From 97ee0bc6856fd85a206f897ac4529505f4549c4d Mon Sep 17 00:00:00 2001
From: Tom DNetto
Date: Tue, 27 Jun 2023 15:39:22 -0700
Subject: [PATCH] cmd/tailscale: improve error message when signing without a tailnet lock key

Updates #8568

Signed-off-by: Tom DNetto
---
 cmd/tailscale/cli/network-lock.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/cmd/tailscale/cli/network-lock.go b/cmd/tailscale/cli/network-lock.go
index fa9fdad24..2130b0c84 100644
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -465,7 +465,16 @@ func runNetworkLockSign(ctx context.Context, args []string) error {
 }
 }

- return localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
+ err := localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
+ // Provide a better help message for when someone clicks through the signing flow
+ // on the wrong device.
+ if err != nil && strings.Contains(err.Error(), "this node is not trusted by network lock") {
+ fmt.Fprintln(os.Stderr, "Error: Signing is not available on this device because it does not have a trusted tailnet lock key.")
+ fmt.Fprintln(os.Stderr)
+ fmt.Fprintln(os.Stderr, "Try again on a signing device instead. Tailnet admins can see signing devices on the admin panel.")
+ fmt.Fprintln(os.Stderr)
+ }
+ return err
 }

 var nlDisableCmd = &ffcli.Command{
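Review bot: The new branch in runNetworkLockSign picks the friendly message with `strings.Contains(err.Error(), "this node is not trusted by network lock")`, which ties the CLI to the exact wording of an error produced elsewhere; if that text is ever reworded, the hint disappears silently and nothing in the build flags it. If a typed or sentinel error cannot cross the local API, share the string through a constant or at least add a comment such as `// Must match the error text returned by the signing backend; update both together.` The original err is still returned, which correctly keeps the non-zero exit for scripts, but the caller will presumably print the raw error after this hint, so the user may see the same failure described twice. The function body begins outside the hunk, and the `strings`, `fmt` and `os` imports this code relies on are not visible here.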