How do I indoctrinate a new user when using a `pubring.kbx` file?
My system is using GPG 2.1, which uses the new Keybox file format, `pubring.kbx`.
So I can't run `gpg --import keyrings/live/pubring.gpg`.
And if I try `gpg --import keyrings/live/pubring.kbx` it doesn't work:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
Even though `gpg --homedir=keyrings/live --list-keys` shows the keys I expect.
It turns out that `--import` doesn't work with the kbx format.
How are users of Blackbox dealing with this? Is there an alternative mechanism for importing keys, or should I downgrade/start over in a way that ensures the older `.gpg` file format is used?
The newest version of gpg uses a new filename and format for pubring. Sadly this breaks blackbox. Until there's a patch, please install the older gpg. The gpg2 docs say that if the old filename exists gpg2 will continue to use it, so this won't affect old repos.
This change caught me off guard.
It seems that a patch has already been merged a while ago: https://github.com/StackExchange/blackbox/pull/82
The issue is that it seems you cannot import keybox keyrings like you could with the old format.
I do not know what the way to do so would be.
Another way to work around that issue would be to manually create the pubring.gpg first; gpg2 would then fall back into compatibility mode and use this file.
But it is not future-proof, as we don't know for how long the pubring.gpg file format will be supported by gpg.
We do know how long the old format will be supported, but it's not long. From the project homepage for GPG (https://www.gnupg.org/):
2.0.30 is the stable version from an often used branch. This branch will reach end-of-life on 2017-12-31
After some playing around and a bit of reading, I think I may have the right combination of commands to import new keys from Blackbox into the local keybox when using GPG 2.1+:
gpg2 --keyring keyrings/live/pubring.kbx --export | gpg2 --import
The trick is to export the keys and then pipe them into the import.
This mailing list email has some good insights into the different mechanisms for importing/exporting between keyrings and keyboxes:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790665;msg=7
Please try this again. I believe this was fixed in 4bc97049abb07fcc11cee6ca71daf9375d8137da
I ran into this today with the latest version of blackbox on Ubuntu LTS 16.04 while adding a new admin.
Solved the issue as follows.
Importing the key (thanks @Binarytales!):
gpg2 --keyring keyrings/live/pubring.kbx --export | gpg2 --import
To re-encrypt the files, I had to prefix blackbox_update_all_files with GPG=gpg2:
GPG=gpg2 blackbox_update_all_files
Over at git-secret, an RFC on "A stable and forwards compatible public key storage format" was merged recently: https://github.com/sobolevn/git-secret/pull/207/files
Ran into this, and @Binarytales' solution works on macOS X with
gpg --keyring keyrings/live/pubring.kbx --export | gpg --import
blackbox_update_all_files
A better form of the workaround is:
gpg --no-default-keyring --keyring .blackbox/pubring.kbx --export -a | gpg --import
`--no-default-keyring` prevents gpg from also exporting the default keyring, which is pointless and noisy for this operation.
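The export-then-import workaround above, wrapped in a small script that first checks which keyring format the repository actually ships (added example; this is not blackbox's own code). It assumes the keybox magic bytes "KBXf" at offset 8, treats any other non-empty file as a classic OpenPGP keyring, and reads `$GPG` the way the blackbox tools do.

```sh
#!/bin/sh
# Added example, not blackbox's own code: import a blackbox repo's admin keys
# into the local GnuPG store, choosing the right method for the repo's keyring
# format (GnuPG 2.1+ keybox pubring.kbx vs classic OpenPGP pubring.gpg).
# Like the blackbox tools, it honors $GPG and falls back to "gpg".
GPG="${GPG:-gpg}"

# keyring_kind FILE: print "kbx" for a keybox, "gpg" for an OpenPGP keyring,
# "none" if the file is missing or empty. A keybox carries the ASCII magic
# "KBXf" at byte offset 8 (after the first blob's length, type, version, flags).
# Anything else that is non-empty is assumed to be an OpenPGP packet stream.
keyring_kind() {
    [ -s "$1" ] || { echo none; return 0; }
    if [ "$(dd if="$1" bs=1 skip=8 count=4 2>/dev/null)" = "KBXf" ]; then
        echo kbx
    else
        echo gpg
    fi
}

# import_command FILE: print the pipeline that imports FILE's keys.
# --import cannot read a keybox, so for kbx we export from it first;
# --no-default-keyring stops the export from also dumping the local keyring.
import_command() {
    case "$(keyring_kind "$1")" in
        kbx) echo "$GPG --no-default-keyring --keyring '$1' --export | $GPG --import" ;;
        gpg) echo "$GPG --import '$1'" ;;
        *)   return 1 ;;
    esac
}

# import_blackbox_keys [DIR]: prefer pubring.kbx (what gpg 2.1+ writes), fall
# back to pubring.gpg, and run the matching import. DIR defaults to
# keyrings/live as in this thread; newer blackbox layouts use .blackbox instead.
import_blackbox_keys() {
    dir="${1:-keyrings/live}"
    for f in "$dir/pubring.kbx" "$dir/pubring.gpg"; do
        cmd=$(import_command "$f") || continue
        echo "+ $cmd" >&2
        eval "$cmd"
        return $?
    done
    echo "no pubring.kbx or pubring.gpg found in $dir" >&2
    return 1
}
```

Run `import_blackbox_keys .blackbox` (or `keyrings/live`) from the repository root before `blackbox_update_all_files`.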
Thanks a lot for your solution
~~It's 2020, can we make a push to update the README with this information?~~
~~Also, is there any reason this isn't included and automated into blackbox? Why can't the commands try to import these keys on each run, or at the very least before blackbox_update_all_files?~~
My problem was elsewhere and it looks like the source already does this. Why is this not closed?
I've managed to add myself to a blackbox repo that is using the old GPG using this:
GPG=gpg blackbox_addadmin ....
I am not sure if GPG=gpg is obeyed by the blackbox_addadmin script or by gpg itself.
Yes, using GPG=gpg is fully supported. All blackbox tools use $GPG if it is set, otherwise it defaults to gpg.