gpg claiming "No secret key" while it is available - gnupg

I am trying to sign another public key using gpg --sign-key, which then errors with signing failed: No secret key.
Full output:
❯ gpg --ask-cert-level --sign-with tinoheuberger#protonmail.com --sign-key 0x9303B33A305224CB
pub rsa4096/0x9303B33A305224CB
created: 2017-10-05 expires: never usage: C
trust: unknown validity: unknown
sub rsa4096/0x9B79B45691DB4173
created: 2017-10-05 expires: 2021-07-27 usage: S
sub rsa4096/0xDAB71C6FBCD75257
created: 2017-10-05 expires: 2021-07-27 usage: E
sub rsa4096/0x7651CCCB55BC4D56
created: 2017-10-05 expires: 2021-07-27 usage: A
[ unknown] (1). --------------) <----------------->
pub rsa4096/0x9303B33A305224CB
created: 2017-10-05 expires: never usage: C
trust: unknown validity: unknown
Primary key fingerprint: A8FC 55F3 B04B A314 6F34 92E7 9303 B33A 3052 24CB
----- (-----) <-------->
How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection? (enter '?' for more information): 3
Are you sure that you want to sign this key with your
key "Tino Heuberger (Personal MasterKey) <tinoheuberger#protonmail.com>" (0xB4B88025927E502D)
I have checked this key very carefully.
Really sign? (y/N) y
gpg: signing failed: No secret key
gpg: signing failed: No secret key
Key not changed so no update needed.
This command works without issues though:
echo "test message string" | gpg --armor --clearsign > signed.txt
Output of gpg -K
/home/cobra/.gnupg/pubring.kbx
------------------------------
sec# rsa4096/0xB4B88025927E502D 2021-04-05 [C]
Key fingerprint = 90BD 307D 847F 7524 EA22 2F27 B4B8 8025 927E 502D
uid [ultimate] Tino Heuberger (Personal MasterKey) <tinoheuberger#protonmail.com>
ssb> rsa4096/0x4AE34056E26AE417 2021-04-05 [S] [expires: 2022-04-05]
ssb> rsa4096/0x1F0B2D0F39B5549D 2021-04-05 [E] [expires: 2022-04-05]
ssb> rsa4096/0x3659102D72DF0E6C 2021-04-05 [A] [expires: 2022-04-05]
and output of gpg --card-status (I am using a YubiKey):
❯ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006111828330000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 11182833
Name of cardholder: Tino Heuberger
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: tinoheuberger#protonmail.com
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 28
KDF setting ......: off
Signature key ....: 7C2C E04B 91AE 02D5 1935 F438 4AE3 4056 E26A E417
created ....: 2021-04-05 16:31:24
Encryption key....: 6408 7413 4AEC F845 E176 D6C9 1F0B 2D0F 39B5 549D
created ....: 2021-04-05 16:32:46
Authentication key: 45E1 05AD 16FA F864 16BB CC75 3659 102D 72DF 0E6C
created ....: 2021-04-05 16:33:35
General key info..: sub rsa4096/0x4AE34056E26AE417 2021-04-05 Tino Heuberger (Personal MasterKey) <tinoheuberger#protonmail.com>
sec# rsa4096/0xB4B88025927E502D created: 2021-04-05 expires: never
ssb> rsa4096/0x4AE34056E26AE417 created: 2021-04-05 expires: 2022-04-05
card-no: 0006 11182833
ssb> rsa4096/0x1F0B2D0F39B5549D created: 2021-04-05 expires: 2022-04-05
card-no: 0006 11182833
ssb> rsa4096/0x3659102D72DF0E6C created: 2021-04-05 expires: 2022-04-05
card-no: 0006 11182833
I can't figure out why I cannot use gpg --sign-key while all other gpg commands work without issues.

After some time I was able to figure it out.
gpg --sign-key only works if you have the private key of the master key, meaning I had to sign the public key on my offline machine with the master private key. Subkeys don't work with gpg --sign-key.
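As an added diagnostic (not part of the original thread), the check below parses machine-readable `gpg -K --with-colons` output to show the point of the answer: only a record with the certify capability can sign other keys, and a `#` in the token field marks the primary secret key as an offline stub. The listing is constructed from the key IDs in the question, with the e-mail replaced by a placeholder.

```python
"""Diagnose why `gpg --sign-key` reports "No secret key" while signing works.
Added example, not from the original thread: it parses `gpg -K --with-colons`
output (field 12 = capabilities, field 15 = token serial or '#' for a stub).
The listing below is constructed from the key IDs shown in the question."""

CARD_LISTING = """\
sec:u:4096:1:B4B88025927E502D:1617580800:::u:::cESCA:::#:::23::0:
fpr:::::::::90BD307D847F7524EA222F27B4B88025927E502D:
uid:u::::1617580800::0000000000000000000000000000000000000000::Tino Heuberger (Personal MasterKey) <user@example.org>::::::::::0:
ssb:u:4096:1:4AE34056E26AE417:1617580800:1649116800:::::s:::D2760001240103040006111828330000::23:
ssb:u:4096:1:1F0B2D0F39B5549D:1617580800:1649116800:::::e:::D2760001240103040006111828330000::23:
ssb:u:4096:1:3659102D72DF0E6C:1617580800:1649116800:::::a:::D2760001240103040006111828330000::23:
"""
# Same key with the primary secret key present locally (field 15 empty),
# as on the offline machine the answer refers to.
OFFLINE_LISTING = CARD_LISTING.replace(":::#:::", "::::::", 1)


def parse_secret_keys(listing):
    """Return one dict per sec/ssb record of a --with-colons secret listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        token = f[14]                      # field 15: '#' = stub, serial = on token
        keys.append({
            "type": f[0],
            "keyid": f[4],
            # lowercase letters are this record's own capabilities; uppercase
            # letters on the primary summarise the whole key and are skipped
            "caps": {c for c in f[11] if c.islower()},
            "stub": token == "#",
            "on_card": token not in ("", "#", "+"),
        })
    return keys


def certify_diagnosis(keys):
    """(ok, reason) for --sign-key: it needs a usable key with the certify
    capability, which only the primary key carries; subkeys cannot certify."""
    certifiers = [k for k in keys if "c" in k["caps"]]
    if not certifiers:
        return False, "no key with certify capability in the listing"
    usable = [k for k in certifiers if not k["stub"]]
    if usable:
        where = "on card" if usable[0]["on_card"] else "local"
        return True, f"certify key {usable[0]['keyid']} is available ({where})"
    signers = [k["keyid"] for k in keys if "s" in k["caps"] and not k["stub"]]
    return False, (f"certify key {certifiers[0]['keyid']} is an offline stub ('#'); "
                   f"signing subkeys {signers} can sign data but not certify keys")


if __name__ == "__main__":
    for label, listing in (("card", CARD_LISTING), ("offline", OFFLINE_LISTING)):
        ok, why = certify_diagnosis(parse_secret_keys(listing))
        print(f"{label}: {'OK' if ok else 'FAIL'} - {why}")
```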

How to transfer tokens using a multisig authority on Solana v1.10.25

I am trying to transfer tokens using a multisig authority on Solana v1.10.25. I have written a script which creates all necessary dependencies for this process and runs it against a local validator. Unfortunately, when I attempt to run the transfer SPL command, I get the error error: invalid account data. You can view the script here.
The sequence of commands:
#!/bin/bash
#
# # Usage
# "./multisig-transfer.sh"
#
set -e

function gen_kp {
    # Generates a keypair and returns its path to stdout
    local name="${1}"
    local path="${dir}/${name}-kp.json"
    local pubkey
    solana-keygen new --no-passphrase -o "${path}" &> /dev/null
    pubkey=$(solana-keygen pubkey "${path}")
    echo "${name}: ${pubkey}" 1>&2
    echo "${path}"
}

# random prefix for all files
dir=$(cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1)
dir="runs/${dir}"
mkdir -p "${dir}"

printf "\n\n----- pin solana -----\n\n"
SOLANA_VERSION="1.10.25"
solana --version 2>&1 1>/dev/null || sh -c "$(curl -sSfL https://release.solana.com/${SOLANA_VERSION}/install)"
solana --version | grep "${SOLANA_VERSION}" || solana-install init "${SOLANA_VERSION}"

printf "\n\n----- point CLI to local validator -----\n\n"
solana config set --url http://127.0.0.1:8899

printf "\n\n----- create a fee payer -----\n\n"
fp=$(gen_kp "fee-payer")
solana airdrop 100 -k "${fp}"

printf "\n\n----- prepare multisig authorities -----\n\n"
auth1_kp=$(gen_kp "auth1")
auth2_kp=$(gen_kp "auth2")
auth3_kp=$(gen_kp "auth3")

printf "\n\n----- create multisig -----\n\n"
multisig_kp=$(gen_kp "multisig")
spl-token create-multisig 2 "${auth1_kp}" "${auth2_kp}" "${auth3_kp}" \
    --fee-payer "${fp}" \
    --address-keypair "${multisig_kp}"

printf "\n\n----- create mint -----\n\n"
mint_kp=$(gen_kp "mint")
mint_auth_kp=$(gen_kp "mint-auth")
spl-token create-token "${mint_kp}" \
    --mint-authority "${mint_auth_kp}" \
    --fee-payer "${fp}"

printf "\n\n----- create source token account -----\n\n"
source_acc_kp=$(gen_kp "source-acc")
spl-token create-account "${mint_kp}" "${source_acc_kp}" \
    --owner "${multisig_kp}" \
    --fee-payer "${fp}"

printf "\n\n----- create target token account -----\n\n"
target_acc_kp=$(gen_kp "target-acc")
target_acc_owner=$(gen_kp "target-acc-owner")
spl-token create-account "${mint_kp}" "${target_acc_kp}" \
    --owner "${target_acc_owner}" \
    --fee-payer "${fp}"

printf "\n\n----- mint to source token account -----\n\n"
spl-token mint "${mint_kp}" 10 "${source_acc_kp}" \
    --mint-authority "${mint_auth_kp}" \
    --fee-payer "${fp}"

printf "\n\n----- create a nonce account -----\n\n"
nonce_kp=$(gen_kp "nonce")
nonce_auth_kp=$(gen_kp "nonce-auth")
solana create-nonce-account "${nonce_kp}" 1 \
    --nonce-authority "${nonce_auth_kp}" \
    -k "${fp}"
blockhash=$(solana nonce "${nonce_kp}")

printf "\n\n----- spl accounts info -----\n\n"
spl-token multisig-info "${multisig_kp}"
spl-token account-info --address "${source_acc_kp}"
spl-token account-info --address "${target_acc_kp}"

printf "\n\n----- multisig transfer -----\n\n"
transfer_cmd="spl-token transfer ${mint_kp} 10 ${target_acc_kp} \
    --from ${source_acc_kp} \
    --owner ${multisig_kp} \
    --multisig-signer ${auth1_kp} \
    --multisig-signer ${auth2_kp} \
    --multisig-signer ${auth3_kp} \
    --blockhash ${blockhash} \
    --fee-payer ${fp} \
    --nonce ${nonce_kp} \
    --nonce-authority ${nonce_auth_kp}"

# skip first 3 lines to get the list of signers in format
# pubkey1=signhash1
# pubkey2=signhash2
# ...
transfer_signers_lines=$( eval "${transfer_cmd} --mint-decimals 9 --sign-only" | tail -n +4 )
signers_flags=""
while IFS= read -r line; do
    signers_flags="${signers_flags} --signer ${line}"
done <<< "$transfer_signers_lines"
eval "${transfer_cmd} ${signers_flags}"
And here's the output with the error mentioned above:
----- pin solana -----
solana-cli 1.10.25 (src:d64f6808; feat:965221688)
----- point CLI to local validator to it -----
Config File: /home/xxx/.config/solana/cli/config.yml
RPC URL: http://127.0.0.1:8899
WebSocket URL: ws://127.0.0.1:8900/ (computed)
Keypair Path: /home/xxx/.config/solana/id.json
Commitment: confirmed
----- create a fee payer -----
fee-payer: 4UihfiAJFJbkzcvqbCxhf2UyDCKYKDaEPYsmQMHW6UoK
Requesting airdrop of 100 SOL
Signature: 5QtszEFNNcAqTToPbS3HaVXoPtTgjBKNaWY7oaoYDZRmVof31euzAhZvhYQ2TveZ7EzBD4B4Zmb4ue1qgX1yfytm
100 SOL
----- prepare multisig authorities -----
auth1: 1WdKMVYxeSc3bFQyUaC726EHiEHkT8xdxK6Tju9WyrK
auth2: HiH2SGB8SsTAACLj8hLkXeLzXqVWRUCxWMo4XGVT5H3w
auth3: 46VhbvYvNaFZ6QyGaB8asvAZw2WxxmrZb8Fvx9ibL5ir
----- create multisig -----
multisig: FxJi77UjbeQH6wMqBgpJr93Y6Y8Kq5WMom9svHupBGHV
Creating 2/3 multisig FxJi77UjbeQH6wMqBgpJr93Y6Y8Kq5WMom9svHupBGHV
Signature: CjyFBA7Yh7eoxksvFr3UwAonjsBj6EtpRkbbKYeSvZUi5cb3u8ukCJTFDkJFdRCQRj9fy1TCXVBekd7TnDXHa6Z
----- create mint -----
mint: DukyrQsNTPED4mhoxwAoiegCaknqzM4x7hB1UPnuAnYG
mint-auth: J4xzof5UjNGD2VvwjbdTNLwBWsvHpJCMH3VNTNKX2Bpw
Creating token DukyrQsNTPED4mhoxwAoiegCaknqzM4x7hB1UPnuAnYG
Signature: 3WMLSHVGGDounFFgGR6C21qdKjezaiavnzfaHRiK9hdSVczCDgThZ2jkyHVSwjEDgHhCzC2MYvCTYV2DxRcx2bL2
----- create source token account -----
source-acc: 56TeLuYYyevRDEBkYgFZg3BaSU7ovoo7B9E2QrZtro4Z
Creating account 56TeLuYYyevRDEBkYgFZg3BaSU7ovoo7B9E2QrZtro4Z
Signature: 3qtgQgeJCPy7N9xYq5iTafVMWYfoBX5PyY5AWAEC5ybX7auyPmTzRNACJBCib7qyoN5BjWgwhRURB6hfoFD22i5i
----- create target token account -----
target-acc: G2moZysTkpEtwPjQGbUFTXMc8N7BEWcjhh6yYpvuhnCW
target-acc-owner: 49ethEAs8j3Lssgx9kfEDEXZd5KabyABzxHYBEWxSwpS
Creating account G2moZysTkpEtwPjQGbUFTXMc8N7BEWcjhh6yYpvuhnCW
Signature: 63vS5AdX6HtTRxWZD5nxbsVqNwGCoATDYLeLKUoEjygZEr7fEpFzKW4bva6utpAA4psZuyuvDwsj2hTK29SsvHAq
----- mint to source token account -----
Minting 10 tokens
Token: DukyrQsNTPED4mhoxwAoiegCaknqzM4x7hB1UPnuAnYG
Recipient: 56TeLuYYyevRDEBkYgFZg3BaSU7ovoo7B9E2QrZtro4Z
Signature: 2c2ttnZxe2Qi6T6s123L5MPdEovbwCxf9VCECQ9v84CzMvbcRyPRfGvoVAVAZenR2VpuzAgc2LHRPds5yVq2itBe
----- create a nonce account -----
nonce: AjVABrmzMtnzwFiggfNLGbuXpAfUWV9opAXrXpTfcseN
nonce-auth: GYNQE8RQyo5C3Ejj945FQhPaqUGxytRt7yVGbGyn2qZN
Signature: CPnr8nnrRRk93wtciQ2LboHL8EnFGYqsn2znprZoTWFAgfFzBN68jQTzr7hxR8Y9WbwdLb9E9aYTTyyMVeQF1Ay
----- spl accounts info -----
Address: FxJi77UjbeQH6wMqBgpJr93Y6Y8Kq5WMom9svHupBGHV
M/N: 2/3
Signers:
1: 1WdKMVYxeSc3bFQyUaC726EHiEHkT8xdxK6Tju9WyrK
2: HiH2SGB8SsTAACLj8hLkXeLzXqVWRUCxWMo4XGVT5H3w
3: 46VhbvYvNaFZ6QyGaB8asvAZw2WxxmrZb8Fvx9ibL5ir
Address: 56TeLuYYyevRDEBkYgFZg3BaSU7ovoo7B9E2QrZtro4Z (Aux*)
Balance: 10
Mint: DukyrQsNTPED4mhoxwAoiegCaknqzM4x7hB1UPnuAnYG
Owner: FxJi77UjbeQH6wMqBgpJr93Y6Y8Kq5WMom9svHupBGHV
State: Initialized
Delegation: (not set)
Close authority: (not set)
* Please run `spl-token gc` to clean up Aux accounts
Address: G2moZysTkpEtwPjQGbUFTXMc8N7BEWcjhh6yYpvuhnCW (Aux*)
Balance: 0
Mint: DukyrQsNTPED4mhoxwAoiegCaknqzM4x7hB1UPnuAnYG
Owner: 49ethEAs8j3Lssgx9kfEDEXZd5KabyABzxHYBEWxSwpS
State: Initialized
Delegation: (not set)
Close authority: (not set)
* Please run `spl-token gc` to clean up Aux accounts
----- multisig transfer -----
Transfer 10 tokens
Sender: 56TeLuYYyevRDEBkYgFZg3BaSU7ovoo7B9E2QrZtro4Z
Recipient: G2moZysTkpEtwPjQGbUFTXMc8N7BEWcjhh6yYpvuhnCW
error: invalid account data

Tutorial about starting a private Substrate network: where does the suri come from?

The tutorial about starting a private Substrate network says:
This example uses the secret seed generated from the key subcommand
into the keystore. In this tutorial, the secret seed generated was
0x563d22ef5f00e589e07445a3ad88bb92efaa897d7f73a4543d9ac87476434e65, so
the --suri command-line option specifies that string to insert the key
into the keystore:
What I wonder is where the suri comes from; the article doesn't demonstrate it very clearly.
Here is a log of what I did:
$ ./target/release/node-template key generate --scheme Sr25519 --password-interactive
Key password: 123456
Secret phrase `raw glory squeeze allow demand erase ensure car hair dry tobacco mule` is account:
Secret seed: 0xa80c9a2c2c96ac61a548a358c81aa07a519af00e7b3fc25f06761e2a5af42044 # use the string as next step's input, import to node01
Public key (hex): 0x780a4cd1e018e5433c061da3c28ad1ff33a59da6cd8b750a5a37f3e7fb69fc62
Public key (SS58): 5En6fQsu3ju9zo2PvwptfnZZWrrWWs9zsBt1WuF9U8TGNWFj
Account ID: 0x780a4cd1e018e5433c061da3c28ad1ff33a59da6cd8b750a5a37f3e7fb69fc62
SS58 Address: 5En6fQsu3ju9zo2PvwptfnZZWrrWWs9zsBt1WuF9U8TGNWFj #put this in the chain-spec file, aura.authorities
$ ./target/release/node-template key inspect --password-interactive --scheme Ed25519 0xa80c9a2c2c96ac61a548a358c81aa07a519af00e7b3fc25f06761e2a5af42044
Key password: 123456
Secret Key URI `0xa80c9a2c2c96ac61a548a358c81aa07a519af00e7b3fc25f06761e2a5af42044` is account:
Secret seed: 0xa80c9a2c2c96ac61a548a358c81aa07a519af00e7b3fc25f06761e2a5af42044
Public key (hex): 0x9c1726a7a0cca51dc506a06789b0781260e999ccafd687799c275a52916b1b01
Public key (SS58): 5FbNCp3ZHWzFGQkS1PRt9SPUs16zAHk1WhC2CWTQ97nsE2yk
Account ID: 0x9c1726a7a0cca51dc506a06789b0781260e999ccafd687799c275a52916b1b01
SS58 Address: 5FbNCp3ZHWzFGQkS1PRt9SPUs16zAHk1WhC2CWTQ97nsE2yk #put this in the chain-spec file, grandpa.authorities
$ ./target/release/node-template key generate --scheme Sr25519 --password-interactive
Key password: 123456
Secret phrase `caution evil word live concert suit cousin crisp tobacco lizard wheat banner` is account:
Secret seed: 0x52e547fc68fed1d7e97be6232434ccc51d9cfe1cc237820d9cf3a559dd2be6e8 # use the string as next step's input, import to node02
Public key (hex): 0xced1d44c697e75fd3c51096e869d204f9aec8620ab3422d3e81ec6870fe81c41
Public key (SS58): 5Gjt44znWzR8eu7fDH7cRey8KavbHQuoraD1a3ttYPsVpn75
Account ID: 0xced1d44c697e75fd3c51096e869d204f9aec8620ab3422d3e81ec6870fe81c41
SS58 Address: 5Gjt44znWzR8eu7fDH7cRey8KavbHQuoraD1a3ttYPsVpn75 #put this in the chain-spec file, aura.authorities
$ ./target/release/node-template key inspect --password-interactive --scheme Ed25519 0x52e547fc68fed1d7e97be6232434ccc51d9cfe1cc237820d9cf3a559dd2be6e8
Key password: 123456
Secret Key URI `0x52e547fc68fed1d7e97be6232434ccc51d9cfe1cc237820d9cf3a559dd2be6e8` is account:
Secret seed: 0x52e547fc68fed1d7e97be6232434ccc51d9cfe1cc237820d9cf3a559dd2be6e8
Public key (hex): 0x1d2259132f8ad2d6cb92ce397c97dfe86226708130c94ca3fa10651276de514f
Public key (SS58): 5CiuT1fKfVZGeok2T68g4zx1RCMCmZbHD7zFUrguLeiuCZ1g
Account ID: 0x1d2259132f8ad2d6cb92ce397c97dfe86226708130c94ca3fa10651276de514f
SS58 Address: 5CiuT1fKfVZGeok2T68g4zx1RCMCmZbHD7zFUrguLeiuCZ1g #put this in the chain-spec file, grandpa.authorities
# --suri takes the Secret seed printed by `key generate` above
./target/release/node-template key insert --base-path /tmp/node01 \
--chain customSpecRaw.json \
--suri 0xa80c9a2c2c96ac61a548a358c81aa07a519af00e7b3fc25f06761e2a5af42044 \
--password-interactive \
--key-type aura
./target/release/node-template key insert --base-path /tmp/node01 \
--chain customSpecRaw.json \
--suri 0xa80c9a2c2c96ac61a548a358c81aa07a519af00e7b3fc25f06761e2a5af42044 \
--password-interactive \
--key-type gran
./target/release/node-template key insert --base-path /tmp/node02 \
--chain customSpecRaw.json \
--suri 0x52e547fc68fed1d7e97be6232434ccc51d9cfe1cc237820d9cf3a559dd2be6e8 \
--password-interactive \
--key-type aura
./target/release/node-template key insert --base-path /tmp/node02 \
--chain customSpecRaw.json \
--suri 0x52e547fc68fed1d7e97be6232434ccc51d9cfe1cc237820d9cf3a559dd2be6e8 \
--password-interactive \
--key-type gran
After importing the keys into the keystore:
$ ls /tmp/node01/chains/local_testnet/keystore
61757261780a4cd1e018e5433c061da3c28ad1ff33a59da6cd8b750a5a37f3e7fb69fc62 6772616e780a4cd1e018e5433c061da3c28ad1ff33a59da6cd8b750a5a37f3e7fb69fc62
$ ls /tmp/node02/chains/local_testnet/keystore
61757261ced1d44c697e75fd3c51096e869d204f9aec8620ab3422d3e81ec6870fe81c41 6772616eced1d44c697e75fd3c51096e869d204f9aec8620ab3422d3e81ec6870fe81c41
I restarted node1 and node2, but the result is:
Idle (1 peers), best: #94 (0x8634…b5c9), finalized #0 (0x4f9a…68f0), ⬇ 40 B/s ⬆ 0.1kiB/s
The finalized block number is always 0.
I tried the old version of the topic, start a private network, which uses subkey to generate the keys. It worked, but I failed when following the new tutorial.
Where am I wrong?
Let me post the correct answer:
$./target/release/node-template key insert --base-path /tmp/node01 \
--chain customSpecRaw.json \
--scheme ed25519 \
--suri 0xa80c9a2c2c96ac61a548a358c81aa07a519af00e7b3fc25f06761e2a5af42044 \
--password-interactive \
--key-type gran
When importing the grandpa key, add this: --scheme ed25519.
After doing this, it works.
Idle (1 peers), best: #95 (0xf51f…65a8), finalized #93 (0x072b…192a), ⬇ 0.5kiB/s ⬆ 0.6kiB/s
Please reference: https://core.tetcoin.org/docs/en/knowledgebase/integrate/subkey#inserting-keys-to-a-nodes-keystore
There is a section called Generate your own keys.
https://docs.substrate.io/tutorials/v3/private-network/#generate-your-own-keys
The Secret Seed is your suri.
And here is a nice script to insert the keys easily:
https://github.com/substrate-developer-hub/substrate-node-template/blob/tutorials/solutions/private-chain-v3/key-insert/insert-keys.sh
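An added check, not from the thread or the tutorial, that decodes the keystore file names shown above (hex key type followed by hex public key) and compares them with the chain-spec addresses. The SS58 decoding is the standard algorithm (prefix 42, 32-byte key, blake2b-512 checksum over "SS58PRE"); the file names and addresses are the ones from the question, which is how the wrongly schemed grandpa key shows up.

```python
"""Check a Substrate node keystore against the chain spec authorities.
Added example, not from the thread or the tutorial. Keystore file names are
hex(key type) || hex(public key); the chain spec holds SS58 addresses, so
those are decoded (prefix 42, 32-byte key, blake2b-512 checksum) to compare.
Keystore names and addresses below are the ones shown in the question."""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# node01 keystore after the first (non-finalizing) insert, and the addresses
# the poster put into aura.authorities / grandpa.authorities.
NODE01_KEYSTORE = (
    "61757261780a4cd1e018e5433c061da3c28ad1ff33a59da6cd8b750a5a37f3e7fb69fc62 "
    "6772616e780a4cd1e018e5433c061da3c28ad1ff33a59da6cd8b750a5a37f3e7fb69fc62"
)
AUTHORITIES = {
    "aura": ["5En6fQsu3ju9zo2PvwptfnZZWrrWWs9zsBt1WuF9U8TGNWFj",   # Sr25519 keys
             "5Gjt44znWzR8eu7fDH7cRey8KavbHQuoraD1a3ttYPsVpn75"],
    "gran": ["5FbNCp3ZHWzFGQkS1PRt9SPUs16zAHk1WhC2CWTQ97nsE2yk",   # Ed25519 keys
             "5CiuT1fKfVZGeok2T68g4zx1RCMCmZbHD7zFUrguLeiuCZ1g"],
}


def ss58_decode(addr, prefix=42):
    """Return the 32-byte public key of a generic-Substrate SS58 address."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes(35, "big")                 # prefix(1) key(32) checksum(2)
    if raw[0] != prefix:
        raise ValueError(f"unexpected SS58 prefix {raw[0]}")
    if hashlib.blake2b(b"SS58PRE" + raw[:33]).digest()[:2] != raw[33:]:
        raise ValueError("SS58 checksum mismatch")
    return raw[1:33]


def parse_keystore_name(name):
    """Split '<hex key type><hex pubkey>' into ('aura', '<64 hex chars>')."""
    return bytes.fromhex(name[:8]).decode("ascii"), name[8:]


def check_keystore(listing, authorities):
    """Map each keystore file to (key_type, is_listed_for_that_type)."""
    expected = {kt: {ss58_decode(a).hex() for a in addrs}
                for kt, addrs in authorities.items()}
    result = {}
    for name in listing.split():
        kt, pub = parse_keystore_name(name)
        result[name] = (kt, pub in expected.get(kt, set()))
    return result


def explain(listing, authorities):
    """Human-readable findings; a 'gran' key that is not a GRANDPA authority
    is exactly what leaves `finalized #0` in the node log."""
    return [f"{kt}: {'OK' if ok else 'NOT in chain spec'} ({name[8:16]}...)"
            for name, (kt, ok) in check_keystore(listing, authorities).items()]


if __name__ == "__main__":
    print("\n".join(explain(NODE01_KEYSTORE, AUTHORITIES)))
```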

Trying to set variable from while read loop header to var

I am trying to set a variable from my while loop to itself. I've looked around a lot and tested various methods but haven't been able to get anything to work.
while read ip port srv ban
do
rm -f certificate.crt #sterilizing
echo -e "$ban" | base64 -d | dos2unix | openssl x509 -inform d > certificate.crt
sleep .5
cert=$(openssl x509 -in certificate.crt -text -noout)
echo "$cert"
$ban = $cert
done < outfiles.txt
Here's what outfiles.txt looks like, with a one-line snippet.
xxx.xx.xxx.xxx 443 X509 MIIE/zCCA+egAwIBAgIEUdNARDANBgkqhkiG9w0BAQsFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE0MDkyMjE3MTQ1N1oXDTI0MDkyMzAxMzE1M1owgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAwOSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvimekwAad26jK4lUEaydphTlhyz/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ0GqAgABFHrDH55q/ElcnHKNoLwqHvWprDl5l8xx31dSFjXAhtLMy54ui1YY5ArG40kfO5MlJxDun3vtUfVe+8OhuwnmyOgtV4lCYFjITXC94VsHClLPyWuQnmp8k18bs0JslguPMwsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNfnD70FyzmaaxOMkxid+q36OW7NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBYrGQ0EgP4to2UYySkcQIDAQABo4IBDzCCAQswDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L3Jvb3RjYTEuY3JsMDsGA1UdIAQ0MDIwMAYEVR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NQUzAdBgNVHQ4EFgQUanImetAe733nO2lR1GyNn5ASZqswHwYDVR0jBBgwFoAUaJDkZ6SmU4DHhmak8fdLQ/uEvW0wDQYJKoZIhvcNAQELBQADggEBAGkzg/woem99751V68U+ep11s8zDODbZNKIoaBjqHmnTvefQd9q4AINOSs9v0fHBIj905PeYSZ6btp7h25h3LVY0sag82f3Azce/BQPUAsXx5cbaCKUTx2IjEdFhMB1ghEXveajGJpOkt800uGnFE/aRs8lFc3a2kvZ2ClvhA0e36SlMkTIjN0qcNdh4/R0f5IOJJICtt/nP5F2l1HHEhVtwH9s/HAHrGkUmMRTMZb9n3srMM2XlQZHXN75BGpad5oqXnafOrE6aPb0BoGrZTyIAi0TVaWJ7LuvMuueSfWlnPfy4fN5Bh9Bp6roKGHoalUOzeXEodm2h+1dK7E3IDhA=
I'm trying to decode the cert, which I can do, but I'm trying to replace (overwrite) the encoded certificate with the decoded certificate from the file I'm reading from on each line I go through, by setting the $ban variable from while read ip port srv ban to the $cert variable.
So when looking at the outfiles.txt you should see
xxx.xx.xxx.xxx 443 Certificate: Data: Version: 3 (0x2) Serial Number: 1372799044 (0x51d34044) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority Validity Not Before: Sep 22 17:14:57 2014 GMT Not After : Sep 23 01:31:53 2024 GMT Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ba:84:b6:72:db:9e:0c:6b:e2:99:e9:30:01:a7: 76:ea:32:b8:95:41:1a:c9:da:61:4e:58:72:cf:fe: f6:82:79:bf:73:61:06:0a:a5:27:d8:b3:5f:d3:45: 4e:1c:72:d6:4e:32:f2:72:8a:0f:f7:83:19:d0:6a: 80:80:00:45:1e:b0:c7:e7:9a:bf:12:57:27:1c:a3: 68:2f:0a:87:bd:6a:6b:0e:5e:65:f3:1c:77:d5:d4: 85:8d:70:21:b4:b3:32:e7:8b:a2:d5:86:39:02:b1: b8:d2:47:ce:e4:c9:49:c4:3b:a7:de:fb:54:7d:57: be:f0:e8:6e:c2:79:b2:3a:0b:55:e2:50:98:16:32: 13:5c:2f:78:56:c1:c2:94:b3:f2:5a:e4:27:9a:9f: 24:d7:c6:ec:d0:9b:25:82:e3:cc:c2:c4:45:c5:8c: 97:7a:06:6b:2a:11:9f:a9:0a:6e:48:3b:6f:db:d4: 11:19:42:f7:8f:07:bf:f5:53:5f:9c:3e:f4:17:2c: e6:69:ac:4e:32:4c:62:77:ea:b7:e8:e5:bb:34:bc: 19:8b:ae:9c:51:e7:b7:7e:b5:53:b1:33:22:e5:6d: cf:70:3c:1a:fa:e2:9b:67:b6:83:f4:8d:a5:af:62: 4c:4d:e0:58:ac:64:34:12:03:f8:b6:8d:94:63:24: a4:71 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:1 Authority Information Access: OCSP - URI:http://ocsp.entrust.net X509v3 CRL Distribution Points: Full Name: URI:http://crl.entrust.net/rootca1.crl X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS: http://www.entrust.net/CPS X509v3 Subject Key Identifier: 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB X509v3 Authority Key Identifier: keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D 
Signature Algorithm: sha256WithRSAEncryption 69:33:83:fc:28:7a:6f:7d:ef:9d:55:eb:c5:3e:7a:9d:75:b3: cc:c3:38:36:d9:34:a2:28:68:18:ea:1e:69:d3:bd:e7:d0:77: da:b8:00:83:4e:4a:cf:6f:d1:f1:c1:22:3f:74:e4:f7:98:49: 9e:9b:b6:9e:e1:db:98:77:2d:56:34:b1:a8:3c:d9:fd:c0:cd: c7:bf:05:03:d4:02:c5:f1:e5:c6:da:08:a5:13:c7:62:23:11: d1:61:30:1d:60:84:45:ef:79:a8:c6:26:93:a4:b7:cd:34:b8: 69:c5:13:f6:91:b3:c9:45:73:76:b6:92:f6:76:0a:5b:e1:03: 47:b7:e9:29:4c:91:32:23:37:4a:9c:35:d8:78:fd:1d:1f:e4: 83:89:24:80:ad:b7:f9:cf:e4:5d:a5:d4:71:c4:85:5b:70:1f: db:3f:1c:01:eb:1a:45:26:31:14:cc:65:bf:67:de:ca:cc:33: 65:e5:41:91:d7:37:be:41:1a:96:9d:e6:8a:97:9d:a7:ce:ac: 4e:9a:3d:bd:01:a0:6a:d9:4f:22:00:8b:44:d5:69:62:7b:2e: eb:cc:ba:e7:92:7d:69:67:3d:fc:b8:7c:de:41:87:d0:69:ea: ba:0a:18:7a:1a:95:43:b3:79:71:28:76:6d:a1:fb:57:4a:ec:
4d:c8:0e:10
Replace
$ban = $cert
with
ban=$cert
$ is only used to retrieve the value of a variable, not to set a variable.

Ansible keytool: command not found

I developed a task that simply executes a command on a remote host:
- name: generate ssl
  shell: ./example.sh
  args:
    chdir: /tmp/example-pki-scripts
The example.sh file executes some scripts in order: https://github.com/floragunncom/search-guard-ssl/tree/master/example-pki-scripts
Then, when I deploy this task on a remote host, the following error appears:
fatal: [efk1]: FAILED! => {
"changed": true,
"cmd": "./example.sh",
"delta": "0:00:00.213500",
"end": "2017-01-20 12:02:10.703895",
"failed": true,
"invocation": {
"module_args": {
"_raw_params": "./example.sh",
"_uses_shell": true,
"chdir": "/tmp/example-pki-scripts",
"creates": null,
"executable": null,
"removes": null,
"warn": true
},
"module_name": "command"
},
"rc": 127,
"start": "2017-01-20 12:02:10.490395",
"stderr": "Generating a 2048 bit RSA private key\n.+++\n.......+++\nwriting new private key to 'ca/root-ca/private/root-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n Serial Number: 1 (0x1)\n Validity\n Not Before: Jan 20 11:02:10 2017 GMT\n Not After : Jan 20 11:02:10 2027 GMT\n Subject:\n domainComponent = com\n domainComponent = example\n organizationName = Example Com Inc.\n organizationalUnitName = Example Com Inc. Root CA\n commonName = Example Com Inc. Root CA\n X509v3 extensions:\n X509v3 Key Usage: critical\n Certificate Sign, CRL Sign\n X509v3 Basic Constraints: critical\n CA:TRUE\n X509v3 Subject Key Identifier: \n EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n X509v3 Authority Key Identifier: \n keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\nGenerating a 2048 bit RSA private key\n..............................................................................+++\n......................+++\nwriting new private key to 'ca/signing-ca/private/signing-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n Serial Number: 2 (0x2)\n Validity\n Not Before: Jan 20 11:02:10 2017 GMT\n Not After : Jan 20 11:02:10 2027 GMT\n Subject:\n domainComponent = com\n domainComponent = example\n organizationName = Example Com Inc.\n organizationalUnitName = Example Com Inc. Signing CA\n commonName = Example Com Inc. 
Signing CA\n X509v3 extensions:\n X509v3 Key Usage: critical\n Certificate Sign, CRL Sign\n X509v3 Basic Constraints: critical\n CA:TRUE, pathlen:0\n X509v3 Subject Key Identifier: \n 19:19:0A:28:78:33:A8:04:A9:5F:62:81:CA:3D:9F:8A:1F:97:00:6F\n X509v3 Authority Key Identifier: \n keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\n./gen_root_ca.sh: line 72: keytool: command not found",
"stdout": "Root CA generated\nSigning CA generated",
"stdout_lines": [
"Root CA generated",
"Signing CA generated"
],
"warnings": []
}
So as you can see the problem is line 72: keytool: command not found, but when I execute the same script example.sh on the machine locally it generates the SSL keys with no problem.
The exact line where Ansible gets stuck is:
cat ca/root-ca.pem | keytool \
-import \
-v \
-keystore truststore.jks \
-storepass $TS_PASS \
-noprompt -alias root-ca-chain
Use the full path to the keytool executable in your script.
Ansible uses a non-interactive, non-login shell session, and such shells do not source the same rc files as interactive/login sessions, thus the value of PATH differs.
Other solutions include specifying PATH manually in the environment declaration, or wrapping the command in a call to bash.

GPG: secret key & check passphrase

How to check that a GPG secret key does not contain a passphrase?
I wouldn't like to import this key.
I found a solution:
require 'open3'

# Drive `gpg --edit-key ... passwd` non-interactively: the blank lines answer the
# passphrase prompts and "save" ends the session. gpg reports on stderr whether it
# needed a passphrase, and that output is inspected below.
stdin, stdout, stderr, wait_thr = Open3.popen3("echo '\n\n\n\n\nsave' | gpg --command-fd 0 --homedir #{dir} --edit-key #{secret_key[:keyid]} passwd")
output = stderr.read
wait_thr.join
if output =~ /.../
  ...
end
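As an added example (not the poster's Ruby, and independent of a gpg installation), the check below reads the exported key's OpenPGP packets directly: each secret-key packet carries an S2K usage octet after the public fields, and a value of 0 means the secret MPIs are stored in the clear, so the decision can be made before anything is imported. The sample packets are hand-constructed with dummy MPIs and are not real keys.

```python
"""Tell whether an exported OpenPGP secret key is passphrase-protected without importing
it, via the S2K usage octet of each v4 secret-key packet (RFC 4880 5.5.3). Added example."""
import base64
import hashlib

SECRET_KEY, SECRET_SUBKEY = 5, 7
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # RSA variants, ElGamal, DSA
EC_ALGOS = {18, 19, 22}                        # ECDH, ECDSA, EdDSA

def dearmor(blob):
    """Return raw packets from an ASCII-armored block (binary passes through)."""
    if not blob.lstrip().startswith(b"-----BEGIN PGP"):
        return blob
    lines = blob.decode("ascii").splitlines()
    body = lines[lines.index("") + 1:]            # armor headers end at a blank line
    b64 = "".join(l for l in body if l and not l.startswith(("=", "-----")))
    return base64.b64decode(b64)

def iter_packets(data):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                # new format
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                         # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        yield tag, data[i:i + length]
        i += length

def public_part_end(body):
    """Offset just past the public-key fields of a v4 key packet body."""
    def skip_mpi(pos):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        return pos + 2 + (bits + 7) // 8
    algo, i = body[5], 6                              # version(1) time(4) algo(1)
    if algo in EC_ALGOS:
        i += 1 + body[i]                              # curve OID
        i = skip_mpi(i)                               # public point
        if algo == 18:
            i += 1 + body[i]                          # ECDH KDF parameters
        return i
    for _ in range(MPI_COUNT[algo]):
        i = skip_mpi(i)
    return i

def secret_key_protection(blob):
    """One entry per v4 secret (sub)key. S2K usage 0 = secret MPIs stored in
    the clear; 254/255 = passphrase-derived key; other = legacy cipher id."""
    out = []
    for tag, body in iter_packets(dearmor(blob)):
        if tag not in (SECRET_KEY, SECRET_SUBKEY) or body[0] != 4:
            continue
        end = public_part_end(body)
        fpr = hashlib.sha1(b"\x99" + end.to_bytes(2, "big") + body[:end]).hexdigest()
        out.append({"subkey": tag == SECRET_SUBKEY, "fingerprint": fpr.upper(),
                    "s2k_usage": body[end], "protected": body[end] != 0})
    return out

def has_unprotected_key(blob):
    return any(not k["protected"] for k in secret_key_protection(blob))

# Constructed v4 RSA secret-key packets with tiny dummy MPIs (not real keys).
UNPROTECTED = bytes.fromhex("941d04606b400001" "0008c3" "0011010001"
                            "00" "0008a5" "00040b" "00040d" "00040c" "0000")
PROTECTED = bytes.fromhex("942f04606b400001" "0008c3" "0011010001" "fe09"
                          "0308" "0011223344556677" "60" + "00" * 16 + "deadbeef")
ARMORED = (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed\n\n"
           + base64.b64encode(UNPROTECTED) + b"\n=AAAA\n-----END PGP PRIVATE KEY BLOCK-----\n")
```

Run `has_unprotected_key(open(path, "rb").read())` on a real export; a True result is the case the question wants to reject before import.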
