split-gpg2 doesn’t allow KEYINFO --list #9529

Open
DemiMarie opened this issue Oct 22, 2024 · 0 comments · May be fixed by QubesOS/qubes-app-linux-split-gpg2#17
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: split-gpg2 split-gpg version 2 diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@DemiMarie

Qubes OS release

R4.2

Brief summary

split-gpg2 doesn’t allow KEYINFO --list. This breaks Sequoia Chameleon outright and causes GnuPG to emit a spurious warning on stderr.

Steps to reproduce

Try to use Sequoia Chameleon with split-gpg2 after fixing #9483, #9527, and #9528.

Expected behavior

Secret key listing and decryption work.

Actual behavior

Secret key listing and decryption fail.

@DemiMarie DemiMarie added T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. diagnosed Technical diagnosis has been performed (see issue comments). C: split-gpg2 split-gpg version 2 affects-4.2 This issue affects Qubes OS 4.2. labels Oct 22, 2024
DemiMarie added a commit to DemiMarie/qubes-app-linux-split-gpg2 that referenced this issue Oct 22, 2024
Currently, this command is blocked.  GnuPG detects that the agent
connection is restricted and doesn't try to use it, while Sequoia
Chameleon does not implement the fallback and is unable to list secret
keys or decrypt messages.  Furthermore, gpg prints
"gpg: problem with fast path key listing: Forbidden - ignored", which
Mutt interprets as a prompt the user must respond to.  This causes the
user to need to press enter twice to send a signed email.

Fix these problems by allowing this request.  The request does not work
over a restricted connection, so an unrestricted connection must be
used.  However, the filtering done by split-gpg2 is far stronger than
the access checks in gpg-agent so there is no loss of security.

Fixes: QubesOS/qubes-issues#9529
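
The commit message above relies on split-gpg2's own filtering, rather than gpg-agent's restricted mode, to bound what a client can ask for. As an added illustration (not split-gpg2's actual code; the function names, the allowlist table and the accepted argument shapes are assumptions), a default-deny Assuan line filter that admits `KEYINFO --list` without admitting any other `KEYINFO` option:

```python
import re

# A keygrip is a 20-byte value written as 40 hexadecimal characters.
KEYGRIP_RE = re.compile(r"[0-9A-Fa-f]{40}")
MAX_LINE = 1000  # assumed cap on one request line for this sketch


def check_keyinfo(args):
    """Accept exactly two shapes: '--list' alone, or one keygrip alone."""
    if args == ["--list"]:
        return True, "list all secret keys"
    if len(args) == 1 and KEYGRIP_RE.fullmatch(args[0]):
        return True, "query one keygrip"
    return False, "unexpected KEYINFO arguments"


# Hypothetical allowlist: command name -> argument validator.
# Anything not named here is refused (default deny).
ALLOWED = {"KEYINFO": check_keyinfo}


def filter_line(raw: bytes):
    """Decide whether one client-to-agent line may be forwarded."""
    if len(raw) > MAX_LINE or not raw.endswith(b"\n"):
        return False, "malformed line"
    try:
        text = raw[:-1].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII input"
    # Rejects CR, TAB, NUL and any embedded LF that would smuggle a second command.
    if not text.isprintable():
        return False, "control character in line"
    command, _, rest = text.partition(" ")
    validator = ALLOWED.get(command)  # exact match, stricter than the agent needs
    if validator is None:
        return False, "command not on allowlist"
    return validator(rest.split())


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [b"KEYINFO --list\n", b"KEYINFO " + b"0" * 40 + b"\n",
               b"KEYINFO --list --data\n", b"KEYINFO --ssh-list\n",
               b"GENKEY\n", b"KEYINFO --list\nGENKEY\n"]
    for line in samples:
        print(line, "->", filter_line(line))
```
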
@andrewdavidwong andrewdavidwong added the pr submitted A pull request has been submitted for this issue. label Oct 23, 2024
DemiMarie added a commit to DemiMarie/qubes-app-linux-split-gpg2 that referenced this issue Oct 25, 2024