Cannot decrypt e-mail pgp message

Hi all,
I’ve imported my private key into GPGFrontend / OpenPGP on my Windows 11 machine.
Trying to decrypt the PGP message I receive from Passbolt when I change a secret I do get a “no data” error. It seems the message isn’t recognized as a valid PGP message. I copy&paste the PGP message into GPGFrontend or Kleopatra but it doesn’t work.
To my understanding, this should work.
Does anybody have an idea as to why it might not?

Thanks!
Frank

Nobody? Can anybody confirm that the e-mail with the PGP message he/she receives contains a valid PGP message? I wonder if it is a problem resulting from the e-mail handling of the passbolt server?

Hello @cyfrax
Sorry for the delay there!

I investigated the issue; unfortunately I am not able to reproduce it. I am able to decrypt the PGP message included in emails as you can see below:

After censoring any sensitive data, can you share the output of the status report?

# for Debian||Ubuntu: sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/status-report" www-data
# for RPM: sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/status-report" nginx 
# for Docker: su -s /bin/bash -c "source /etc/environment && /usr/share/php/passbolt/bin/status-report" www-data

Also, have you tried to manually decrypt it using PowerShell? Have you also made sure that the PGP message is properly formatted, e.g., no empty line at the beginning?

Hi Antony,

Thanks very much for looking into this.
After trying my local GPG installations on Windows, I have tried several online services which offer decoding of PGP messages; there seems to be a problem in the formatting of the PGP message.
I’ve tried cleaning it up in an editor, erasing new lines and spaces etc., but couldn’t find the issue.

Can I switch on a debug log to those PGP messages somewhere on the server to check if something has garbled up during the e-mail sending process?

Here is a sample PGP message I just created with a new / unused account.

Attached health check report (please note server is behind reverse proxy, thus no SSL).

Open source password manager for teams

Passbolt CE 4.10.1
Cakephp 4.5.7
Linux server.domain.com 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
PHP 8.1.2-1ubuntu2.20 (cli) (built: Dec 3 2024 20:14:35) (NTS)
mysql Ver 15.1 Distrib 10.6.18-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4


Healthcheck shell

Environment

[INFO] Linux server.domain.com 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
[PASS] PHP version 8.1.2-1ubuntu2.20.
[PASS] PHP version is 8.1 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.2.27 / libgcrypt 1.9.4
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] System clock is synchronized and NTP service is active.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://pb.domain.com
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
[HELP] Check the network settings

SSL Certificate

[WARN] SSL peer certificate does not validate.
[WARN] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate.
[HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.10.1).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 34 tables found.
[PASS] Some default content is present.

[FAIL] 3 error(s) found. Hang in there!


Cleanup shell (dry-run)

No issue found, data looks squeaky clean!


Data check shell
[PASS] Data integrity for AuthenticationTokens.
[PASS] Can validate: 1143/1143
[PASS] Data integrity for Comments.
[PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
[PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
[PASS] Can encrypt: 8/8
[PASS] Pass validation service checks: 8/8
[PASS] Entity data and armored key data matches: 8/8
[PASS] Is not expired: 8/8
[PASS] Is armored key format valid: 8/8
[PASS] Data integrity for Groups.
[PASS] Can validate: 0/0
[PASS] Data integrity for Profiles.
[PASS] Can validate: 9/9
[PASS] Data integrity for Resources.
[PASS] Can validate: 2615/2615
[PASS] Data integrity for Secrets.
[PASS] Can validate: 1498/1498
[PASS] Data integrity for Users.
[PASS] Can validate: 9/9

I have just tried several things again, and found a problem in the PGP header / footer.
If I remove all characters before and after the content and add a PGP header manually using “add PGP header”, it decodes.
So there is a problem in the header/footer which I haven’t been able to identify yet. Also, might it be Windows-specific?
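The two formatting points raised in this thread (Antony's "no empty line at the beginning" and the header/footer problem found above) both live in the ASCII-armor layer that GnuPG parses before it ever reaches the ciphertext: the header line must be followed by a blank line, the base64 body by a `=CRC24` line, then the tail line. When a mail client reflows the armor onto one line, GnuPG reports "no data". The following script is an added illustration, not code from the thread or from passbolt: it builds a well-formed armor block around a constructed stand-in payload, simulates the reflow, and rebuilds the armor while verifying the RFC 4880 CRC-24 so that a message that was actually altered (not merely reflowed) is rejected instead of silently "repaired". It assumes a message without armor headers such as `Version:` (the sample posted above has none).

```python
import base64
import re

# Constructed stand-in for the ciphertext. GnuPG parses the armor layer first,
# so the payload does not need to be a real OpenPGP packet for this demo.
CONSTRUCTED_PAYLOAD = b"stand-in ciphertext bytes, not a real OpenPGP packet"
ARMOR_RE = re.compile(r"-----BEGIN PGP MESSAGE-----(.*?)-----END PGP MESSAGE-----", re.S)


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (poly 0x864CFB, init 0xB704CE)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def build_armor(payload: bytes) -> str:
    """Well-formed armor: header line, blank line, 64-char base64 lines, =CRC line, tail line."""
    body = base64.b64encode(payload).decode()
    body_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    lines = ["-----BEGIN PGP MESSAGE-----", ""] + body_lines + [crc_line, "-----END PGP MESSAGE-----"]
    return "\n".join(lines) + "\n"


def flatten_like_mail_client(armor: str) -> str:
    """Simulate a client collapsing every line break into a single space."""
    return " ".join(armor.split())


def repair_armor(text: str):
    """Rebuild the armor from reflowed text; None if markers, base64 or CRC-24 do not check out."""
    match = ARMOR_RE.search(text)
    if not match:
        return None
    tokens = match.group(1).split()
    crc_tokens = [t for t in tokens if t.startswith("=") and len(t) == 5]
    if len(crc_tokens) != 1:
        return None
    try:
        payload = base64.b64decode("".join(t for t in tokens if not t.startswith("=")), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_tokens[0][1:], validate=True), "big")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if crc24(payload) != expected:
        return None  # body or checksum altered in transit, not merely reflowed
    return build_armor(payload)
```

If `repair_armor` returns a block, it is the same armor GnuPG or Kleopatra expects; if it returns None for a message that decrypts nowhere, the bytes themselves were changed on the way, which points at the mail pipeline rather than the client.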