I recently upgraded from pre version 1.0 keybase (prior to the move from keybase sign -> keybase pgp sign) to keybase 1.0.3 on OSX (via brew). I am no longer able to sign messages.
$: echo "hello" | keybase pgp encrypt
-----BEGIN PGP MESSAGE-----
Comment: https://keybase.io/download
Version: Keybase Go 1.0.3 (darwin)
...
$: echo "hello" | keybase pgp sign
ERROR No secret key available
$: gpg -K
--------------------------------
sec 4096R/CEE93F68 2014-09-22 [expires: 2016-09-10]
...
ssb 4096R/07E75F2C 2014-09-22
$: gpg --edit-key CEE93F68
gpg (GnuPG/MacGPG2) 2.0.28; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/CEE93F68 created: 2014-09-22 expires: 2016-09-10 usage: SC
trust: ultimate validity: ultimate
sub 4096R/07E75F2C created: 2014-09-22 expires: 2016-09-10 usage: E
...
The odd thing here is keybase is clearly associated with my master key, I can use the subordinate key to encrypt, but I can't use the master key to sign?
I can also use the gpg tools to sign without issue:
$: echo "hello" | gpg --sign --armour
-----BEGIN PGP MESSAGE-----
Comment: GPGTools - https://gpgtools.org
...
Follow up. I'm unsure what state things are stuck in, but it seems quite messed up:
$: echo "hello" | keybase pgp encrypt pearce | keybase pgp decrypt
ERROR unable to find decryption key for this message (error 924)
I've spoken with a few other OSX users that upgraded from similar old versions to 1.0.3 who exhibit similar behavior.
Does keybase pgp select --only-import help?
We have a new model in which we're no longer shelling out to GPG. We're using Go's OpenPGP libraries instead. But as part of this process, we're asking for users to explicitly ask for their keys to be used in this regard.
So I'd try this fix first. If it works, I'll follow up on how to improve the messaging around this site. Thanks!
I just did a totally fresh install on a brand new laptop after properly setting up gpgtools.
$: echo "hi" | keybase pgp sign
▶ ERROR Login required
$: keybase login
How would you like to sign this install of Keybase?
(1) Use an existing device
(2) Use a paper key
(3) Use my Keybase passphrase
(4) Use GPG
Choose a signing option: 4
In order to authorize this installation, keybase needs to sign this installation
with your GPG secret key.
You have two options.
(1) Keybase can use GPG commands to sign the installation.
(2) Keybase can export your secret key from GPG and save it to keybase's local encrypted
keyring. This way, it can be used in 'keybase pgp sign' and 'keybase pgp decrypt'
going forward.
Which do you prefer?: 2
# Algo Key Id Created UserId
= ==== ====== ======= ======
1 R 44A852C5CEE93F68 2014-09-21 Paul Pearce ...
Choose a key: 1
Enter a public name for this device: ...
✔ Success! You provisioned your device ...
You are logged in as pearce
- type `keybase help` for more info.
$: echo "hi" | keybase pgp sign
▶ ERROR No secret key available
The text in that workflow seemed correct and matched what you said above (importing the gpg key for use with the OpenPGP libs). But it didn't work. So then I ran what you said:
$: keybase pgp select --only-import
# Algo Key Id Created UserId
= ==== ====== ======= ======
1 4096R 44A852C5CEE93F68 ...
Choose a key: 1
▶ INFO Bundle unlocked: 44A852C5CEE93F68
▶ INFO Key 44A852C5CEE93F68 imported
$: echo "hi" | keybase pgp sign
-----BEGIN PGP MESSAGE-----
Comment: https://keybase.io/download
Version: Keybase Go 1.0.3 (darwin)
...
So yes this fix worked, but it should be happening automatically when you provision a new install and tell it to import the gpg key for use with the pgp commands.
Thanks so much for the bug report. I'll put a ticket in for it and we'll investigate.
We fixed this in https://github.com/keybase/client/pull/1422 which will be included in release 1.0.4 today.
My symptoms match those of @paul-pearce, but running keybase pgp select --only-import failed with an error.
$ keybase pgp select --only-import
# Algo Key Id Created UserId
= ==== ====== ======= ======
1 4096R 4FC48C5074E866E9 Elijah Gwynn ...
Choose a key: 1
Collecting your passphrase for Import of key into keybase keyring.
▶ INFO Bundle unlocked: 4FC48C5074E866E9
▶ ERROR key generation error: Failed to get pubkey: openpgp: invalid data: subkey signature invalid: openpgp: invalid data: signing subkey is missing cross-signature
EDIT: FWIW, it appears as though my subkey is cross-signed properly:
$ gpg --edit-key 4FC48C5074E866E9
Secret key is available.
pub 4096R/74E866E9 created: 2013-08-09 expires: 2017-08-09 usage: SCEA
trust: ultimate validity: ultimate
sub 4096R/751FB424 created: 2013-08-09 expires: 2017-08-09 usage: SEA
[ultimate] (1). Elijah Gwynn ...
[ultimate] (2) Elijah Gwynn ...
gpg> cross-certify
signing subkey 751FB424 is already cross-certified
After upgrading to keybase version 1.0.16-20160707110020+ee537fc, running keybase pgp select --only-import both runs successfully and makes the other keybase pgp commands work properly.
Hi Eli!
On Tuesday, July 12, 2016, egwynn wrote:
After upgrading to keybase version 1.0.16-20160707110020+ee537fc, running keybase
pgp select --only-import both runs successfully and makes the other keybase
pgp commands work properly.
Hi Max!
If you import an existing private key into GPG and then have trouble importing it into Keybase with keybase pgp select --only-import, you may be running into the gpg vs gpg2 problem.
All of the tutorials I've found for importing keys tell you to use gpg --import keyname and the like. The problem is, on Ubuntu for example, that gpg and gpg2 are often installed simultaneously on a system.
If gpg and gpg2 are both installed and you import a key with gpg --import keyname, gpg --sign will work and gpg -k will show your imported key; however, ls ~/.gnupg/private-keys-v1.d/ will show that the private key folder is empty (I believe this is where Keybase looks for the key with keybase pgp select). That's because gpg doesn't use that folder to store keys; only gpg2 does.
To import your gpg keys into gpg2: gpg --export-secret-keys | gpg2 --import
This seems to crop up most often on systems that have been upgraded a bunch of times, such as Ubuntu 12.04 → 16.04.
It took me a million years to figure this out and get Keybase working with my existing keys.
EDIT
looks like this is also mentioned in keybase/keybase-issues#2975
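The check described in the comment above, as an added example that is not part of the original thread or of Keybase's own code: it reports which GnuPG binaries are on the PATH and whether secret keys sit only in the legacy keyring. It assumes the standard layouts (GnuPG 1.x/2.0 keep secret keys in secring.gpg, GnuPG 2.1+ keeps them as *.key files in private-keys-v1.d); the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): where does this GnuPG home keep secret keys?
# Assumption: GnuPG 1.x/2.0 use secring.gpg; GnuPG 2.1+ uses private-keys-v1.d/*.key.

# Print legacy-only, modern-only, both or none for the given GnuPG home.
classify_gnupg_home() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    legacy=no
    modern=no
    # A non-empty secring.gpg means the legacy keyring holds secret material.
    if [ -s "$home/secring.gpg" ]; then legacy=yes; fi
    # The agent's store holds one <keygrip>.key file per secret (sub)key.
    for f in "$home"/private-keys-v1.d/*.key; do
        if [ -f "$f" ]; then modern=yes; break; fi
    done
    case "$legacy,$modern" in
        yes,no)  echo legacy-only ;;
        no,yes)  echo modern-only ;;
        yes,yes) echo both ;;
        *)       echo none ;;
    esac
}

# List which of the two binaries are on PATH, with their version banner.
list_gpg_binaries() {
    for bin in gpg gpg2; do
        if command -v "$bin" >/dev/null 2>&1; then
            printf '%s: %s\n' "$bin" "$("$bin" --version 2>/dev/null | head -n 1)"
        fi
    done
}

# Human-readable summary; flags the state described in the comment above.
report() {
    list_gpg_binaries
    state=$(classify_gnupg_home "${1:-}")
    echo "secret key storage: $state"
    if [ "$state" = legacy-only ]; then
        echo "secret keys exist only in secring.gpg; private-keys-v1.d has none"
    fi
}

# Optional argument: a GnuPG home directory (defaults to $GNUPGHOME or ~/.gnupg).
report "${1:-}"
```

A result of legacy-only alongside both binaries on the PATH is the situation the comment describes.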
I ended up here because I didn't know why
keybase pgp sign -c -m "hello"
was giving me the "ERROR No secret key available" error even though keybase knew about the public part of my pgp key already. In my situation, I re-imported my pgp key with the following command
keybase pgp select --import --multi
Getting the warning that I would have to enter the encryption password for my PGP twice was very helpful. The command line seemed to freeze after my entering my password the first time. The reason: keybase was waiting, but the second prompt, a pop-up window from keybase, was buried under other windows. I'd suggest that keybase look at how to push their prompt to the foreground. (I'm on macOS Mojave 10.14.4 running keybase version 3.1.2-20190312142912+4c383e6a53.)
Hoping this note might be of help to others out there.