
Add documentation for configuring GnuPG

Open seanthegeek opened this issue 5 years ago • 18 comments

The MISP instance is currently built without configuring GnuPG or generating a key. We should document how to set this up and/or automate the process.

seanthegeek avatar Feb 25 '20 02:02 seanthegeek

This should be a wiki page, also the creating and/or using actual SSL certs should be documented in the wiki as well.

coolacid avatar Feb 25 '20 15:02 coolacid

@coolacid I just failed to import my secret PGP key. Any suggestions?

root@0130065ac283:/var/www/MISP# sudo -u www-data gpg --homedir /var/www/MISP/app/Config/.gnupg --import /tmp/threatintel.asc 
gpg: key 81CB89AFEDECD842: "Threat Intel <[email protected]>" not changed
gpg: key 81CB89AFEDECD842/81CB89AFEDECD842: error sending to agent: Permission denied
gpg: key 81CB89AFEDECD842/874DD5C7635A04D4: error sending to agent: Permission denied
gpg: error reading '/tmp/threatintel.asc': Permission denied
gpg: import from '/tmp/threatintel.asc' failed: Permission denied
gpg: Total number processed: 0
gpg:              unchanged: 1
gpg:       secret keys read: 1
root@0130065ac283:/var/www/MISP# sudo -u www-data gpg --homedir /var/www/MISP/app/Config/.gnupg -K
root@0130065ac283:/var/www/MISP#

seanthegeek avatar Feb 25 '20 19:02 seanthegeek

error reading '/tmp/threatintel.asc': Permission denied

Is the file there, is it readable by www-data user?

coolacid avatar Feb 25 '20 19:02 coolacid

I'm also hoping this can be done without entering the container. I should find out how I did it for my prod.

coolacid avatar Feb 25 '20 19:02 coolacid

error reading '/tmp/threatintel.asc': Permission denied

Is the file there, is it readable by www-data user?

Yep. That's the weird part.

root@0130065ac283:/var/www/MISP# ls -al /tmp/threatintel.asc 
-rw-------. 1 www-data root 923 Feb 25 18:19 /tmp/threatintel.asc

seanthegeek avatar Feb 25 '20 19:02 seanthegeek

And, it imported the public key just fine

root@0130065ac283:/var/www/MISP#  gpg --homedir /var/www/MISP/app/Config/.gnupg -k
/var/www/MISP/app/Config/.gnupg/pubring.kbx
-------------------------------------------
pub   ed25519 2020-02-25 [SC]
      C59A7A8C07AD3CFB5521BDCF81CB89AFEDECD842
uid           [ultimate]  Threat Intel <[email protected]>
sub   cv25519 2020-02-25 [E]

I was reading somewhere that this might have something to do with www-data not having access to /dev/tty...

seanthegeek avatar Feb 25 '20 19:02 seanthegeek

I just tried as root for the hell of it and it still failed

root@0130065ac283:/var/www/MISP#  gpg --homedir /var/www/MISP/app/Config/.gnupg --import /tmp/threatintel.asc 
gpg: WARNING: unsafe ownership on homedir '/var/www/MISP/app/Config/.gnupg'
gpg: key 81CB89AFEDECD842: "Threat Intel <[email protected]>" not changed
gpg: key 81CB89AFEDECD842/81CB89AFEDECD842: error sending to agent: Permission denied
gpg: key 81CB89AFEDECD842/874DD5C7635A04D4: error sending to agent: Permission denied
gpg: error reading '/tmp/threatintel.asc': Permission denied
gpg: import from '/tmp/threatintel.asc' failed: Permission denied
gpg: Total number processed: 0
gpg:              unchanged: 1
gpg:       secret keys read: 1

seanthegeek avatar Feb 25 '20 19:02 seanthegeek

I figured it out

https://github.com/MISP/MISP/issues/2372 tipped me off.

So sudo breaks the special terminal input that gpg uses for the passphrase input prompt. Running gpg inside a screen session works fine.

sudo apt-get install -y screen
sudo -u www-data screen gpg --homedir /var/www/MISP/app/Config/.gnupg --import /tmp/threatintel.asc

seanthegeek avatar Feb 26 '20 16:02 seanthegeek

Ah, that makes sense. Should find a way to do this outside of the docker container still. If you import it into the homedir that's volume mounted, the entrypoint_nginx.sh file should ensure it's owned correctly.

coolacid avatar Feb 26 '20 16:02 coolacid

True. Just gotta do it before running the containers. Didn't even think of that!

seanthegeek avatar Feb 26 '20 19:02 seanthegeek

Or, restart the core container.

coolacid avatar Feb 26 '20 19:02 coolacid

We should also add a copy action for the public key to /var/www/MISP/app/webroot/gpg.asc like what is currently done for SSL certs.

seanthegeek avatar Feb 26 '20 19:02 seanthegeek

We had this issue with our MISP deployment. Instead of using screen you can just use the --batch switch.

We're adding the key to /tmp, importing it into the keyring and then exporting the armored key.

You can see it here:

https://github.com/Xyrodileas/misp-docker/blob/3cd199d1b5e0f7c1af47600481841b11b781acaf/web/run.sh#L114

Hope that helps :)

VVX7 avatar Feb 27 '20 02:02 VVX7

Revisiting this now. I'm trying to work out the best way to document this. I see two possible scenarios that need to be documented:

  1. Import an existing key made by some other tool
  2. Generate a key and import from scratch (Do we need this, or do we let someone figure out how to generate one?)

Everyone talks about exporting the public key to the webroot - is this really needed? Why not put it on a public keystore, or a website related, but not specific to the app? (Honest questions, I'm in the process of building another instance, and looking at all these things)

coolacid avatar Mar 21 '20 15:03 coolacid

Looking at https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html

Maybe we check for a gnupg.txt (or some other filename/extension) in the configuration directory and batch add the key, then delete the file. We could also extract the passphrase from the config file and apply it to MISP.

If we find gnupg.key in the configuration directory and passphrase is set in environment, we could import the file. We'd also want to configure MISP.

coolacid avatar Mar 30 '20 14:03 coolacid
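The script below is an added example written for this thread; it is not code from the docker-misp project or any commenter. It covers both scenarios listed above, importing an existing secret key and generating one unattended, and it avoids the `error sending to agent: Permission denied` failure seen earlier by running gpg with `--batch --pinentry-mode loopback` so no tty or pinentry is involved (the `--batch` approach VVX7 mentioned). The homedir and webroot paths are the ones used in this thread; reading the passphrase from a `GPG_PASSPHRASE` environment variable, the `MISP_GPG_CLI` guard, and all function names are assumptions of this script. The key-generation parameter names come from the GnuPG "Unattended GPG key generation" manual page linked above.

```shell
#!/usr/bin/env bash
# Added example (not docker-misp code). Import or generate the MISP GnuPG key
# as www-data without a tty, then publish the public key to the webroot.
# Assumption: GPG_PASSPHRASE carries the key passphrase; paths follow the thread.
set -eu

MISP_USER="${MISP_USER:-www-data}"
GPG_HOMEDIR="${GPG_HOMEDIR:-/var/www/MISP/app/Config/.gnupg}"
WEBROOT_KEY="${WEBROOT_KEY:-/var/www/MISP/app/webroot/gpg.asc}"

# Run gpg as the web user with every interactive prompt disabled.
# --pinentry-mode loopback makes gpg accept the passphrase from a file
# descriptor instead of asking the agent for a terminal (the sudo/tty problem).
gpg_as_misp() {
  sudo -u "$MISP_USER" gpg --batch --yes --pinentry-mode loopback \
    --homedir "$GPG_HOMEDIR" "$@"
}

# Extract the 40-hex-digit fingerprint from a human-readable `gpg -k` listing
# (the indented line after "pub", as in the listing posted in this thread).
fingerprint_from_listing() {
  sed -n 's/^[[:space:]]*\([0-9A-F]\{40\}\)[[:space:]]*$/\1/p' | head -n 1
}

# Scenario 1: import an existing armored secret key, e.g. /tmp/threatintel.asc.
# Check the permission problem from the thread before calling gpg at all.
import_existing_key() {
  keyfile="$1"
  if ! sudo -u "$MISP_USER" test -r "$keyfile"; then
    echo "error: $keyfile is not readable by $MISP_USER (check owner/mode)" >&2
    return 1
  fi
  # Passphrase goes over stdin (fd 0), so it never appears in argv or ps output.
  printf '%s' "${GPG_PASSPHRASE:?GPG_PASSPHRASE must be set}" \
    | gpg_as_misp --passphrase-fd 0 --import "$keyfile"
}

# Scenario 2: generate a key pair unattended from a parameter file.
generate_key() {
  name="$1" email="$2"
  params="$(mktemp)"
  chmod 0600 "$params"
  cat > "$params" <<EOF
%echo Generating MISP key for $email
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: ecdh
Subkey-Curve: cv25519
Name-Real: $name
Name-Email: $email
Expire-Date: 2y
Passphrase: ${GPG_PASSPHRASE:?GPG_PASSPHRASE must be set}
%commit
%echo done
EOF
  chown "$MISP_USER" "$params"
  gpg_as_misp --gen-key "$params"
  rm -f "$params"   # the parameter file contains the passphrase; remove it
}

# Publish the public half where the MISP footer link expects it. Prints the
# fingerprint of the exported key so callers can record it.
export_public_key() {
  email="$1"
  fp="$(gpg_as_misp -k "$email" | fingerprint_from_listing)"
  [ -n "$fp" ] || { echo "error: no key found for $email" >&2; return 1; }
  gpg_as_misp --armor --export "$fp" > "$WEBROOT_KEY"
  chown "$MISP_USER" "$WEBROOT_KEY"
  chmod 0644 "$WEBROOT_KEY"
  echo "$fp"
}

# Usage (as root inside the core container; MISP_GPG_CLI=1 enables the CLI):
#   MISP_GPG_CLI=1 GPG_PASSPHRASE=... ./misp-gpg.sh import /tmp/key.asc soc@example.org
#   MISP_GPG_CLI=1 GPG_PASSPHRASE=... ./misp-gpg.sh generate "Threat Intel" soc@example.org
if [ "${MISP_GPG_CLI:-0}" = 1 ]; then
  case "$1" in
    import)   import_existing_key "$2"; export_public_key "$3" ;;
    generate) generate_key "$2" "$3";   export_public_key "$3" ;;
    *) echo "usage: $0 import KEYFILE EMAIL | generate NAME EMAIL" >&2; exit 2 ;;
  esac
fi
```

Because the secret key is written into the volume-mounted homedir, the ownership fix-up in entrypoint_nginx.sh still applies on the next container start, and the webroot copy is what makes the footer show "Download: PGP public key". MISP's own GnuPG settings (homedir, email, passphrase) still have to be set in the application configuration; this script only prepares the keyring and the published key.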

This issue has been idle a while :) here's my attempt at providing the requested help. The MISP server provides a download link for its gpg key from the bottom-left of the screen footer; it appears to be simply a link to the file found at webroot/gpg.asc.

Maybe for dev/test purposes you'd like to have one auto-generated? But for production use, docker allows mounting a single file into the running container. I copied our existing file and added this line to docker-compose:

      - ./gpg/gpc.asc:/var/www/MISP/app/webroot/gpg.asc

With that file mounted into the container, the text at the bottom left changed from " Could not locate the PGP public key." to "Download: PGP public key" with a working link.

Would you like a new issue with that proposed change to docker-compose.yml ?

chrisinmtown avatar May 19 '21 17:05 chrisinmtown

I just hit the lack of "native" support of GPG in this Docker image.

      - ./gpg/gpc.asc:/var/www/MISP/app/webroot/gpg.asc

With that file mounted into the container, the text at the bottom left changed from " Could not locate the PGP public key." to "Download: PGP public key" with a working link.

Followed this approach and it works properly to let WebUI provide the GPG key via the bottom-left link. Without the keystore hosted in the container, it is still not possible to send mails through MISP. Error is:

2021-12-20 16:02:58 Notice: GPG couldn't be initialized, GPG encryption and signing will be not available.
[Crypt_GPG_FileException] The 'homedir' "" is not readable or does not exist and cannot be created. This can happen if 'homedir' is not specified in the Crypt_GPG options, Crypt_GPG is run as the web user, and the web user has no home directory.
Stack Trace:
#0 /var/www/MISP/app/Vendor/pear/crypt_gpg/Crypt/GPGAbstract.php(269): Crypt_GPG_Engine->__construct(Array)
[...]

Is there a way to allow sending mails work even if GPG is not configured? Is GPG still not required by MISP?

pandvan avatar Dec 20 '21 16:12 pandvan

'Pinging' this issue in hopes there's a 'clean' solution?

packet-rat avatar Oct 07 '22 20:10 packet-rat