Open wassp-ds opened 5 days ago
After a quick read there may be a gpg version mismatch, see this issue for versions that come from qusal formulas.
I don't see how git is relevant. It is failing before git, it is failing on the gpg agent level.
Qubes.Gpg2
It is not upper case Q. Verify your policy.
gpg -- homedir /home/user/.gnupg/split-gpg/gpg-client-vm --gen-key
There is no space between -- homedir, it is just --homedir.
On sys-pgp:
cd ~/.gnupg/split-gpg/gpg-client-vm
gpg --homedir . -k
gpg --homedir . -K
It should list the public (K) and private key (K).
echo "test" | gpg --clearsign
Works for me. Please redo the steps.
Follow the debugging steps I gave to the other user: 1, 2.
After a quick read there may be a gpg version mismatch, see this issue for versions that come from qusal formulas.
Try updating qusal to guarantee you are on the latest version.
I pushed a commit that might be relevant in case you did not enable the service as I deleted the True|1 from the example by mistake.
Yes - I was typing on my mobile so some syntax got screwed up - will get back on that asap
@ben-grande on sys-pgp:
cd ~/.gnupg/split-gpg/gpg-client-vm
gpg --homedir . -k
gpg --homedir . -K
both return correct keys.
on gpg-client-vm:
gpg -k
returns the correct key.
gpg -K
returns nothing.
echo "test" | gpg --clearsign
returns the same error as stated above.
And this debugging step?
On gpg-client-vm:
ls /var/run/qubes-service
Is split-gpg2-client in there?
Another way:
qvm-features gpg-client-vm service.split-gpg2-client
on gpg-client-vm:
ls /var/run/qubes-service
shows split-gpg2-client present
The instructions upstream say to only copy the public part of the key to the gpg-client-vm, which I did through exporting commands (public keys and ownertrust), and then imported to gpg-client-vm through respective --import and --import-ownertrust.
It almost feels like the secret part of the key has a problem "splitting".
And this debugging step?
Third time I ask to do this debugging step...
If there is no problem in that debugging step, try to reproduce it without Qusal being involved, create the qubes by yourself and test.
Sorry, I missed it completely!
$ cat ~/.config/qubes-split-gpg2/qubes-split-gpg2.conf
[DEFAULT]
autoaccept = 86400
pksign_autoaccept = 86400
pkdecrypt_autoaccept = 86400
verbose_notifications = yes
allow_keygen = no
#gnupghome =
isolated_gnupghome_dirs = ~/.gnupg/split-gpg
#debug_log =
#source_keyring_dir =
$ cat ~/.config/sh/profile.d/split-gpg2.sh
export GSK_RENDERER=cairo LIBGL_ALWAYS_SOFTWARE=1
zenity --question --title title --text text
outputs a popup with correct title and text.
Qubes.Gpg2
It is not upper case Q. Verify your policy.
Last resort is to check your policy logs. Follow the troubleshoot guide for the Qrexec. If the call is allowed, I have no idea of the problem and you can only try to reproduce outside of Qusal.
You got split-gpg2-client working before? https://github.com/ben-grande/qusal/issues/64
Please try this again on gpg-client-vm:
systemctl --user status split-gpg2-client
You got split-gpg2-client working before? #64
Please try this again on gpg-client-vm:
systemctl --user status split-gpg2-client
The zenity error got fixed on sys-pgp side, I proceeded to hit the issue in question.
To your question:
% systemctl --user status split-gpg2-client
● split-gpg2-client.service - split-gpg2 client
Loaded: loaded (/usr/lib/systemd/user/split-gpg2-client.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-07-01 17:09:18 UTC; 1min 44s ago
Main PID: 537 (socat)
Tasks: 1 (limit: 385)
Memory: 3.2M
CPU: 10ms
CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/split-gpg2-client.service
└─537 socat "unix-listen:'/run/user/1000/gnupg/S.gpg-agent',fork,unlink-early" "exec:qrexec-client-vm @default qubes.Gpg2"
I'll share my notes on this tomorrow to give you full insight into the steps I am making to set it up - maybe that'll help. In the meantime I tried on a new machine spawned from dev template, same issue.
Commitment
I confirm that I have read the following resources:
Software version
R4.2.1
Brief summary
gpg-client-vm doesn't list keys with gpg -K, only with gpg --list-keys after public part of the key is imported from sys-pgp.
Checked Qubes.Gpg2 policy following the TROUBLESHOOTING guide - all correct.
Steps to reproduce
Perform upstream doc instruction to generate new key under
gpg -- homedir /home/user/.gnupg/split-gpg/gpg-client-vm --gen-key
Expected behavior
Should be able to use gpg keys normally
Actual behavior
Tried testing with echo "test" | gpg --clearsign, to get:
Can't sign commits or pulls with gpgs.
Thanks!
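The client-side checks requested in the thread (service flag, agent socket, user unit), gathered into one function as an added example; it is not part of the issue thread or of Qusal. The function name and its two optional path arguments are assumptions of this example, and the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: split-gpg2 client-side checks collected from the thread.
# Run inside the client qube (gpg-client-vm in the thread).

# check_split_gpg2_client [SERVICE_DIR] [AGENT_SOCKET]
# Prints one line per check ("ok: ..." or "FAIL: ...") and returns the
# number of failed checks. Both arguments are hypothetical overrides for
# running the checks against non-default paths.
check_split_gpg2_client() {
    service_dir=${1:-/var/run/qubes-service}
    # The thread shows /run/user/1000/...; the UID is looked up here instead.
    agent_socket=${2:-/run/user/$(id -u)/gnupg/S.gpg-agent}
    failures=0

    # 1. Service flag, as set with
    #    qvm-features gpg-client-vm service.split-gpg2-client
    if [ -e "$service_dir/split-gpg2-client" ]; then
        echo "ok: service flag present in $service_dir"
    else
        echo "FAIL: split-gpg2-client missing from $service_dir"
        failures=$((failures + 1))
    fi

    # 2. socat from split-gpg2-client.service listens on the gpg-agent
    #    socket and forwards each connection to qrexec-client-vm.
    if [ -S "$agent_socket" ]; then
        echo "ok: agent socket $agent_socket exists"
    else
        echo "FAIL: no socket at $agent_socket"
        failures=$((failures + 1))
    fi

    # 3. User unit state, checked only where systemctl is installed.
    if command -v systemctl >/dev/null 2>&1; then
        if systemctl --user is-active --quiet split-gpg2-client 2>/dev/null; then
            echo "ok: split-gpg2-client.service active"
        else
            echo "FAIL: split-gpg2-client.service not active"
            failures=$((failures + 1))
        fi
    fi
    return "$failures"
}
```

If all three checks pass and `gpg -K` still returns nothing, the remaining step from the thread is the qrexec policy log for the qubes.Gpg2 call.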