libreoffice: cannot sign documents with GPG

[marek22k]

Description

LibreOffice with Firejail cannot sign documents

Steps to Reproduce

1. Open a Write/Impress document with LibreOffice.
2. Click in the menu on File -> Digital Signatures -> Digital Signatures... -> Sign Document...

Expected behavior

My private GPG key appears.

Actual behavior

No key appears at all.

Behavior without a profile

_What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?_

$ LC_ALL=C firejail --noprofile /usr/bin/libreoffice --impress presentation.odp 
Parent pid 258790, child pid 258791
Child process initialized in 7.06 ms
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

Additional context

When I click on "Start Certificate Manager..." Kleopatra appears. With Firejail, Kleopatra appears and does not display any private or public keys. Without Firejail, all my keys are displayed.

Environment

Arch Linux

$ firejail --version
firejail version 0.9.72

Compile time support:
    - always force nonewprivs support is disabled
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - D-BUS proxy support is enabled
    - file transfer support is enabled
    - firetunnel support is disabled
    - IDS support is disabled
    - networking support is enabled
    - output logging is enabled
    - overlayfs support is disabled
    - private-home support is enabled
    - private-cache and tmpfs as user enabled
    - SELinux support is disabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

Checklist

• [X] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• [X] I can reproduce the issue without custom modifications (e.g. globals.local).
• [X] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream.
• [X] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

``` $ LC_ALL=C firejail /usr/bin/libreoffice --impress presentation.odp Reading profile /etc/firejail/libreoffice.profile Reading profile /etc/firejail/allow-java.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 259461, child pid 259462 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: not remounting /home/marek/.ssh/config Warning: not remounting /run/user/1000/doc Warning: cleaning all supplementary groups Child process initialized in 136.03 ms Parent is shutting down, bye... ```

Output of LC_ALL=C firejail --debug /path/to/program

[firejail.log](https://github.com/netblue30/firejail/files/15394988/firejail.log)

[glitsj16]

Hi, thank you for reporting. Looks like we never considered GPG signing is a thing in LibreOffice. Should be easily fixed. Can you test the below snippets in a ~/.config/firejail/libreoffice.local please? Both try to achieve functioning document signing, but differ in how much we open the profile for doing so.

[1] The less restrictive version:

$ cat ~/.config/firejail/libreoffice.local
noblacklist ${HOME}/.gnupg

[2] The more restrictive version:

$ cat ~/.config/firejail/libreoffice.local
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/gpg.conf
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
blacklist ${HOME}/.gnupg/random_seed
blacklist ${HOME}/.gnupg/pubring.kbx~
blacklist ${HOME}/.gnupg/private-keys-v1.d
blacklist ${HOME}/.gnupg/crls.d
blacklist ${HOME}/.gnupg/openpgp-revocs.d

Hopefully you can get a working document signing with at least one of the above.

Regards

[marek22k]

Thanks for the quick reply.

Both variants work for me.

[glitsj16]

Both variants work for me.

Great. I've opened a PR implementing the more restrictive version. Thanks for testing!