WebCrypt challenge code problems

When I try to sign a message with WebCrypt, I always get “Error incorrect challenge entered”. Steps to repeat:

  • Go to OnlyKey - Encrypt & sign messages in your browser using OnlyKey
  • Choose “Sign Only”
  • Enter my ProtonMail address, and a message
  • Click “Sign”
  • Challenge code is presented. LED on OnlyKey changes to yellow, but just for the first 5 seconds of the 10 second countdown.
  • While LED is yellow, I enter the challenge code. The LED does not flash as I press buttons, suggesting it’s not registering the button presses.
  • The countdown continues until it runs out.
  • “Error incorrect challenge was entered”

Possible contributing factors:

  • OnlyKey is in sysadmin mode.
  • I have one key saved on the OnlyKey. It’s an ECC key. It has a subkey.

I’ve tried changing my preferences from “Challenge Code Required” to “Button Press Required.” But WebCrypt still presents the challenge code.

Thanks for your help! :slight_smile:

It sounds like you may not have the correct key loaded. A PGP key has a signing key and an encryption key; you will need to load your private key like this - Import keys from Keybase, Protonmail, and Mailvelope/GPG | Docs

Ahh! Yes, I remember not ticking the “signing key” box when I did that, now you mention it. I’ll go through that now. Do I have to have the encryption key saved to one slot and the signing key saved to the next slot? Or can I save them both to one slot?

You have to set the keys to the correct slots and you have to enable the correct key features. This is why we recommend using Auto Load, which will load your key correctly automatically.

There’s a bug in autoload which meant my key couldn’t load. Seems to be because I have a subkey. Sorry I didn’t get a chance to report it! Could you elaborate on “correct keys in correct slots” please?

If you are trying to load a standard OpenPGP key from Protonmail or Keybase, it should auto load; if not, let me know so we can find out why. Manually loading keys is covered in this section of the guide - Import keys from Keybase, Protonmail, and Mailvelope/GPG | Docs

The decryption key is loaded to slot 1 and the signing key is loaded to slot 2.

Yes, it’s from Proton. No problem, I’ll add the signing key to ECC slot 2 for now. When I get the chance, I’ll wipe the thing and do an auto load and give you the exact error message (I don’t think I can just redo it without wiping it, because I’ve locked the key in slot 1 to the backup encryption!). Thanks ever so much for your help!