Issues with GPG Key Trust and Verification on Passbolt Installation

Hello Passbolt Support Team,

I’m experiencing persistent issues with the GPG configuration on my Passbolt installation, specifically related to key trust and verification. I’ve attempted several troubleshooting steps, but certain healthcheck failures persist. Here’s an overview of the setup and the issues:

System Information:

Operating System: Ubuntu Server 24.04.1 LTS

Web Server: Apache

PHP Version: 8.3.13

GPG Version: 2.4.4

Passbolt Version: 4.9.1

SSL: Handled via Cloudflare

Issue Details:

The following [FAIL] messages are returned during the Passbolt healthcheck:

[FAIL] The private key cannot be used to decrypt and verify a message

[FAIL] The public key cannot be used to verify a signature

Despite these failures, other GPG checks, such as the ability to encrypt, sign, and decrypt messages, pass without issues when tested directly with gpg commands.

Steps Taken:

  1. Key Import and Trust Configuration:

• I created and imported a GPG keypair under the www-data user, with permissions on /var/www/.gnupg set to www-data:www-data.

• Used both --edit-key interactive trust setting and --import-ownertrust with 5 for ultimate trust.

• Verified that the key could encrypt and decrypt directly in the terminal for www-data.

  2. Configuration Adjustments:

• Set GNUPGHOME='/var/www/.gnupg' in Passbolt’s passbolt.php configuration and confirmed it is applied correctly.

• Updated gpg.conf with batch and yes to enforce non-interactive mode.

• Attempted to set Passbolt’s GPG options (--batch --yes) in passbolt.php.

  3. File and Directory Permissions:

• Set appropriate permissions on /var/www/.gnupg, serverkey.asc, and serverkey_private.asc.

• Ensured Apache has access to all necessary files and directories.

  4. Additional Tests:

• Used test commands to encrypt and decrypt files successfully under the www-data user.

• Attempted a non-interactive setup to avoid GPG interaction with /dev/tty.

Current Roadblocks:

The healthcheck continues to return [FAIL] on verification tests for decryption and signature checks. It’s unclear if Passbolt is requiring further trust confirmation from GPG or if there’s a configuration issue specific to Passbolt’s use of the GPG keys.

Could you provide guidance on further troubleshooting steps or configuration adjustments that might resolve these verification issues? Alternatively, are there any specific GPG settings or logs that would be helpful for further diagnostics?

Thank you for your assistance.
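The two failing checks above both exercise one roundtrip: sign and encrypt with the server key, then decrypt and verify with it, non-interactively and under the web user's GNUPGHOME. The script below is an added example (not from the original post and not Passbolt's own healthcheck code) that reproduces that roundtrip step by step, so a failure is attributed to a specific stage: recipient key trust, passphrase or pinentry handling, or signature verification. It assumes gpg 2.x on PATH. With no arguments it builds a throwaway GNUPGHOME holding a constructed, passphrase-less key (identity `Healthcheck Demo <demo@example.invalid>` is made up for the demo); pass a real GNUPGHOME and optionally the server key fingerprint to test an actual installation.

```shell
#!/bin/sh
# Added example: reproduce a Passbolt-style GPG roundtrip (sign+encrypt, then
# decrypt+verify) in batch mode and report which step fails.
# Assumes gpg 2.x. Not Passbolt's code; the demo identity below is constructed.

# Stop the agent started for a throwaway homedir and remove temp files.
_cleanup() {
    case "$1" in "$2"/*) gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null ;; esac
    rm -rf "$2"
}

# Usage: gpg_roundtrip [GNUPGHOME] [FINGERPRINT]
# Prints "OK fpr=... trust=TRUST_..." on success, "FAIL: <stage>" otherwise.
gpg_roundtrip() {
    home=$1; fpr=$2
    command -v gpg >/dev/null 2>&1 || { echo "SKIP: gpg not installed"; return 0; }
    tmp=$(mktemp -d) || return 1
    if [ -z "$home" ]; then
        home="$tmp/gnupghome"; mkdir -m 700 "$home"
        # Constructed demo key with no passphrase, as an unattended server key needs.
        gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
            --quick-gen-key 'Healthcheck Demo <demo@example.invalid>' default default never \
            2>/dev/null || { echo "FAIL: key generation"; _cleanup "$home" "$tmp"; return 1; }
    fi
    # Default to the first secret key's primary fingerprint in this homedir.
    [ -n "$fpr" ] || fpr=$(gpg --homedir "$home" --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$fpr" ] || { echo "FAIL: no secret key in $home"; _cleanup "$home" "$tmp"; return 1; }

    # Step 1: sign + encrypt WITHOUT --trust-model always. In batch mode gpg refuses
    # an untrusted recipient, so a missing ownertrust surfaces here, not at decrypt.
    printf 'healthcheck probe\n' > "$tmp/plain"
    if ! gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
            --local-user "$fpr" --recipient "$fpr" --armor --sign --encrypt \
            --output "$tmp/msg.asc" "$tmp/plain" 2>"$tmp/err"; then
        if grep -qiE 'no assurance|not trusted|untrusted' "$tmp/err"; then
            echo "FAIL: recipient key not trusted (check ownertrust for $fpr)"
        else
            echo "FAIL: sign/encrypt: $(tail -n1 "$tmp/err")"
        fi
        _cleanup "$home" "$tmp"; return 1
    fi

    # Step 2: decrypt + verify, reading gpg's machine-readable status lines instead
    # of its human output. GOODSIG = signature verified; TRUST_* = trust level of
    # the signing key. A passphrase-protected key fails here ("Bad passphrase").
    gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --status-file "$tmp/status" --output "$tmp/out" --decrypt "$tmp/msg.asc" 2>"$tmp/err" || {
        echo "FAIL: decrypt: $(tail -n1 "$tmp/err")"; _cleanup "$home" "$tmp"; return 1; }
    if ! cmp -s "$tmp/plain" "$tmp/out"; then
        echo "FAIL: decrypted text differs from input"; _cleanup "$home" "$tmp"; return 1
    fi
    if ! grep -q '^\[GNUPG:\] GOODSIG' "$tmp/status"; then
        echo "FAIL: signature not verified: $(grep -E '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY)' "$tmp/status")"
        _cleanup "$home" "$tmp"; return 1
    fi
    trust=$(awk '$2 ~ /^TRUST_/ {print $2; exit}' "$tmp/status")
    _cleanup "$home" "$tmp"
    echo "OK fpr=$fpr trust=${trust:-unknown}"
}
```

To check an installation like the one described in the post, source the script and run it as the web user against the real homedir, with the fingerprint configured in passbolt.php: `sudo -u www-data sh -c '. ./gpg_roundtrip.sh && gpg_roundtrip /var/www/.gnupg <server key fingerprint>'`. Running it as root or as your own account would test a different keyring and agent, which is exactly the gap between "works in my terminal" and "fails in the healthcheck". A result of `OK ... trust=TRUST_UNDEFINED` means the roundtrip works but gpg does not consider the key trusted; `trust=TRUST_ULTIMATE` is what a correctly imported ownertrust produces.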