Closed hborchardt closed 2 years ago
Hi @hborchardt and thank you for your feedback 👍
I will check on my side and will update the documentation accordingly.
I will keep you posted on this.
Cheers,
Hi @hborchardt ,
I would like to check something. If you remove the PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "theKeyFingerprintFromTheOldConfig" environment variable from your docker-compose.yaml file, and restart the stack, do you still have the issue?
Thanks and regards,
I just now commented that line and then did docker-compose up -d, which recreated the container.
The error appeared again -- let me give more details on what the problem is:
I tried to get to the bottom of this and when the extension service worker reacts to the passbolt.recover.import-key message, it makes a request of POST /auth/verify.json?api-version=2 to passbolt including the credentials: https://github.com/passbolt/passbolt_browser_extension/blob/264a2e35efd998826fec87c1dae3108b65ded4eb/src/all/background_page/model/gpgauth.js#L97
In PHP, it entered this branch, because $fingerprint was empty: https://github.com/passbolt/passbolt_api/blob/beb4b528f2760f24cfc8221d22a4ccac76bcec9b/src/Authenticator/GpgAuthenticator.php#L305
Hence I was guessing that the fingerprint is what is missing, and it can be set using the environment variable, and it was set in the previous config (passbolt.php).
I am happy to help with further questions :)
Hi @hborchardt 👋
Sorry for this late reply. I took some time this morning to dig into this issue, tried to understand why PASSBOLT_GPG_SERVER_KEY_FINGERPRINT was needed in the scope of a migration to docker and I found it.
In the docker-entrypoint.sh script at lines 124 to 127, if PASSBOLT_GPG_SERVER_KEY_FINGERPRINT is not set, we try to guess it with the PASSBOLT_KEY_EMAIL:
# Only guess when the variable is unset and no legacy passbolt.php config is present
if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f "$passbolt_config/passbolt.php" ]; then
    # Look the key up by e-mail (as www-data) and take the first fingerprint record;
    # if no key matches, this yields an empty string
    gpg_auto_fingerprint="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
    export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint
fi
By default on docker, PASSBOLT_KEY_EMAIL is set to passbolt@yourdomain.com so if it is not your server key email address, you won't be able to use your keys to authenticate.
I will update the documentation accordingly.
Hi, thanks a lot for looking into this. I was actually wondering why the fingerprint needed to be part of the config, as it seemed to be easily obtainable. This answers it.
Maybe the docker-entrypoint should output a helpful error and fail if the gpg command did not return any key?
But I acknowledge that this might be just happening in rare cases like mine (migrating to docker), so documenting it is okay as well.
Thanks again!
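An added example, not passbolt's own docker-entrypoint.sh, of the loud failure suggested above: the same e-mail-based lookup as the entrypoint, but the lookup stops with a clear message when the keyring has no matching key instead of exporting an empty fingerprint. The su/www-data privilege drop of the original is omitted and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not passbolt project code): resolve the server key fingerprint
# the way docker-entrypoint.sh does, but fail loudly when no key is found.

# Print the first primary-key fingerprint from `gpg --list-keys --with-colons`
# output read on stdin (field 10 of the first "fpr" record, like the original
# `grep fpr | head -1 | cut -f10 -d:`). Returns 1 and prints nothing if absent.
fingerprint_from_listing() {
    fpr="$(awk -F: '$1 == "fpr" { print $10; exit }')"
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$fpr"
}

# Prefer an explicit PASSBOLT_GPG_SERVER_KEY_FINGERPRINT; otherwise look the key
# up by PASSBOLT_KEY_EMAIL (same default as the entrypoint) and abort with a
# message naming both variables when the keyring has no match.
resolve_server_fingerprint() {
    if [ -n "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:-}" ]; then
        printf '%s\n' "$PASSBOLT_GPG_SERVER_KEY_FINGERPRINT"
        return 0
    fi
    email="${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com}"
    homedir="${GNUPGHOME:-$HOME/.gnupg}"   # gpg's own default when the entrypoint has not set it
    fpr="$(gpg --homedir "$homedir" --list-keys --with-colons "$email" 2>/dev/null \
           | fingerprint_from_listing)" || {
        echo "error: no GPG key for '$email' in $homedir;" \
             "set PASSBOLT_KEY_EMAIL to the server key's e-mail" \
             "or set PASSBOLT_GPG_SERVER_KEY_FINGERPRINT explicitly" >&2
        return 1
    }
    printf '%s\n' "$fpr"
}
```

In the entrypoint the exported value is what the PHP side reads, so a `|| exit 1` after `resolve_server_fingerprint` is what turns a silent empty $fingerprint into a failed container start.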
Hi,
Thank you for reporting this and helping us build better documentation. We updated it.
Cheers,
Hi 👋
Today I was attempting an upgrade of passbolt from source to docker with this guide: https://help.passbolt.com/hosting/upgrade/ce/migrate-existing-ce-to-docker.html
I spent a lot of time figuring out that I also need to put the server public key fingerprint into the docker-compose.yml file as an environment variable:
Would be nice to see this integrated into the guide 😃