import OpenPGP key into Launchpad

Asked by David B on 2020-07-28

I cannot import my gpg key into Launchpad. I have made it as per the instructions in Launchpad using the 'Password and Keys" tool (rather than my preferred command line), sent it successfully to the Ubuntu KeyServer and then, after ensuring its arrived at the keyserver, copied the "fingerprint" to the appropriate page in Launchpad.

Launchpad tells me it will send me an email (but does not tell it has done so). Nothing.

Now, I see a lot of mentions about Launchpad accepting only v1 gpg keys. However, I have followed the Launchpad instructions meticulously and I am using Ubuntu18.04. I have not, manually replaced a gpg v1 with a gpc v2 but, looking at the man page, it seems I do have only gpg v2 installed.

Is the Launchpad documentation out of date ? I need to revoke that key, install gpg1 and generate a dated key and try again.

or am I doing something else quite wrong ? If so, what can I do to correct the situation ?

Thanks

Davo

Question information

Language:
English Edit question
Status:
Solved
For:
Launchpad itself Edit question
Assignee:
No assignee Edit question
Solved by:
David B
Solved:
2020-08-04
Last query:
2020-08-04
Last reply:
2020-08-03
Colin Watson (cjwatson) said : #1

We'll need to look at the public key in question. What does "gpg --list-keys FINGERPRINT" say (replacing FINGERPRINT with the fingerprint of your key)?

David B (d-bannon) said : #2

Hi Colin, thanks for your interest.

This -

pub rsa2048 2020-07-27 [SC]
      53FE0A4EE7964B504C079783D1FCDF97650B7299
uid [ultimate] David Bannon (For my personal use) <email address hidden>
sub rsa2048 2020-07-27 [E]

I 'think' its a v2 key ....

Davo

Colin Watson (cjwatson) said : #3

No, that's a v1-compatible key, so the problem is something else.

Could you please copy and paste for us the exact message that Launchpad shows you when you attempt to import your key? I'd also recommend carefully checking spam folders and similar (you may have done so already, but it sounds like Launchpad thinks it's sent you an email but it hasn't reached you for some reason, so it's worth checking this kind of thing).

David B (d-bannon) said : #4

Colin, when I clicked the "Import Key" button, I was immediately taken, again, to the OpenID login screen, I logged in, allowed requested permission and was then taken back to the Launchpad 'fingerprint' screen. The screen was identical to when I clicked the "import key" button except that the fingerprint field was now blank.

No email from Launchpad in my inbox or in my spam folder.

I have received a number of emails from Launchpad since then, relating to changing my ssh keys and this conversation.

Davo

David B (d-bannon) said : #5

Colin, are you sure mine is a V1 key ?

gpg --version [enter]
gpg (GnuPG) 2.2.4
....

I cannot find anything that looks like gpg1 so have to assume the GUI used my gpg command. Or does it have some other way to generate a version 1 key ? I cannot find an option to tell me what it really is....

I assume I can remove that key from the KeyServer if I revoke it. So, I could do so and start again if you think that would help ? I could even send it to you but not with the passphrase, so I doubt it would help in any way.

But I could make a burner key, let you have that ???

Signing off here, late !

Davo

David B (d-bannon) said : #6

Sorry to nag but I need to move ...

Should I revoke that key, remove it from the keyserver (? how ?) and start again ?

Davo

David B (d-bannon) said : #7

OK, some eight hours ago I generated a revoke certificate, revoked that cert from my keyring, good, its now marked here, locally, as revoked. In both the GUI and command line. Good.

So I then synced that revoked cert with the Ubuntu keyserver. It still shows exactly the same as before I went through the revoke process. After 8 hours.

I still get no errors at any stage. I am reluctant to try creating a new cert and uploading a potentially unusable AND unremovable cert to this keyserver.

Just what is going on here please ??

Davo

Colin Watson (cjwatson) said : #8

I'm afraid I was on leave for part of last week. Trying to work out what's been going on now ...

Yes, I'm quite sure your key is (was?) GPG v1-compatible - I checked. The fact that you're running GPG v2 is immaterial to this.

> Colin, when I clicked the "Import Key" button, I was immediately taken, again, to the OpenID login screen, I logged in, allowed requested permission and was then taken back to the Launchpad 'fingerprint' screen. The screen was identical to when I clicked the "import key" button except that the fingerprint field was now blank.

Dealing with GPG keys in Launchpad requires you to have freshly logged in, which is why you were redirected to the login screen. What happens if you enter your fingerprint again immediately after this?

Also, is it possible that you're rejecting cookies from launchpad.net or from login.launchpad.net?

Revoking your key has probably made the situation several times more complicated, unfortunately. You shouldn't have done that. It will probably now be necessary to generate a new key, and you won't be able to remove the revoked one from the keyserver. In future, you should normally only revoke keys if you've lost control of them.

Don't send us the private key under any circumstances. We will never ask for it and do not need it.

David B (d-bannon) said : #9

In reverse order, yes, I understand revoking is a big step but I expected it to be marked as revoked on the server, apparently not ?? The documentation on the Ubuntu/Launchpad website is quite dated I am afraid.

I set an expiring date on that key, the "to expire key" then showed up on the server as yet another one, it has now expired an I am back where I started.

I have generated a new key, pushed it to the server and then waited for 24 hours before doing any more. That 24 hours will be up soon....

No, I don't believe I am rejecting cookies from anywhere. I have an ad blocker active, would the launchpad response look anything like an ad ?

When my 24 hours are up, I will disable the ad blocker, check the cookies situation, do a fresh login and try again.

Sorry i proceeded but it appeared, from my end that there was no help available. I had to do something and that looked a bit like "something".

The new key i made is also rsa, 2K but without a comment this time.

I used to work with x509, I have to say that approach seemed a lot more flexible, it was possible to hide revoked keys and end users could clearly see what was, and what was not viable !

Thanks for getting back to me.

Davo

William Grant (wgrant) said : #10

It's important that you include details of relevant keys. In this case it looks like your last comment might be discussing 3A2A CB01 F94D EC6C BCC6 0E0B 28E0 C379 C996 11AC, but do please confirm that.

What happens when you enter the fingerprint on https://launchpad.net/~/+editpgpkeys? Even if you've already tried, please try again to ensure there are recent logs on our side and any intermediate mail servers. As Colin says, if you sit on the form page for too long it will ask you to reauthenticate, after which you need to reenter the fingerprint and resubmit the form.

David B (d-bannon) said : #11

Yes William, thats my new key. I have pushed it to the keyserver (obviously) but was waiting 24 hours before trying the import into launchpad. I suspected i may have rushed it last time....

So, will try now !
....

And that worked exactly as expected !

Now, i am happy but sad that I cannot replicate the problem for you. What have I done differently ?

1. I waited 24 hours between pushing the key and importing into launchpad.
2. My new key has no comment.
3. I made sure I was in a current (ie no time out) login session before doing the import. Last time I would have been flicking between tabs reading instructions....

Davo

William Grant (wgrant) said : #12

I think the most likely cause is that you didn't resubmit the form after it asked you to reauthenticate.

David B (d-bannon) said : #13

yes, so do I in hindsight. At the time I thought it was asking me to authenticate the processing of my fingerprint, in fact it had discarded my fingerprint and was requiring me to start again.

I suggest it would be helpful if the fingerprint page informed the user it had timed out, or, if thats not possible because its stateless, just said that a time out is possible, "refresh before you start".

In my case, I had arrived at the fingerprint page without a key I wished to use for this purpose. So, went off reading various docs, created the key, discovered the Password and Keys app. All plenty of time for the page to expire !

Anyway, much thanks to you, William and Colin, I am underway now !

Davo