Client: [OSX] After update, have to re-provision same laptop

Do you remember what your previous version of keybase was?

On Wednesday, July 13, 2016, Ross Donaldson [email protected]
wrote:

I let Keybase update today, on the same laptop I used to set up my keybase
account yesterday. Now, when I launch the client I'm prompted to either
create an account, or to log in. If I select log in, and enter my username,
I'm asked to pick which device I want to connect from: my laptop or a paper
key.

Selecting my laptop prompts me to run keybase device add and enter a
code; however, keybase device add times out, every time:

$ keybase device add
▶ ERROR Operation timed out

If I use my paper key, I can provision this same laptop as a new device.
Neat? Have I misunderstood something about how this works, or is something
hinky?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/keybase/client/issues/3460, or mute the thread
https://github.com/notifications/unsubscribe/AA05_6RftZB5e_IbEJM-RYE9RWbBiSiWks5qVWh4gaJpZM4JL6sp
.

Ah shoot. I downloaded and installed the OSX client yesterday -- but I didn't keep the download around. Soooooo whatever it was on 7/13?

As of now I'm on 1.0.16-20160712110019+8652095

Can you send a keybase log send ?

Unfortunately not. I get ERROR: Not confirmed

Ah, I think that means you didn't write "YES" when it asked.

You have to type "YES" in caps

Aha, yep -- didn't catch the case-sensitivity. Sent now, log ID b606fea1b20404a4a78c031c

@Gastove did you see something like this after running keybase device add?

What kind of device are you adding?

(1) Desktop or laptop
(2) Mobile phone

Choose a device type: 1

Enter the verification code from your other device here.  To get
a verification code, run 'keybase login' on your other device.

Verification code: 

@patrickxb nope. The operation just timed out, every time, until I used my paper key to add the same laptop as a new device.

Is it possible that another login or device add command is running in another terminal window on the same machine? Or any other keybase commands?

I thought of that; I checked through the process list for anything with keybase in the name, and killed everything I could find. :/

From what I've deciphered so far from your log, it looks like the following happened:

1. you ran keybase login on a new (to keybase) device and it started the provisioning process.
2. it told you to run keybase device add, and you ran it on the same device as keybase login, when it is supposed to be on an already provisioned device.

Is that possible?

Yep, that sounds right.

I should clarify: I did my checking of running keybase procs before attempting to login. So, there didn't seem to be any pending login or device add procs waiting when I attempted to log in, but I was not watching what keybase was up to while I was trying to get my laptop re-provisioned.

Sorry if I'm jumping in unhelpfully, but these two statements seem inconsistent:

on the same laptop I used to set up my keybase account yesterday

ran keybase login on a new (to keybase) device

Something I'm missing?

@cjp I'm not sure what to tell you. I:

1. Received my keybase invite on 7/12
2. Setup keybase, using my work laptop
3. The next day, the keybase client had an update, which I let it install
4. Afterwards, it wanted me to log in again. Upon logging in, it wouldn't recognize my work laptop as having already been provisioned, and I had to provision it again, using my paper key.

How're we doing so far?

I get this error too, trying to log in for the first time on a re-installed macOS.

$ keybase device add
▶ ERROR Operation timed out

@mholt can you run keybase log send?

@maxtaco Sure, done. 32ca49091b3f04b1ba2b1b1c

32ca49091b3f04b1ba2b1b1c

@mholt it looks like by reinstalling macOS your ~/Library/Application Support/Keybase folder was cleared:

2 2017-02-08T11:12:14.116688 ▶ [DEBU keybase json.go:58] 002 No config file found; tried /Users/matt/Library/Application Support/Keybase/config.json

But just to make sure:

Is this log from your new device (the newly reinstalled macOS device) or an existing device?

Did you run keybase device add on your new device or on an existing device?

Thanks!

@patrickxb Ouch, so by "device" do you actually mean "instance of a Keybase client installation"? This is the same device, just an updated OS.

I can't login to Keybase on my computer now, since the device is already taken, but I can't rename the existing device at all (feature request plz?) or remove it without being logged in, so now I'm locked out of Keybase on my computer. Does the website have a way to remove or rename a device?

@mholt when you say you reinstalled macOS, does that mean a clean install onto this computer? Did you make a backup before then? If you have a backup, you can restore that directory and you will have your device back.

But if you deleted that keybase config and device keys (by installing an operating system), there isn't much we can do.

Do you have your paper key? You can use that to provision this device as well. You will have to choose a new device name.

I don't back up the ~/Library folder... it's usually full of random junk (scripts, application support files, etc). I do back up my dot folders...

I don't want to choose a new device name for the same device. I have my Keybase password, and private key, and the paper key... there's no way to even rename the old device so I can install Keybase with this name on the same device?

Consider renaming "device" to "instance of a Keybase client installation" or "~/Library/Application Support/Keybase" since that's _actually_ what you mean.

Currently there's no way to re-install Keybase since I can't remove devices from the web UI (and I can't log in on my device).

Unfortunately if you've lost ~/Library/Application Support/Keybase, you'll need to re-login and use your paper key to provision a new device (and you'll have to use a new device name, since they can't be re-used). Are you able to do this? If not, can you give more details about which screen you are stuck at?

On macos, ~/Library/Application Support/{app} is where apps put configuration and data files for a user (instead of dot directories). For example, when you migrate a user from an old computer to a new computer (or upgrade the OS) it will bring this directory along. Time Machine will also backup and restore this directory. It doesn't bring along ~/Library/Caches though or other directories that have temporary files though.

https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/AccessingFilesandDirectories/AccessingFilesandDirectories.html#//apple_ref/doc/uid/TP40010672-CH3-SW11

That's really unfortunate, since I would think having my Keybase private key should be enough to prove that I own the same device. I don't identify this device by another name, so I think what I'll do is reset my keys and start over.

Really consider renaming "device" to "Keybase folder" or something. You don't actually mean the device, you mean a folder.

@mholt: Please don't reset, the device name reuse ban persists across resets. You'd have to use a completely different account name.

@strib You're kidding, right? Why can't the device name be reused?

I don't understand the logic of this; I can still prove possession of my private key and yet I'm locked out of using Keybase on my laptop forever.

Not kidding. It's important for security, to make sure your devices don't get impersonated to people who already trust them. See https://github.com/keybase/keybase-issues/issues/1952#issuecomment-171432314.

I still think this is a bug. There's a sharp distinction between reinstalling Keybase on the same device when you still have secure possession of your private key and when you've lost your key or device. I'm in the former camp. There's no risk here.

Also, I would suggest that it's unsafe and confusing to refer to a single device by multiple names. The mapping should be precisely 1:1.

Same here. The "device" naming is confusing. I did a clean reinstall of my OS (Ubuntu) and had to create a new "device" for keybase because I could not re-use the same name, while it is, from my POV, still the same device.

Same here. I completely removed Keybase and reinstalled. My device is the same. Even the OS is the same.

So I'm sorry @strib — I'm with @mholt and @pixelastic on that. Have you read the comment you linked?

The reason of this restriction is pretty important: we want people to be able to think of devices by name - say, when seeing them in a list, or when talking about them - and never have to think about key fingerprints or id's. The only way to achieve this safely is to make a device<->name map immutable and global, using the sig chain. Otherwise there are endless caveats and visual explanations needed showing the evolution of a device name over time.

All @mholt, @pixelastic and I want is — according to your won source —  _ to be able to think of devices by name_. But the implementation contradicts the basic idea of referring to a device by its name. If the only way to implement that is this way then it basically killed the expected UX.