Can't use Android App

Thanks for the reply,

I’m using version 1.1.0 of the Android App.
Looking forward to testing the new release.

I installed the latest version, but unfortunately no change.

Then I cloned the project from github and debugged the Passbolt App in Android Studio on my phone. When I hit the “Sign In” button:

The app did a GET https://server/auth/verify.json which returned a PGP PUBLIC KEY BLOCK.
Next: GetPrivateKeyUseCase: Getting private key. Filename: user_key…
Followed by an exception:

2021-12-27 17:05:24.672 9341-9341/com.passbolt.mobile.android.debug E/OpenPgp: There was an error during encryptSignMessageArmored
go.Universe$proxyerror: gopenpgp: unable to parse public key: gopenpgp: the key contains too many entities
at com.proton.Gopenpgp.helper.Helper.encryptSignMessageArmored(Native Method)
at com.passbolt.mobile.android.gopenpgp.OpenPgp$encryptSignMessageArmored$2.invokeSuspend(OpenPgp.kt:48)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)

Kind Regards.

Hi !

Sorry to report that I also updated the app to 1.2.0 and still have the same issue.
However, the dark mode looks really nice on that new release. I cannot wait to use it on a daily basis.

Best regards,
John

Hi guys,

Sorry to hear it, we are working hard to have logs accessible within the passbolt App, and we are also increasing the verbosity of the logs during the auth phase. Of course without any data leak.

We will keep you posted, thank you so much for the feedback.

Best,
Max

@1voud in the public key do you see any extra new line at the end of the key?
If so can you remove any new line at the end of your JWT public key and try the sign in again?

The key layout (JWT and GPG) looks fine to me. I did some digging and debugging.
The error: “gopenpgp: the key contains too many entities” seems to come from gopenpgp:

func (key *Key) readFrom(r io.Reader, armored bool) error {

When trying to read the server public PGP key.

When I inspect the server PGP key I see 2 entries with: uid Passbolt default user passbolt@yourdomain.com
Since I’m not familiar with GPG I’m not sure, but could it be the issue?

What you can do is query with Postman or another tool
https://yourdomain/auth/jwt/rsa.json
Then in the key data look for a double \n after the BEGIN PUBLIC KEY or before END PUBLIC KEY
We noticed that some keys are badly interpreted by gopenpgp

Hi !

When I try https:///auth/verify.json, I receive the fingerprint & keydata.
When I try https:///auth/jwt/rsa.json, I receive a 500 error with message “The key pair for JWT Authentication is not complete.”

@1voud, Is it the same for you ?

@johndi89 and the healthcheck command indicates that all is green in the JWT section?

Yep :sob:

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [PASS] No error found. Nice one sparky!

I realized I didn’t provide begin and end of public key (from /auth/verify.json) :

"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nm##########
#################################################
##==\n=9AAr\n-----END PGP PUBLIC KEY BLOCK-----\n"

I’m not sure if it’s normal or not…

No double newlines (\n) in the public key /auth/jwt/rsa.json.
The key looks perfectly fine.

But during my debugging session it seems to fail on parsing the server public key (GPG), not the JWT key. (Or I missed something as I’m not an expert)

@1voud I unlocked @johndi89 in a call; it was an issue with the jwt keys permissions.
So first you need to check the ownership of the jwt folder:

sudo chown -Rf root:www-data /etc/passbolt/jwt
sudo chmod 750 /etc/passbolt/jwt
sudo chmod 640 /etc/passbolt/jwt/jwt.key
sudo chmod 640 /etc/passbolt/jwt/jwt.pem

Then logout from your account
Login again
Try to transfer the key again on mobile
If there is still an issue we can try:

sudo /usr/share/php/passbolt/bin/cake passbolt create_jwt_keys -v -f

Then, like before, log out, log in, transfer on mobile

Let me know

1 Like

Thanks for your reply.

I followed the instructions, the ownership was correct (www-data www-data).

/etc/passbolt/jwt had 750 --> changed to 755
/etc/passbolt/jwt/jwt.key had 640 --> changed to 600
/etc/passbolt/jwt/jwt.pem had 644

Logged in, transferred keys, no change.

runuser -u www-data -- /usr/share/php/passbolt/bin/cake passbolt create_jwt_keys -v -f

Logged out, logged in, transferred keys, no change.

Do you have Apache web server or nginx?
You may check this post, I could solve that problem with Apache and there are some users trying to do the same on Nginx

A short summary, as the information is a bit scattered through the thread.

The mobile App throws an exception in the com.passbolt.mobile.android.feature.authentication.auth.challenge.ChallengeProvider.kt when calling:

val encryptedChallenge = openPgp.encryptSignMessageArmored(
    publicKey = serverPublicKey,
    privateKey = privateKey,
    passphrase = passphraseCopy,
    message = challengeJson
)

When I inspect the serverPublicKey variable it holds the public GPG key from the server.

The Exception is:
com.passbolt.mobile.android.gopenpgp.exception.OpenPgpException: gopenpgp: unable to parse public key: gopenpgp: the key contains too many entities.

Please let me know if I need to collect some more info.

@1voud
The fact that you have 2 entries for uid passbolt@yourdomain.com is an issue indeed.

You need to identify which key is used on your server
if you have a passbolt.php (/var/www/passbolt/config/passbolt.php or /etc/passbolt/passbolt.php)

exec the following command to identify your public key fingerprint
cat passbolt.php | grep fingerprint
you should get
'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',

Then look for the location of your gpg keyring
sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg" www-data
or
sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt healthcheck --gpg" www-data
you will see this line
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.

Then you need to list the keys associated with passbolt@yourdomain.com
sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --list-keys | grep -i -B 2 'passbolt@yourdomain.com'" www-data
You should see two keys. Identify the one (let's say 1183899100E52F0047BBBDF617AE53A5D9F11253 for example) that is not the one listed in your passbolt.php file and do
sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --delete-keys 1183899100E52F0047BBBDF617AE53A5D9F11253" www-data

Then tell us the result

Best,
Max

1 Like
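
A way to check for the condition described in the post above (two keys behind one uid, which gopenpgp reports as "too many entities"), as an added example that is not part of the original thread or of passbolt's code: it counts primary public-key packets in armored key data such as the keydata returned by /auth/verify.json. The function names are hypothetical and the sample key is constructed.

```python
import base64
import re

NAME = "PGP PUBLIC KEY BLOCK"
ARMOR = re.compile(f"-----BEGIN {NAME}-----(.*?)-----END {NAME}-----", re.S)

def dearmor(body: str) -> bytes:
    """Drop armor headers and the '=XXXX' CRC line, then base64-decode."""
    data = body.replace("\r", "").partition("\n\n")[2]
    return base64.b64decode("".join(l for l in data.split("\n") if l[:1] != "="))

def packet_tags(data: bytes):
    """Yield the tag of each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:  # new format: tag in the low six bits
            tag, o1 = first & 0x3F, data[i + 1]
            if o1 < 192:
                length, i = o1, i + 2
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not expected in a key")
        else:  # old format: low two bits select 1, 2 or 4 length octets
            tag, n = (first >> 2) & 0x0F, 1 << (first & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not expected in a key")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag
        i += length

def count_entities(armored: str) -> int:
    """Count primary public-key packets (tag 6) over all armored blocks."""
    return sum(t == 6 for b in ARMOR.findall(armored) for t in packet_tags(dearmor(b)))

# Constructed sample: real packet headers, dummy bodies, placeholder CRC (not verified).
def pkt(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body
def armor(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {NAME}-----\n\n{b64}\n=AAAA\n-----END {NAME}-----\n"

ONE_KEY = pkt(6, bytes(21)) + pkt(13, b"Passbolt default user") + pkt(14, bytes(21))
SINGLE, DOUBLE = armor(ONE_KEY), armor(ONE_KEY + ONE_KEY)
```

Pass the keydata string from the server response to `count_entities`; a result above 1 matches the two-key situation discussed in this thread.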

I had some issues running the gpg commands in the docker container, the list-keys worked fine. The keyring being writable check PASS-ed.
The GPG keys are being imported during container startup each time, but I was not able to remove the public key from the keyring since there was a private key. The deletion of the private key failed (no permission).

That’s why I took a different route. I exported both keypairs and replaced the GPG files which get imported at container startup so that only one would be imported at a time on container startup.
The first key(pair) got me one step further while the second key(pair) made the Android App work!!

Thanks so much for all the support !!

Passbolt Rocks!

1 Like

Superb @1voud

Enjoy the app and thanks for choosing passbolt :wink:

Best,
Max

P.S: @johndi89 Since you started the thread, could it be possible to close it?

(am closing thread after solution has been reached)