Hi everyone,
I’ve been struggling for about two weeks with a specific issue regarding the decryption of credentials via the Passbolt API using a Python script.
The Scenario:
I have a “robot” user (robot.rpa) which is part of an automation group. This group has access to several resources. My script successfully authenticates and can decrypt the password (the main secret) without any issues using the robot’s private GPG key.
The Problem:
I cannot decrypt the username and label stored in the metadata (Resource Types). When I fetch the resource via API, the username field appears encrypted with a key that seems different from my robot’s private key.
I noticed that the fingerprint of the key associated with these metadata fields is F9B59A220C9BD39E. Since I can see the username perfectly fine through the Passbolt Web UI (and even inspect the decrypted data via DevTools), I know the robot user has the necessary permissions.
What I’ve tried:
- Re-sharing the resources.
- Creating/Editing new resources within the group.
- Leaving and re-joining the automation group.
- Using different Python libraries (like PGPy and gnupg).
Technical Doubt:
Since the Web UI can decrypt this information, I assume the logic for decrypting the metadata (Resource Config/Types) might differ slightly from the main secret decryption. Is there a specific API endpoint or a “shared” group key logic that I should be calling to handle these metadata fields? Can I retrieve the necessary public/private parts to handle this specific fingerprint F9B59A220C9BD39E via API?
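An added diagnostic, not part of the original post and not Passbolt's code: it lists the recipient key IDs an OpenPGP message is encrypted to, so they can be compared with the robot key's IDs. It assumes the encrypted field is an ASCII-armored OpenPGP message and reads version 3 PKESK packets only; `constructed_sample` is a hypothetical helper that builds a dummy message. Encryption normally targets an encryption subkey, so compare against subkey IDs as well as the primary key's.

```python
import base64

def dearmor(armored):
    """Return the binary packets inside an ASCII-armored OpenPGP block."""
    body, in_body = [], False
    for line in map(str.strip, armored.strip().splitlines()[1:]):
        if line.startswith("-----END"):
            break
        if not in_body:
            in_body = line == ""          # armor headers end at the blank line
        elif not line.startswith("="):    # skip the optional CRC24 line
            body.append(line)
    return base64.b64decode("".join(body))

def packets(data):
    """Yield (tag, body) per packet; stops at a partial-length data packet."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                    # new-format header
            tag, o, i = hdr & 0x3F, data[i], i + 1
            if o < 192:
                n = o
            elif o < 224:
                n, i = ((o - 192) << 8) + data[i] + 192, i + 1
            elif o == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:                         # partial length: PKESKs are already behind us
                return
        else:                             # old-format: length is 1, 2, 4 bytes or "to end"
            tag, w = (hdr >> 2) & 0x0F, (1 << (hdr & 3)) % 8
            n = int.from_bytes(data[i:i + w], "big") if w else len(data) - i
            i += w
        yield tag, data[i:i + n]
        i += n

def recipient_key_ids(armored):
    """Key IDs from v3 PKESK packets (tag 1); all zeros means a hidden recipient."""
    return [b[1:9].hex().upper() for t, b in packets(dearmor(armored))
            if t == 1 and b[:1] == b"\x03"]

def constructed_sample(key_id_hex):
    """Constructed message: one PKESK for key_id_hex plus a dummy tag 18 packet."""
    pkesk = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01\x00\x08\xff"
    raw = bytes([0xC1, len(pkesk)]) + pkesk + bytes([0xD2, 3]) + b"\x01\xaa\xbb"
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{b64}\n-----END PGP MESSAGE-----\n"

if __name__ == "__main__":
    print(recipient_key_ids(constructed_sample("F9B59A220C9BD39E")))
```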