~sircmpwn/sr.ht-discuss


Can not add my PGP public key

Message ID: <949e79a2-666a-617f-80ae-87795d9a6233@mehdix.org>
DKIM signature: pass

Dear all,

I am trying to learn how to use sr.ht and just ran into a problem. I did 
some internet searching and mail archive reading to no avail. I am 
trying to add my PGP key using the command provided on the keys page, 
however it produces this error with no further explanation:

    We were unable to encrypt a test message with this key

The command which I use is this:

    gpg --armor --export-options export-minimal --export \
        6EAD3E90BBD5F493B6B060F3A60CDB0F2E292C9F

FWIW I use a Yubikey.

I'd appreciate any help on this.

Cheers,
Mehdi

Message ID: <C91R1P9DGKDT.YYWC0KT3UXPL@taiga>
In-Reply-To: <949e79a2-666a-617f-80ae-87795d9a6233@mehdix.org>
DKIM signature: fail

We use the pgpy library, I'd look into seeing if they can use your PGP
key.

Message ID: <2f323d0a-461e-2a94-9dc7-1ef4e01759ec@orbital.rocks>
In-Reply-To: <949e79a2-666a-617f-80ae-87795d9a6233@mehdix.org>
DKIM signature: pass

In addition to what Drew said, I would double check that the key is 
setup for both signing and encrypting, as you can create keys for each.

-gildarts

Message ID: <0a5d443d-3f80-a9fe-c46b-fd0b2bf5d1eb@mehdix.org>
In-Reply-To: <2f323d0a-461e-2a94-9dc7-1ef4e01759ec@orbital.rocks>
DKIM signature: pass

> In addition to what Drew said, I would double check that the key is
> setup for both signing and encrypting, as you can create keys for each.

Using Thunderbird I can sign and send emails (just tried). I have 
different sub-keys for signing and encrypting. This email should arrive 
signed too.

- Mehdi

Message ID: <4630ab8b-e78c-6c94-7ad5-b88f718e5407@orbital.rocks>
In-Reply-To: <0a5d443d-3f80-a9fe-c46b-fd0b2bf5d1eb@mehdix.org>
DKIM signature: pass

On 2/5/2021 2:20 PM, Mehdi Sadeghi wrote:
> Using Thunderbird I can sign and send emails (just tried). I have 
> different sub-keys for signing and encrypting. This email should arrive 
> signed too.
> 
> - Mehdi
> 

Yep it arrived signed. The question is if sr.ht can use the public key 
you uploaded to encrypt a message for you.

And you mention Thunderbird, did you create the key inside of 
Thunderbird? I have been unable to add any key created with Thunderbird 
to sr.ht after several rounds of trying.

-gildarts

Message ID: <C920KPPYSGDH.3VJ8YY79SLS0N@clamps>
In-Reply-To: <4630ab8b-e78c-6c94-7ad5-b88f718e5407@orbital.rocks>
DKIM signature: pass

On Fri Feb 5, 2021 at 3:53 PM EST, gildarts wrote:
> On 2/5/2021 2:20 PM, Mehdi Sadeghi wrote:
> > Using Thunderbird I can sign and send emails (just tried). I have 
> > different sub-keys for signing and encrypting. This email should arrive 
> > signed too.
> > 
> > - Mehdi
> > 
>
> Yep it arrived signed. The question is if sr.ht can use the public key
> you uploaded to encrypt a message for you.
>

You nerd-sniped me, so I took a look. I can see that there are 3 user id
packets in your public key. 2 of them have cipher preferences and 1 does
not. (As displayed by `gpg --list-packet`)

That's curious, and seems worth checking out with pgpy. A small script
to dump the preferences:

```
import pgpy

# Load the exported (armored) public key and walk its user ids
filename = 'key_mehdi.asc'
key, _ = pgpy.PGPKey.from_file(filename)
for u in key.userids:
    print(f'{u}')
    # The symmetric cipher preferences live in the uid's self-signature;
    # a uid without one prints nothing here
    if u.selfsig:
        print(f'cipher prefs: {",".join([str(p) for p in u.selfsig.cipherprefs])}')
```

That shows:

Mehdi Sadeghi <mehdi@sadeghi.xyz>
cipher prefs: 
Mehdi Sadeghi <mehdi@mehdix.ir>
cipher prefs:
SymmetricKeyAlgorithm.AES256,SymmetricKeyAlgorithm.AES192,SymmetricKeyAlgorithm.AES128,SymmetricKeyAlgorithm.TripleDES
Mehdi Sadeghi <mehdi@mehdix.org>
cipher prefs:
SymmetricKeyAlgorithm.AES256,SymmetricKeyAlgorithm.AES192,SymmetricKeyAlgorithm.AES128,SymmetricKeyAlgorithm.TripleDES

If I then try to encrypt a message to you using pgpy's default settings:

```
text_message = pgpy.PGPMessage.new('hello, pgpy')
print(f'{key.encrypt(text_message)}')
```

Traceback (most recent call last):
  File "$HOME/pgp-test/main.py", line 12, in <module>
    print(f'{key.encrypt(text_message)}')
  File "$HOME/pgp-test/venv/lib/python3.9/site-packages/pgpy/decorators.py", line 129, in _action
    return action(_key, *args, **kwargs)
  File "$HOME/pgp-test/venv/lib/python3.9/site-packages/pgpy/pgp.py", line 2439, in encrypt
    pref_cipher = next(c for c in uid.selfsig.cipherprefs if c.is_supported)
StopIteration

If instead of encrypting to the default identity, I encrypt to your
mehdix.org email address:

```
text_message = pgpy.PGPMessage.new('hello, pgpy')
print(f'{key.encrypt(text_message,user="mehdi@mehdix.org")}')
```

I get a message you should be able to read:

-----BEGIN PGP MESSAGE-----

wcBMA4arxY2CtkAiAQf+M3ANA4PyuX96agmept8x+VtSPYZ4u5FTIdRZsc3VvgtC
IBrxLdGrYx8Dw6ub2Oy1GnypdjVni/BoVFyo8ufd7dwOvTPr+7ATkoeFwMLHAWPK
UprFg3YXSt6c1o04CN2sh6rEt5lmXFWxWuGk3AWUq2p6fLKnV9OvqYVsZVZOGmYs
EUL4Qc7EyOt7Z44px59+ApEpM8N8SjccHDln4p25z7EBZkV7T5AScMt775brkw8i
uvqTa7yq4AgkKTN9Kfyzax+ZXl1BlH9fqAL+tIOB8Wrr28qiXE+xwgW5vMUGp/s9
4NB/O52pcIX1/54HatGJ0E5DUDBd+fWjkBy8Bj2DHdJBAYiSMofLfNZ9nUcppc2K
0itDwlQB3Y9dO/tFO2kBmLTDAbo3Tw68a5alG8Fvpfl2qzkEfowDiSq+yseduQ1T
f8s=
=Pf2p
-----END PGP MESSAGE-----

Based on this, I'd say you have two options:

1. Re-export your public key either with only the email you want sr.ht
to send to, or with appropriate cipher preferences for every user id.

2. Patch sr.ht to use the recipient email address when encrypting the
message. Adding `user=to` to the encrypt() call here:

https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/srht/email.py#L94

should do the job. I would create and send the patch myself, but every
time I've tried to set up a development environment where I can test a
patch like this for sr.ht, I have exceeded my time box so far. Anyone
who knows a fast track to that and wants to share, please feel free to
do so!

HTH,

Geoff
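The per-uid check Geoff ran with pgpy can also be done without the library, which makes the failure mode easier to see: an encrypt() that lands on a user id whose self-certification carries no preferred-symmetric-algorithm subpacket has nothing to choose from. The following is an added example (mine, not code from this thread, from pgpy or from sr.ht). It walks the packets of an exported public key per RFC 4880, attaches each user id's self-certification cipher preferences to it, and reports which uids an encryptor could use. The SUPPORTED set is an assumption standing in for pgpy's `is_supported` test; the sample key, its names and its signatures are constructed and would not verify.

```python
# Added example (not code from the thread or from sr.ht): a dependency-free audit of an
# exported OpenPGP public key that lists, per user id, the preferred-symmetric-algorithm
# subpacket of its self-certification. Parses RFC 4880 packets without verifying signatures.
import hashlib
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

TAG_SIGNATURE, TAG_PUBKEY, TAG_USER_ID, TAG_SUBKEY, TAG_USER_ATTR = 2, 6, 13, 14, 17
SUB_PREF_SYM, SUB_ISSUER = 11, 16        # signature subpacket types
SUPPORTED = {2, 7, 8, 9}                 # assumption: 3DES, AES128/192/256 accepted by the encrypting side

@dataclass
class UserId:
    name: str
    has_selfsig: bool = False
    cipher_prefs: List[int] = field(default_factory=list)   # symmetric algorithm ids, RFC 4880 9.2

    def usable(self) -> bool:
        """True if an encrypt() that selects this uid can find a supported cipher."""
        return self.has_selfsig and any(c in SUPPORTED for c in self.cipher_prefs)

def _length(buf: bytes, i: int, subpacket: bool = False) -> Tuple[int, int]:
    """New-format length field at buf[i] -> (length, index after it)."""
    if buf[i] < 192:
        return buf[i], i + 1
    if buf[i] < (255 if subpacket else 224):           # packets reserve 224..254 for partial lengths
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    if buf[i] == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for every packet, accepting old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 == 0xC0:                         # new format
            tag, (length, i) = ctb & 0x3F, _length(data, i + 1)
        elif ctb & 0xC0 == 0x80 and ctb & 0x03 != 3:   # old format with 1, 2 or 4 length bytes
            tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        else:
            raise ValueError(f"unsupported packet header at offset {i}")
        yield tag, data[i:i + length]
        i += length

def _subpackets(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    i = 0
    while i < len(blob):
        length, i = _length(blob, i, subpacket=True)
        yield blob[i] & 0x7F, blob[i + 1:i + length]   # top bit of the type byte is "critical"
        i += length

def _key_id(pubkey_body: bytes) -> bytes:              # v4: low 8 bytes of SHA-1(0x99 || len || body)
    return hashlib.sha1(b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body).digest()[-8:]

def audit_key(data: bytes) -> List[UserId]:
    """Return the user ids in key order, each with the cipher prefs of its self-certification."""
    uids, key_id, current = [], b"", None
    for tag, body in iter_packets(data):
        if tag == TAG_PUBKEY:
            key_id = _key_id(body)
        elif tag == TAG_USER_ID:
            current = UserId(body.decode("utf-8", "replace"))
            uids.append(current)
        elif tag in (TAG_SUBKEY, TAG_USER_ATTR):
            current = None                             # later signatures are not uid certifications
        elif tag == TAG_SIGNATURE and current is not None and body[0] == 4:
            hlen = int.from_bytes(body[4:6], "big")
            ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
            hashed, unhashed = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
            issuers = [b for t, b in [*_subpackets(hashed), *_subpackets(unhashed)] if t == SUB_ISSUER]
            if not 0x10 <= body[1] <= 0x13 or (issuers and key_id not in issuers):
                continue                               # not a certification made by this key
            current.has_selfsig = True
            for stype, sbody in _subpackets(hashed):   # only hashed subpackets are signed
                if stype == SUB_PREF_SYM:
                    current.cipher_prefs = list(sbody)
    return uids

# Constructed sample key (not a real key; its signatures would not verify), old-format headers.
def _pkt(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body

def _sub(stype: int, body: bytes) -> bytes:
    return bytes([len(body) + 1, stype]) + body

def _cert(issuer: bytes, hashed: bytes) -> bytes:      # v4 positive certification (type 0x13)
    unhashed = _sub(SUB_ISSUER, issuer)
    return _pkt(TAG_SIGNATURE, bytes([4, 0x13, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
                + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00\x00\x08\x80")

_PUB = bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x08\x80\x00\x02\x03"   # v4 RSA header with dummy MPIs
SAMPLE_KEY = (
    _pkt(TAG_PUBKEY, _PUB)
    + _pkt(TAG_USER_ID, b"Alice <alice@old.example>") + _cert(_key_id(_PUB), b"")        # self-sig, no prefs
    + _pkt(TAG_USER_ID, b"Alice <alice@example.org>")
    + _cert(_key_id(_PUB), _sub(SUB_PREF_SYM, bytes([9, 8, 7, 2])))                     # AES256,AES192,AES128,3DES
    + _pkt(TAG_USER_ID, b"Alice <alice@other.example>") + _cert(b"\x00" * 8, b"")        # certified by another key only
)

if __name__ == "__main__":
    print(*[(u.name, u.cipher_prefs, u.usable()) for u in audit_key(SAMPLE_KEY)], sep="\n")
```

To run it on a real key, export it in binary form (`gpg --export-options export-minimal --export <keyid> > key.gpg`, without `--armor`; armored output would need `gpg --dearmor` first) and pass the file's bytes to `audit_key()`. A uid reported as not usable is exactly the case in the traceback above: the first uid has a self-signature but no cipher preference subpacket, so an encryptor that defaults to it finds no supported cipher, while a uid with AES preferences works once it is selected explicitly.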

Message ID: <d888d42f-9a38-3f95-ea47-fa189fccd0af@mehdix.org>
In-Reply-To: <4630ab8b-e78c-6c94-7ad5-b88f718e5407@orbital.rocks>
DKIM signature: pass

On 2/5/21 9:53 PM, gildarts wrote:
> And you mention Thunderbird, did you create the key inside of 
> Thunderbird? I have been unable to add any key created with 
> Thunderbird to sr.ht after several rounds of trying.
>
> -gildarts

My secret key is on a Yubikey, and I have only imported them recently to 
Thunderbird (by explicitly enabling it in the configs, since using my 
local pgp installation was disabled by default in TB 85). So no, I did 
not create the keys inside TB.

Message ID: <915a744e-5f6c-38db-906e-24953bf3c7b1@mehdix.org>
In-Reply-To: <C920KPPYSGDH.3VJ8YY79SLS0N@clamps>
DKIM signature: pass

On 2/6/21 1:16 AM, Geoff Beier wrote:
>
> You nerd-sniped me, so I took a look. I can see that there are 3 user id
> packets in your public key. 2 of them have cipher preferences and 1 does
> not. (As displayed by `gpg --list-packet`)
>
> Based on this, I'd say you have two options:
>
> 1. Re-export your public key either with only the email you want sr.ht
> to send to, or with appropriate cipher preferences for every user id.
>
> 2. Patch sr.ht to use the recipient email address when encrypting the
> message. Adding `user=to` to the encrypt() call here:
>
> https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/srht/email.py#L94
>
> should do the job. I would create and send the patch myself, but every
> time I've tried to set up a development environment where I can test a
> patch like this for sr.ht, I have exceeded my time box so far. Anyone
> who knows a fast track to that and wants to share, please feel free to
> do so!
>
> HTH,
>
> Geoff
>
>
>
Thanks for the thorough disaster analysis! I learned something, had no 
idea about "packets" (for my future self: gpg --armor --export-options 
export-minimal --export A60CDB0F2E292C9F | gpg --list-packets). It 
explains everything. The first id does not have any ciphers because I 
have already deleted it, since I don't hold that domain anymore. I was 
under the impression that I had already published this; locally I don't 
have it anymore.

For the sr.ht environment, I just followed the instructions from 
https://git-send-email.io and was able to quickly set it up using my own 
mail server. Just choose your distro and follow the instructions. It 
worked like a charm.

- Mehdi

Message ID: <442ea482-ad6a-25d0-4da3-0c6e5166c48b@mehdix.org>
In-Reply-To: <2f323d0a-461e-2a94-9dc7-1ef4e01759ec@orbital.rocks>
DKIM signature: pass

I was able to work around the issue by explicitly exporting the desired 
public key:

    $ gpg --armor --export-options export-minimal \
        --export-filter keep-uid="uid = Mehdi Sadeghi <mehdi@mehdix.org>" \
        --export A60CDB0F2E292C9F

Thanks!

Message ID: <4fb28f7b-d960-75a1-db6e-7363e5fd4a82@mehdix.org>
In-Reply-To: <C920KPPYSGDH.3VJ8YY79SLS0N@clamps>
DKIM signature: pass

On 2/6/21 1:16 AM, Geoff Beier wrote:
> 2. Patch sr.ht to use the recipient email address when encrypting the
> message. Adding `user=to` to the encrypt() call here:
>
> https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/srht/email.py#L94
>
> HTH,
>
> Geoff

Geoff, on your behalf I made the patch and Drew applied it. See 
https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/20084.

Here is a mini wrap-up of the send-patch workflow I did. First add the 
following to your ~/.gitconfig (adapt it based on your email provider):

[sendemail]
     smtpServer = tuxpup.com
     smtpUser = geoff@tuxpup.com
     smtpEncryption = tls
     smtpPass = pass
     smtpServerPort = 587

Then you would only need the following to push your last commit to sr.ht:

$ git send-email --to="~sircmpwn/sr.ht-dev@lists.sr.ht" HEAD^

- Mehdi

Message ID: <C92ZDWVI789Z.39OI8ONCGVVDD@clamps>
In-Reply-To: <4fb28f7b-d960-75a1-db6e-7363e5fd4a82@mehdix.org>
DKIM signature: pass

On Sat Feb 6, 2021 at 1:37 PM EST, Mehdi Sadeghi wrote:
> Geoff, on your behalf I made the patch and Drew applied it. See
> https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/20084.
>

Very nice! Thank you for doing that, and I'm glad Drew was able to apply
it so swiftly.

> Hier is a mini wrap-up of the send-patch workflow I did. First add the
> following to your ~/.gitconfig (adapt it based on your email provider):

Thanks also for sharing your configuration for this. I suspect I was
unclear in my statement/question about where I'd gotten stuck sending
in a patch, though :). git-send-email works fine for me, and I've used
it without trouble to contribute to other things.

The reason I was hesitant to send my patch was because I haven't yet
managed to build my own sr.ht development instance to test it. Every
time I start, I (for example) wind up filling my timebox troubleshooting
Redis instead of testing my patch. The thing I was hoping someone could
point out was a shortcut I'd missed that might help me get just enough
of an instance to hack on it. I don't want to self-host it right now...
I just want to contribute a couple of features I'd like.

TLDR: sending a patch isn't a problem. Testing one is, in the context of
lists.sr.ht or todo.sr.ht. I didn't want to send an untested patch, and
was asking for pointers on setting things up to test.

Thanks again, and I'm very glad you were able to get your keys into
place.

Best,

Geoff