split-gpg2 client exits non-zero when importing public keys on alternate gpg homedir #9534
Comments
What does it do with the agent? Agent is responsible for handling only secret keys... Maybe it tries to check if it has secret part for this key? Can you enable debugging in the split-gpg2 and see what it tries to do? See debug_log option in the config: https://github.com/QubesOS/qubes-app-linux-split-gpg2/blob/main/qubes-split-gpg2.conf.example

Or maybe just journalctl/.xsession-errors in the backend will have that info already?
Possibly tries to check if there is a secret part.
Checked the dom0 logs now and it never calls the split-gpg2 backend, nothing logged to the journal of

hmm, does it mean split-gpg2 isn't working for you there at all? maybe the client part fails to start or such?

split-gpg2 works fine, I can list secret keys only available in the backend.

Can you also sign or encrypt with them?
Yes, I have full split-gpg2 functionality, listing, signing, encrypting. It is on every minimal template based qube, I have not tried on a full template.

…On Sat, Oct 26, 2024, 5:38 PM Euwiiwueir ***@***.***> wrote:

> split-gpg2 works fine, I can list secret keys only available in the backend.
> Can you also sign or encrypt with them?
Example to demonstrate the problem:

```sh
#!/bin/sh
set -eu
key_url="https://keys.openpgp.org/vks/v1/by-fingerprint/86BA6E93318FBA446642A90ADB8FD31CCAD7D72C"
gnupg_homedir="$(mktemp -d)"
trap 'rm -rf - "${gnupg_homedir}"' EXIT INT HUP QUIT ABRT
cd "${gnupg_homedir}" || exit 1
curl -o key.asc "${key_url}"
gpg --homedir . --import key.asc
```

```console
user@disp8589:~$ sudo touch /var/run/qubes-service/split-gpg2-client
user@disp8589:~$ sudo apt install -y split-gpg2
user@disp8589:~$ sh -x ./imp.sh
+ set -eu
+ key_url=https://keys.openpgp.org/vks/v1/by-fingerprint/86BA6E93318FBA446642A90ADB8FD31CCAD7D72C
+ mktemp -d
+ gnupg_homedir=/tmp/tmp.axcQxkaPH3
+ trap rm -rf - "${gnupg_homedir}" EXIT INT HUP QUIT ABRT
+ cd /tmp/tmp.axcQxkaPH3
+ curl -o key.asc https://keys.openpgp.org/vks/v1/by-fingerprint/86BA6E93318FBA446642A90ADB8FD31CCAD7D72C
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4426  100  4426    0     0  25248      0 --:--:-- --:--:-- --:--:-- 25291
+ gpg --homedir . --import key.asc
gpg: keybox '/tmp/tmp.axcQxkaPH3/pubring.kbx' created
gpg: key DB8FD31CCAD7D72C: 1 signature not checked due to a missing key
gpg: /tmp/tmp.axcQxkaPH3/trustdb.gpg: trustdb created
gpg: key DB8FD31CCAD7D72C: public key "Marek Marczykowski-Górecki <[email protected]>" imported
gpg: can't connect to the agent: IPC connect call failed
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
+ rm -rf - /tmp/tmp.axcQxkaPH3
```
I think it's not related to the import operation, but to a changed homedir. split-gpg2 listens only on the primary (default) socket. I guess the solution would be to change
Good point. It is not always passed to the environment variable but always as parameter,

```bash
#!/bin/bash
set -eo pipefail
printf '%s\n' "GNUPGHOME=${GNUPGHOME:-}" | tee -- /tmp/log >/dev/null
printf '%s\n' "$@" | tee -a -- /tmp/log >/dev/null
gpgconf --list-dirs | grep -e -socket -e homedir | tee -a -- /tmp/log >/dev/null
# prevent starting real gpg-agent locally if it's redirected via split-gpg2
if [ -e /run/qubes-service/split-gpg2-client ]; then
    exit 0
fi
# otherwise, launch gpg-agent
gpgagent=$(gpgconf --list-components | grep ^gpg-agent: | cut -d ':' -f 3)
exec "$gpgagent" "$@"
```

```sh
#!/bin/sh
set -eu
key_url="https://keys.openpgp.org/vks/v1/by-fingerprint/86BA6E93318FBA446642A90ADB8FD31CCAD7D72C"
gnupg_homedir="$(mktemp -d)"
trap 'rm -rf - "${gnupg_homedir}"' EXIT INT HUP QUIT ABRT
cd "${gnupg_homedir}" || exit 1
curl -o key.asc "${key_url}"
#gpg --import key.asc
gpg --homedir . --import key.asc
#GNUPGHOME=. gpg --import key.asc
#GNUPGHOME="${gnupg_homedir}" gpg --import key.asc
```
The last one is quite problematic as the homedir on the command line and CWD changed, but

What happens when I try to list secret keys with the default homedir:

```console
$ gpg -K
```

```
GNUPGHOME=
--homedir /home/user/.gnupg --use-standard-socket --daemon
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/user/.gnupg
```

From my tests,

```sh
#!/bin/sh
# "set -o pipefail" is not available in every /bin/sh (e.g. older dash), so only -eu is used here
set -eu
# prevent starting real gpg-agent locally if it's redirected via split-gpg2
if [ -e /run/qubes-service/split-gpg2-client ]; then
    # "$*" joins all arguments with spaces, so the pattern can match "--homedir DIR" across two arguments
    case "$*" in
        *"--homedir $HOME/.gnupg "*)
            exit 0
            ;;
    esac
    # Another option
    #if printf '%s\n' "$@" | grep -q -- "--homedir $HOME/.gnupg "; then
    #    exit 0
    #fi
fi
# otherwise, launch gpg-agent
gpgagent="$(gpgconf --list-components | awk -F: '/^gpg-agent:/{print $3}')"
exec "$gpgagent" "$@"
```
PR submitted.
Qubes OS release

R4.2

Brief summary

When importing a public key for the first time to a split-gpg2 client, there is a delay as the agent doesn't respond; it imports the key but exits non-zero. What I am currently doing to overcome the error exit code: `^\[GNUPG:\] IMPORT_OK` appears in stderr

`--agent-program="$(gpgconf --list-components | awk -F: '/^gpg-agent:/{print $3}')"`

Steps to reproduce

Add a new public key (not previously imported) to the client keyring.

Expected behavior

Import happens successfully and exits with code zero. The `/usr/share/split-gpg2/gpg-agent-placeholder` should reply with something useful when importing a key, not only exit zero.

Actual behavior

Import happens successfully, but it has a delay and exits with code non-zero.