Added to the release notes on the wiki. Andy LoPresto [email protected] PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> On Mar 29, 2016, at 2:45 PM, Sean Busbey <[email protected]> wrote: > > In the mean time can we call this out in the release notes as a known > issue so that folks using things as Alan was know about it before htey > upgrade? > > On Tue, Mar 29, 2016 at 12:58 PM, Andy LoPresto > <[email protected]> wrote: >> Thanks Alan. I don’t anticipate it being a large effort. I have it marked as >> minor and will bump it if resources are strained. >> >> Andy LoPresto >> [email protected] >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 >> >> On Mar 29, 2016, at 10:32 AM, Alan Jackoway <[email protected]> wrote: >> >> Honestly, it's not clear to me that we should handle this scenario. The >> only reason I would propose fixing it is to handle people (like me) who did >> it wrong and then upgraded. Requiring a keyring isn't that unusual, and the >> docs are pretty specific. I just didn't read them. >> >> Alan >> >> On Tue, Mar 29, 2016 at 1:28 PM, Andy LoPresto <[email protected]> >> wrote: >> >> Alan, >> >> The processor properties for public keyring file and secret keyring file >> are fairly explicit in their names, so when I upgraded the BouncyCastle >> dependencies, I wrote logic that performs strict validation on the file >> format because the underlying library code changed substantially. I was >> unaware anyone was using the individual key file there. >> >> I have created a Jira [1] for 0.7.0 to add custom logic to handle this >> scenario. >> >> [1] https://issues.apache.org/jira/browse/NIFI-1694 >> >> Andy LoPresto >> [email protected] >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 >> >> On Mar 29, 2016, at 8:03 AM, Alan Jackoway <[email protected]> wrote: >> >> I don't get a stacktrace. Probably because it is a validation failure and >> the error is caught at >> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EncryptContent.java#L288 >> >> I couldn't get your template to work without the gpgkeyring file. However, >> that clued me into what I believe is the problem. >> >> I have not been using a public keyring file, but rather the public key >> itself. Somehow that used to work, but the parameter has always been called >> Public Keyring File so I was using it wrong the whole time. >> >> I attached the encrypt template that is working for me back in 0.3.0 (and >> should work in 0.4.1 but not 0.5.1) >> >> To fix it for 0.5.1, I had to make a real keyring file AND change the user >> id to be the right thing. >> >> This feels like a regression to me, but one where I was not following the >> instructions all along. >> >> Thanks, >> Alan >> >> On Tue, Mar 29, 2016 at 1:15 AM, Andy LoPresto <[email protected] >> >> wrote: >> >> >> The only other thing I can think of off the top of my head is that the >> userID specification may have changed with the BouncyCastle upgrade and the >> provided userID of just an email may be incomplete? In my testing, I had to >> specify the "name", "description", and "email" fields from the key in the >> format below in order to match the exact format that the library reads from >> the keyring. >> >> userID = "Name (Description) <Email>" >> >> You can test this and evaluate what the library sees as the key userID by >> attaching a remote debugger to your running instance and evaluating inside >> the iterator loop here [1]. >> >> I'm not sure what version of GPG you're running, but it is worth >> investigating if the format of the stored key no longer matches how NiFi >> was reading it. >> >> [1] >> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/crypto/OpenPGPKeyBasedEncryptor.java#L200 >> >> >> >> Andy LoPresto >> [email protected] >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 >> >> On Mar 28, 2016, at 18:24, Andy LoPresto <[email protected]> >> >> wrote: >> >> >> Forgot to mention you’ll want to change the input/output directories in >> >> the GetFile and PutFile processors, as well as the paths to the public and >> secret keyring, the user ID, and the password for the EncryptContent >> processors. >> >> >> Andy LoPresto >> [email protected] >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 >> >> On Mar 28, 2016, at 4:04 PM, Andy LoPresto <[email protected]> >> >> wrote: >> >> >> Hi Alan, >> >> I am investigating this issue (spinning up an instance, setting up a >> >> flow that involves PGP encryption and decryption, etc.) to verify. >> >> >> As an aside, the setting for “Key Derivation Function” is irrelevant >> >> if “Encryption Algorithm” is set to “PGP” or “PGP_ASCII_ARMOR”. The KDF is >> required for symmetric encryption (deriving a key from the provided >> password), but not used for PGP encryption/decryption at all. >> Unfortunately, we cannot currently display/hide or change the required-ness >> of processor properties based on the value of other properties. There is an >> existing Jira open [1] to enhance this functionality. Perhaps this can be >> better documented in the Admin Guide [2]. >> >> >> Can you also provide the full stacktrace and your system >> >> configuration, if possible, to help with the troubleshooting? Thank you. >> >> >> [1] https://issues.apache.org/jira/browse/NIFI-1121 >> [2] >> >> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#encryption >> >> >> >> Andy LoPresto >> [email protected] >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 >> >> On Mar 28, 2016, at 2:18 PM, Alan Jackoway <[email protected]> >> >> wrote: >> >> >> Hello, >> >> I had an EncryptContent processor running with PGP public key >> >> encryption when we were running NiFi 0.4.x. >> >> >> We recently went up to a 0.5.x, which includes NIFI-1257 and >> >> NIFI-1259. Now my EncryptContent processors are failing to validate my key >> with an error message: >> >> 'Public Keyring File' is invalid because Invalid Public Keyring File >> >> filename because java.io.IOException: invalid header encountered >> >> >> I tried all the key derivation functions, but in all cases I got the >> >> same error. >> >> >> Is there an easy way to talk NiFi into using my key again? >> >> I have attached a public key that works on 0.3.0 (I didn't have 0.4 >> >> on my machine for some reason) but fails in 0.5.1. The user id is >> [email protected] >> >> >> Is there any easy fix? Should I file a jira? >> >> Since it said invalid header, I tried taking out the comment at the >> >> top of the key. That didn't work. >> >> >> Thanks, >> Alan >> <TestPublicKey.asc> >> >> >> >> >> <AlanEncryptTemplate.xml> >> >> >> >> > > > > -- > busbey
signature.asc
Description: Message signed with OpenPGP using GPGMail
