passforios: Cannot view any stored pass item after setup

Tested environments

  • the beta version pass for iOS 0.12.0 (8) from testflight on iOS 14.4 (has this issue)
  • the stable version pass for iOS 0.11.0 (11) from App Store on iOS 14.4 (has this issue)
  • iOS 11.4 running Pass for iOS 0.9.0 (21) (works without this issue)

Steps to reproduce:

  1. Set up a remote https git repo at gitlab via username and password (id_rsa 4096 key and id_ed25519 keys don’t seem to be supported… but that is irrelevant to this).
  2. Also exported the gpg keys via local server URL (using ruby -run -e httpd . -p 8080 and then http://<local ip>:8080/a.asc etc.). The import seemed fine, except it warned me not to use http but use https instead.
  3. Then I clicked on one pass item in the Passwords menu. It asked for the PGP secret key Passphrase.
  4. I filled in the password correctly (I tried 20+ times, even via a Bluetooth keyboard; the same password unlocks my gpg on my computer fine).

Result

However, once I finish inserting my password and click OK, I get:

Cannot show password
gopengp: unable to add locked key to a keyring

Expected results:

The item opens, and shows the item view, where I could copy or show the password.

Things I have tried to fix/rule out:

  • Guessing it may have been talking about iOS keychain, I checked my keychain. It is synced fine with iCloud, and works fine.
  • Tried several times after deleting the GPG key and several ways to export the gpg key (via key id, or the email etc.).
  • Also tried importing via iTunes (dropped the keys into the Pass Beta app then clicked iTunes import which showed a prompt saying “success”).
  • Tried deleting the app (along with its data) and completely setting up afresh.

None of those worked. Not sure what went wrong here.

Let me know what more info I can provide to help debug or resolve this issue with better documentation.

Not sure if it is relevant, but I was using an old iOS 11.4 running Pass for iOS 0.9.0 (21) before which worked (and still works) fine; I just migrated (via backing up to iTunes, ehm, it is called Music now and works directly from within Finder) from that to iOS 14.4.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 32 (22 by maintainers)

Most upvoted comments

Response

@telnoratti I tried what you suggested but without luck. Here is what I did:

  • gpg --edit-key MY_KEY_ID
  • list to show the keys
  • 1 to select a key
  • expire to edit the expiration dates of all the subkeys to never
  • list now shows
sec  rsa4096/XXXXXXXXXXXXXXXX
     created: 2016-07-24  expires: 2022-09-28  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/XXXXXXXXXXXXXXXX
     created: 2016-07-24  expires: never       usage: E
sub  rsa4096/XXXXXXXXXXXXXXXX
     created: 2018-07-10  expires: never       usage: A
[ultimate] (1). Hormet Yiltiz <hyiltiz@gmail.com>

Originally, the ssb encryption subkey and the sub auth subkey had expiration dates (though not yet expired); I removed them, but that didn’t resolve anything.

A new lead

I noticed that it is common to have a sec key for Signature SC followed by an ssb key for Encryption E. Maybe the additional Auth subkey is messing it up?

I then tried two sets of keys (one pair of RSA2048 and a triplet of elliptic curve) that I had from before (created with the same gpg version); the elliptic set had an additional Auth subkey. To use a new key pair, I just did:

gpg --list-keys  # pick the new key ID
cd ~/.password-store/
pass init NEW_KEY_ID  # wait for each key to be encrypted
pass git push # upload all re-encrypted keys to the gitserver
gpg --export -a NEW_KEY_ID > sub.pub
gpg --export-secret-subkeys -a NEW_KEY_ID > sub  # can append ! to force only export a single subkey, e.g. use NEW_KEY_ID!
gpg --show-key sub  # to make sure only the E type subkey has been exported
ruby -run -e httpd . -p 8080
# from iOS app, select Upload Key via URL and insert http://<machine ip>:8080/sub.pub etc.
# import should be successful, with a warning about using HTTP
# from iOS app, drag down to refresh the keys to get the re-encrypted ones
# click open any key that was previously not possible to open

The above procedure worked for the RSA2048 key pair but failed for the elliptic key pair.

Finally, I re-tried the same steps as above, but used the subkey ID with the E type for the elliptic set (instead of the main key with the type SC) for the export. Then the elliptic key set that had an Auth type subkey also worked (remember to append an exclamation mark ! after the E type subkey ID if --show-key lists the A type Auth key as well)!

Final test

I then followed up the test with my original RSA4096 keys that started this thread, using the E type subkey for export then import. This finally worked! The issue was having an extra Auth key all along! The Go code listed above must’ve got confused with it.

TL;DR

Generate a new pair of keys, re-encrypt with pass init NEW_KEY_ID! (notice the exclamation mark ! appended after the ID to force only export a single subkey), then use its E type subkey ID during import/export.


@mssun I can see we can resolve this in two ways now:

  • Simply add a bit more detailed instructions to the app.
  • Patch the gopenpgp library code as shown above.

I think the former can be implemented any day now.

I got this error and tried both --export-secret-subkeys and --export-secret-keys with no luck. When editing the key I noticed I had both a revoked subkey and an expired subkey. I deleted the keys, exported the key again, then imported into passforios, and was able to decrypt passwords after that. The keys don’t show up with --list-keys and were only visible when I was in the --edit-key prompt and used the list command.

I restored my keys from a backup after that. I’m pretty sure I don’t have anything encrypted to those subkeys and they were just used for testing, but I could see how these keys might have tripped the lines of code in gopenpgp that @hyiltiz identified.
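The two export shapes this thread found to break the import, an extra authentication (A) subkey and revoked or expired subkeys left in the keyring, can both be spotted before touching the app by inspecting the machine-readable listing that `gpg --show-keys --with-colons <exported-file>` prints. The audit below is an added example for this thread, not code from passforios or gopenpgp; the two listings are constructed samples with made-up key IDs, and the field positions follow GnuPG's documented colon format (field 2 validity, field 5 key ID, field 12 capabilities).

```python
"""Pre-import audit of a GnuPG export for Pass for iOS (added example).
Input is the output of `gpg --show-keys --with-colons <file>`: in sec/ssb
records, field 2 is validity ('r' revoked, 'e' expired) and field 12 holds
the key's own capabilities in lowercase (s, c, e, a)."""
from dataclasses import dataclass
from typing import List

# Constructed sample: the thread's layout, primary SC key + E subkey + extra A subkey.
WITH_AUTH_SUBKEY = """\
sec:u:4096:1:0123456789ABCDEF:1469318400:1664323200::u:::scESCA::::::23::0:
uid:u::::1469318400::0000000000000000000000000000000000000000::Example <u@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1469318400::::::e::+::23:
ssb:u:4096:1:0F1E2D3C4B5A6978:1531180800::::::a::+::23:
"""
# Constructed sample: one good E subkey plus a revoked and an expired test subkey.
WITH_DEAD_SUBKEYS = """\
sec:u:2048:1:1111111111111111:1469318400:::u:::scESC::::::23::0:
ssb:u:2048:1:2222222222222222:1469318400::::::e::+::23:
ssb:r:2048:1:3333333333333333:1469318400::::::e::+::23:
ssb:e:2048:1:4444444444444444:1469318400:1500000000:::::e::+::23:
"""

@dataclass
class KeyRecord:
    kind: str      # sec/ssb (secret) or pub/sub (public)
    validity: str  # 'r' revoked, 'e' expired, 'u' ultimate, ...
    keyid: str
    caps: str      # this key's own capabilities, lowercase only

def parse_colons(listing: str) -> List[KeyRecord]:
    recs = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb", "pub", "sub") and len(f) > 11:
            own = "".join(ch for ch in f[11] if ch.islower())
            recs.append(KeyRecord(f[0], f[1], f[4], own))
    return recs

def audit_for_passforios(listing: str) -> List[str]:
    """Findings in prose; empty means the plain SC primary + one E subkey shape."""
    findings = []
    subkeys = [r for r in parse_colons(listing) if r.kind in ("ssb", "sub")]
    for r in subkeys:
        if "a" in r.caps:
            findings.append(f"{r.keyid}: authentication (A) subkey present; "
                            "export only the E subkey (append ! to its id)")
        if r.validity == "r":
            findings.append(f"{r.keyid}: revoked subkey still in export")
        elif r.validity == "e":
            findings.append(f"{r.keyid}: expired subkey still in export")
    usable = [r for r in subkeys if "e" in r.caps and r.validity not in ("r", "e")]
    if len(usable) != 1:
        findings.append(f"expected exactly one usable E subkey, found {len(usable)}")
    return findings
```

Run it on the listing of the file you are about to serve to the app; an empty result means the export matches the shape that worked for both the RSA and the elliptic keys above.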

We have a test case for RSA4096 secret subkey: https://github.com/mssun/passforios/blob/1454693308b6fb73519aaefc32f6bbb3eecc5821/passKitTests/Testbase/TestPGPKeys.swift#L41-L46

Can anyone provide step-by-step commands to generate such a key which breaks the gopenpgp library?

Thank you. Let me have a try.