ben-grande / qusal

Salt Formulas for Qubes OS.

sys-pgp not recognising any keys for git #83

Open wassp-ds opened 5 days ago

wassp-ds commented 5 days ago

Commitment

I confirm that I have read the following resources:

Software version

R4.2.1

Brief summary

gpg-client-vm doesn't list keys with gpg -K, only with gpg --list-keys after public part of the key is imported from sys-pgp.

Checked Qubes.Gpg2 policy following the TROUBLESHOOTING guide - all correct.

Steps to reproduce

Perform upstream doc instruction to generate new key under gpg -- homedir /home/user/.gnupg/split-gpg/gpg-client-vm --gen-key

Expected behavior

Should be able to use gpg keys normally

Actual behavior

Tried testing with echo "test" | gpg --clearsign, to get:

gpg: no default secret key: No secret key
gpg: [stdin]: clearsign failed: No secret key

Can't sign commits or pulls with gpgs.

Thanks!

wassp-ds commented 5 days ago

After a quick read there may be a gpg version mismatch, see this issue for versions that come from qusal formulas.

ben-grande commented 4 days ago

I don't see how git is relevant. It is failing before git, it is failing on the gpg agent level.

Qubes.Gpg2

It is not upper case Q. Verify your policy.

gpg -- homedir /home/user/.gnupg/split-gpg/gpg-client-vm --gen-key

There is no space between -- homedir, it is just --homedir.

On sys-pgp:

cd ~/.gnupg/split-gpg/gpg-client-vm
gpg --homedir . -k
gpg --homedir . -K

It should list the public (k) and private key (K).

echo "test" | gpg --clearsign

Works for me. Please redo the steps.

Follow the debugging steps I gave to the other user: 1, 2.

After a quick read there may be a gpg version mismatch, see this issue for versions that come from qusal formulas.

Try updating qusal to guarantee you are on the latest version.

ben-grande commented 4 days ago

I pushed a commit that might be relevant in case you did not enable the service as I deleted the True|1 from the example by mistake.

wassp-ds commented 4 days ago

Yes - I was typing on my mobile so some syntax got screwed up - will get back on that asap

wassp-ds commented 3 days ago

@ben-grande on sys-pgp:

cd ~/.gnupg/split-gpg/gpg-client-vm
gpg --homedir . -k
gpg --homedir . -K

both return correct keys.

on gpg-client-vm:

gpg -k 

returns the correct key.

gpg -K

returns nothing.

echo "test" | gpg --clearsign

returns the same error as stated above.

ben-grande commented 3 days ago

And this debugging step?

On gpg-client-vm:

ls /var/run/qubes-service

Is split-gpg2-client in there?

Another way:

qvm-features gpg-client-vm service.split-gpg2-client

wassp-ds commented 3 days ago

on gpg-client-vm:

ls /var/run/qubes-service

shows split-gpg2-client present

The instructions upstream say to only copy the public part of the key to the gpg-client-vm, which I did through exporting commands (public keys and ownertrust), and then imported to gpg-client-vm through respective --import and --import-ownertrust. It almost feels like the secret part of the key has a problem "splitting".

ben-grande commented 3 days ago

And this debugging step?

Third time I ask to do this debugging step...

If there are no problems in that debugging step, try to reproduce it without Qusal being involved, create the qubes by yourself and test.

wassp-ds commented 3 days ago

Sorry, I missed it completely!

$ cat ~/.config/qubes-split-gpg2/qubes-split-gpg2.conf
[DEFAULT]
autoaccept = 86400
pksign_autoaccept = 86400
pkdecrypt_autoaccept = 86400
verbose_notifications = yes
allow_keygen = no
#gnupghome =
isolated_gnupghome_dirs = ~/.gnupg/split-gpg
#debug_log =
#source_keyring_dir =
$ cat ~/.config/sh/profile.d/split-gpg2.sh
export GSK_RENDERER=cairo LIBGL_ALWAYS_SOFTWARE=1
zenity --question --title title --text text

outputs a popup with the correct title and text.

ben-grande commented 3 days ago

Qubes.Gpg2

It is not upper case Q. Verify your policy.

Last resort is to check your policy logs. Follow the troubleshoot guide for the Qrexec. If the call is allowed, I have no idea of the problem and you can only try to reproduce outside of Qusal.

ben-grande commented 3 days ago

You got split-gpg2-client working before? https://github.com/ben-grande/qusal/issues/64

Please try this again on gpg-client-vm:

systemctl --user status split-gpg2-client

wassp-ds commented 3 days ago

You got split-gpg2-client working before? #64

Please try this again on gpg-client-vm:

systemctl --user status split-gpg2-client

The zenity error got fixed on sys-pgp side, I proceeded to hit the issue in question.

To your question:

% systemctl --user status split-gpg2-client
● split-gpg2-client.service - split-gpg2 client
     Loaded: loaded (/usr/lib/systemd/user/split-gpg2-client.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-07-01 17:09:18 UTC; 1min 44s ago
   Main PID: 537 (socat)
      Tasks: 1 (limit: 385)
     Memory: 3.2M
        CPU: 10ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/split-gpg2-client.service
             └─537 socat "unix-listen:'/run/user/1000/gnupg/S.gpg-agent',fork,unlink-early" "exec:qrexec-client-vm @default qubes.Gpg2"
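
The client-side checks ben-grande asks for in this thread (policy spelling, the split-gpg2-client qubes service flag, the user unit that forwards S.gpg-agent over qrexec, and comparing the secret-key listing on sys-pgp against the client) collected into a few shell functions. This is an added example written for this page, not qusal's own code. Each function takes its input as an argument or on stdin, so it can be run against the live qube or against captured output such as the systemctl status above. Assumptions: the qrexec policy file is given as an argument (policy files live in dom0, so that check runs there, not in the client qube); the "socket owner" check, which looks at whether something other than socat holds S.gpg-agent, is a hypothesis worth ruling out, not the cause established in this issue; the `--run` mode assumes `systemctl`, `ss` and `gpg` are available in the client qube.

```shell
#!/bin/sh
# Added example, not qusal's own code: the split-gpg2 client-side checks
# ben-grande asks for in this thread, turned into small shell functions.
# Every check takes its input as an argument or on stdin, so each can be run
# against live files in the qube or against captured output.

# 1. Policy (run in dom0, the policy file path is assumed as argument).
#    The qrexec service name is case-sensitive: "Qubes.Gpg2" never matches,
#    only a line that starts with "qubes.Gpg2" does.
#    Prints the matching policy lines; exit status 1 if there are none.
policy_lines() {
    grep -E '^qubes\.Gpg2[[:space:]]' "$1"
}

# Exit status 0 when the file spells the service only with the wrong case.
policy_case_typo() {
    grep -qiE '^qubes\.gpg2[[:space:]]' "$1" && ! grep -qE '^qubes\.Gpg2[[:space:]]' "$1"
}

# 2. Qubes service. The client qube needs split-gpg2-client enabled, which
#    shows up as a file in /var/run/qubes-service
#    (set via: qvm-features gpg-client-vm service.split-gpg2-client 1).
service_flag_present() {
    [ -e "${1:-/var/run/qubes-service}/split-gpg2-client" ]
}

# 3. Agent forwarding. The split-gpg2-client user unit runs socat listening
#    on S.gpg-agent and forwards to "qrexec-client-vm @default qubes.Gpg2"
#    (the CGroup line in the systemctl status posted in this thread).
#    Reads `systemctl --user status split-gpg2-client` output on stdin.
unit_forwards_agent() {
    grep -qE 'socat .*S\.gpg-agent.*qrexec-client-vm @default qubes\.Gpg2'
}

# Which process owns the S.gpg-agent socket? Reads `ss -xlp` output on stdin
# and prints the process name; expected: socat. If a local gpg-agent had
# re-created the socket, gpg would talk to an agent holding no keys. This is
# an assumption to rule out, not the confirmed cause of the issue.
agent_socket_owner() {
    grep 'S\.gpg-agent' | sed -n 's/.*users:(("\([^"]*\)".*/\1/p' | head -n 1
}

# 4. Key listing. Count records of one type (pub, sec, ssb, ...) in
#    `gpg --with-colons` output read on stdin. On sys-pgp:
#      gpg --homedir ~/.gnupg/split-gpg/gpg-client-vm --with-colons -K | count_records sec
#    in the client: gpg --with-colons -K | count_records sec
#    gpg -K asks the agent per keygrip whether a secret key exists, so a
#    non-zero count on sys-pgp and 0 in the client means those agent requests
#    are not answered by sys-pgp: check the qrexec policy log for a denied or
#    mis-targeted qubes.Gpg2 call, as the thread suggests.
count_records() {
    grep -c "^$1:" || :
}

# Live run inside the client qube: sh split-gpg2-checks.sh --run
if [ "${1-}" = "--run" ]; then
    service_flag_present && echo "ok: split-gpg2-client service enabled" \
        || echo "FAIL: split-gpg2-client flag missing in /var/run/qubes-service"
    systemctl --user status split-gpg2-client 2>/dev/null | unit_forwards_agent \
        && echo "ok: socat forwards S.gpg-agent to qubes.Gpg2" \
        || echo "FAIL: split-gpg2-client unit is not forwarding the agent socket"
    echo "S.gpg-agent socket owner: $(ss -xlp 2>/dev/null | agent_socket_owner)"
    echo "secret keys visible in client: $(gpg --with-colons -K 2>/dev/null | count_records sec)"
fi
```

The functions are deliberately split by where the data comes from: the policy check only makes sense in dom0, while the service flag, unit and key-listing checks belong in gpg-client-vm; running `count_records sec` on both sides is the quickest way to see whether the problem is in the key material (both sides 0) or in the qrexec path (sys-pgp non-zero, client 0).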

wassp-ds commented 3 days ago

I'll share my notes on this tomorrow to give you full insight into the steps I am making to set it up - maybe that'll help. In the meantime I tried on a new machine spawned from dev template, same issue.