Could not enroll user on Android app

Thanks to @garrett's advice in another thread, I figured out that the keys in the files used by the server were expired:

root@server:~# gpg --list-packets /var/www/passbolt/config/gpg/serverkey.asc
# off=0 ctb=99 tag=6 hlen=3 plen=397
:public key packet:
version 4, algo 1, created 1569702234, expires 0
pkey[0]: [3072 bits]
pkey[1]: [17 bits]
keyid: xx
# off=400 ctb=b4 tag=13 hlen=2 plen=21
:user ID packet: xx
# off=423 ctb=89 tag=2 hlen=3 plen=468
:signature packet: algo 1, keyid xx
version 4, created 1569702234, md5len 0, sigclass 0x13
digest algo 10, begin of digest 74 b0
hashed subpkt 33 len 21 (issuer fpr v4 xx)
hashed subpkt 2 len 4 (sig created 2019-09-28)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
subpkt 16 len 8 (issuer key ID xx)
data: [3072 bits]
# off=894 ctb=b9 tag=14 hlen=3 plen=397
:public sub key packet:
version 4, algo 1, created 1569702234, expires 0
pkey[0]: [3072 bits]
pkey[1]: [17 bits]
keyid: xx
# off=1294 ctb=89 tag=2 hlen=3 plen=444
:signature packet: algo 1, keyid xx
version 4, created 1569702234, md5len 0, sigclass 0x18
digest algo 10, begin of digest ca e4
hashed subpkt 33 len 21 (issuer fpr v4 xx)
hashed subpkt 2 len 4 (sig created 2019-09-28)
hashed subpkt 27 len 1 (key flags: 0C)
hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
subpkt 16 len 8 (issuer key ID 1DAEC1CA17F6EC88)
data: [3072 bits]

I re-exported them from the www-data user keyring (since there is no expiration date in there):

sudo -H -u www-data bash -c "gpg --export --armor --output /var/www/passbolt/config/gpg/serverkey.asc <keyid>"
sudo -H -u www-data bash -c "gpg --export-secret-key --armor --output /var/www/passbolt/config/gpg/serverkey_private.asc <keyid>"

The first time I returned to the Passbolt web page, I got a notice:

Sorry, the server key has changed.

For security reasons please check with your administrator that this is a change that they initiated. The new fingerprint:

Since I know I’ve just changed it, it is safe to confirm and accept the new key.
Btw, the server key should be the same as before, so there is nothing to change in passbolt.php.

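Added example, not part of the original post: in the listing above the key packets say `expires 0`, because a v4 key's lifetime is stored in subpacket 9 of its self-signature ("key expires after 2y0d0h0m"), so the real expiry is the creation time plus that lifetime. The sketch below computes it from `gpg --list-packets` output; the function names `key_expiry_report` and `sample_packets` are hypothetical, and the sample is constructed from the lines shown in the post.

```shell
#!/bin/sh
# Reads `gpg --list-packets` output on stdin and prints one line per key or
# subkey: "<kind> <expiry-epoch|never> <EXPIRED|VALID>".
# $1 = reference time as a Unix epoch (defaults to the current time).
key_expiry_report() {
  awk -v now="${1:-$(date +%s)}" '
    function emit() {
      if (kind == "") return
      if (life == 0) { print kind, "never", "VALID"; return }
      expiry = created + life
      printf "%s %.0f %s\n", kind, expiry, (expiry <= now ? "EXPIRED" : "VALID")
    }
    # A key or subkey packet starts a new record.
    /^:(public|secret) (sub )?key packet:/ {
      emit(); kind = ($2 == "sub") ? "subkey" : "primary"
      life = 0; created = 0; inkey = 1; next
    }
    /^:signature packet:/ { inkey = 0 }
    # Creation time: "version 4, algo 1, created N, expires 0" in the key packet.
    inkey && /created [0-9]+/ {
      match($0, /created [0-9]+/)
      created = substr($0, RSTART + 8, RLENGTH - 8) + 0
    }
    # Subpacket 9 carries the lifetime; gpg prints it using 365-day years.
    /key expires after/ {
      match($0, /[0-9]+y[0-9]+d[0-9]+h[0-9]+m/)
      split(substr($0, RSTART, RLENGTH), t, /[ydhm]/)
      life = ((t[1] * 365 + t[2]) * 24 + t[3]) * 3600 + t[4] * 60
    }
    END { emit() }
  '
}

# Constructed sample, trimmed from the output quoted in the post.
sample_packets() {
  cat <<'EOF'
:public key packet:
version 4, algo 1, created 1569702234, expires 0
:signature packet: algo 1, keyid xx
version 4, created 1569702234, md5len 0, sigclass 0x13
hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
:public sub key packet:
version 4, algo 1, created 1569702234, expires 0
:signature packet: algo 1, keyid xx
version 4, created 1569702234, md5len 0, sigclass 0x18
hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
EOF
}

sample_packets | key_expiry_report 1700000000
```

Against a real file, pipe `gpg --list-packets <file>` into `key_expiry_report`. It takes the last expiration subpacket seen for each key and does not verify the signatures.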