hw42 / qubes-app-linux-split-gpg2
This project forked from marmarek/qubes-app-linux-split-gpg2
License: GNU General Public License v2.0
Seems like the QUBES_GPG_DOMAIN setting is being ignored on QubesOS R4.0. Each time I run gpg2 --list-secret-keys I get a Qubes dialog box asking:
Do you want to allow the following operation?
Select the target domain and confirm with OK.
Source:
Operation: qubes.Gpg2
Target:
Not a huge problem (other than that all works as expected), but kind of annoying.
My .split-gpg2-rc from the client cube:
$ cat .split-gpg2-rc
# put this file in ~user/.split-gpg2-rc and modify according to your needs
#### Settings affecting the client (running gpg2) ####
export QUBES_GPG_DOMAIN=vault
...and from the server cube:
$ cat .split-gpg2-rc
# put this file in ~user/.split-gpg2-rc and modify according to your needs
#### Settings affecting the client (running gpg2) ####
export QUBES_GPG_DOMAIN=vault
##### Settings affecting the server (running gpg-agent) ####
export QUBES_SPLIT_GPG2_PKSIGN_AUTOACCEPT_TIME=no
export QUBES_SPLIT_GPG2_PKDECRYPT_AUTOACCEPT_TIME=300
# to enable verbose notifications comment the following line out:
export QUBES_SPLIT_GPG2_VERBOSE_NOTIFICATIONS=yes
On my message, zenity displays an assertion failure error message, which somehow gets sent to GPG and interpreted as an invalid IPC command.
split-gpg2 is not security supported (yet). This should be documented.
Right now configuration is done via sourcing shell scripts. This is rather fragile at best, and at worst can easily create misleading expectations regarding security. For instance, setting GNUPGHOME will sometimes change which keys are available via the agent, but it sometimes will not. It also prevents using socket-based qrexec for improved performance.
If I try to generate a key, I run into a problem due to pinentry: pinentry tries to access the controlling terminal, but there is no such terminal, so it fails with a confusing error.
The simplest solution is to replace the pinentry program with a trivial script that always returns OK for every command. A better solution is to always set the pinentry mode to loopback, and respond to every passphrase request with an empty response.
Looks like Mailpile relies on GETINFO s2k_count; however, this is being filtered out by split-gpg2.
Is this something split-gpg2 could allow, or perhaps should Mailpile reevaluate the need for its use?
Relevant log:
2018-02-11 23:22:25.385615886: 1510: C >>> GETINFO s2k_count
2018-02-11 23:22:25.402996632: 1510: C <<< ERR 67109888 Command filtered by split-gpg2.
The s-expressions passed between from GPG to the agent are actually libgcrypt signing and decryption requests. libgcrypt documents the format of these s-expressions at https://www.gnupg.org/documentation/manuals/gcrypt/Cryptographic-Functions.html. split-gpg2 should validate these s-expressions.
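Added example, written for this issue and not taken from split-gpg2 or libgcrypt: a canonical s-expression parser with a structural check of the kind the issue asks for, applied to the encryption value gpg hands to the agent for decryption. The three accepted shapes (enc-val with rsa, elg or ecdh sub-lists) are my assumption, modelled on the libgcrypt public-key encryption-value formats; the sample input and the helper names are constructed for the example.

```python
# Canonical s-expression parser plus a shape check for "enc-val" expressions.
# Example code for this issue; it is not split-gpg2's own validation.

def parse_csexp(data: bytes):
    """Parse one canonical s-expression: '(' ... ')' lists and '<len>:<bytes>' atoms.

    Returns nested Python lists of bytes. Raises ValueError on anything that is
    not well-formed canonical encoding, including trailing bytes after the
    expression, so a validator can reject instead of guessing.
    """
    def parse(pos):
        if pos >= len(data):
            raise ValueError("unexpected end of input")
        ch = data[pos]
        if ch == 0x28:  # '('
            items = []
            pos += 1
            while True:
                if pos >= len(data):
                    raise ValueError("unterminated list")
                if data[pos] == 0x29:  # ')'
                    return items, pos + 1
                item, pos = parse(pos)
                items.append(item)
        if 0x30 <= ch <= 0x39:  # decimal length prefix of an atom
            stop = pos
            while stop < len(data) and 0x30 <= data[stop] <= 0x39:
                stop += 1
            if stop >= len(data) or data[stop] != 0x3A:  # ':'
                raise ValueError("length prefix not followed by ':'")
            digits = data[pos:stop]
            if len(digits) > 1 and digits[0] == 0x30:
                raise ValueError("non-canonical length with leading zero")
            start = stop + 1
            end = start + int(digits)
            if end > len(data):
                raise ValueError("atom length exceeds input")
            return data[start:end], end
        raise ValueError("unexpected byte 0x%02x at offset %d" % (ch, pos))

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after s-expression")
    return value


MPI = object()  # template placeholder: any non-empty atom

# Assumed shapes (modelled on libgcrypt's enc-val formats); adjust to the
# algorithms the agent is actually expected to serve.
ENC_VAL_TEMPLATES = [
    [b"enc-val", [b"rsa", [b"a", MPI]]],
    [b"enc-val", [b"elg", [b"a", MPI], [b"b", MPI]]],
    [b"enc-val", [b"ecdh", [b"s", MPI], [b"e", MPI]]],
]


def matches(tree, template) -> bool:
    """Structural match: exact atoms, MPI placeholders, lists of equal length."""
    if template is MPI:
        return isinstance(tree, bytes) and len(tree) > 0
    if isinstance(template, bytes):
        return tree == template
    return (isinstance(tree, list) and len(tree) == len(template)
            and all(matches(t, p) for t, p in zip(tree, template)))


def validate_enc_val(raw: bytes) -> bool:
    """True only if raw parses cleanly and has exactly one of the expected shapes."""
    try:
        tree = parse_csexp(raw)
    except ValueError:
        return False
    return any(matches(tree, t) for t in ENC_VAL_TEMPLATES)


# Constructed sample: an RSA encryption value with a 4-byte stand-in MPI.
SAMPLE_RSA_ENC_VAL = b"(7:enc-val(3:rsa(1:a4:\x01\x02\x03\x04)))"

if __name__ == "__main__":
    print(parse_csexp(SAMPLE_RSA_ENC_VAL))
    print(validate_enc_val(SAMPLE_RSA_ENC_VAL))  # True
    # False: an extra sub-list the template does not allow
    print(validate_enc_val(b"(7:enc-val(3:rsa(1:a4:\x01\x02\x03\x04)(4:flag0:)))"))
    # False: atom length runs past the end of the input
    print(validate_enc_val(b"(7:enc-val(3:rsa(1:a9:\x01\x02)))"))
```

The check is deliberately exact-shape rather than "contains the expected keys": unknown extra sub-lists, empty MPIs, trailing bytes and non-canonical lengths all fail closed, which is the property a proxy between an untrusted client qube and the key-holding agent wants.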
Building Debian packages on Fedora 25 (or a cube based on the fedora-25 template) fails, since it's impossible to install the dependencies dh-systemd and build-essential:native (no such packages available on Fedora).
Additionally, even after installing the package debhelper, dpkg-buildpackage complains about it being unavailable.
Log:
$ dpkg-buildpackage -us -uc
dpkg-buildpackage: source package split-gpg2
dpkg-buildpackage: source version 0.1
dpkg-buildpackage: source distribution experimental
dpkg-buildpackage: source changed by HW42 <[email protected]>
dpkg-buildpackage: host architecture amd64
dpkg-source --before-build split-gpg2
dpkg-source: info: using options from split-gpg2/debian/source/options: --tar-ignore=.git
dpkg-checkbuilddeps: Unmet build dependencies: build-essential:native debhelper (>= 9)
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
Trying to override the dependency handling doesn't work, since the debhelper plugin that would normally be provided by dh-systemd is not available:
$ dpkg-buildpackage -d -us -uc
dpkg-buildpackage: source package split-gpg2
dpkg-buildpackage: source version 0.1
dpkg-buildpackage: source distribution experimental
dpkg-buildpackage: source changed by HW42 <[email protected]>
dpkg-buildpackage: host architecture amd64
dpkg-source --before-build split-gpg2
dpkg-source: info: using options from split-gpg2/debian/source/options: --tar-ignore=.git
fakeroot debian/rules clean
dh clean --with=systemd
dh: unable to load addon systemd: Can't locate Debian/Debhelper/Sequence/systemd.pm in @INC (you may need to install the Debian::Debhelper::Sequence::systemd module) (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 15) line 2.
BEGIN failed--compilation aborted at (eval 15) line 2.
debian/rules:4: recipe for target 'clean' failed
make: *** [clean] Error 2
dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2
Building on Debian-based distros (or cubes based on the debian-9 template) works flawlessly.
Looks like Mailpile relies on pinentry-mode=loopback; however, this is being filtered out by split-gpg2. This happens regardless of whether or not any secret key is protected by a password.
Is this something split-gpg2 could allow, or perhaps should Mailpile reevaluate the need for its use?
Log:
2018-02-11 23:00:30.485636939: 1180: connected
2018-02-11 23:00:30.618741070: 1180: A >>> OK Pleased to meet you, process 1180
2018-02-11 23:00:30.619058294: 1180: C <<< OK Pleased to meet you, process 1180
2018-02-11 23:00:30.621540647: 1180: C >>> RESET
2018-02-11 23:00:30.621680104: 1180: A <<< RESET
2018-02-11 23:00:30.621822466: 1180: A >>> OK
2018-02-11 23:00:30.621886097: 1180: C <<< OK
2018-02-11 23:00:30.623717083: 1180: C >>> OPTION ttytype=xterm-256color
2018-02-11 23:00:30.623957721: 1180: C <<< OK
2018-02-11 23:00:30.625519086: 1180: C >>> OPTION display=:0
2018-02-11 23:00:30.625686597: 1180: A <<< OPTION display=:0
2018-02-11 23:00:30.626451342: 1180: A >>> OK
2018-02-11 23:00:30.626554322: 1180: C <<< OK
2018-02-11 23:00:30.627776613: 1180: C >>> OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2018-02-11 23:00:30.628066076: 1180: C <<< OK
2018-02-11 23:00:30.628655543: 1180: C >>> GETINFO version
2018-02-11 23:00:30.628777449: 1180: A <<< GETINFO version
2018-02-11 23:00:30.629661940: 1180: A >>> D 2.1.18
2018-02-11 23:00:30.629775343: 1180: C <<< D 2.1.18
2018-02-11 23:00:30.629863764: 1180: A >>> OK
2018-02-11 23:00:30.629924905: 1180: C <<< OK
2018-02-11 23:00:30.630263938: 1180: C >>> OPTION allow-pinentry-notify
2018-02-11 23:00:30.630395438: 1180: A <<< OPTION allow-pinentry-notify
2018-02-11 23:00:30.630883926: 1180: A >>> OK
2018-02-11 23:00:30.630944135: 1180: C <<< OK
2018-02-11 23:00:30.631328783: 1180: C >>> OPTION agent-awareness=2.1.0
2018-02-11 23:00:30.631472520: 1180: A <<< OPTION agent-awareness=2.1.0
2018-02-11 23:00:30.632166138: 1180: A >>> OK
2018-02-11 23:00:30.632252379: 1180: C <<< OK
2018-02-11 23:00:30.632931094: 1180: C >>> OPTION pinentry-mode=loopback
2018-02-11 23:00:30.645026328: 1180: C <<< ERR 67109888 Command filtered by split-gpg2.
2018-02-11 23:00:30.645747599: 1180: disconnected
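Added example, mine rather than code from split-gpg2 or Mailpile, covering both this issue and the GETINFO s2k_count one above. The logs show three things the proxy can do with a client command: relay it to the agent (an "A <<<" line follows), answer it locally with OK (no "A" line at all, as for OPTION ttytype and OPTION putenv), or reject it with the "ERR 67109888 Command filtered by split-gpg2." line. The block implements an allow-list filter with those three dispositions and a replay of the log format that checks observed behaviour against the policy. The policy table and function names are my assumptions for the example; the embedded log lines are copied from the two issue logs above.

```python
import re

# Exact error line the proxy returns for a filtered command (from the issue logs).
FILTERED_ERR = "ERR 67109888 Command filtered by split-gpg2."

FORWARD, LOCAL_OK, REJECT = "forward", "local_ok", "reject"

# Hypothetical policy table for this example. It reproduces only what the
# logs on this page show; it is NOT split-gpg2's real command table.
COMMAND_POLICY = {
    "RESET": FORWARD,
    "BYE": FORWARD,
    "GETINFO": {"version": FORWARD},   # "GETINFO s2k_count" falls through to REJECT
    "OPTION": {
        "display": FORWARD,
        "allow-pinentry-notify": FORWARD,
        "agent-awareness": FORWARD,
        "ttytype": LOCAL_OK,           # answered "OK" without reaching the agent
        "putenv": LOCAL_OK,
        # "pinentry-mode" is absent on purpose: loopback moves passphrase handling
        # to the client side, so the proxy keeps rejecting it.
    },
}


def decide(command_line: str) -> str:
    """Classify one Assuan command line from the client; anything unknown is REJECT."""
    parts = command_line.strip().split(None, 1)
    if not parts:
        return REJECT
    cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
    rule = COMMAND_POLICY.get(cmd)
    if rule is None:
        return REJECT
    if isinstance(rule, str):
        return rule
    # Sub-keyed commands: "OPTION name[=value]" and "GETINFO what".
    key = arg.split("=", 1)[0].strip()
    return rule.get(key, REJECT)


def local_reply(command_line: str):
    """Reply the proxy sends itself; None means the agent's reply is relayed."""
    disposition = decide(command_line)
    if disposition == REJECT:
        return FILTERED_ERR
    if disposition == LOCAL_OK:
        return "OK"
    return None


# Log format used on this page: "<date> <time>: <pid>: <A|C> <>>>|<<<> <text>"
LOG_RE = re.compile(r"^\S+ \S+: \d+: ([AC]) (>>>|<<<) (.*)$")


def observed_dispositions(log_lines):
    """Replay a client log and return [(command, disposition)] as actually observed."""
    out = []
    pending = None      # client command still waiting for its first "C <<<" reply
    forwarded = False   # set when the same text was seen going to the agent
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        side, direction, text = m.groups()
        if side == "C" and direction == ">>>":
            pending, forwarded = text, False
        elif side == "A" and direction == "<<<" and pending is not None and text == pending:
            forwarded = True
        elif side == "C" and direction == "<<<" and pending is not None:
            if text == FILTERED_ERR:
                disposition = REJECT
            elif forwarded:
                disposition = FORWARD
            else:
                disposition = LOCAL_OK
            out.append((pending, disposition))
            pending = None
    return out


def policy_mismatches(log_lines):
    """Observed dispositions that disagree with decide(); empty means the log matches."""
    return [(cmd, seen, decide(cmd))
            for cmd, seen in observed_dispositions(log_lines) if decide(cmd) != seen]


# Lines copied from the two issue logs above (subset).
SAMPLE_LOG = """
2018-02-11 23:00:30.621540647: 1180: C >>> RESET
2018-02-11 23:00:30.621680104: 1180: A <<< RESET
2018-02-11 23:00:30.621822466: 1180: A >>> OK
2018-02-11 23:00:30.621886097: 1180: C <<< OK
2018-02-11 23:00:30.623717083: 1180: C >>> OPTION ttytype=xterm-256color
2018-02-11 23:00:30.623957721: 1180: C <<< OK
2018-02-11 23:00:30.628655543: 1180: C >>> GETINFO version
2018-02-11 23:00:30.628777449: 1180: A <<< GETINFO version
2018-02-11 23:00:30.629661940: 1180: A >>> D 2.1.18
2018-02-11 23:00:30.629775343: 1180: C <<< D 2.1.18
2018-02-11 23:00:30.629863764: 1180: A >>> OK
2018-02-11 23:00:30.629924905: 1180: C <<< OK
2018-02-11 23:00:30.632931094: 1180: C >>> OPTION pinentry-mode=loopback
2018-02-11 23:00:30.645026328: 1180: C <<< ERR 67109888 Command filtered by split-gpg2.
2018-02-11 23:22:25.385615886: 1510: C >>> GETINFO s2k_count
2018-02-11 23:22:25.402996632: 1510: C <<< ERR 67109888 Command filtered by split-gpg2.
""".splitlines()

if __name__ == "__main__":
    for cmd, seen in observed_dispositions(SAMPLE_LOG):
        print(f"{cmd!r}: observed {seen}, policy {decide(cmd)}")
    print("mismatches:", policy_mismatches(SAMPLE_LOG))  # []
```

Whether GETINFO s2k_count or pinentry-mode=loopback should be admitted is then a one-line policy decision with a test against the real logs, rather than a change buried in the proxy's command loop; the replay function doubles as a regression check that a policy edit did not silently widen what reaches the agent.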
Services that should run in the context of a human user (which this does) should run under the user instance of systemd and be installed in /usr/lib/systemd/user. This also allows it to have a hard dependency on the GPG agent socket unit, which means it can avoid ever having to start the agent manually.
Being a per-user unit also allows one vault qube to expose a different set of GPG keys depending on the calling qube, by using qrexec policy to specify the user the command should run as. While this is suboptimal, there are cases where there is no good alternative: the user may not have enough memory to run multiple vault qubes, for example.
It should eventually be possible to restrict access to keys based on qrexec policy. This also includes the actual operation to be done, such as signing vs decrypting.