InitKeyring failed to load

Hello,

I have been trying to set up passbolt. While following the guide on Medium, with the exception that I am running PHP 7.0, I have managed to get all the health checks green with the exception of one: "The public key cannot be used to encrypt and sign a message".

I have enabled debugging and the stack trace returns the following code:
public function authenticate(CakeRequest $request, CakeResponse $response) {
    // Init gpg object and load server key
    $this->_initKeyring();
    $this->_response = &$response;

I checked phpinfo and I have the following lines listed:
gnupg:
gnupg support => enabled
GPGme Version => 1.6.0
Extension Version => 1.4.0

While logged in as www-data (yes, bad, but just for debugging) I am able to list all PGP keys and sign files.

The server is an Ubuntu 16.04
PHP 7.0.22
mysql 5.7
passbolt version cloned yesterday

Checklist
[ X ] I have read intro post: About the Installation Issues category
[ X ] I have read the tutorials, help and searched for similar issues
[ X ] I provide relevant information about my server (component names and versions, etc.)
[ X ] I provide a copy of my logs and healthcheck
[ X ] I describe the steps I have taken to troubleshoot the problem
[ X ] I describe the steps on how to reproduce the issue

@eddie4 We’ve seen this issue for two reasons:

  • There is not enough random entropy on your system (see cat /proc/sys/kernel/random/entropy_avail).
  • Even though www-data can read/write on the keyring, it is not the owner of the files (gnupg requires the latter).

Have you tried generating a user and logging in with it?

@remy Thank you for your reply,

The keys are owned by www-data. And a value of 3000+ for random entropy should be enough, I would think.

drwx------ 3 www-data www-data 4.0K dec 4 13:41 .
drwxr-xr-x 5 root root 4.0K dec 4 11:55 ..
-rw-rw-r-- 1 www-data www-data 0 dec 4 10:50 .gpg-v21-migrated
drwx------ 2 www-data www-data 4.0K dec 4 13:41 private-keys-v1.d
-rw------- 1 www-data www-data 2.2K dec 4 13:28 pubring.gpg
-rw------- 1 www-data www-data 2.2K dec 4 13:28 pubring.gpg~
-rw------- 1 www-data www-data 600 dec 4 15:05 random_seed
-rw------- 1 www-data www-data 4.7K dec 4 13:28 secring.gpg
srwxrwx--- 1 www-data www-data 0 dec 4 13:41 S.gpg-agent
-rw------- 1 www-data www-data 1.3K dec 4 13:28 trustdb.gpg

root@passbolt:/var/www/.gnupg# cat /proc/sys/kernel/random/entropy_avail
3192

EDIT:
The plot thickens: I decided to check the server configuration with the following code, and this works.

<?php
// Enter your .gnupg environment
putenv('GNUPGHOME=/var/www/.gnupg/');
error_reporting(E_ALL);
$res = gnupg_init();
gnupg_seterrormode($res,GNUPG_ERROR_WARNING);
$info = gnupg_keyinfo($res, '1D2757F6764AA8A68EE96008651FBE12F7A623EC');
echo "Key - Info<pre>";
var_dump($info);
echo "</pre>";
?>

Edit2:
Yes, I have the following variables set:
'GPG' => [
    'env' => [
        'setenv' => true,
        'home' => '/var/www/.gnupg',

Can you try to extend your code with encryption and signature as well?
Ref. http://php.net/manual/en/function.gnupg-encryptsign.php

I am no hero in PHP, but this is what I came up with:

<?php
// Enter your .gnupg environment
putenv('GNUPGHOME=/var/www/.gnupg/');
error_reporting(E_ALL);
$res = gnupg_init();
echo "kmek";
gnupg_addencryptkey($res,"1D2757F6764AA8A68EE96008651FBE12F7A623EC");
gnupg_addsignkey($res,"1D2757F6764AA8A68EE96008651FBE12F7A623EC","");
$enc = gnupg_encryptsign($res, "just a test");
echo $enc;
echo "kmek";
?>

Output is: kmekkmek
Which means $enc is empty. The only thing I wasn’t sure about is the ,""); part. As there is no passphrase, as per the documentation I believe this is correct. No errors or stack traces though…

Can you add the following after the gnupg_encryptsign?

print_r(gnupg_geterror($res));

This hopefully will give us something to work with.

Code:

<?php
putenv('GNUPGHOME=/var/www/.gnupg/');
error_reporting(E_ALL);
$res = gnupg_init();
gnupg_seterrormode($res,GNUPG_ERROR_WARNING);
$info = gnupg_keyinfo($res, '1D2757F6764AA8A68EE96008651FBE12F7A623EC');
echo "KEY INFO print_r gnupg_gete =\n";
print_r(gnupg_geterror($res));
echo "KEY INFO vardump enc = \n";
// $enc has not been assigned yet at this point, hence the NULL in the output
var_dump($enc);
echo "Key - Info<pre>";
var_dump($info);
echo "</pre>";

// Add the encryption and signing key, then encrypt and sign a test string
gnupg_addencryptkey($res,"1D2757F6764AA8A68EE96008651FBE12F7A623EC");
gnupg_addsignkey($res,"1D2757F6764AA8A68EE96008651FBE12F7A623EC","");
$enc = gnupg_encryptsign($res, "just a test");
echo "TXT print_r(gnupg_geterror(res));TXT\n";
print_r(gnupg_geterror($res));
echo "TXT var_dump($enc); TXT\n";
var_dump($enc);
?>

output:

KEY INFO print_r gnupg_gete =
KEY INFO vardump enc = 
NULL
Key - Info
array(1) {
  [0]=>
  array(8) {
    ["disabled"]=>
    bool(false)
    ["expired"]=>
    bool(false)
    ["revoked"]=>
    bool(false)
    ["is_secret"]=>
    bool(false)
    ["can_sign"]=>
    bool(true)
    ["can_encrypt"]=>
    bool(true)
    ["uids"]=>
    array(1) {
      [0]=>
      array(6) {
        ["name"]=>
        string(8) "Passbolt"
        ["comment"]=>
        string(0) ""
        ["email"]=>
        string(16) "security@true.nl"
        ["uid"]=>
        string(27) "Passbolt "
        ["revoked"]=>
        bool(false)
        ["invalid"]=>
        bool(false)
      }
    }
    ["subkeys"]=>
    array(2) {
      [0]=>
      array(11) {
        ["fingerprint"]=>
        string(40) "1D2757F6764AA8A68EE96008651FBE12F7A623EC"
        ["keyid"]=>
        string(16) "651FBE12F7A623EC"
        ["timestamp"]=>
        int(1512390494)
        ["expires"]=>
        int(0)
        ["is_secret"]=>
        bool(false)
        ["invalid"]=>
        bool(false)
        ["can_encrypt"]=>
        bool(false)
        ["can_sign"]=>
        bool(true)
        ["disabled"]=>
        bool(false)
        ["expired"]=>
        bool(false)
        ["revoked"]=>
        bool(false)
      }
      [1]=>
      array(11) {
        ["fingerprint"]=>
        string(40) "7DB712B657B432086CDA30466D0AD4AA4C799C97"
        ["keyid"]=>
        string(16) "6D0AD4AA4C799C97"
        ["timestamp"]=>
        int(1512390494)
        ["expires"]=>
        int(0)
        ["is_secret"]=>
        bool(false)
        ["invalid"]=>
        bool(false)
        ["can_encrypt"]=>
        bool(true)
        ["can_sign"]=>
        bool(false)
        ["disabled"]=>
        bool(false)
        ["expired"]=>
        bool(false)
        ["revoked"]=>
        bool(false)
      }
    }
  }
}
TXT print_r(gnupg_geterror(Resource id #2));TXT
TXT var_dump(); TXT
bool(false)

The forum won’t let me post the output, so I put it on pastebin:
https://pastebin.com/RBL8K174

@eddie4 so there is an error but no information from gnupg about it :(
Maybe there is something directly in gnupg logs?

I think I might have something here:

version:
gpg --help
gpg (GnuPG) 1.4.20

gpg2 --help
gpg (GnuPG) 2.1.11

www-data@passbolt:/data/www/passbolt$ gpg2 --list-secret-keys
www-data@passbolt:/data/www/passbolt$ gpg --list-secret-keys
/var/www/.gnupg/secring.gpg
---------------------------
sec   4096R/F7A623EC 2017-12-04
uid                  Passbolt <security@domain.com>
ssb   4096R/4C799C97 2017-12-04

EDIT:
gpg2 lists home as ~/.gnupg, which is /var/www/.gnupg/; surprising that it doesn’t list the keys.

To my knowledge php-gnupg uses gnupg version 1, so it shouldn’t be an issue.
Do you get any error when doing the encrypt/ sign directly from command line?

echo 'test' > encrypt.file
gpg --recipient F7A623EC --encrypt --sign encrypt.file

At that point, if you don’t get any error, I’m not sure what’s going on. Maybe it could be an oddity with your key, maybe an issue with php-gnupg on your particular setup. Hard to tell without error messages…

www-data@passbolt:~/.gnupg$ echo 'test' > encrypt.file
www-data@passbolt:~/.gnupg$ gpg --recipient F7A623EC --encrypt --sign encrypt.file
www-data@passbolt:~/.gnupg$ ls -lh
total 52K
-rw-rw-r-- 1 www-data www-data 11 dec 5 12:36 encrypt.file
-rw-rw-r-- 1 www-data www-data 1.2K dec 5 12:36 encrypt.file.gpg

Just plain weird…

EDIT:
However, gpg2 of course fails:
www-data@passbolt:~/.gnupg$ gpg2 --recipient F7A623EC --encrypt --sign encrypt.file
gpg: no default secret key: No secret key
gpg: encrypt.file: sign+encrypt failed: No secret key

I am going to fix gpg2; if it fixes the problem I’ll report back.

Well, importing the key into gpg2 solved the problem. However, I then ran into https://github.com/passbolt/passbolt_api/issues/100
I spent some time debugging it but got annoyed. I deleted the whole passbolt directory and the .gnupg directories and started from scratch. With success: I now have an instance running, still clueless what I facked up the first time.

Thanks for the help.
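As an added example (not code from the thread or from passbolt): the checks raised in this thread, keyring ownership, the gnupg_keyinfo() flags and an encrypt-sign round trip, combined into one diagnostic that reports which precondition fails instead of a bare false. Note that in the keyinfo output above is_secret is false for the key and its subkeys, which matches the eventual finding that the secret key existed only in the GnuPG 1 keyring. Assumptions: the posix extension is available, and GNUPG_HOME and SERVER_FPR are placeholders for the server's own values.

```php
<?php
// Added diagnostic for this thread's symptom: gnupg_encryptsign() returning false while
// gnupg_geterror() stays empty. Assumes the posix extension; GNUPG_HOME/SERVER_FPR are placeholders.
declare(strict_types=1);
const GNUPG_HOME = '/var/www/.gnupg';                           // placeholder
const SERVER_FPR = '0000000000000000000000000000000000000000';  // placeholder

function diagnoseServerKey(string $home, string $fpr): array {
    $findings = [];
    if (!is_dir($home)) {
        return ["GNUPGHOME $home is not a directory"];
    }
    // gnupg wants the keyring owned by the user PHP runs as, not merely writable by it.
    if (fileowner($home) !== posix_geteuid()) {
        $findings[] = 'GNUPGHOME owned by uid ' . fileowner($home) . ', PHP runs as uid ' . posix_geteuid();
    }
    putenv("GNUPGHOME=$home");
    $gpg = gnupg_init();
    gnupg_seterrormode($gpg, GNUPG_ERROR_WARNING);
    $info = gnupg_keyinfo($gpg, $fpr);
    if (empty($info)) {
        $findings[] = "key $fpr not found in $home";
        return $findings;
    }
    $key = $info[0];
    // Public half present but is_secret false: the secret key lives in a keyring the gpg
    // binary behind GPGME does not read (GnuPG 1 secring.gpg vs gpg2 private-keys-v1.d).
    if (!$key['is_secret']) {
        $findings[] = 'secret key not visible to php-gnupg; compare gpg --list-secret-keys with gpg2 --list-secret-keys';
    }
    if (!in_array(true, array_column($key['subkeys'], 'can_encrypt'), true) || !in_array(true, array_column($key['subkeys'], 'can_sign'), true)) {
        $findings[] = 'no subkey can encrypt, or no subkey can sign';
    }
    // Round trip: encrypt+sign, then decrypt+verify, so a silent false is caught here.
    gnupg_addencryptkey($gpg, $fpr);
    gnupg_addsignkey($gpg, $fpr, '');
    $cipher = gnupg_encryptsign($gpg, 'healthcheck');
    if ($cipher === false) {
        $findings[] = 'encryptsign failed: ' . (gnupg_geterror($gpg) ?: 'gnupg gave no error text');
        return $findings;
    }
    gnupg_adddecryptkey($gpg, $fpr, '');
    $plain = '';
    if (gnupg_decryptverify($gpg, $cipher, $plain) === false || $plain !== 'healthcheck') {
        $findings[] = 'decryptverify failed: ' . (gnupg_geterror($gpg) ?: 'gnupg gave no error text');
    }
    return $findings;
}
$findings = diagnoseServerKey(GNUPG_HOME, SERVER_FPR);
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'server key OK' . PHP_EOL;
```

Run it as the same user the web server uses (www-data here), since the ownership check compares against the effective uid of the running process.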
