keygen-sh / keygen-api

Keygen is a fair source software licensing and distribution API built with Ruby on Rails. For developers, by developers.
https://keygen.sh

The Keygen-Signature header's signature param is empty in Keygen CE #833

Closed Halecoder closed 1 month ago

Halecoder commented 2 months ago

Why is the signature null when the API is self-deployed and the CE version is used? When I use api.keygen.sh, it is not empty. Is this because of the settings, or do I need to use the EE version?

ezekg commented 2 months ago

What request are you making? What version of Keygen CE? Not all requests return a signature header, e.g. GET /v1/ping or when the requested account is not found (since we don't have a keypair without an account).

In a console, what does Account.sole.ed25519_public_key return?

Is the Keygen-Signature header missing, or empty?

Halecoder commented 1 month ago

What request are you making? What version of Keygen CE? Not all requests return a signature header, e.g. GET /v1/ping or when the requested account is not found (since we don't have a keypair without an account).

In a console, what does Account.sole.ed25519_public_key return?

Is the Keygen-Signature header missing, or empty?

Hello, thank you for your prompt and patient reply. Following what you said, I did the following troubleshooting. First, for Account.sole.ed25519_public_key, I used the following commands:

docker exec -u root -it keygen-ce bash 
bundle exec rails console
Account.sole.ed25519_public_key

(screenshot)

Then there's Keygen-Signature: the header isn't missing, but the signature inside it is an empty string.

(screenshot)

Halecoder commented 1 month ago

By the way, for personal reasons I didn't use the api.keygen.sh domain format but an IP+port format for testing, and then forced SSL verification off. Could it be related to this situation?

Here's how I turned off SSL:

docker exec -u root -it keygen-ce bash
apk add --update vim
vim ./config/environments/production.rb

Then change config.force_ssl to false.

ezekg commented 1 month ago

I don't think that's related. But using an IP+port may cause routing issues since Keygen expects a domain name host.

Regardless, check your server logs. There should be an error logged in case of an issue with OpenSSL or another cryptography lib.

You may be missing a library. Are you using the official Docker image?

Halecoder commented 1 month ago

I don't think that's related. But using an IP+port may cause routing issues since Keygen expects a domain name host.

Regardless, check your server logs. There should be an error logged in case of an issue with OpenSSL or another cryptography lib.

You may be missing a library. Are you using the official Docker image?

Yes, I use the official image. Below are my logs:

I, [2024-05-04T02:37:25.880475 #9] INFO -- : [RailsAutoscale] Sidekiq enabled
I, [2024-05-04T02:37:25.882105 #9] INFO -- : [RailsAutoscale] Reporter not started: RAILS_AUTOSCALE_URL is not set
I, [2024-05-04T02:37:25.882850 #9] INFO -- : [9affa86e-e0be-4661-ad48-b969f0ddb146] source=rack-timeout id=9affa86e-e0be-4661-ad48-b969f0ddb146 timeout=15000ms state=ready
I, [2024-05-04T02:37:29.821908 #9] INFO -- : [9affa86e-e0be-4661-ad48-b969f0ddb146] [license.validate-key] account_id=557438cc-17aa-4866-860e-2ec0a9c04b52 license_id= validation_valid=false validation_detail=does not exist validation_code=NOT_FOUND validation_scope={:fingerprint=>"4257e7437dd894a49c0526ec9172ed65cb7d1747167a90d4b7e01bd641481f45"} validation_nonce=
E, [2024-05-04T02:37:29.824228 #9] ERROR -- : [9affa86e-e0be-4661-ad48-b969f0ddb146] expected 32-byte String, got 89
E, [2024-05-04T02:37:29.824339 #9] ERROR -- : [9affa86e-e0be-4661-ad48-b969f0ddb146] /usr/local/bundle/ruby/3.2.0/gems/ed25519-1.3.0/lib/ed25519.rb:44:in `validate_key_bytes'
/usr/local/bundle/ruby/3.2.0/gems/ed25519-1.3.0/lib/ed25519/signing_key.rb:31:in `initialize'
/app/app/controllers/concerns/signature_methods.rb:95:in `new'
/app/app/controllers/concerns/signature_methods.rb:95:in `sign_with_ed25519'
/app/app/controllers/concerns/signature_methods.rb:56:in `sign_response_data'
/app/app/controllers/concerns/signature_methods.rb:42:in `generate_signature_header'
/app/app/controllers/concerns/signature_headers.rb:82:in `generate_signature_headers'
/app/app/controllers/concerns/signature_headers.rb:35:in `add_signature_headers'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/callbacks.rb:127:in `block in run_callbacks'
/app/app/controllers/concerns/request_counter.rb:14:in `count_request!'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/callbacks.rb:127:in `block in run_callbacks'
/app/app/controllers/concerns/request_logger.rb:59:in `log_request!'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/callbacks.rb:127:in `block in run_callbacks'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/callbacks.rb:138:in `run_callbacks'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/abstract_controller/callbacks.rb:233:in `process_action'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_controller/metal/rescue.rb:23:in `process_action'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_controller/metal/instrumentation.rb:67:in `block in process_action'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/notifications.rb:206:in `block in instrument'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/notifications/instrumenter.rb:24:in `instrument'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/notifications.rb:206:in `instrument'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_controller/metal/instrumentation.rb:66:in `process_action'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_controller/metal/params_wrapper.rb:259:in `process_action'
/usr/local/bundle/ruby/3.2.0/gems/activerecord-7.0.7.1/lib/active_record/railties/controller_runtime.rb:27:in `process_action'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/abstract_controller/base.rb:151:in `process'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_controller/metal.rb:188:in `dispatch'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_controller/metal.rb:251:in `dispatch'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/routing/route_set.rb:49:in `dispatch'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/routing/route_set.rb:32:in `serve'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/routing/mapper.rb:18:in `block in <class:Constraints>'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/routing/mapper.rb:48:in `serve'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/journey/router.rb:50:in `block in serve'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/journey/router.rb:32:in `each'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/journey/router.rb:32:in `serve'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/routing/route_set.rb:852:in `call'
/usr/local/bundle/ruby/3.2.0/gems/rack-attack-6.6.0/lib/rack/attack.rb:103:in `call'
/app/lib/keygen/middleware.rb:16:in `call'
/usr/local/bundle/ruby/3.2.0/gems/rack-attack-6.6.0/lib/rack/attack.rb:127:in `call'
/usr/local/bundle/ruby/3.2.0/gems/rack-timeout-0.6.0/lib/rack/timeout/core.rb:151:in `block in call'
/usr/local/bundle/ruby/3.2.0/gems/rack-timeout-0.6.0/lib/rack/timeout/support/timeout.rb:19:in `timeout'
/usr/local/bundle/ruby/3.2.0/gems/rack-timeout-0.6.0/lib/rack/timeout/core.rb:150:in `call'
/app/lib/keygen/middleware.rb:250:in `call'
/usr/local/bundle/ruby/3.2.0/gems/rack-2.2.6.4/lib/rack/head.rb:12:in `call'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/callbacks.rb:99:in `run_callbacks'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/middleware/show_exceptions.rb:29:in `call'
/usr/local/bundle/ruby/3.2.0/gems/lograge-0.12.0/lib/lograge/rails_ext/rack/logger.rb:18:in `call_app'
/usr/local/bundle/ruby/3.2.0/gems/railties-7.0.7.1/lib/rails/rack/logger.rb:25:in `block in call'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/tagged_logging.rb:99:in `block in tagged'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/tagged_logging.rb:37:in `tagged'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/tagged_logging.rb:99:in `tagged'
/usr/local/bundle/ruby/3.2.0/gems/railties-7.0.7.1/lib/rails/rack/logger.rb:25:in `call'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
/usr/local/bundle/ruby/3.2.0/gems/request_store-1.5.1/lib/request_store/middleware.rb:19:in `call'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/middleware/request_id.rb:26:in `call'
/usr/local/bundle/ruby/3.2.0/gems/rails_autoscale_agent-0.11.0/lib/rails_autoscale_agent/middleware.rb:27:in `call'
/usr/local/bundle/ruby/3.2.0/gems/activesupport-7.0.7.1/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/middleware/executor.rb:14:in `call'
/usr/local/bundle/ruby/3.2.0/gems/actionpack-7.0.7.1/lib/action_dispatch/middleware/host_authorization.rb:137:in `call'
/app/lib/keygen/middleware.rb:273:in `call'
/app/lib/keygen/middleware.rb:16:in `call'
/usr/local/bundle/ruby/3.2.0/gems/rack-cors-1.1.1/lib/rack/cors.rb:100:in `call'
/usr/local/bundle/ruby/3.2.0/gems/railties-7.0.7.1/lib/rails/engine.rb:530:in `call'
/usr/local/bundle/ruby/3.2.0/gems/puma-6.4.0/lib/puma/configuration.rb:272:in `call'
/usr/local/bundle/ruby/3.2.0/gems/puma-6.4.0/lib/puma/request.rb:100:in `block in handle_request'
/usr/local/bundle/ruby/3.2.0/gems/puma-6.4.0/lib/puma/thread_pool.rb:378:in `with_force_shutdown'
/usr/local/bundle/ruby/3.2.0/gems/puma-6.4.0/lib/puma/request.rb:99:in `handle_request'
/usr/local/bundle/ruby/3.2.0/gems/puma-6.4.0/lib/puma/server.rb:443:in `process_client'
/usr/local/bundle/ruby/3.2.0/gems/puma-6.4.0/lib/puma/server.rb:241:in `block in run'
/usr/local/bundle/ruby/3.2.0/gems/puma-6.4.0/lib/puma/thread_pool.rb:155:in `block in spawn_thread'
I, [2024-05-04T02:37:29.998056 #9] INFO -- : [9affa86e-e0be-4661-ad48-b969f0ddb146] method=POST path=/v1/licenses/actions/validate-key format=jsonapi controller=Api::V1::Licenses::Actions::ValidationsController action=validate_by_key status=200 duration=2868.16 view=0.84 db=1829.35 host=117.**.**.**  request_id=8aaeab0b-f808-4696-8921-37b3d66ca7a7 api_version=1.5 query_params=N/A account_id=557438cc-17aa-4866-860e-2ec0a9c04b52 account_slug=lhan5068 env_id=N/A env_code=N/A bearer_type=N/A bearer_id=N/A token_id=N/A authn=N/A authz=N/A ip=172.17.0.1 user_agent=electron-fetch/1.0 electron (+https://github.com/arantes555/electron-fetch) origin=N/A time=2024-05-04 02:37:29 UTC code=N/A encoded_response=N/A req_exceeded=false req_count=2 req_limit=N/A rate_limited=false rate_reset=2024-05-04 02:37:30 +0000 rate_window=30 rate_count=1 rate_limit=60 rate_remaining=59
I, [2024-05-04T02:37:29.998390 #9] INFO -- : [9affa86e-e0be-4661-ad48-b969f0ddb146] source=rack-timeout id=9affa86e-e0be-4661-ad48-b969f0ddb146 timeout=15000ms service=4116ms state=completed

ezekg commented 1 month ago

Your account's Ed25519 private key is failing to decrypt. This means that your encryption keys were changed after the account was created. During keygen setup, you should have configured a series of encryption keys via the ENCRYPTION_* environment variables. At some point after you ran the setup, the environment variables changed. This means all previously encrypted values are lost, and the result is that gibberish, i.e. random data, is now returned in its place.

If you run Account.sole.ed25519_private_key in a console, you'll see that it doesn't contain a valid Ed25519 keypair, but rather an encrypted payload that looks like the below, which signals your encryption keys changed:

{"p":"15nbLTfKKZ9VsD1x/x6nsz8Kx8qlTUHmeI9GrynuE6to7yoDZiLaQ9HNkouprs6Ws3WjcxtvHWMVY91tCIGmtw==","h":{"iv":"/RwfE6mKLiK46jTe","at":"z2dQks2M5oXTL6QBG1cN8w==","e":"VVMtQVNDSUk="}}

This is bad. To fix this, you will need to regenerate your account's keypairs:

a = Account.sole
a.update!(secret_key: nil, private_key: nil, public_key: nil, ed25519_private_key: nil, ed25519_public_key: nil)
a.send(:generate_secret_key!)
a.send(:generate_rsa_keys!)
a.send(:generate_ed25519_keys!)
a.save!

This also means that all license keys are lost. So you will need to clear them out, because their encrypted keys are no longer able to be read. Please keep your encryption secrets safe. Back them up somewhere safe in case you lose them again.

Instead of doing all of this, you could also wipe the database and run the setup again, making sure to back up the secrets.

Halecoder commented 1 month ago

Oh, my God, thank you very much. Now it's working very well and the signature has been generated (^_^)

Halecoder commented 1 month ago

Your account's Ed25519 private key is failing to decrypt. This means that your encryption keys were changed after the account was created. During keygen setup, you should have configured a series of encryption keys via the ENCRYPTION_* environment variables. At some point after you ran the setup, the environment variables changed. This means all previously encrypted values are lost, and the result is that gibberish, i.e. random data, is now returned in its place.

If you run Account.sole.ed25519_private_key in a console, you'll see that it doesn't contain a valid Ed25519 keypair, but rather an encrypted payload that looks like the below, which signals your encryption keys changed:

{"p":"15nbLTfKKZ9VsD1x/x6nsz8Kx8qlTUHmeI9GrynuE6to7yoDZiLaQ9HNkouprs6Ws3WjcxtvHWMVY91tCIGmtw==","h":{"iv":"/RwfE6mKLiK46jTe","at":"z2dQks2M5oXTL6QBG1cN8w==","e":"VVMtQVNDSUk="}}

This is bad. To fix this, you will need to regenerate your account's keypairs:

a = Account.sole
a.update!(secret_key: nil, private_key: nil, public_key: nil, ed25519_private_key: nil, ed25519_public_key: nil)
a.send(:generate_secret_key!)
a.send(:generate_rsa_keys!)
a.send(:generate_ed25519_keys!)
a.save!

This also means that all license keys are lost. So you will need to clear them out, because their encrypted keys can no longer be read. Please keep your encryption secrets safe. Back them up somewhere safe in case you lose them again.

Instead of doing all of this, you could also wipe the database and run the setup again, making sure to back up the secrets.

I'm so sorry, how does Ed25519 generate a key in base64 DER format?

(screenshot)

a.send(:generate_ed25519_keys!) generates the key in hex format, which causes my following code to fail. I don't know the related commands, sorry, this is very embarrassing. Can you tell me?

const crypto = require("crypto");

// keygen_verify_key is expected to be a base64-encoded DER (SPKI) public key
const verifyKey = crypto.createPublicKey({
  key: Buffer.from(keygen_verify_key, "base64"),
  format: "der",
  type: "spki",
});

ezekg commented 1 month ago

This may be helpful: https://keygen.sh/blog/how-to-use-hexadecimal-ed25519-keys-in-node/