passbolt / passbolt_docker

Get started with Passbolt CE using docker!
https://passbolt.com
GNU Affero General Public License v3.0

Automatic GPG fingerprint extraction not working when passbolt.php present #192

Closed: a-ts closed this issue 1 year ago

a-ts commented 1 year ago

Hi, I have the following challenge: in my ansible automation, I need to create a passbolt.php to define the CA-file for the communication with a mail server (local CA):

    'EmailTransport' => [
        ...
        'context' => [
            'ssl' => [
                'cafile' => '/usr/local/share/ca-certificates/my_root_certificate.crt'
            ],
        ],
        ...
    ];

By defining the passbolt.php, the fingerprint of the automatically generated certificates is no longer extracted because of these lines:

https://github.com/passbolt/passbolt_docker/blob/e51a518db14d0254d4a4747084eee124fcb1bdbc/scripts/entrypoint/passbolt/entrypoint.sh#L96-L98

Now, I had to implement a GPG key generation process and the fingerprint extraction in ansible, which is basically already present in your code. Would it be possible to extend the if clause in the code snippet by some kind of flag that enables the automatic fingerprint handling even if a passbolt.php file is present? Is there maybe a different way of achieving my goal?

dlen commented 1 year ago

Hi @a-ts!

So if I understood it correctly, you are running a fresh passbolt docker with the passbolt.php injected, but you don't want to provide the GPG fingerprint in the passbolt.php file. Is that right?

a-ts commented 1 year ago

That is absolutely right because (from my understanding) I either need to generate the GPG keys (with very similar commands as you do) and mount them so that I can calculate the fingerprint before templating the passbolt.php or I need to inject the fingerprint after the keys have been generated in the container, which means touching either the container or the passbolt.php a second time.

dlen commented 1 year ago

We added a new environment variable named PASSBOLT_GPG_SERVER_KEY_FINGERPRINT_FORCE. You can re-pull the 3.12.0-3-ce or 3.12.0-pro to test it. Hope this solves your issue.
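
The fingerprint step discussed in this thread, as an added example that is not part of the issue or of passbolt_docker's own code: it reads `gpg --with-colons` output, returns only the primary key's fingerprint (subkeys carry their own `fpr` records), and skips extraction when a passbolt.php exists unless the force variable is set. The function names, the `CONFIG_FILE` variable, the sample listing and the "any non-empty value enables it" reading of the force variable are assumptions.

```shell
#!/bin/sh
# Added example, not passbolt_docker code; function names are hypothetical.

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
# Subkeys have their own fpr records, so only an fpr record that belongs to
# a pub/sec record is accepted.
primary_fingerprint() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { want = 1; next }
        $1 == "sub" || $1 == "ssb" { want = 0; next }
        $1 == "fpr" && want {
            # Field 10 is the fingerprint; v4 keys have 40 hex digits.
            if ($10 ~ /^[0-9A-Fa-f]+$/ && length($10) == 40) {
                print toupper($10); found = 1; exit
            }
            want = 0
        }
        END { exit(found ? 0 : 1) }
    '
}

# Decide whether to derive the fingerprint automatically.
# $1 = path to passbolt.php, $2 = value of the force variable.
# Assumption: any non-empty force value enables extraction; the thread does
# not say how the container interprets the value.
should_auto_extract() {
    [ ! -f "$1" ] || [ -n "$2" ]
}

# Constructed sample listing (not a real key).
sample_listing() {
    cat <<'EOF'
tru::1:1700000000:0:3:1:5
pub:u:3072:1:AAAABBBBCCCCDDDD:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:u::::1700000000::0000000000000000000000000000000000000000::Passbolt default user <passbolt@example.com>::::::::::0:
sub:u:3072:1:1111222233334444:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA981111222233334444:
EOF
}

# Demo on the constructed listing; with a real key, pipe in the output of
# `gpg --list-keys --with-colons <key email>` instead.
if should_auto_extract "${CONFIG_FILE:-/nonexistent/passbolt.php}" \
        "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT_FORCE:-}"; then
    sample_listing | primary_fingerprint
fi
```

A non-zero exit from `primary_fingerprint` means no valid primary-key fingerprint was found, which an automation should treat as a failure rather than templating an empty value.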