passbolt / passbolt_help

Passbolt help and knowledge base site for the open source password manager for teams!
https://help.passbolt.com
GNU Affero General Public License v3.0

Missing step for migration from source to docker #72

Closed hborchardt closed 2 years ago

hborchardt commented 2 years ago

Hi 👋

Today I was attempting an upgrade of passbolt from source to docker with this guide: https://help.passbolt.com/hosting/upgrade/ce/migrate-existing-ce-to-docker.html

I spent a lot of time figuring out that I also need to put the server public key fingerprint into the docker-compose.yml file as an environment variable:

services:
  passbolt:
    environment:
      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "theKeyFingerprintFromTheOldConfig"

Would be nice to see this integrated into the guide 😃

AnatomicJC commented 2 years ago

Hi @hborchardt and thank you for your feedback 👍

I will check on my side and will update the documentation accordingly.

I will keep you posted on this.

Cheers,

AnatomicJC commented 2 years ago

Hi @hborchardt ,

I would like to check something. If you remove the PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "theKeyFingerprintFromTheOldConfig" environment variable from your docker-compose.yaml file and restart the stack, do you still have the issue?

Thanks and regards,

hborchardt commented 2 years ago

I just now commented that line and then did docker-compose up -d, which recreated the container. The error appeared again -- let me give more details on what the problem is:

I tried to get to the bottom of this: when the extension service worker reacts to the passbolt.recover.import-key message, it makes a POST /auth/verify.json?api-version=2 request to passbolt including the credentials: https://github.com/passbolt/passbolt_browser_extension/blob/264a2e35efd998826fec87c1dae3108b65ded4eb/src/all/background_page/model/gpgauth.js#L97

In PHP, it entered this branch, because $fingerprint was empty: https://github.com/passbolt/passbolt_api/blob/beb4b528f2760f24cfc8221d22a4ccac76bcec9b/src/Authenticator/GpgAuthenticator.php#L305

Hence I was guessing that the fingerprint is what is missing, and it can be set using the environment variable, and it was set in the previous config (passbolt.php).

I am happy to help with further questions :)

AnatomicJC commented 2 years ago

Hi @hborchardt 👋

Sorry for this late reply. I took some time this morning to dig into this issue, tried to understand why PASSBOLT_GPG_SERVER_KEY_FINGERPRINT was needed in the scope of a migration to docker and I found it.

In the docker-entrypoint.sh script at lines 124 to 127, if PASSBOLT_GPG_SERVER_KEY_FINGERPRINT is not set, we try to guess it with the PASSBOLT_KEY_EMAIL:

  if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f  "$passbolt_config/passbolt.php" ]; then
    gpg_auto_fingerprint="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
    export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint
  fi

By default on docker, PASSBOLT_KEY_EMAIL is set to passbolt@yourdomain.com so if it is not your server key email address, you won't be able to use your keys to authenticate.

I will update the documentation accordingly.

hborchardt commented 2 years ago

Hi, thanks a lot for looking into this. I was actually wondering why the fingerprint needed to be part of the config, as it seemed to be easily obtainable. This answers it.

Maybe the docker-entrypoint should output a helpful error and fail if the gpg command did not return any key?

But I acknowledge that this might be just happening in rare cases like mine (migrating to docker), so documenting it is okay as well.

Thanks again!
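To make the two points above concrete (the fingerprint guess from PASSBOLT_KEY_EMAIL in docker-entrypoint.sh, and the suggestion that the entrypoint should fail with a helpful error when gpg returns no key), here is an added example script. It is not passbolt's own code: it reproduces the same "first fpr record, field 10" extraction over a constructed stand-in for `gpg --list-keys --with-colons` output (the key IDs, fingerprints and the e-mail server@example.org are made up), so it runs without gpg, and it turns an empty guess into a hard error instead of exporting an empty PASSBOLT_GPG_SERVER_KEY_FINGERPRINT.

```shell
#!/bin/sh
# Added example, not code from passbolt's docker-entrypoint.sh.
# Reproduces the fingerprint auto-detection the entrypoint performs, but
# fails loudly when no key matches the configured e-mail.

# Constructed stand-in for `gpg --list-keys --with-colons` output. The key
# IDs and fingerprints are made up; the uid e-mail is server@example.org.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:3072:1:AAAAAAAAAAAAAAAA:1700000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::DEADBEEF::Passbolt Server <server@example.org>::::::::::0:
sub:u:3072:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# fingerprint_for_email LISTING EMAIL
# Prints the primary-key fingerprint of the first key whose uid contains
# <EMAIL>, or nothing if no key matches. As in the entrypoint, the fingerprint
# is field 10 of the first "fpr" record after a "pub" record (the primary
# key's fingerprint, not a subkey's).
fingerprint_for_email() {
  printf '%s\n' "$1" | awk -F: -v needle="<$2>" '
    $1 == "pub" { fpr = "" }                 # new key: forget the previous fpr
    $1 == "fpr" && fpr == "" { fpr = $10 }   # first fpr after pub = primary key
    $1 == "uid" && index($10, needle) > 0 && fpr != "" { print fpr; exit }
  '
}

# resolve_server_fingerprint EXPLICIT LISTING EMAIL
# Same precedence as the entrypoint: an explicit value (what you would put in
# PASSBOLT_GPG_SERVER_KEY_FINGERPRINT) wins; otherwise guess from the e-mail.
# Unlike the entrypoint, an empty guess is an error, because an empty
# fingerprint only surfaces later as a failed /auth/verify.json.
resolve_server_fingerprint() {
  explicit=$1
  listing=$2
  email=$3
  if [ -n "$explicit" ]; then
    printf '%s\n' "$explicit"
    return 0
  fi
  guessed=$(fingerprint_for_email "$listing" "$email")
  if [ -z "$guessed" ]; then
    printf 'error: no GPG key with uid <%s> found in the keyring.\n' "$email" >&2
    printf 'Set PASSBOLT_KEY_EMAIL to the server key e-mail, or set PASSBOLT_GPG_SERVER_KEY_FINGERPRINT explicitly.\n' >&2
    return 1
  fi
  printf '%s\n' "$guessed"
}

# Demo: the docker default e-mail does not match the migrated key, so
# detection fails with a message; the key's real e-mail or an explicit
# fingerprint succeeds.
if fp=$(resolve_server_fingerprint "" "$SAMPLE_LISTING" "passbolt@yourdomain.com"); then
  echo "unexpected: $fp"
fi
fp=$(resolve_server_fingerprint "" "$SAMPLE_LISTING" "server@example.org") && echo "detected: $fp"
fp=$(resolve_server_fingerprint "0123456789ABCDEF0123456789ABCDEF01234567" "$SAMPLE_LISTING" "passbolt@yourdomain.com") && echo "explicit: $fp"
```

Two caveats on the comparison with the real entrypoint: `gpg --list-keys EMAIL` matches the e-mail as a substring of the user ID, whereas this example requires the `<email>` form, which is stricter; and the entrypoint only guesses when the variable is unset (`${VAR+xxx}`) and no passbolt.php exists, so a migrated passbolt.php that still carries the old fingerprint would also skip the guess.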

AnatomicJC commented 2 years ago

Hi,

Thank you for reporting this and helping us build better documentation. We updated it.

Cheers,