ben-grande / qusal

Salt Formulas for Qubes OS.

gpg: no running gpg-agent #64

Closed wassp-ds closed 2 weeks ago

wassp-ds commented 2 weeks ago

Commitment

I confirm that I have read the following resources:

Question

After going through the state path of installing the formulas for sys-pgp, I went through the setup guide from here. Everything was fine until the below happened.

On dev-companyA:

% gpg -vvv -K
gpg: using character set 'utf-8'
gpg: using pgp trust model
gpg: key 55CCE0FCC9033EEA: accepted as trusted key
gpg: key 2D4ADD0F4B0E5019: accepted as trusted key
gpg: no running gpg-agent - starting '/usr/share/split-gpg2/gpg-agent-placeholder'
gpg: waiting for the agent to come up ... (5s)
gpg: waiting for the agent to come up ... (4s)
gpg: waiting for the agent to come up ... (3s)
gpg: waiting for the agent to come up ... (2s)
gpg: waiting for the agent to come up ... (1s)
gpg: can't connect to the agent: End of file
gpg: no running gpg-agent - starting '/usr/share/split-gpg2/gpg-agent-placeholder'
gpg: waiting for the agent to come up ... (5s)
gpg: waiting for the agent to come up ... (4s)
gpg: waiting for the agent to come up ... (3s)
gpg: waiting for the agent to come up ... (2s)
gpg: waiting for the agent to come up ... (1s)
gpg: can't connect to the agent: End of file

Verified the dom0 for qvm-service on the dev-companyA qube:

$ qvm-service dev-companyA
split-gpg2-client    on
qusal-proxy-client  on
crond  on 

Verified the journalctl /usr/bin/qrexec-policy | grep -i gpg:

qubes.Gpg: dev -> sys-pgp: denied: no matching rule found

Nothing on qubes.Gpg2.

Also noticed: On dev-companyA:

% gpg --version
gpg (GnuPG) 2.2.40

On sys-pgp:

$ gpg --version
gpg (GnuPG) 2.4.4

Policy on dom0:

qubes.Gpg2 + dev-companyA @default allow target=sys-pgp 
qubes.Gpg2 * @anyvm @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg2 * @anyvm @anyvm   `deny`

What did I miss this time?

ben-grande commented 2 weeks ago

Commitment

I confirm that I have read the following resources:

Question

After going through the state path of installing the formulas for sys-pgp, I went through the setup guide from here. Everything was fine until the below happened.

That upstream link is wrong, it should be the QubesOS repo instead of mine, will fix.

On dev-companyA:

% gpg -vvv -K
gpg: using character set 'utf-8'
gpg: using pgp trust model
gpg: key 55CCE0FCC9033EEA: accepted as trusted key
gpg: key 2D4ADD0F4B0E5019: accepted as trusted key
gpg: no running gpg-agent - starting '/usr/share/split-gpg2/gpg-agent-placeholder'
gpg: waiting for the agent to come up ... (5s)
gpg: waiting for the agent to come up ... (4s)
gpg: waiting for the agent to come up ... (3s)
gpg: waiting for the agent to come up ... (2s)
gpg: waiting for the agent to come up ... (1s)
gpg: can't connect to the agent: End of file
gpg: no running gpg-agent - starting '/usr/share/split-gpg2/gpg-agent-placeholder'
gpg: waiting for the agent to come up ... (5s)
gpg: waiting for the agent to come up ... (4s)
gpg: waiting for the agent to come up ... (3s)
gpg: waiting for the agent to come up ... (2s)
gpg: waiting for the agent to come up ... (1s)
gpg: can't connect to the agent: End of file

On dev-companyA:

systemctl --user status split-gpg2-client

Verified the journalctl /usr/bin/qrexec-policy | grep -i gpg:

qubes.Gpg: dev -> sys-pgp: denied: no matching rule found

Nothing on qubes.Gpg2.

qubes.Gpg is the wrong service, it should be qubes.Gpg2. Why it is calling the wrong service I don't know yet.

Run:

alias gpg   # show if gpg is aliased
\gpg -vvv -K    # run gpg without functions or aliases, so from PATH

Also noticed: On dev-companyA:

% gpg --version
gpg (GnuPG) 2.2.40

On sys-pgp:

$ gpg --version
gpg (GnuPG) 2.4.4

Policy on dom0:

qubes.Gpg2 + dev-companyA @default allow target=sys-pgp 
qubes.Gpg2 * @anyvm @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg2 * @anyvm @anyvm   `deny`

The rest seems fine.
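The denial in the journal follows from how dom0 matches a request against policy: the first rule whose service, argument, source and target all match decides, and a service with no rule at all is refused. The sketch below is an added example, not code from the thread, qusal or Qubes OS; it is a simplified model that handles only the tokens quoted above, and the qube name `work` is hypothetical.

```python
# Simplified first-match model of qrexec policy evaluation.
# Rule layout: service argument source target action [params...]
# Handles only the tokens quoted in the thread: "*", "+", "@anyvm",
# "@default" and literal qube names. Not the real dom0 parser.

# Rules as quoted in the issue. The backticks around "deny" are dropped
# on the assumption that they are markup residue.
POLICY = """\
qubes.Gpg2 + dev-companyA @default allow target=sys-pgp
qubes.Gpg2 * @anyvm @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg2 * @anyvm @anyvm deny
"""

def parse(text):
    """Return a list of (lineno, service, arg, source, target, action, params)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields")
        rules.append((lineno, *fields[:5], fields[5:]))
    return rules

def _vm_matches(pattern, name):
    if pattern == "@anyvm":            # simplified: anything except dom0
        return name != "@adminvm"
    return pattern == name             # literal qube name or "@default"

def evaluate(rules, service, arg, source, target="@default"):
    """Return (action, params, lineno) of the first matching rule."""
    for lineno, r_svc, r_arg, r_src, r_dst, action, params in rules:
        if (r_svc in ("*", service)
                and r_arg in ("*", "+" + arg)
                and _vm_matches(r_src, source)
                and _vm_matches(r_dst, target)):
            return action, params, lineno
    return "deny", ["no matching rule found"], None

RULES = parse(POLICY)

if __name__ == "__main__":
    # Requests taken from the thread, plus a hypothetical qube "work".
    for req in [("qubes.Gpg2", "", "dev-companyA", "@default"),
                ("qubes.Gpg2", "", "work", "@default"),
                ("qubes.Gpg2", "", "work", "sys-pgp"),
                ("qubes.Gpg", "", "dev", "sys-pgp")]:
        print(req, "->", evaluate(RULES, *req))
```

The last request reproduces the journal entry: the policy shown has rules only for qubes.Gpg2, so a call to qubes.Gpg falls through every line.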

wassp-ds commented 2 weeks ago

qubes.Gpg is the wrong service, it should be qubes.Gpg2. Why it is calling the wrong service I don't know yet.

I also don't have a default dev qube and I have not touched anything Gpg related. Only the upstream docs.

Run:

alias gpg   # show if gpg is aliased
\gpg -vvv -K    # run gpg without functions or aliases, so from PATH

gpg is not aliased, which points to /usr/bin/gpg

\gpg -vvv -K <- same errors as above

ben-grande commented 2 weeks ago

https://github.com/ben-grande/qusal/issues/64#issuecomment-2181027969

On dev-companyA:

systemctl --user status split-gpg2-client

wassp-ds commented 2 weeks ago

#64 (comment)

On dev-companyA:

systemctl --user status split-gpg2-client

active and running:

● split-gpg2-client.service - split-gpg2 client
     Loaded: loaded (/usr/lib/systemd/user/split-gpg2-client.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-06-20 16:24:20 UTC; 4min 19s ago
   Main PID: 700 (socat)
      Tasks: 1 (limit: 385)
     Memory: 3.1M
        CPU: 9ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/split-gpg2-client.service
             └─700 socat "unix-listen:'/run/user/1000/gnupg/S.gpg-agent',fork,unlink-early" "e…

ben-grande commented 2 weeks ago

Please follow this guide https://github.com/ben-grande/qusal/blob/main/docs/TROUBLESHOOTING.md#qrexec-client-shows-request-refused

On Thu, Jun 20, 2024, 6:28 PM wassp-ds @.***> wrote:

#64 (comment)

https://github.com/ben-grande/qusal/issues/64#issuecomment-2181027969

On dev-companyA:

systemctl --user status split-gpg2-client

active and running


wassp-ds commented 2 weeks ago

Everything seems fine, except: on dev-companyA:

% qrexec-client-vm @default qubes.Gpg2
Error in a config file, aborting

ben-grande commented 2 weeks ago

Thanks for the debugging info. Issue has been fixed. Pull qusal again and apply the sys-pgp.configure state to sys-pgp.