keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

"Your private key appears corrupted (no valid primary key self-signature or key(s) have expired)" #2859

Closed dltj closed 7 years ago

dltj commented 7 years ago

I can't seem to log into keybase from the command line or the MacOS client. I suspect it is because a subkey has expired, but I can't find a way to get the updated subkey to be recognized. The specific error is:

$ keybase login
Your keybase username or email address: dltj
Enter a public name for this device: Walkabout
▶ ERROR openpgp: invalid argument: no valid signing keys

If I try to update my key on the keybase.io website (using the 'Update my key -- I edited it elsewhere' link), I'm asked to sign the updated public key. Two of the three options give an error and the third option appears to have no effect:

  1. in the browser: "Error: Your private key appears corrupted (no valid primary key self-signature or key(s) have expired)"
  2. command line with keybase: "▶ ERROR Login required" on the command line
  3. command line with [bash + GPG + cURL]: This says "Success" but doesn't seem to have any effect.

In fact, if I try to upload the new public key again and verify it with bash+GPG+cURL, I get the message:

Code: 921
Name: KEY_DUPLICATE_UPDATE
Description: The updated PGP key had no changes

It seems like I'm stuck in a catch-22 where I can't log in because I can't update the expiration date of the subkey in keybase.io's server because I can't login.

Details

$ keybase --version
keybase version 1.0.18-20170209165653+17b641d

The gpg --list-packets output and the ascii-armored key are here: https://gist.github.com/dltj/489688942a82ca7e5108a670e123fcec

dltj commented 7 years ago

I'm not sure if this helps, but I was able to use the bash + GPG + cURL option to successfully follow someone. The in-the-browser and command-line-with-keybase options to approve that follow give the same error message that I'm getting for logging into Keybase.

dltj commented 7 years ago

@maxtaco - Apologies for naming you explicitly in the ticket; you seem to be answering other questions related to the keybase.io keystore, so I'm hoping you can help here.

maxtaco commented 7 years ago

Try to login via the command line, and when it fails, issue keybase log send. Can't guarantee when we can look into it, but we'll try.

dltj commented 7 years ago

Done. my log ID: 923f9ced44c4c63cfdb5b91c

Thanks for the reply.

maxtaco commented 7 years ago

Which provisioning option did you pick?

dltj commented 7 years ago

I haven't been offered a provisioning option, but I was asked for a device name:

$ keybase login
Your keybase username or email address: dltj
Enter a public name for this device: walkabout
▶ ERROR openpgp: invalid argument: no valid signing keys

(The keybase.app application prompts for a password.)

My keybase key is fairly old -- dating back to the early days of the project in 2014 -- and so I haven't gone through the steps of provisioning a device. The key has been sitting idle until recently when I noticed a pick-up of my colleagues announcing proofs on Twitter.

maxtaco commented 7 years ago

Thanks for all the help -- one last question --- did you use keybase to generate your key, or did you bring your own?

dltj commented 7 years ago

This is a keybase-generated key, but I found it had expired so I updated the expiration dates locally using GPG Keychain.app (MacOS).

maxtaco commented 7 years ago

Ok thanks. I see the bug, we'll work on it!

dltj commented 7 years ago

Much, much appreciated.

dltj commented 7 years ago

@maxtaco - I just tried this on the website and the error is still there. Is the bug being tracked on another ticket?

zapu commented 7 years ago

@dltj Sorry for being unable to help before, we are just now going through some backlog of PGP issues. If I'm looking at things correctly, you managed to update your PGP key. I recall testing this scenario lately and I've been able to update an expired PGP key using the website, but I admit it's a convoluted and non-obvious thing to do.

Let me know if you have any troubles.

dltj commented 7 years ago

Hi @zapu -- I'm seeing the same symptoms, I'm afraid. I updated the key using GPG on my local machine and used the "Update my key (I edited it elsewhere)" option in the web interface to upload the updated public key. I tried all three signing options and only the "command line with [bash + GPG + cURL]" gives a "Success" message. I'm still not able to log into the MacOS keybase client or sign a follow request on the website.

dltj commented 7 years ago

@zapu: Gist with updated public key and gpg --export --armor 304f1344 | gpg --list-packets output:

https://gist.github.com/dltj/cfb9c85d6022248db5cf32b2ca602b4a

Also, I received a PGP key updated: "2DA0 8D60 69D2 483D E5E5 37F3 48E5 203C 304F 1344" email with the first line that says "Congratulations! This is your first Keybase key."

keybase version 1.0.23-20170522181119+8a8aea0 on MacOS.

Habmala commented 7 years ago

I don't know if it helps but I'm having (what seems like) the same issue. I reported it here https://github.com/keybase/client/issues/4083 a while back. I also updated my key locally and uploaded after it expired. Happy to help test or troubleshoot if needed. I'm on Linux if it makes a difference.

zapu commented 7 years ago

@dltj are you dltj on keybase? Because when I fetch your key using curl https://keybase.io/dltj/pgp_keys.asc | gpg --import it doesn't seem to be expired anymore

/tmp/tmp.ZJRlBeoYQa/.gnupg/pubring.kbx
--------------------------------------
pub   rsa4096 2014-12-23 [SC] [expires: 2017-08-05]
      2DA08D6069D2483DE5E537F348E5203C304F1344
uid           [ unknown] Peter Murray (Professional) <jester@dltj.org>
uid           [ unknown] [jpeg image of size 14347]
uid           [ unknown] keybase.io/dltj <dltj@keybase.io>
uid           [ unknown] Peter Murray (Personal) <peter@pandc.org>

What's the error after you try to do keybase login ? Can you try to do keybase log send afterwards? Thank you.
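The check discussed above (does the published key still have a signing-capable key that is not expired?) can be scripted against `gpg --with-colons --list-keys` output. This is an added example, not part of the thread and not Keybase's own logic; the sample key data is constructed, the function names are hypothetical, and it assumes GnuPG 2.x colon output with epoch-second timestamps.

```python
# Constructed sample of `gpg --with-colons --list-keys` output (not the
# reporter's real key): a primary key that can sign and certify, one expired
# signing subkey, and one encryption-only subkey.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1419292800:1501891200::-:::scESC::::::23::0:
uid:-::::1419292800::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:e:2048:1:BBBBBBBBBBBBBBBB:1419292800:1482364800:::::s::::::23:
sub:-:2048:1:CCCCCCCCCCCCCCCC:1419292800:1501891200:::::e::::::23:
"""


def signing_keys(colons, now):
    """Return [(keyid, usable, reason)] for each key or subkey that can sign.

    `now` is a Unix timestamp, passed in so the check is reproducible.
    """
    results = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        validity, keyid, expires, caps = f[1], f[4], f[6], f[11]
        # Lowercase letters in field 12 are this key's own capabilities;
        # uppercase letters on the pub line summarise the whole key.
        if "s" not in caps:
            continue
        if validity in ("r", "d", "i"):
            reason = "revoked, disabled or invalid"
        elif validity == "e" or (expires and int(expires) <= now):
            reason = "expired"
        else:
            reason = "ok"
        results.append((keyid, reason == "ok", reason))
    return results


def has_valid_signing_key(colons, now):
    """True if at least one signing-capable key is currently usable."""
    return any(usable for _, usable, _ in signing_keys(colons, now))


if __name__ == "__main__":
    for keyid, usable, reason in signing_keys(SAMPLE, 1498000000):
        print(keyid, "usable" if usable else "NOT usable", reason)
```

Running the same check on both the key fetched from the server and the locally stored copy shows whether the two disagree about expiry.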

dltj commented 7 years ago

@zapu: Yes, I updated the expiration date using GPG Keychain.app then uploaded the updated public key to Keybase using the website. I tried all three signing options and only the "command line with [bash + GPG + cURL]" gives a "Success" message. This is what I see on the command line trying to login:

$ keybase login
Your keybase username or email address: dltj

************************************************************
* Final step: name your new device!                        *
************************************************************

Enter a public name for this device: Walkabout
▶ ERROR openpgp: invalid argument: no valid signing keys

I've submitted the logs -- the log id is fbdba211fbbe0c25c53b3f1c

Thank you for your help.

dltj commented 7 years ago

As an aside, I just found out that I can successfully follow someone on keybase.io if I use the "command line with [bash + GPG + cURL]" signing option. (Keybase log ID f1b1b18da3009f297077201c.) If I use the other two options, I see the same error messages as displayed in the original description of the ticket above.

zapu commented 7 years ago

Got the log, thank you. One more question - do you store encrypted secret key on Keybase.io?

dltj commented 7 years ago

@zapu: Hmmm -- good question. I don't think so -- that doesn't sound like something I would do -- but I set up Keybase so long ago I can't remember. I don't know how to find out if I do.

dltj commented 7 years ago

Thanks for taking a look at this earlier, @zapu -- any thoughts on this now? I just tried it again on the website and the MacOSX client and still see the no valid signing key errors.

zapu commented 7 years ago

Hello, sorry for not getting back to you. We are working on simplifying the key updating process server-side, I should have more news soon.

You can check if you are hosting an encrypted private key by logging on the website and clicking edit on the PGP key and seeing if you have an option to delete or export it.

dltj commented 7 years ago

Ah, yes -- my private key is hosted on keybase.io. Would things be better or worse if I deleted my private key from the Keybase server? Also, is there an issue to track the server-side key updating process?

zapu commented 7 years ago

You could try to remove it, since it's expired anyway (sorry for not offering an option to extend it! it's been in backlog forever), and then host the new one if you want to.

dltj commented 7 years ago

Ah, okay -- deleted from the website, and the practical effect is that the "in the browser" signing function is no longer available. keybase login on the command line still gives a no valid signing keys error, so I think I'm no worse off than I was before.

zapu commented 7 years ago

Can you do keybase log send after trying keybase login ?

dltj commented 7 years ago

Done! Log id is dea2af4838568c64f46bc81c

zapu commented 7 years ago

Would you mind checking if you have ~/.config/keybase.devel/secretkeys.* file? We are trying to figure out if the expired encrypted private key got cached somehow.

dltj commented 7 years ago

I didn't have a secretkeys file there, but did at ~/Library/Application\ Support/Keybase/secretkeys.dltj.mpack (this is on MacOSX). I removed that (rm ./Library/Application\ Support/Keybase/secretkeys.dltj.mpack) and tried keybase login again:

$ keybase login
 Your keybase username or email address: dltj

 ************************************************************
 * Final step: name your new device!                        *
 ************************************************************

 Enter a public name for this device: Walkabout
 ▶ ERROR openpgp: invalid argument: no valid signing keys

So I tried moving the entire "Application\ Support/Keybase" directory out of the way and starting from scratch. Success!

$ mv ~/Library/Application\ Support/Keybase ~/Library-Application_Support-Keybase
$ keybase login
 Your keybase username or email address: dltj
 In order to authorize this installation, keybase needs to sign this installation
 with your GPG secret key 48E5203C304F1344.

 You have two options.

 (1) Keybase can use GPG commands to sign the installation.

 (2) Keybase can export your secret key from GPG and save it to keybase's local encrypted
     keyring. This way, it can be used in 'keybase pgp sign' and 'keybase pgp decrypt'
     going forward.
 Which do you prefer?: 1

 ************************************************************
 * Final step: name your new device!                        *
 ************************************************************

 Enter a public name for this device: Walkabout

 You need a passphrase to unlock the secret key for
 user: "Peter Murray (Professional) <jester@dltj.org>"
 4096-bit RSA key, ID 304F1344, created 2014-12-23

 ✔ Success! You provisioned your device Walkabout.

 You are logged in as dltj
   - type `keybase help` for more info.

For what it's worth, the contents of the old "Application\ Support/Keybase" directory are:

$ ls -la  ~/Library-Application_Support-Keybase
 total 104
 drwxr-xr-x   22 peter  staff   748 Jun 22 16:25 ./
 drwx------  269 peter  staff  9146 Jun 22 10:14 ../
 drwx------    8 peter  staff   272 Feb 23 14:20 Cache/
 -rw-r--r--    1 peter  staff  7168 Feb 23 14:20 Cookies
 -rw-r--r--    1 peter  staff     0 Feb 23 14:20 Cookies-journal
 drwx------    7 peter  staff   238 Jul 13  2016 GPUCache/
 lrwxr-xr-x    1 peter  staff     8 Feb 20 09:23 Keybase@ -> /keybase
 drwx------    2 peter  staff    68 Feb 20 09:23 Local Storage/
 -rw-------    1 peter  staff    69 Jun 19 15:17 Preferences
 lrwxr-xr-x    1 peter  staff    76 Jun 19 15:16 SS@ -> /var/folders/nm/jnnxmb5941j9fz3tsp6dw14c0000gn/T/.keybase.Electron.zQySUf/SS
 lrwxr-xr-x    1 peter  staff    20 Jun 19 15:16 SingletonCookie@ -> 17560018492918117867
 lrwxr-xr-x    1 peter  staff    19 Jun 19 15:16 SingletonLock@ -> Walkabout.lan-73547
 -rw-r--r--    1 peter  staff   213 Jun 22 15:55 app-state.json
 -rw-------    1 peter  staff   245 Apr 17 09:15 config.json
 -rw-r--r--    1 peter  staff     2 Jun 19 15:16 finder_position.config
 drwx------    4 peter  staff   136 Apr 28 16:01 kbfs_block_cache/
 drwx------    2 peter  staff    68 Feb 23 16:52 kbfs_journal/
 drwxr-xr-x    7 peter  staff   238 Jun 19 15:17 keybase.chat.leveldb/
 drwxr-xr-x   12 peter  staff   408 Jun 22 01:17 keybase.leveldb/
 -rw-------    1 peter  staff   692 Jun 22 16:28 secretkeys.dltj.mpack
 -rw-r--r--    1 peter  staff    46 Feb 20 09:23 started.txt
 -rw-------    1 peter  staff   104 Feb 23 16:51 updater.json

I'm happy! Feel free to close the issue or, if I can help with further debugging, I'll keep the old settings directory around for a while and you can let me know what you'd like me to try.

zapu commented 7 years ago

Oh, wow, thank you for digging deeper into it! So there is some unwanted secret key caching. Thank you, this helped a lot!

zapu commented 7 years ago

Caching bug has been fixed server-side and will be live soon. Thanks