Update request: keybase/kbfs/keybase-gui 6.2.3 → 6.2.4

[seanparsons]

• Package name: keybase/kbfs/keybase-gui
• Latest released version: 6.2.4
• Current version on the unstable channel: 6.2.3
• Current version on the stable/release channel: 6.2.3
• Checked the nixpkgs pull requests

It seems this is fairly important as the keybase apps don't work properly now (especially kbfs it seems) because there has been a change of certificate: keybase/client#26088

@Avaq @carlsverre @np @rvolosatovs @Br1ght0ne @kf5grd

---

Note for maintainers: Please tag this issue in your PR.

---

Add a 👍 reaction to issues you find important.

[eyeinsky]

It's already on master since yesterday #278033.

If I'm not mistaken, kbfs would already be fixed by the above. But keybase-gui apparently downloads a binary off of AWS.

[eyeinsky]

Updated keybase-gui PR here #278346.

[eyeinsky]

(Updating` keybase and restarting kbfs fixes the recent certificate issue.)

[seanparsons]

Will this update be backported into 23.11?

[eyeinsky]

Will this update be backported into 23.11?

I’ll try to fix up the patch tomorrow (unless someone beats me to it). This is indeed a pretty critical issue for people who use keybase on daily basis.

[kf5grd]

(Updating` keybase and restarting kbfs fixes the recent certificate issue.)

@eyeinsky did you verify that kbfs is working properly, and that the private, public, and team folders exist under ~/keybase (or wherever you've configured the mountpoint)?

kbfsfuse is suddenly failing to mount my kbfs directory on all of my systems. the error message that shows up in the logs when the service fails to start is mount helper error: fusermount: mount failed: Operation not permitted.

i've been able to fix it by copying the service from nixpks into my own configs and commenting out the PrivateTmp = true; line. i'm not familiar enough with the implications of that change to know whether the kbfs service in nixpkgs should be updated to remove that line or not. i'm also not positive that i'm not the only one running into this, but i've seen it on several machines now so it seems likely (unless i'm just doing the wrong thing on all of my machines somehow)

[eyeinsky]

@kf5grd kbfs doesn't seem to work for me either :/

[AngryAnt]

It looks like Keybase did a re-release with the same version number, tripping up the default fetchFromGitHub configuration. I don't have the time to do an additional PR right now, but for the existing ones and for anyone else needing a quickfix, this is my overlay:

  nixpkgs.overlays = [(
    self: super:
    {
      keybase = super.keybase.overrideAttrs ( old: rec {
        pname = "keybase";
        version = "6.2.4";
        src = super.fetchFromGitHub {
          owner = "keybase";
          repo = "client";
          rev = "ae7e4a1c153403106352bd2fcfa7f16d54f35974"; #"v${version}";
          hash = "sha256-z7vpCUK+NU7xU9sNBlQnSy9sjXD7/m8jSRKfJAgyyN8=";
        };
      });

      keybase-gui = super.keybase-gui.overrideAttrs ( old: rec {
        pname = "keybase-gui";
        version = "6.2.4";
        versionSuffix = "20240101011938.ae7e4a1c15";
        src = super.fetchurl {
          url = "https://s3.amazonaws.com/prerelease.keybase.io/linux_binaries/deb/keybase_${version + "-" + versionSuffix}_amd64.deb";
          hash = "sha256-XyGb9F83z8+OSjxOaO5k+h2qIY78ofS/ZfTXki54E5Q=";
        };
      });
    }
  )];

Specifically the default configuration has fetchFromGitHub try https://github.com/keybase/client/archive/v6.2.4.tar.gz which at time of writing yields:

the given path has multiple possibilities: #<Git::Ref:0x00007fdfcdd38218>, #<Git::Ref:0x00007fdfcdd5c320>

[eyeinsky]

@AngryAnt Do either nix-build . -A keybase or nix-build . -A keybase-gui give you an error in current master?

[239]

kbfsfuse is suddenly failing to mount my kbfs directory on all of my systems. the error message that shows up in the logs when the service fails to start is mount helper error: fusermount: mount failed: Operation not permitted.

Mounting had stopped working for several weeks on my side, long before the certificate expired. I thought it was just me because there were no matching issues.

[eyeinsky]

@239 It has actually been the same for me (for me, probably even more than weeks, maybe months or so). It also seemed to depend on my nixos install -- an older install it kept working for a while, while a newer machine I had it didn't work right from the start (IIRC).

[239]

Not sure if this is even relevant, but fusermount -V gives fusermount version: 2.9.9 and libfuse 2.9.9 is a bit outdated (#150502). However, I haven't checked whether libfuse 3 makes any difference.

[eyeinsky]

Backports:

• 23.11 keybase: 6.2.3 -> 6.2.4; keybase-gui: 6.2.2 -> 6.2.4; backport to 23.11 #279429
• 23.05 keybase: 6.0.2 -> 6.2.4; keybase-gui: 6.0.2 -> 6.2.4; backport to 23.05 #279435

[seanparsons]

kbfsfuse is suddenly failing to mount my kbfs directory on all of my systems. the error message that shows up in the logs when the service fails to start is mount helper error: fusermount: mount failed: Operation not permitted.

Mounting had stopped working for several weeks on my side, long before the certificate expired. I thought it was just me because there were no matching issues.

I only noticed an issue after the new year and my upgrade to 23.11, where those happened pretty close to each other. It was definitely working when I was on 23.05 immediately before Christmas as I use something which relies on the kbfs mount pretty much constantly.

[seanparsons]

With the overlay from here: #278277 (comment)

I still get a bunch of errors from kbfs.service:

Jan 16 23:12:33 tower kbfsfuse[3842971]: 2024-01-16T23:12:33.716054Z ▶ [WARN kbfs mounter.go:41] 017 KBFS failed to FUSE mount at /home/sean/keybase: fusermount: exit status 1
Jan 16 23:12:33 tower kbfsfuse[3842971]: 2024-01-16T23:12:33.716064Z ▶ [ERRO kbfs mount_interrupter.go:52] 018 Mounting the filesystem failed: fusermount: exit status 1
Jan 16 23:12:34 tower kbfsfuse[3842971]: 2024-01-16T23:12:34.268991Z ▶ [WARN kbfs keybase_service_util.go:43] 019 serviceLoggedIn: Failed to fetch TLF ID for user's public TLF: API network error: doRetry failed, attempts: 3, timeout 13.5s, last err: Get "https://api-0.core.keybaseapi.com/_/api/1.0/user/lookup.json?fields=basics&load_deleted_v2=1&multi=1&username=<MYACCOUNTNAME>": tls: failed to verify certificate: x509: certificate signed by unknown authority (error 1601)
Jan 16 23:12:34 tower kbfsfuse[3842971]: 2024-01-16T23:12:34.871352Z ▶ [WARN kbfs kbfs_ops.go:2126] 01a Can't get inbox: In resolving '<MYACCOUNTNAME>': unknown user assertion [tags:FBOID=<POSSIBLESECRET>]

The "failed to verify certificate" part would appear to be the cause.

[eyeinsky]

@seanparsons Yeah, we haven't fully figured the kbfs issue yet. If you can, please try any of the linked PRs with PrivateTmp = true; and see if it helps?

[seanparsons]

@eyeinsky I got the update to 23.11 which incorporates the update which now just gets fusermount failing with an exit status of 1. But looking at service definition it already appears to have PrivateTmp = true; in it.

[eyeinsky]

@eyeinsky I got the update to 23.11 which incorporates the update which now just gets fusermount failing with an exit status of 1. But looking at service definition it already appears to have PrivateTmp = true; in it.

Ah, it was the reverse, @kf5grd said commenting it out helped, i.e setting it to false (I guess that is the deafult).

[seanparsons]

Ah, it was the reverse, @kf5grd said commenting it out helped, i.e setting it to false (I guess that is the deafult).

Is there a simple way to do so on a regular NixOS setup?

[Pamplemousse]

@seanparsons, you can set:

systemd.user.services.kbfs.Service.PrivateTmp = lib.mkForce false;

(cc @kf5grd, this is cleaner than forking the whole module definition)

[seanparsons]

@seanparsons, you can set:

systemd.user.services.kbfs.Service.PrivateTmp = lib.mkForce false;

(cc @kf5grd, this is cleaner than forking the whole module definition)

It looks like it should be:

systemd.user.services.kbfs.serviceConfig.PrivateTmp = lib.mkForce false;

Which does work for whatever reason.

[Pamplemousse]

Oh right, it's different between nixpkgs and home-manager for some reason 🤔

• https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/network-filesystems/kbfs.nix#L82
• https://github.com/nix-community/home-manager/blob/release-23.11/modules/services/kbfs.nix#L55