgp sign' and 'keybase pgp decrypt' going forward. Which do you prefer?: 1 Enter a public name for this device: gonzales ▶ ERROR Could not open key: no valid primary key self-signature (error 905)

If I understood this correctly, this is related to the GPG key on Keybase being expired (I had added one year to the key expiry in the meantime, but not updated it at Keybase). So I logged in to the Keybase web front end and tried to update my GPG key:

  1. surf to https://keybase.io/oliverklee
  2. click on my key > Edit
  3. click on "Update my key (I edited it elsewhere)"
  4. copy'n'paste my ASCII-armored public key into the box and click on "Submit"
  5. select the option "command line with [bash + GPG + cURL]" (because "in the browser" is "unavailable for you", and "command line with keybase" does not work because I cannot log in to the command line (see above)
  6. in "Okay, hardcore mode", copy the command line command
  7. paste it in my command line (and ignore the warning about pasting 195.978 characters)
  8. press enter
  9. enter my GPG passphrase

Error message: bash: /usr/bin/curl: Die Argumentliste ist zu lang (the argument list is too long)

So I have a catch-22 here: I cannot update my key on keybase because I cannot log in, and I cannot log in because I cannot update my key on keybase.

What can I do? Please help.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/keybase/keybase-issues/issues/2415, or mute the thread https://github.com/notifications/unsubscribe-auth/AA05__THiwpOIyjSBqG_f3QVWvqi8yyZks5qZehMgaJpZM4JVBsc .

oliverklee commented 8 years ago

Maybe it is possible to have only the public key without any third-party signatures in the snipped?

maxtaco commented 8 years ago

Here's an easier hack. Let's say our website gave you something like this:

curl \
  --data-urlencode sig="`\
   echo '{"body":{"key":{"eldest_kid":"0101e5f78a045abbbf4745552ff3fe727f4b8d574573c597ca6a2caa50cd320fa3ce0a","fingerprint":"36a9f360387a32f84d78c18d15d6c61451b20e13","full_hash":"a8c14f95c4f9d2846c9dce32994c28b9970422b63e75bf25e129a6ca3d2d2cd9","host":"keybase.io","key_id":"15d6c61451b20e13","kid":"0101e5f78a045abbbf4745552ff3fe727f4b8d574573c597ca6a2caa50cd320fa3ce0a","uid":"9d44f1d67e48e7fb350327d172ab7719","username":"max994"},"type":"eldest","version":1},"ctime":1469642654,"expire_in":157680000,"prev":null,"seqno":1,"tag":"signature"}' | \
   gpg -u '36a9f360387a32f84d78c18d15d6c61451b20e13' -a --sign`" \
  --data-urlencode type="eldest" \
  --data-urlencode session="lgHZIDlkNDRmMWQ2N2U0OGU3ZmIzNTAzMjdkMTcyYWI3NzE5zleY937OACTqANkgMTdiMThkMDI4ZjBlNjM3NzU3NmFhZTA3MzFjYzYzMDLEIBHve1tjfRQ/upfvo8HCSQvbrAARC8bS2SoM37xLKtCh" \
  --data-urlencode csrf_token="lgHZIDlkNDRmMWQ2N2U0OGU3ZmIzNTAzMjdkMTcyYWI3NzE5zleY937OAAFRgMDEIOzRxh/ubgqkhT55sXJqCWrAxV2y0fJ33JojzXv6RQKH" \
  --data-urlencode plain_out="1" \
  --data-urlencode signing_kid="0101e5f78a045abbbf4745552ff3fe727f4b8d574573c597ca6a2caa50cd320fa3ce0a" \
  --data-urlencode public_key="-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mI0EVr0A8wEEAOouu6kTiwMFfHJ2ZoTiEpOSPxMbUSPowGouDkVYBWCbzMXLMKbX
84YCQIihsaVvRUTBbdobhO8qD3CFsGWPodmmwjdYYDCGs+KVlH49QfHXjH5epItG
RG8lel+QpOmGQa1vhOdRorgXz0ROwzJzgAk3qUl/Fm8BUKuxQmXopTBHABEBAAG0
I1Rlc3QgNiBLZXkgPHRoZW1heCt0ZXN0NkBnbWFpbC5jb20+iLgEEwECACIFAla9
APMCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEBXWxhRRsg4T4I8D/2FV
YdhYXFGeSYDgQjyv/9Ne239usMojkme3qlj27r/U/ODOORGM6QRZiqHGAGlp2B8b
tAIz3NoljGjf1h2Srv+a3hO5n2mcZHZv4kJai4Km3nxIoRxbEXxA/S/t28HAxKU6
AXaHdNbUQQCfholtktSFHQvAuDyaPDiTst33c/GYuI0EVr0A8wEEAKeEhup41f4l
N3kG6Mps959rQturGGbsWD2fCXQ/ryoqkBuGcR7lnmR8UP3NIVIVBGh9kov59njH
+4D+/SJ0Oj4VgDW0rn4EYbenSrDSWaNf9I5mgA8+G/DsaICdsUYf8D2EUWDviKqh
h3mSRSoGjfqWVkxsTTd+E3CE1spjEDg3ABEBAAGInwQYAQIACQUCVr0A8wIbDAAK
CRAV1sYUUbIOE4XIA/0X2Cbi5DrqSYW4ZkR83mmCg80A0HSEHfdaPY3xCJUu9DLo
uNyijrcHllG9jeJe90hZGsXQ/nQSdsuj+mmFO2FFmFXAY6/nMklOh0EWkKlLt+kg
SIZRqSHZMfxN2XLkMSyYrpsy33FKaoWtA8pTEJMv+Y1KuizRioErxk6cYiezCbiN
BFa9AQABBACYwrQl6PrgFn5hK+Ue8a7ljXKgMPpk2HpF+cFIL0KM+/JphWrfsSN1
EUpVJOBDDTRAksSA1y+B4X3TuJb1qYey2lBnaB7gUtqrWYmrkottpygT7hZar8Jn
tRsQrvKFDjFdgJg+/NEi7doGYmkRVA/JIQSqroswgVxZEVPVlZvzZQARAQABiQE9
BBgBAgAJBQJWvQEAAhsCAKgJEBXWxhRRsg4TnSAEGQECAAYFAla9AQAACgkQ61X4
cPvT9Xt0cgP/S1DQA8aK6TItDr3E5i5lldc+Z6Zpz81bCcCXB2zcuLiDxiDvVumF
lF3vLkckXG/uRT6vNZShfRsg3kJprOD+GqmvCQedd5j/LjgNpoPdeKdhGWuEAuZI
vWRZmlxBei5KZsTAXXttYoFltzkY8LLlYJBPqo2isrdi3u2f1lUNTHBhqgQA6Ukn
dEqVzX3DP+OxVX4zzwrehTpjmZDDgKVpVrDDY/9nzp/zm67+1+IQk8u+ronCjYsS
e1UlVL6kF6KZSwSPobYOBMGdEMoa+C3xRp0J+sVRFYn1gV/ca4JeF44g+yEsfS+N
qmysBtKsap4bnyc9bCd2Uc4zFZt37xKh8RnqJ9g=
=vBe+
-----END PGP PUBLIC KEY BLOCK-----
" \
  --data-urlencode is_primary="true" \
  --data-urlencode sig_required="true" \
  http://localhost:3000/_/api/1.0/key/add.json

I would move your public key into a file foo.txt, and then do this:

curl \
  --data-urlencode sig="`\
   echo '{"body":{"key":{"eldest_kid":"0101e5f78a045abbbf4745552ff3fe727f4b8d574573c597ca6a2caa50cd320fa3ce0a","fingerprint":"36a9f360387a32f84d78c18d15d6c61451b20e13","full_hash":"a8c14f95c4f9d2846c9dce32994c28b9970422b63e75bf25e129a6ca3d2d2cd9","host":"keybase.io","key_id":"15d6c61451b20e13","kid":"0101e5f78a045abbbf4745552ff3fe727f4b8d574573c597ca6a2caa50cd320fa3ce0a","uid":"9d44f1d67e48e7fb350327d172ab7719","username":"max994"},"type":"eldest","version":1},"ctime":1469642654,"expire_in":157680000,"prev":null,"seqno":1,"tag":"signature"}' | \
   gpg -u '36a9f360387a32f84d78c18d15d6c61451b20e13' -a --sign`" \
  --data-urlencode type="eldest" \
  --data-urlencode session="lgHZIDlkNDRmMWQ2N2U0OGU3ZmIzNTAzMjdkMTcyYWI3NzE5zleY937OACTqANkgMTdiMThkMDI4ZjBlNjM3NzU3NmFhZTA3MzFjYzYzMDLEIBHve1tjfRQ/upfvo8HCSQvbrAARC8bS2SoM37xLKtCh" \
  --data-urlencode csrf_token="lgHZIDlkNDRmMWQ2N2U0OGU3ZmIzNTAzMjdkMTcyYWI3NzE5zleY937OAAFRgMDEIOzRxh/ubgqkhT55sXJqCWrAxV2y0fJ33JojzXv6RQKH" \
  --data-urlencode plain_out="1" \
  --data-urlencode signing_kid="0101e5f78a045abbbf4745552ff3fe727f4b8d574573c597ca6a2caa50cd320fa3ce0a" \
  --data-urlencode public_key@foo.txt \
  --data-urlencode is_primary="true" \
  --data-urlencode sig_required="true" \
  http://localhost:3000/_/api/1.0/key/add.json
maxtaco commented 8 years ago

(That is, if you give curl @foo.txt, it will slurp it in from a file)

maxtaco commented 8 years ago

(If this doesn't work, I think some variation of it will....)

oliverklee commented 8 years ago

Thanks! I'll give it a try!

ijc commented 8 years ago

I tripped over the same /usr/bin/curl: Argument list too long trying to register my public key via the manual/CLI (GPG+curl) method.

The reason was that my public key (produced with the recommended gpg --export -a incantation) included all of the signatures on my key (which is around 70).

I worked around this by using gpg --export --export-options export-minimal -a instead which excludes the signatures and makes the public key size manageable again.

I figure that if keybase wants/needs the signatures for something they are readily available on the keyservers or maybe there needs to be a separate UI step for that.