Mobile app not working

hello
passbolt docker version
passbolt:
image: passbolt/passbolt:5.9.0-1-ce

Device: Google Pixel 8 Pro
Android 16 (36)
Passbolt 2.7.1-48

21:22:23 [Session] Passphrase cache cleared
21:22:23 [Session] Passphrase cached
21:22:23 Getting server pgp and rsa keys
21:22:24 → GET https://pass.*.*/auth/verify.json h2
21:22:24 ← 200 https://pass.*.*/auth/verify.json (106ms, unknown-length body)
21:22:24 → GET https://pass.*.*/auth/jwt/rsa.json h2
21:22:24 ← 200 https://pass.*.*/auth/jwt/rsa.json (74ms, unknown-length body)
21:22:24 Getting server pgp and rsa keys succeeded
21:22:24 Checking if time adjustment is needed
21:22:24 Local time sync needed. Adjusted: -2
21:22:24 Verifying server fingerprint
21:22:24 Server key fingerprint is valid
21:22:24 Preparing sign in challenge
21:22:25 There was an error during encryptSignMessageArmored
go.Universe$proxyerror: gopenpgp: the key contains too many entities
at com.proton.gopenpgp.crypto.Crypto.newKeyFromArmored(Native Method)
at com.passbolt.mobile.android.gopenpgp.OpenPgp$encryptSignMessageArmored$2.invokeSuspend(SourceFile:63)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:34)
at kotlinx.coroutines.DispatchedTask.run(SourceFile:100)
at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(SourceFile:124)
at kotlinx.coroutines.scheduling.TaskImpl.run(SourceFile:89)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(SourceFile:586)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(SourceFile:820)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(SourceFile:717)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(SourceFile:704)

go.Universe$proxyerror: gopenpgp: the key contains too many entities
at com.proton.gopenpgp.crypto.Crypto.newKeyFromArmored(Native Method)
at com.passbolt.mobile.android.gopenpgp.OpenPgp$encryptSignMessageArmored$2.invokeSuspend(SourceFile:63)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:34)
at kotlinx.coroutines.DispatchedTask.run(SourceFile:100)
at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(SourceFile:124)
at kotlinx.coroutines.scheduling.TaskImpl.run(SourceFile:89)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(SourceFile:586)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(SourceFile:820)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(SourceFile:717)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(SourceFile:704)
21:22:25 Error during preparing challenge - incorrect passphrase
21:22:32 [Session] Passphrase cache cleared
21:22:32 [Session] Passphrase cached
21:22:32 Getting server pgp and rsa keys
21:22:32 → GET https://pass.*.*/auth/verify.json h2
21:22:32 ← 200 https://pass.*.*/auth/verify.json (150ms, unknown-length body)
21:22:32 → GET https://pass.*.*/auth/jwt/rsa.json h2
21:22:33 ← 200 https://pass.*.*/auth/jwt/rsa.json (81ms, unknown-length body)
21:22:33 Getting server pgp and rsa keys succeeded
21:22:33 Checking if time adjustment is needed
21:22:33 Local time sync needed. Adjusted: -3
21:22:33 Verifying server fingerprint
21:22:33 Server key fingerprint is valid
21:22:33 Preparing sign in challenge
21:22:33 There was an error during encryptSignMessageArmored
go.Universe$proxyerror: gopenpgp: the key contains too many entities
at com.proton.gopenpgp.crypto.Crypto.newKeyFromArmored(Native Method)
at com.passbolt.mobile.android.gopenpgp.OpenPgp$encryptSignMessageArmored$2.invokeSuspend(SourceFile:63)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:34)
at kotlinx.coroutines.DispatchedTask.run(SourceFile:100)
at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(SourceFile:124)
at kotlinx.coroutines.scheduling.TaskImpl.run(SourceFile:89)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(SourceFile:586)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(SourceFile:820)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(SourceFile:717)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(SourceFile:704)

go.Universe$proxyerror: gopenpgp: the key contains too many entities
at com.proton.gopenpgp.crypto.Crypto.newKeyFromArmored(Native Method)
at com.passbolt.mobile.android.gopenpgp.OpenPgp$encryptSignMessageArmored$2.invokeSuspend(SourceFile:63)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:34)
at kotlinx.coroutines.DispatchedTask.run(SourceFile:100)
at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(SourceFile:124)
at kotlinx.coroutines.scheduling.TaskImpl.run(SourceFile:89)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(SourceFile:586)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(SourceFile:820)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(SourceFile:717)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(SourceFile:704)
21:22:33 Error during preparing challenge - incorrect passphrase
21:23:33 [Session] App went background
21:23:33 [Session] Scheduling passphrase cache clear
21:23:33 [Session] Passphrase cache cleared
21:30:29 File logging tree planted
21:30:30 Checking biometry state
21:30:35 Checking biometry state


I get an error when trying to link Passbolt to the mobile app. My request on GitHub was closed and sent here.
Passbolt gps healthcheck - good. No errors.

What could be the error?
Thanks

Hello @lowdog136,

Looks like an error during sign-in challenge preparation in Crypto.newKeyFromArmored(serverPublicKey), stating about the server public key that the key contains too many entities. Possibly the server key was re-generated during restarts and both old and new keys ended up in the keydata response.
Can you run the healthcheck and provide output?

Cheers

hello, mmichalek

Environment

 [INFO] Linux 31b5281db6df 6.8.0-85-generic #85-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 18 15:26:59 UTC 2025 x86_64 GNU/Linux
 [PASS] PHP version 8.4.16.
 [PASS] PHP version is 8.2 or above.
 [PASS] 64-bit architecture system detected.
 [INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [FAIL] The temporary directory and its content are not writable, or are executable.
 [HELP] Ensure the temporary directory and its content are writable by the webserver user.
 [HELP] you can try:
 [HELP] sudo chown -R www-data:www-data /var/lib/passbolt/tmp/
 [HELP] sudo chmod -R 775 $(find /var/lib/passbolt/tmp/ -type d)
 [HELP] sudo chmod -R 664 $(find /var/lib/passbolt/tmp/ -type f)
 [PASS] The logs directory /var/log/passbolt/ and its content are writable.
 [WARN] System clock and NTP service information cannot be found.
 [HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://pass.fishlab.su
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates.
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate.

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try:
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [PASS] A valid JWT key pair was found.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one.
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [FAIL] Could not connect to passbolt repository to check versions. It is not possible to check if your version is up-to-date.
 [HELP] Check the network configuration to allow this script to check for updates.
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] The self registration provider is: Email domain safe list.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.
 [PASS] The database schema is up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 35 tables found.
 [PASS] Some default content is present.
 [PASS] The database version is supported.

 Metadata

 [PASS] The server is able to decrypt the metadata private key.
 [PASS] Active metadata key found or not required.
 [PASS] The server has access to the metadata keys or does not require access to it.
 [PASS] The server metadata private key is valid.

 [FAIL] 4 error(s) found. Hang in there!

Hi @lowdog136

could you please resolve the first 2 fails from the healthcheck? Usually it helps, like in this topic: https://community.passbolt.com/t/ios-android-app-http-forbidden/13570/6.

There are also some changes in 5.10.0-1-ce related to JWT management, but this is a long shot.

G’day @lowdog136,

Following on from @grzegorz, once you’ve resolved those healthcheck FAILs, it’s worth also investigating the key entity issue directly, since that’s what the mobile log is pointing at.

The error gopenpgp: the key contains too many entities means the server key returned by /auth/verify.json contains more than one PGP key block. The mobile gopenpgp library expects exactly one and fails at the newKeyFromArmored call. This can happen if the server GPG key was regenerated across container restarts and the old key wasn’t cleaned out of the keyring.

You can check what the endpoint is actually returning:

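```bash
# keydata is one JSON string on a single line, so count occurrences (grep -o | wc -l) rather than matching lines (grep -c)
curl -sk https://pass.<yourdomain>/auth/verify.json | python3 -m json.tool | grep -o "BEGIN PGP PUBLIC KEY" | wc -l
```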

If that returns more than 1, inspect the keyring inside the container:

```bash
docker exec -it <container> bash
gpg --homedir /var/lib/passbolt/.gnupg --list-keys
```

If multiple keys are present, you’ll need to export only the one matching the fingerprint in your config, replace the key file, and restart.

Cheers
Gareth

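Added example, not part of the original posts and not Passbolt or gopenpgp code: a single armored block can carry several keys (as `gpg --armor --export` produces when more than one key is selected), so counting `BEGIN PGP PUBLIC KEY` markers can report 1 while the key data still holds more than one entity. The Python below counts primary-key packets in armored key text, such as the server key saved from the endpoint; `constructed_sample` and its dummy packet bodies are made up for illustration.

```python
import base64
import re

PRIMARY_KEY_TAGS = {5, 6}  # secret-key / public-key packets: each one starts a new entity
ARMOR = re.compile(r"-----BEGIN PGP [A-Z ]+-----\r?\n(.*?)-----END PGP [A-Z ]+-----", re.S)

def dearmor(text):
    """Yield the binary payload of every ASCII-armored block found in text."""
    for match in ARMOR.finditer(text):
        lines = (l.strip() for l in match.group(1).splitlines())
        # drop armor headers ("Key: value"), the blank separator and the "=CRC" line
        yield base64.b64decode("".join(l for l in lines if l and ":" not in l and not l.startswith("=")))

def packet_tags(data):
    """Walk an OpenPGP packet stream (RFC 4880, section 4.2) and yield each packet tag."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError(f"not an OpenPGP packet at offset {i}")
        if first & 0x40:                       # new-format header
            tag, o = first & 0x3F, data[i + 1]
            if o < 192:
                length, i = o, i + 2
            elif o < 224:
                length, i = ((o - 192) << 8) + data[i + 2] + 192, i + 3
            elif o == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length is not valid in a key")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not valid in a key")
            size = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag
        i += length

def count_entities(armored):
    """Number of primary keys (entities) across all armored blocks in the text."""
    return sum(tag in PRIMARY_KEY_TAGS for blob in dearmor(armored) for tag in packet_tags(blob))

def constructed_sample(n_keys):
    """Constructed input: ONE armored block holding n_keys dummy entities."""
    pkt = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body
    entity = pkt(6, b"\x04" * 12) + pkt(13, b"srv@example.test") + pkt(14, b"\x04" * 12)
    b64 = base64.b64encode(entity * n_keys).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

A result above 1 from `count_entities` on the served key means more than one key is present, whether or not the marker count shows it.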