[BUG] OpenKeychain does not recognize the same key formats as GPG
Closed this issue · 37 comments
Whenever I save a password entry, I get the following error:
"Found .gpg-id, but it contains an invalid key id, fingerprint or user ID."
This can be reproduced by editing any existing entry or creating a new entry. Existing entries can be decrypted just fine.
Oneplus 7 Pro, Android 10, Password Store 1.10.3.
The only thing I can see that I'm doing that may diverge from the common case is that my key id is not a fully-formed email address (user@domain.tld), but simply user@host.
Thanks for the report.
This seems to be an issue with OpenKeychain, as we are ultimately using this regex to parse the user ID in the .gpg-id file. Could you file an issue with them here?
OpenKeychain issue for reference: open-keychain/open-keychain#2579
I ran into the same issue but in my case, my user id did not contain an invalid email address. Instead, it just contained no email address at all. My user id was like "PasswordStoreKey".
Looking at the code that uses the regex you referred to and assuming this regex is not buggy, it seems to match my case and return a UserId object with email and comment set to null, which reflects my actual user id.
Therefore, I suspect that PasswordStore is mainly relying on the email-address to identify pgp keys, could that be possible? If so, I don't know if that is a sensible configuration, since it is possible to create pgp keys without email addresses. So, maybe this issue could actually be caused by PasswordStore but it is still debatable which behavior would be expected and is desired.
Anyways, if someone else ends up here and does not know how to fix/workaround that issue (it took me some time), this is what I have done:
The .gpg-id file is a (possibly hidden) file in your .password-store directory where the user id of a pgp key is stored. In my case it only contained the line "PasswordStoreKey". I changed that file to contain the single line "PasswordStoreKey randomaddress@example.com".
Additionally, in OpenKeychain, I added another identity to the pgp key that I am using for password storage with name set to "PasswordStoreKey" and email-address set to "randomaddress@example.com". Then, I was able (again?) to generate and store passwords from PasswordStore.
AFAIK OpenKeychain's API offers precisely two ways to identify a key: its long key ID or an email address. @msfjarvis please correct me if I'm wrong.
I would recommend to always specify the key ID of your master key in .gpg-id, which also works around this issue.
I encountered exactly the same problem as @CaptainVonNutbar on Android 9 with PasswordStore 1.10.3 and OpenKeychain 5.5. It does seem to be a recently introduced problem: While my key's email is also 'name@othername', not 'name@othername.yetanother', it used to be possible to create passwords in the app with this configuration. I can't tell in which version the behavior went faulty exactly, but I feel like it has to have happened in the last weeks or few months at most.
Maybe this will help to track down the change that's responsible for this. Apart from this, I just want to say that I really appreciate everyone's work on this app. Keep it up!
Well, then, this changes everything. Then PasswordStore already does the best it can.
Thanks for that hint, I'll try that.
I re-checked the code today and can confirm: OpenKeychain's intent system does not offer the ability to use any other identification option. We don't have any options other than educating users or offering an option to overwrite the invalid .gpg-id contents with a manual key selection.
I have played around with the .gpg-id file a little bit today and what I found is that I cannot encrypt passwords with any other key than my default one by specifying different email addresses. PasswordStore or OpenKeychain just seems to ignore the email address specified there. Using a key id in .gpg-id instead works.
Has someone tried this before and can confirm this? I'm super confused right now and I'm wondering if I'm doing something wrong ...
PasswordStore 1.11.0, OpenKeychain 5.5
Can someone elaborate on how to add a key id to .gpg-id? I am not good at GPG/PGP.
In that case it'd be much easier if you simply delete the .gpg-id file, then let Password Store create it for you when you edit or add a new password.
Thanks very much for the quick reply. I have two questions if you don't mind.
- Right now, looks like the .gpg-id is tracked by the git repo. Do you think it is okay to .gitignore it?
- I am not sure how to delete the .gpg-id stored on my phone. I am using the hidden repo option, where the app clones the repo into the app memory. Sorry if I used the incorrect terminology here but I hope you get the idea.
> Right now, looks like the .gpg-id is tracked by the git repo. Do you think it is okay to .gitignore it?
The .gpg-id file tells pass clients what key to use to encrypt/decrypt your passwords with, so I'd highly recommend you do not add it to the Git ignore file.
> I am not sure how to delete the .gpg-id stored on my phone. I am using the hidden repo option, where the app clones the repo into the app memory. Sorry if I used the incorrect terminology here but I hope you get the idea.
At the moment there's no option to show all files in the repository, but since we're now using .gpg-id files it certainly makes sense to offer the option to remove it as well. You'll have to use your computer or a separate Git client on your phone for this right now, but the next version will expand the 'Show hidden folders' option to also include files.
Thanks very much. I will look into it.
I've created #1059 to allow seeing hidden files within Password Store so that this flow is simpler for end users.
Redmi note 8t with LineageOS 17 here.
I have somehow the same issue but with a different error from the app.
Logged with adb logcat, last log part is displayed on-screen by the app
PasswordCreationActivity$encrypt$$inlined$with$lambda: onError getMessage: Missing key for encryption: %s
Decrypting works just fine.
Problem started after I rotated the .gpg-id key with a new ed25519 sub-key.
I will continue to play with .gpg-id, seems to be the problem here.
> Redmi note 8t with LineageOS 17 here.
> I have somehow the same issue but with a different error from the app.
> Logged with adb logcat, last log part is displayed on-screen by the app
> PasswordCreationActivity$encrypt$$inlined$with$lambda: onError getMessage: Missing key for encryption: %s
hm I need to fix this logging.
> Decrypting works just fine.
That's expected, decryption delegates key selection to OpenKeychain which simply goes through all available keys and selects the one that matches.
> Problem started after I rotated the .gpg-id key with a new ed25519 sub-key.
> I will continue to play with .gpg-id, seems to be the problem here.
Let us know what comes of it.
I ended up adding an email to my key (it was lacking one at the time I made the first comment) and the app works fine now.
Had a heart attack moment when I deleted my old uid without first doing a pass init but that is besides the point.
Ok, solved with reencrypting all my pass files with rsa main key ( .gpg-id modified by pass cmd) on my linux client and pulling the repo on android app.
Encrypting started working again,
none of my keys have a complete email but only comments
I've the same error. But I'm not sure if I understand the conversation well.
Inside the PasswordStore settings I can't define the GPG keys anymore.
Inside of the openKeyChain I selected my 4 Keys I use in the past.
But inside the Android file System (especially not on the SmartDrive/PasswordStore Folder I use for the password files) I can't find any .gpg-id file.
So I'm a little bit confused, what to do.
PS: Use of actual 1.11.3 from Playstore
If you have no .gpg-id file in your repository then you can't get the error being discussed in this issue. Make sure you've enabled the 'Show hidden files' setting for your file browser application, then simply delete .gpg-id. When you next attempt to save a password, the app will let you pick your preferred key and create a new .gpg-id file in the store.
OK, you are right. The message is different, but hard to read due to the short time it is visible. The error message is
"Failed to locate .gpg-id, is your store setup correctly?"
Excuse me for this error.
So the store setup is unchanged for a long time and decrypting is still possible.
I am encountering this issue, but in my case it's because Password Store stopped supporting the full range of keyid formats that GPG (and therefore pass) accept. My .gpg-id uses the common 0xlong format but with an exclamation mark after to force a specific subkey (e.g. 0x123456789ABCDEF0!). This format used to work, but no longer does; possibly with the switch from the "legacy" play version to the new play one. I tried removing the exclamation point, as well as removing the 0x part, but neither format worked.
I tried deleting my .gpg-id file per @msfjarvis's suggestion to allow Password Store to pick the format it preferred, but it doesn't ask me to pick a key, instead just saying "Failed to locate .gpg-id, is your store set up correctly?".
I just realized I was using a subkey id (since that was my original intent with my .gpg-id, and which used to work). Trying again with the primary key id these formats worked:
- 123456789ABCDEF0
- 0x123456789ABCDEF0
These did not:
- 0x123456789ABCDEF0!
- 12345678
- 123456789ABCDEF0123456789ABCDEF0 (full fingerprint)
That was my mistake, I misremembered the strategies we deploy to repair a broken store: The app doesn't prompt for key selection if no .gpg-id was found. We've changed it in the development branch to also work for empty .gpg-id files that the app has been creating as a holdover from its legacy version, and will probably extend it to missing .gpg-id before the release goes out.
If even the full fingerprint is not working then it is almost certainly a bug with OpenKeychain and must be reported to them. I will attempt to reproduce it on my end shortly.
As @computator, I am using a subkey for encryption and decryption. Does it mean I need to use the primary key ID from now on?
You always had to use the key ID of the primary key in the sense that OpenKeychain has afaik never supported specifying subkey IDs. But we are now respecting the content of the .gpg-id instead of asking you to select the primary key manually.
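A small checker for the selector formats discussed in this thread, added here as an illustration and not code from Password Store or OpenKeychain: it classifies each .gpg-id line by the formats gpg/pass accept (short and long key ID, 0x prefix, "!" subkey pin, fingerprint, user ID with or without an e-mail) and flags which ones OpenKeychain's API can resolve, which per the maintainers' comments is only a primary long key ID or an e-mail address. The rule that an address must have a dotted domain is an assumption taken from the first report, not something the thread confirms; the regexes and the sample file are constructed.

```python
import re
from dataclasses import dataclass
# Selectors gpg (and therefore pass) accept in .gpg-id: 8-hex short ID, 16-hex long ID
# or 40-hex v4 fingerprint, optionally "0x"-prefixed and optionally "!"-suffixed to pin
# that exact (sub)key. Anything else is a user-ID search string ("Name (comment) <email>").
HEX_ID_RE = re.compile(r"^(0x)?(?P<hex>[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})(?P<bang>!)?$")
# Assumed from the thread's first report: an address needs a dotted domain to be accepted.
EMAIL_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")

@dataclass
class GpgIdEntry:
    raw: str
    kind: str             # short_id | long_id | fingerprint | user_id
    gpg_accepts: bool     # desktop pass/gpg can use this selector
    okc_resolvable: bool  # OpenKeychain's API can: only a primary long key ID or an e-mail
    note: str

def classify(line: str) -> GpgIdEntry:
    """Classify one .gpg-id line by what gpg accepts and by what OpenKeychain can resolve."""
    s = line.strip()
    m = HEX_ID_RE.match(s)
    if m:
        kind = {8: "short_id", 16: "long_id", 40: "fingerprint"}[len(m.group("hex"))]
        if m.group("bang"):
            return GpgIdEntry(s, kind, True, False, "'!' pins a subkey; OpenKeychain takes only primary long key IDs")
        if kind == "long_id":
            return GpgIdEntry(s, kind, True, True, "primary long key ID; works in both")
        return GpgIdEntry(s, kind, True, False, f"{kind} works in gpg; use the 16-hex primary key ID for OpenKeychain")
    # Otherwise a user ID: take the e-mail from <...> or from the first bare token containing '@'.
    em = re.search(r"<([^>]*)>", s)
    email = em.group(1) if em else next((t for t in s.split() if "@" in t), None)
    if email is None:
        return GpgIdEntry(s, "user_id", True, False, "user ID has no e-mail; gpg matches it, OpenKeychain cannot")
    if not EMAIL_RE.match(email):
        return GpgIdEntry(s, "user_id", True, False, f"e-mail {email!r} lacks a dotted domain; rejected by OpenKeychain's parser")
    return GpgIdEntry(s, "user_id", True, True, f"e-mail {email!r} is resolvable by OpenKeychain")

def check_gpg_id(text: str) -> list:
    """Classify every non-empty, non-comment line of a .gpg-id file (pass allows several keys)."""
    return [classify(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

# Constructed sample .gpg-id mirroring the selectors people tried in this thread.
SAMPLE_GPG_ID = """\
0x123456789ABCDEF0!
123456789ABCDEF0
123456789ABCDEF0123456789ABCDEF012345678
PasswordStoreKey
Alice <alice@laptop>
PasswordStoreKey randomaddress@example.com
"""

if __name__ == "__main__":
    for e in check_gpg_id(SAMPLE_GPG_ID):
        print(f"{'OK ' if e.okc_resolvable else 'FIX'} {e.raw!r:45} {e.kind:12} {e.note}")
```

Run it against a copy of your store's .gpg-id before migrating to the Android app; any line marked FIX is one the desktop client accepts but OpenKeychain will not resolve, and the note says what to replace it with.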
Oh thanks I understand the whole thing better now.
Doesn't seem like a fix is forthcoming any time soon on the OpenKeychain side. Can we have the option to override .gpg-id and choose a key manually?
Probably, but it's rather low priority at the moment.
Hi, I ran into the same problem. I am migrating to a pixel 3 with Android 10, lineageOs 17.1.
I set up OpenKeyChain and Password-Store as I had on my previous phone. This means that I imported all previous keys to OpenKeyChain and then cloned my Password-Store structure from my repository (via ssh).
At first glance all seemed fine because decrypting works, but when I first tried to add a new entry - dang, got the error message "Found .gpg-id, but it contains an invalid key id, fingerprint or user ID."
I then followed what I understood from the above - switch on showing hidden files and then delete ".gpg-id" so that the Password-Store can generate it anew. I was able to delete ".gpg-id", but if I now want to add a new password-entry I persistently get the error message "Failed to locate .gpg-id, is your store set up correctly?".
Any advice on how to deal with that? From the above comments I thought that a new .gpg-id would be generated automagically when a new entry is added but that does not seem to happen.
Right now I save new passwords in plain text in a notepad-app, not very satisfying...
Hi, my apologies for the confusion there, deleting .gpg-id was not the right advice at the time and I should have edited the original response after I posted the correction in the next comment. Here's a custom version of the app that will behave as I said it would: https://dl.msfjarvis.dev/aps-gpg-id-fixup, you can read about the build types here (https://android-password-store.github.io/docs/users/build-types) to pick the one that's right for you.
The change shipped in the above binary has been applied to the development branch, and can be tested through the snapshot builds. The APKs linked above are built off the latest release branch with the same change applied.
Hey msfjarvis, you are the greatest! I downloaded your apk already 4 weeks ago and it worked! I then got caught up in something else and did not get around to saying thanks - so I do it now. I also installed the updated version via f-droid on another device - worked as well. Sweet!
No worries, glad you got it working
Should we close this issue @fmeum? OpenKeychain will not fix anything anytime soon and our implemented workaround appears to work well enough for users.
Agreed & closed