Docker migration from 3.5.0 to 4.1.0-1 causes gpg error

Hello !
I’ve updated my passbolt from 3.5.0 to 4.1.0-1 using docker and now it doesn’t start. When checking the log, here is what I obtain:

gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key AAAAAAAAAAAAAAA: public key "Passbolt default user <passbolt@yourdomain.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key AAAAAAAAAAAAAAA: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: key AAAAAAAAAAAAAAA/AAAAAAAAAAAAAAA: error sending to agent: No such file or directory
gpg: error building skey array: No such file or directory
gpg: error reading '/etc/passbolt/gpg/serverkey_private.asc': No such file or directory
gpg: import from '/etc/passbolt/gpg/serverkey_private.asc' failed: No such file or directory
gpg: Total number processed: 0
gpg:              unchanged: 1
gpg:       secret keys read: 1

The AAAAAAAAAAAAAAA is for masking values.
I’ve changed the docker entrypoint to “tail -f /dev/null” to be able to enter the container (otherwise it keeps crashing) and here are the permissions:

The healthcheck:

 Environment

 [PASS] PHP version 7.4.28.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://password.frequencebanane.ch
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl

 Database

 [PASS] The application is able to connect to the database
 [PASS] 32 tables found
 [FAIL] No default content found
 [HELP] Run the install script to set the default content such as roles and permission types
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt install" www-data
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [PASS] There is a valid email id defined for the server key.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 3.6.0 and it should be v4.1.2.
 [HELP] See. https://www.passbolt.com/help/tech/update
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 6 error(s) found. Hang in there!

I’ve tried:

[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data

But it changes nothing… Any idea?

My passbolt storage is on a NAS using NFS, but as you should see, the permissions seem correct…

Best regards :slight_smile:

Checklist
[X] I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Does anyone have an idea?
I’m still stuck with it.

Even removing the mount of the gpg key failed (in that case passbolt displays that the entropy is too low).

Also, if I manually import the key (gpg --batch --import serverkey_private.asc) and then launch the healthcheck, it seems to pass. But when I restart the container, the effect does not persist…

OK, it seems related to NFS: even with the permissions shown below, it doesn’t work from the NFS target but works if I mount from the host :confused:
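Since the thread ends up pointing at NFS, here is an added pre-flight check, written for this page and not part of the thread or of Passbolt’s own tooling, that an operator can run inside the container (as the webserver user) before the key import. It ties the two distinct errors in the startup log above to their likely causes: the “error sending to agent: No such file or directory” line points at gpg-agent being unable to create its Unix-domain socket under GNUPGHOME, which network filesystems such as NFS commonly refuse, while the “error reading '/etc/passbolt/gpg/serverkey_private.asc'” line points at the key file simply not being present at that path when the entrypoint runs. The function names, the list of filesystem types treated as network filesystems, and the use of df -PT and gpgconf --list-dirs socketdir for probing are this example’s assumptions; the paths mirror the healthcheck output.

```shell
#!/bin/sh
# Added pre-flight check for a GNUPGHOME that may live on a network filesystem.
# Example code written for this page; not part of the thread or of Passbolt.

# fs_type_of DIR: print the filesystem type backing DIR (empty if unknown).
# Walks up to the nearest existing ancestor so a not-yet-created socket
# directory is still attributed to the filesystem it would be created on.
fs_type_of() {
    d="$1"
    while [ ! -e "$d" ] && [ "$d" != "/" ]; do d=$(dirname "$d"); done
    df -PT "$d" 2>/dev/null | awk 'NR == 2 { print $2 }'
}

# is_network_fs TYPE: 0 when TYPE is a filesystem that commonly refuses
# Unix-domain socket creation (assumed list for this example).
is_network_fs() {
    case "$1" in
        nfs|nfs4|cifs|smb3|fuse.sshfs|9p) return 0 ;;
        *) return 1 ;;
    esac
}

# agent_socket_dir GNUPGHOME: where gpg-agent will put its socket.
# Uses gpgconf when present (it prefers /run/user/UID/gnupg if that exists),
# otherwise assumes the keyring directory itself.
agent_socket_dir() {
    if command -v gpgconf >/dev/null 2>&1; then
        GNUPGHOME="$1" gpgconf --list-dirs socketdir 2>/dev/null
    else
        printf '%s\n' "$1"
    fi
}

# check_gnupg_home GNUPGHOME KEYFILE: print PASS/FAIL/HELP lines in the style
# of the passbolt healthcheck; exit status 0 only when no blocker was found.
check_gnupg_home() {
    home="$1"; keyfile="$2"; rc=0
    if [ ! -d "$home" ]; then
        echo "FAIL keyring directory $home does not exist"
        return 1
    fi
    if [ ! -w "$home" ]; then
        echo "FAIL $home is not writable by $(id -un)"
        rc=1
    fi
    if [ ! -r "$keyfile" ]; then
        echo "FAIL key file $keyfile is not readable (matches 'error reading ... No such file or directory')"
        echo "HELP check the bind mount / secret that should provide $keyfile before the import runs"
        rc=1
    fi
    sockdir=$(agent_socket_dir "$home")
    [ -n "$sockdir" ] || sockdir="$home"
    fstype=$(fs_type_of "$sockdir")
    if is_network_fs "$fstype"; then
        echo "FAIL gpg-agent socket directory $sockdir is on $fstype; Unix sockets there usually fail (matches 'error sending to agent')"
        echo "HELP keep GNUPGHOME on a local volume, or run 'gpgconf --create-socketdir' so the socket lives under /run/user/\$(id -u)/gnupg"
        rc=1
    else
        echo "PASS gpg-agent socket directory $sockdir is on a ${fstype:-unknown} filesystem"
    fi
    return $rc
}

# Usage inside the container, with the paths from the healthcheck above:
#   check_gnupg_home /var/lib/passbolt/.gnupg /etc/passbolt/gpg/serverkey_private.asc
```

Run it as the webserver user (www-data in the healthcheck output) so the writability check reflects the user that actually performs the import. A non-zero exit status means at least one blocker was printed; a PASS on the socket directory together with a FAIL on the key file narrows the problem to the key mount rather than to NFS.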

Maybe you can try to send your gpg server keys as Docker secrets. Here is the documentation:

Also, remember to give Docker the environment variables for the fingerprint and email.

I was thinking of that, but secrets are only mounted to a specific path in the container, /run/secrets/secretname, so if I don’t have a way to change the behavior of passbolt and make it look in this place, it won’t work.