[14:02:55] <XioNoX>	 hello, I'm going to start the depools for eqiad rack D2 maintenance - https://phabricator.wikimedia.org/T419647
[14:12:40] <inflatador>	 ACK
[14:15:28] <XioNoX>	 depools done, downtime set, doing the BGP bounce shortly (cc claime, elukey)
[14:15:38] <claime>	 ack
[14:19:09] <XioNoX>	 all done, 7 pings lost
[16:49:03] <vgutierrez>	 btullis: your last commit is breaking puppet fleet wide
[16:49:30] <vgutierrez>	 useradd: group '935' does not exist
[16:49:48] <btullis>	 oh, sorry. please revert. 
[16:50:04] <btullis>	 I'm 3 mins from keyboard.
[16:50:07] <vgutierrez>	 ack
[16:52:53] <vgutierrez>	 btullis: done.. a quick check shows that the group has gid 953 but the user refers to it as 935
[16:54:37] <btullis>	 yes. many thanks. I had originality tried adding the group as 935 but it failed CI. I changed the group, but forgot to change the reference in the user, but it passed CI.
[17:04:06] <denisse>	 So clinic duty is now changing at the middle of the week?? 
[17:21:20] <moritzm>	 btullis: also don't simply merge sudo changes, it's estalished policy that these are reviewed in the weekly SRE IF meeting (a review which would also caught this error)
[17:21:52] <btullis>	 Yes, apologies. I will be sure to adhere to that in future.
[17:22:10] <moritzm>	 ack, thanks
[18:02:58] <Emperor>	 denisse: yeah, it rotates on Thursday like oncall rotation
[18:07:31] <denisse>	 Nice, it was a good change, it felt less intense and than it previously was. Or maybe it was not such a busy week CD wise. 
[18:07:38] <denisse>	 Or maybe both. :)
[18:22:06] <andrewbogott>	 moritzm or jhathaway: pwstore is not working for me, it complains about Alex's key "Warning: No key found for keyid C0E45DAD009346A1" -- any idea if that's happening to everyone or just to me?
[18:41:42] <jhathaway>	 andrewbogott: looking
[18:41:49] <andrewbogott>	 ty
[18:45:35] <moritzm>	 are you trying to add a new secret or decrypt something?
[18:45:58] <moritzm>	 if you try to add something you need to run pws update-keyring first
[18:48:46] <jhathaway>	 I can view files fine, but adding a new one threw an error on 50E3655873A2266C6E1AAA157509CEA4650AE684, even after updating the keyring
[18:50:32] <andrewbogott>	 Here is what I am seeing:
[18:50:35] <andrewbogott>	 https://www.irccloud.com/pastebin/rw3QgXlh/
[18:51:23] <mutante>	 One of the people with keys in  .pws-trusted-users has to re-encrypt the .users file ?
[18:53:15] <moritzm>	 jynus: your PGP in pwstore.git expired, please extend it (and ideally add one w/o expiry) https://office.wikimedia.org/wiki/Pwstore#Updating_your_own_key
[18:53:56] <moritzm>	 volans|off: ^ same
[18:54:24] <andrewbogott>	 I tried on a second machine, same behavior.  Surely that warning about alex's key isn't because of different people's keys expiring?
[18:54:36] <moritzm>	 yes, see abive
[18:55:00] <jhathaway>	 I was able to view the file andrewbogott, even with the expired keys
[18:55:25] <moritzm>	 viewing is fine, adding or updating a secret will fail in the presence of expired keys
[18:55:48] <jhathaway>	 nod, though I'm not sure why andrewbogott's attempt failed
[18:56:33] <andrewbogott>	 is 'ed' not the same thing as 'view the file'?
[18:57:21] <jhathaway>	 yes, I ran the same command `pws ed rackspace`
[18:57:59] <andrewbogott>	 any chance the two of you need to pull and update keys to get what I'm getting?  Or did you do that too?
[18:58:13] <jhathaway>	 I pulled as well
[18:58:18] <mutante>	 it's just a warning, you can say Y and see the file 
[18:58:39] <andrewbogott>	 when I hit 'y' it opens an empty editor
[18:58:47] <jhathaway>	 hmm, what editor?
[18:58:56] <andrewbogott>	 vim
[18:59:23] <jhathaway>	 nevermind, you shouldn't see "Warning: gpg returned non-zero exit status 2 when decrypting rackspace."
[18:59:50] <jhathaway>	 that one should be more than a warning ;)
[19:01:07] <jhathaway>	 andrewbogott: do you have the pws from wmf-laptop?
[19:01:35] * andrewbogott scowls at 'pws --version' not working
[19:01:44] <andrewbogott>	 no, one machine is a mac with a fresh pws install from brew
[19:01:50] <andrewbogott>	 the other is a bookworm debian host
[19:02:04] <mutante>	 gotta fetch our version that is patched, afair
[19:02:33] <andrewbogott>	 is that new? This has definitely worked for me, historically.
[19:02:44] <mutante>	 https://gerrit.wikimedia.org/r/plugins/gitiles/operations/debs/wmf-laptop/+/refs/heads/master/scripts/pws
[19:02:57] <mutante>	 "The upstream version of pwstore fetches keys from public servers, so can't be used until we submit our patches upstream."
[19:03:02] <mutante>	 it's about not using key servers
[19:08:28] <mutante>	 andrewbogott: you can also try "gpg -d rackspace"
[19:08:40] <mutante>	 like just skip the wrapper
[19:08:51] <mutante>	 as long as it's only for viewing
[19:09:31] <andrewbogott>	 same behavior with that wrapper
[19:09:43] <andrewbogott>	 gpg -d rackspace ends with "gpg: decryption failed: No secret key"
[19:09:55] <andrewbogott>	 full output is
[19:09:57] <andrewbogott>	 https://www.irccloud.com/pastebin/CthueVsf/
[19:10:12] <andrewbogott>	 and yet...
[19:10:28] <andrewbogott>	 gpg --list-secret-keys --keyid-format=long shows my key
[19:11:23] <mutante>	 did it ever ask you to input your passphrase?
[19:11:51] <andrewbogott>	 I don't think my key has a passphrase.
[19:13:27] <andrewbogott>	 sorry, I'm sure I'm doing something goofy but also sure this is not my first time using pws
[19:15:29] <andrewbogott>	 I can paste the output of 'gpg --list-secret-keys' without leaking anything?
[19:15:57] <mutante>	 hrmm.. gpgconf --kill gpg-agent
[19:16:03] <mutante>	 to restart the agent 
[19:16:09] <jhathaway>	 yes
[19:16:13] <mutante>	 then see again if it does not ask for a passphrase
[19:22:43] <andrewbogott>	 so -- I'm seeing the same behavior on my laptop and on a vm on my laptop. So I doubt it's anything to do with agent state.
[19:22:50] <andrewbogott>	 I have rebooted the VM, no change in behavior.
[19:23:10] <andrewbogott>	 I see my key in --list-secret-keys but maybe I'm misinterpreting the output; is that something I can paste here?
[19:23:22] <jhathaway>	 yes
[19:25:06] <andrewbogott>	 https://www.irccloud.com/pastebin/DtQyacK7/
[19:27:59] <jhathaway>	 that looks the same as your pub key in keys/andrew.key
[19:28:54] <andrewbogott>	 is there a way to tell if it has a passphrase or not?  I think it doesn't but would like to be sure
[19:29:29] <moritzm>	 if "gpg --decrypt rackspace" fails as well, then the issue is not in pwstore, but in your gpg setup
[19:29:41] <moritzm>	 pwstore is essentially just a wrapper around basic gpg commands
[19:30:26] <andrewbogott>	 yes, agreed
[19:35:51] <andrewbogott>	 Andrew prepares to log into rackspace, support team at the ready https://ca-times.brightspotcdn.com/dims4/default/2c3a3a1/2147483647/strip/true/crop/1024x575+0+0/resize/1200x674!/format/webp/quality/75/?url=https%3A%2F%2Fcalifornia-times-brightspot.s3.amazonaws.com%2F01%2F59%2F94e4592ab75a7b2925873a7529ce%2Fla-1495211430-c18joms2x8-snap-image
[19:36:33] <andrewbogott>	 any chance my key uses an algo that's no longer supported?
[19:38:30] <jhathaway>	 no, its rsa4096
[19:39:21] <jhathaway>	 do you get a gpg agent passphrase window?
[19:40:06] <mutante>	 you could do this test: copy/paste the message from here: https://phabricator.wikimedia.org/P89850 into a file and "gpg -d" that. it is just "test" encrypted for your key
[19:42:50] <andrewbogott>	 I do not get a prompt for a passphrase
[19:42:59] <andrewbogott>	 that file is in foo.whatever:
[19:43:02] <andrewbogott>	 andrew@bookworm:~/pw$ export GPG_TTY=$(tty)
[19:43:02] <andrewbogott>	 andrew@bookworm:~/pw$ gpg -d ./foo.whatever 
[19:43:02] <andrewbogott>	 gpg: encrypted with 4096-bit RSA key, ID 87C658BDF3020AEE, created 2015-05-04
[19:43:02] <andrewbogott>	       "Andrew Bogott <AndrewBogott@Gmail.com>"
[19:43:02] <andrewbogott>	 gpg: public key decryption failed: No pinentry
[19:43:03] <andrewbogott>	 gpg: decryption failed: No secret key
[19:43:19] <andrewbogott>	 So, 'no pinentry' seems like the interesting bit there. Maybe I /do/ need a passphrase
[19:44:25] <mutante>	 it could have switched from asking on terminal to a GUI and the GUI window is behind the terminal or something like that
[19:45:47] <mutante>	 on my system I have  pinentry-curses  and pinentry-gnome3
[19:46:01] <mutante>	 had something similar with the passphrase for yubikey and ssh-askpass
[19:46:20] <mutante>	 maybe check which pinentry package, if any, you have 
[19:47:32] <andrewbogott>	 yep, heading down the pinentry rabbit hole...
[19:48:48] <andrewbogott>	 ok, I can decrypt! On at least the linux box
[19:48:58] <andrewbogott>	 thanks all
[19:49:07] <jhathaway>	 nice!
[20:17:02] <jynus>	 weird, I don't see an expiration on that identity- I wonder if it is an algorithm issue rather than expiration
[20:47:02] <jynus>	 yeah, it is a gpg deprecation, not an expiration, I have pushed my new keypair to the repo and to key servers