Lockbox::Error (Master key must be 32 bytes (64 hex digits)) #1822

Closed
2 of 11 tasks
TheGroundZero opened this issue Jan 25, 2024 · 5 comments

TheGroundZero commented Jan 25, 2024

🐛 Bug Report

The tool does not seem to accept my master key.
Even though the value was taken from the tool's encryption key generator /pages/generate_key and does indeed count 64 characters.

🔬 How To Reproduce

Steps to reproduce the behavior:

  1. Grab random master key from own tool
  2. Set it as PWPUSH_MASTER_KEY
  3. Try to Push a secret

Code sample

I'm using Podman to run the container.
The Master key is set via the PWPUSH_MASTER_KEY env variable using podman secret.

Secrets file

$ cat /srv/service/secret/pwpush
2460873c513c44d596b07d0c190c760d9e4c1e4777125d1728c5282c87d2d6ad

Podman service file

[Unit]
Description=PasswordPusher Container
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n TZ=Europe/Brussels
Restart=on-failure
RestartSec=30
TimeoutStopSec=70
ExecStartPre=-/usr/bin/podman secret create pwpush-creds /srv/service/secret/pwpush
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run \
                          --conmon-pidfile %t/%n-pid \
                          --cidfile=%t/%n.ctr-id \
                          --cgroups=no-conmon \
                          --rm \
                          --sdnotify=conmon \
                          --replace \
                          --detach \
                          --label "io.containers.autoupdate=registry" \
                          --name=pwpush \
                          --mount=type=bind,source=/srv/service/pwpush/config/settings.yml,target=/opt/PasswordPusher/config/settings.yml,ro=true \
                          -e PWP__THEME=vapor \
                          --secret=pwpush-creds,type=env,target=PWPUSH_MASTER_KEY \
                          -p 5100:5100 \
                          docker.io/pglombardo/pwpush:release
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=-/usr/bin/podman secret rm z2m-creds
PIDFile=%t/%n-pid
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Environment

Where are you running/using Password Pusher?

  • pwpush.com
  • Docker Image
    • pwpush
    • custom image
  • Heroku
  • Digital Ocean
  • Microsoft Azure
  • Google Cloud
  • AWS
  • Source Code
  • Other (please specify)

If applicable, what version of Password Pusher? release (Jan 10, 2024).

Screenshots

image

📈 Expected behavior

📎 Additional context

[09a48dcb-1389-4a06-b104-f2bb671cd77d] method=GET path=/en/pages/generate_key format=html controller=PagesController action=show status=200 allocations=7675 duration=12.53 view=11.62 db=0.00 ip=xxx.xxx.xxx.xxx forwarded_for=xxx.xxx.xxx.xxx, 10.0.2.100
[7252956b-0048-4c1a-9959-739ad26bf1c4] method=GET path=/en format=html controller=PasswordsController action=new status=200 allocations=6262 duration=11.72 view=11.03 db=0.00 ip=10.0.2.100
[1787f90a-e687-448f-ae21-84fac827c5a5] method=POST path=/en/p format=turbo_stream controller=PasswordsController action=create status=500 allocations=644 duration=1.71 view=0.00 db=0.00 ip=10.0.2.100
[1787f90a-e687-448f-ae21-84fac827c5a5]
[1787f90a-e687-448f-ae21-84fac827c5a5] Lockbox::Error (Master key must be 32 bytes (64 hex digits)):
[1787f90a-e687-448f-ae21-84fac827c5a5]
[1787f90a-e687-448f-ae21-84fac827c5a5] app/controllers/passwords_controller.rb:233:in `create'
[1787f90a-e687-448f-ae21-84fac827c5a5] app/controllers/application_controller.rb:18:in `custom_set_locale_from_url'

$ podman exec -ti pwpush /bin/bash
727977afb3bb:/opt/PasswordPusher$ printf "$PWPUSH_MASTER_KEY"
2460873c513c44d596b07d0c190c760d9e4c1e4777125d1728c5282c87d2d6ad

Hello @TheGroundZero, thanks for contributing to the Password Pusher community! We will respond as soon as possible.


pglombardo commented Jan 25, 2024

At first glance I have no idea. All looks good. Even running locally with that secret value works:

docker run -p "5100:5100" --name pwpush --env PWPUSH_MASTER_KEY=2460873c513c44d596b07d0c190c760d9e4c1e4777125d1728c5282c87d2d6ad pglombardo/pwpush:release

Let me give it some thought.


pglombardo commented Jan 25, 2024

Could there be an extra newline in the secret? Could you try assuring that there is no new line in /srv/service/secret/pwpush?


TheGroundZero commented Jan 26, 2024

Aha, that may be it!

The file was made by just opening it in nano and copy/pasting from the browser.
Nano does tend to add a newline at the end of a file.

$ cat pwpush
2460873c513c44d596b07d0c190c760d9e4c1e4777125d1728c5282c87d2d6ad

$ hexdump pwpush
0000000 3432 3036 3738 6333 3135 6333 3434 3564
0000010 3639 3062 6437 6330 3931 6330 3637 6430
0000020 6539 6334 6531 3734 3737 3231 6435 3731
0000030 3832 3563 3832 6332 3738 3264 3664 6461
0000040 000a
0000041

$ wc -c pwpush
65 pwpush

Cyberchef
image

To fix it:

$ echo -n "2460873c513c44d596b07d0c190c760d9e4c1e4777125d1728c5282c87d2d6ad" > pwpush

$ wc -c pwpush
64 pwpush

Maybe it's not a bad idea to do a .strip of the string before using it?

@pglombardo
Owner

Excellent - that is great to hear.

> Maybe it's not a bad idea to do a .strip of the string before using it?

I agree but this environment variable is actually processed by a 3rd party gem. I'll think about filing a fix request there.

I'll close this issue out but if anything remains - let me know.
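
The byte-level check and repair worked out in this thread, as an added example that is not part of the original issue and is not Password Pusher or Lockbox code. The function names `check_key_file` and `fix_key_file` and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample key are constructed.

# Succeeds only if FILE holds exactly 64 hex digits and no other byte.
check_key_file() {
    file=$1
    # wc -c counts bytes, so a trailing LF (0x0a) makes this 65.
    bytes=$(wc -c < "$file" | tr -d ' ')
    # Drop every hex digit; anything left is a stray byte. od renders it
    # as hex so that a newline survives command substitution.
    stray=$(tr -d '0-9a-fA-F' < "$file" | od -An -v -tx1 | tr -d ' \n')
    if [ "$bytes" -eq 64 ] && [ -z "$stray" ]; then
        echo "ok: $file is 64 hex digits"
        return 0
    fi
    echo "bad: $file is $bytes bytes, stray bytes (hex): ${stray:-none}"
    return 1
}

# Rewrites FILE without CR, LF, space or tab, then validates the result.
fix_key_file() {
    file=$1
    tmp="$file.tmp.$$"
    # umask 077 in a subshell keeps the rewritten key file owner-only.
    ( umask 077; tr -d '\r\n \t' < "$file" > "$tmp" ) || return 1
    mv "$tmp" "$file"
    check_key_file "$file"
}

# Demo: a constructed key saved the way an editor saves it, with a final LF.
SAMPLE_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
demo=$(mktemp)
printf '%s\n' "$SAMPLE_KEY" > "$demo"
check_key_file "$demo" || true   # rejected: one byte too many
fix_key_file "$demo"             # accepted after the rewrite
rm -f "$demo"
```

Run the check against the file that is passed to `podman secret create` before the container starts, so a stray byte is caught before the first push returns a 500.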
