Could not verify server key. The OpenPGP server key defined in the config could not be found in the GnuPG keyring

mzanetti · July 23, 2018, 1:33pm

Hello Kevin,
thank you for your reply!

This is the output of the first command

/var/www/.gnupg/pubring.gpg
---------------------------
pub   2048R/08750EFE 2018-07-17
uid                  Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
sub   2048R/88638305 2018-07-17

pub   2048R/5335C8B5 2018-07-18
uid                  Company Testing (Company Testing key) <company.testing@gmail.com>
sub   2048R/F23A5957 2018-07-18

and this is the output of the second one

/var/www/.gnupg/secring.gpg
---------------------------
sec   2048R/08750EFE 2018-07-17
uid                  Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
ssb   2048R/88638305 2018-07-17

sec   2048R/5335C8B5 2018-07-18
uid                  Company Testing (Company Testing key) <company.testing@gmail.com>
ssb   2048R/F23A5957 2018-07-18

I don’t really know what I should see. The only thing I can tell you is that the key generated with marco.zanetti@company.com was the first one I generated. Then, since I got errors, I created a new one with the company.testing@gmail.com address. That does not work either.

the output of gpg --version is the following

gpg (GnuPG) 1.4.20
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

kevin · July 23, 2018, 1:39pm

Alright.

The fact that you are using GPG V1.x could be the cause of your issue, but it’s not certain. If possible, try to upgrade to GPG V2, delete your keyring completely (rm -fr /var/www/.gnupg) , and import your keys again.

Otherwise, could you add the --fingerprint parameter to the 2 commands and update the output given in your previous post? What I am trying to figure is whether the fingerprint provided in your configuration file is also in your keyring for both the public and private server key.

mzanetti · July 23, 2018, 1:55pm

In Ubuntu gpg and gpg2 are two separate commands. Should I perform everything with gpg2 and not gpg?

If so, please notice that the first command output would be

/var/www/.gnupg/pubring.gpg
---------------------------
pub   rsa2048/08750EFE 2018-07-17 [SC]
uid         [ unknown] Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
sub   rsa2048/88638305 2018-07-17 [E]

pub   rsa2048/5335C8B5 2018-07-18 [SC]
uid         [ unknown] Company Testing (Company Testing key) <company.testing@gmail.com>
sub   rsa2048/F23A5957 2018-07-18 [E]

and the second

/var/www/.gnupg/pubring.gpg
---------------------------
sec   rsa2048/08750EFE 2018-07-17 [SC]
uid         [ unknown] Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
ssb   rsa2048/88638305 2018-07-17 [E]

I can’t help but noticing that the second key is absent from the “secrets” keyring

mzanetti · July 23, 2018, 1:57pm

Also, this is the output of the plain gpg commands (not gpg2) with the --fingerprint flag

/var/www/.gnupg/pubring.gpg
---------------------------
pub   2048R/08750EFE 2018-07-17
      Key fingerprint = 879D 5094 6E51 18B3 E675  682F 6F7F 2E33 0875 0EFE
uid                  Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
sub   2048R/88638305 2018-07-17

pub   2048R/5335C8B5 2018-07-18
      Key fingerprint = EB8D CF29 1ED1 E680 91E3  8F69 A6DA 4E2D 5335 C8B5
uid                  company Testing (company Testing key) <company.testing@gmail.com>
sub   2048R/F23A5957 2018-07-18

and

/var/www/.gnupg/secring.gpg
---------------------------
sec   2048R/08750EFE 2018-07-17
      Key fingerprint = 879D 5094 6E51 18B3 E675  682F 6F7F 2E33 0875 0EFE
uid                  Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
ssb   2048R/88638305 2018-07-17

sec   2048R/5335C8B5 2018-07-18
      Key fingerprint = EB8D CF29 1ED1 E680 91E3  8F69 A6DA 4E2D 5335 C8B5
uid                  company Testing (company Testing key) <company.testing@gmail.com>
ssb   2048R/F23A5957 2018-07-18

Fingerprints look pretty the same to me

mzanetti · July 23, 2018, 1:58pm

I would delete the keyring and import them again but… with which command(s) then?

kevin · July 23, 2018, 2:04pm

Alright. Then indeed it’s best to delete the keyring and start fresh again. There might be some conflicts between GPGv1 and GPGv2, as we have already seen in the past.

The keyring will be created automatically when you import your keys. So:
sudo su -s /bin/bash -c "gpg2 --import name_of_your_secret_key" www-data

The imported key must be the same as the one defined in your passbolt.php file. (same file, same fingerprint)

Then you can run the healthcheck again to see if it’s working.

mzanetti · July 23, 2018, 2:36pm

Thank you Kevin.

I performed
rm -fr /var/www/.gnupg
and then
sudo su -s /bin/bash -c "gpg2 --import /var/www/passbolt_api/config/gpg/serverkey_private.asc" www-data

now if I look at the keys I see

mzanetti@localhost:~$ sudo su -s /bin/bash -c "gpg2 --list-keys --fingerprint" www-data
/var/www/.gnupg/pubring.kbx
---------------------------
pub   rsa2048/5335C8B5 2018-07-18 [SC]
      Key fingerprint = EB8D CF29 1ED1 E680 91E3  8F69 A6DA 4E2D 5335 C8B5
uid         [ unknown] company Testing (company Testing key) <company.testing@gmail.com>
sub   rsa2048/F23A5957 2018-07-18 [E]

mzanetti@localhost:~$ sudo su -s /bin/bash -c "gpg2 --list-secret-keys --fingerprint" www-data
/var/www/.gnupg/pubring.kbx
---------------------------
sec   rsa2048/5335C8B5 2018-07-18 [SC]
      Key fingerprint = EB8D CF29 1ED1 E680 91E3  8F69 A6DA 4E2D 5335 C8B5
uid         [ unknown] company Testing (company Testing key) <company.testing@gmail.com>
ssb   rsa2048/F23A5957 2018-07-18 [E]

It looks all VERY fine to me. The keys are the same, I just have one issue…

Selection_077

The error is always there!!! -.-

remy · July 23, 2018, 2:40pm

You need to perform a user account recover (or create a new user and follow the setup) for the new server key to be taken into account by the user browser extension.

mzanetti · July 23, 2018, 2:56pm

Selection_078

Thank you!

I can’t believe that with your help I finally made it! <3

Thank you so much to all of you!

kevin · July 23, 2018, 5:33pm

Glad that it’s finally working! Enjoy Passbolt

system · July 28, 2018, 5:34pm

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.