Using Github actions I'm able to run a script to decrypt files using gpg. This doesn't seem to work in Xcode cloud (I guess because gpg is not installed there).
Is there another way to encrypt and decrypt files when using Xcode cloud for CI? Or maybe there's a way to install gpg in Xcode cloud?
E.g. I want to be able to decrypt my JSON cloud config files.
After a lot of searching I can't seem to find any alternatives or even discussion about it. Is there a way to do it?
Or is this a silly thing to do in the first place? Maybe there's a better approach?
It turns out you can install gpg on Xcode cloud using homebrew.
I just added this line to my shell script before the decrypt lines and the build passed!
brew install gpg
See https://developer.apple.com/documentation/xcode/writing-custom-build-scripts for more info.
On a fresh Arch Linux install, I have difficulties to make flatpak work.
It seems it's due to a GPG issue but I can't figure out what I did wrong.
I cleared the caches, uninstalled & reinstalled, to no avail.
Here is an expression of the symptom:
$ flatpak remote-ls flathub
error: Unable to load summary from remote flathub: Signature made Mon Jan 24 18:48:35 2022 using RSA key ID 562702E9E3ED7EE8
Can't check signature: public key not found
Please note that the user profile has been restored from a backup (incl. its GPG keys). I checked GPG seems functional.
Any clue?
Thanks!
I found that I was missing the corresponding trusted key in /var/lib/flatpak/repo/flathub.trustedkeys.gpg. I copied it from a VM of mine and now it works.
But why was the trusted key missing in first instance?
I am trying to run the following commands on Heroku to import and trust a PGP public key which I need to use to encrypt a file before sending it via SFTP:
heroku run gpg --import key.asc
heroku run gpg --edit-key email#example.com
The first command seems to work, but when I run the second command it fails to find the key. I get the following output when running heroku run gpg --list-keys:
gpg: directory '/app/.gnupg' created
gpg: keybox '/app/.gnupg/pubring.kbx' created
gpg: /app/.gnupg/trustdb.gpg: trustdb created
This may be due to the fact that Heroku does not allow writing to the file system, but I wanted to see if anyone knows what is going on and can help me figure out how to use this public key for encryption. It works locally using the iostreams gem to run something similar to the third example here
I guess that the problem is in the first command.The key.asc file in not in the dyno, it is on your computer. So, it is not importing anything.
You can run: heroku run bash and play directly inside the dyno.
Hope it helps!!!
I'm trying to enable commit signing on OS X Mojave.
git commit -S -am "Test"
The error is:
error: gpg failed to sign the data
fatal: failed to write commit object
What I tried:
gpg works fine (see below), did not install gpg1 or gpg2
Installed GPG KeyChain and added a new key (even added a separate sign-only subkey whithin)
Installed pinentry
gpg2 --clearsign works fine (generates a new .asc file for files, outputs text for plain text)
Questions I looked into and tried every option:
gpg failed to sign the data fatal: failed to write commit object [Git 2.10.0]
Git error - gpg failed to sign data
What am I doing wrong?
I also had this problem. I found a good solution.
Just try to sign a file before you commit.
$ touch a.txt
$ gpg --sign a.txt
Then, the OS will let you input the password.
If this step is OK, now you can commit by signing correctly.
I just added the key ID to the global config
list all keys:
gpg --list-keys
Select the one you added to github and set it.
git config --global user.signingkey [public key ID]
Heh, of course, right after I posted this question, I found the solution.
So my problem was that I followed this doc: https://help.github.com/en/articles/telling-git-about-your-signing-key
And set up both GPG and smimesign, when I have Git < 2.19 and no proper X.509 keys.
So I just removed the part with smimesign from global ~/.gitconfig
Try with echo "foobar" | gpg --clearsign. It should ask for your key's passphrase and return the signature.
If instead you see the following error message:
error: gpg failed to sign the data
fatal: failed to write commit object
You might want to try running export GPG_TTY=$(tty). If after testing again you're prompted for the password and it works, run this everytime on startup, adding it to ~/.bashrc, which is actually required according to gpg-agent's documentation, as mentioned in this dev.gnupg thread and which you can verify with man gpg-agent.
I also found this gitHub gist very useful.
To prompt you to enter a PIN or passphrase when required, install pinentry-mac
$ brew install pinentry-mac
$ echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
$ killall gpg-agent
I get the following error running curl https://npmjs.org/install.sh | sh on Mac OSX 10.9 (Mavericks):
install npm#latest
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
How do I fix this?
First off, you should be wary of urls that throw SSL errors. That being said, you can suppress certificate errors in curl with
curl -k https://insecure.url/content-i-really-really-trust
Using the Safari browser (not Chrome, Firefox or Opera) on Mac OS X 10.9 (Mavericks) visit https://registry.npmjs.org
Click the Show certificate button and then check the checkbox labelled Always trust. Then click Continue and enter your password if required.
Curl should now work with that URL correctly.
NOTE: This answer obviously defeats the purpose of SSL and should be used sparingly as a last resort.
For those having issues with scripts that download scripts that download scripts and want a quick fix, create a file called ~/.curlrc
With the contents
--insecure
This will cause curl to ignore SSL certificate problems by default.
Make sure you delete the file when done.
UPDATE
12 days later I got notified of an upvote on this answer, which made me go "Hmmm, did I follow my own advice remember to delete that .curlrc?", and discovered I hadn't. So that really underscores how easy it is to leave your curl insecure by following this method.
The problem is an expired intermediate certificate that is no longer used and must be deleted. Here is a blog post from Digicert explaining the issue and how to resolve it.
https://blog.digicert.com/expired-intermediate-certificate/
I was seeing the issue with Github not loading via SSL in both Safari and the command line with git pull. Once I deleted the old expired cert everything was fine.
After updating to OS X 10.9.2, I started having invalid SSL certificate issues with Homebrew, Textmate, RVM, and Github.
When I initiate a brew update, I was getting the following error:
fatal: unable to access 'https://github.com/Homebrew/homebrew/': SSL certificate problem: Invalid certificate chain
Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master
I was able to alleviate some of the issue by just disabling the SSL verification in Git. From the console (a.k.a. shell or terminal):
git config --global http.sslVerify false
I am leary to recommend this because it defeats the purpose of SSL, but it is the only advice I've found that works in a pinch.
I tried rvm osx-ssl-certs update all which stated Already are up to date.
In Safari, I visited https://github.com and attempted to set the certificate manually, but Safari did not present the options to trust the certificate.
Ultimately, I had to Reset Safari (Safari->Reset Safari... menu). Then afterward visit github.com and select the certificate, and "Always trust" This feels wrong and deletes the history and stored passwords, but it resolved my SSL verification issues. A bittersweet victory.
On MacOS High Sierra/10.13:
~$brew install curl ca-certificates
works like a charm for me.
Another cause of this can be duplicate keys in your KeyChain. I've seen this problem on two macs where there were duplicate "DigiCert High Assurance EV Root CA". One was in the login keychain, the other in the system one. Removing the certificate from the login keychain solved the problem.
This affected Safari browser as well as git on the command line.
Let's say you try to download something using curl or install hub
using brew, then, you get an error like:
==> Downloading https://ghcr.io/v2/linuxbrew/core/ncurses/manifests/6.2
curl: (60) SSL certificate problem: unable to get local issuer certificate
Then, let ghcr.io being the server, execute following commands:
cd ~
# Download the cert:
openssl s_client -showcerts -servername ghcr.io -connect ghcr.io:443 > cacert.pem
# type "quit", followed by the "ENTER" key / or Ctrl+C
# see the data in the certificate:
openssl x509 -inform PEM -in cacert.pem -text -out certdata-ghcr.io.txt
# move the file to certificate store directory:
sudo mv cacert.pem /usr/local/share/ca-certificates/cacert-ghcr.io.crt
# update certificates
sudo update-ca-certificates
# done !
References
SSL Certificate Verification
Snippet
After attempting all of the above solutions to eliminate the "curl: (60) SSL certificate problem: unable to get local issuer certificate" error, the solution that finally worked for me on OSX 10.9 was:
Locate the curl certificate PEM file location
'curl-config --ca' -- > /usr/local/etc/openssl/cert.pem
Use the folder location to identify the PEM file
'cd /usr/local/etc/openssl'
Create a backup of the cert.pem file
'cp cert.pem cert_pem.bkup'
Download the updated Certificate file from the curl website
'sudo wget http://curl.haxx.se/ca/cacert.pem'
Copy the downloaded PEM file to replace the old PEM file
'cp cacert.pem cert.pem'
This is a modified version of a solution posted to correct the same issue in Ubuntu found here:
https://serverfault.com/questions/151157/ubuntu-10-04-curl-how-do-i-fix-update-the-ca-bundle
I started seeing this error after installing the latest command-line tools update (6.1) on Yosemite (10.10.1). In this particular case, a reboot of the system fixed the error (I had not rebooted since the update).
Mentioning this in case anyone with the same problem comes across this page, like I did.
In some systems like your office system, there is sometimes a firewall/security client that is installed for security purpose. Try uninstalling that and then run the command again, it should start the download.
My system had Netskope Client installed and was blocking the ssl communication.
Search in finder -> uninstall netskope, run it, and try installing homebrew:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
PS: consider installing the security client.
If you are behind a corporate firewall like Palo Alto it will intercept all TLS/SSL traffic, inspect it and re-encrypt it using its own using self-signed certificates. Although these certificates will typically be available on your workstation, the various programs like npm, Git, curl, etc. will not inherit them from the workstation.
If you are working in an enterprise do not use the -k or --insecure option because this turns of the TLS/SSL encryption completely and opens up you and your organization to compromise
The solution is to add this self signed certificate to the specific certificate chain that is used by the program you are trying to use. I have included a link to Adrian Escutia Soto's answer which is the best way of addressing this. Unfortunately, I cannot comment or upvote on it because I don't have enough reputation points