Pureboot New GPG Keys Failed to Read


So I made new GPG Keys for Pureboot, and then put them on my Librem Key (following this guide https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#managing-gpg-keys).

If I type gpg --card-status I see the signature key, encryption key, and authentication key on the Librem Card.

However, when I boot up my Purism laptop, it for some reason doesn’t see the GPG keys. I get an error saying “Error: GPG keyring empty!”. If I select, “Add a GPG key to the running BIOS” -> “Add GPG key to running BIOS and reflash” it errors into a recovery shell, I restart my computer, and the entire thing repeats.

If I “List GPG keys in your keyring” (from Pureboot’s GPG menu), it shows empty. But, if I select “Generate GPG keys manually on a Librem Key”, it shows the same signature, encryption, and authentication keys (that gpg --card-status does), and asks if I want to overwrite. If I say no, and quit, it asks if I would like to add the GPG key to the BIOS, and sign files in /boot.

Selecting yes shows it reading flash, looking up coreboot tables, etc, but then still fails to update the checksum, reboots, and all starts over again.

Any help would be really appreciated!

Hi @Raspigler, I think pureboot is missing the public key for your new private keys on the Librem Key; see https://docs.puri.sm/PureBoot/GettingStarted.html#changing-gpg-keys for the details.

Ah, it would be something stupid on my part like that, thanks! That’s what I get for working so late.

I’m having an issue creating/signing files on my root disk (/bin, /lib, /sbin, etc).

It asks me for a passphrase for /dev/nvme0n1p2?

I try entering my disk encryption passphrase but it says “No key available with this passphrase”

Sorry, can’t help you with that. I’m not using that feature; I only use Pureboot to sign the files in the /boot partition, and that one is not encrypted on mine.


Were you previously decrypting the disk using a passphrase or were you using the Librem Key? (It is possible for both to work on one system but only you know which one or both mechanisms you were using and/or you set up to work.)

I would probably go to the shell and try to use the LUKS commands to open the encrypted partition manually i.e. in order to confirm that you do know the passphrase and that it does work.

I’ve only ever used the passphrase. I know the passphrase works because I successfully boot into the computer when doing a normal Pureboot login. It is only when I go to set up ‘sign Root disk’ that this issue occurs.

Just a wild guess but do you have any ‘strange’ characters in the passphrase? ‘Strange’ here would encompass anything that is not printable ASCII and within printable ASCII any punctuation character that might expose a bug somewhere i.e. a character with a special meaning.


Yes, that could definitely be it!

I’m not sure which of the two possibilities could definitely be it :wink: but I draw your attention to the fact that the LUKS documentation specifically says that you should stick to ASCII.

If it’s a printable ASCII punctuation character then you should maybe report this to Purism because it is potentially a security issue.

PS In case you don’t know, you can change the passphrase without doing a full re-encryption of the disk i.e. it’s fast and easy to get rid of any dubious characters.
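The two checks suggested in this thread, confirming from a shell that the passphrase really unlocks the LUKS volume and looking for non-ASCII or punctuation characters in it, plus the passphrase change mentioned in the PS, as an added example script. It is not from any poster and not Purism's or PureBoot's own code; the device path is a placeholder you substitute for your own (the thread's is /dev/nvme0n1p2), and `cryptsetup open --test-passphrase` and `cryptsetup luksChangeKey` are standard cryptsetup commands that need root.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a LUKS passphrase from a
# recovery shell before blaming the firmware, then rotate it if needed.

# Exit 0 if every byte of $1 is printable ASCII (0x20-0x7E), 1 otherwise.
# Non-ASCII characters (anything UTF-8 encodes as bytes >= 0x80) are what the
# LUKS documentation advises against, so this is the first thing to rule out.
passphrase_is_printable_ascii() {
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]' && return 1
    return 0
}

# Exit 0 if $1 contains any ASCII punctuation, i.e. a character that some
# intermediate shell or prompt might give a special meaning; 1 otherwise.
passphrase_has_punctuation() {
    printf '%s' "$1" | LC_ALL=C grep -q '[[:punct:]]'
}

# Verify a passphrase against the LUKS header of $1 without mapping the
# device. cryptsetup prompts for the passphrase on the terminal and reports
# whether it matches a key slot; nothing is mounted or written.
# Usage: luks_test_passphrase /dev/PLACEHOLDER   (placeholder device path)
luks_test_passphrase() {
    cryptsetup open --test-passphrase "$1"
}

# Replace a key slot's passphrase on $1 without re-encrypting the disk.
# cryptsetup prompts for the existing passphrase, then for the new one twice.
# Usage: luks_change_passphrase /dev/PLACEHOLDER   (placeholder device path)
luks_change_passphrase() {
    cryptsetup luksChangeKey "$1"
}

# Report on a passphrase read from stdin (so it never lands in shell history
# or the process list as an argument). Exit status 0 means "plain ASCII, no
# punctuation", 1 means "contains something worth removing before retrying".
# Usage: printf '%s' 'your passphrase' | passphrase_report
passphrase_report() {
    pw=$(cat)
    status=0
    if ! passphrase_is_printable_ascii "$pw"; then
        echo "passphrase contains non-ASCII bytes"
        status=1
    fi
    if passphrase_has_punctuation "$pw"; then
        echo "passphrase contains ASCII punctuation"
        status=1
    fi
    return $status
}
```

Run `passphrase_report` first: if it flags anything, change the passphrase with `luks_change_passphrase` to plain letters and digits and retry the PureBoot root-signing step. If it reports nothing and `luks_test_passphrase` still succeeds while PureBoot refuses the same passphrase, that is the reproduction you would attach to a bug report.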