split gpg: multiple authorization windows popping, autoaccept not working

Quentin

May 8, 2018, 1:13:00 PM
to qubes-users
Trying to get split gpg to work with thunderbird.

When I click on write in thunderbird it opens three authorization
windows. The first time I give authorization to access my gpg qube, it asks
to give the permission for 5 minutes. After accepting that, there are
still authorization windows popping up.


How do I give the authorizations to access the gpg qube for 5 minutes?

Todd Lasman

May 9, 2018, 10:37:26 PM
to qubes...@googlegroups.com
From the website, and new in Qubes 4.0:

New qrexec policies in Qubes R4.0 by default require the user to enter the name of the domain containing GPG keys each time it is accessed. To improve usability for Thunderbird+Enigmail, in dom0 place the following line at the top of the file /etc/qubes-rpc/policy/qubes.Gpg:

work-email  work-gpg  allow
where work-email is the Thunderbird+Enigmail AppVM and work-gpg contains your GPG keys.

alex...@gmail.com

Feb 2, 2019, 3:28:27 PM
to qubes-users
I am having the same issue with the popups for authentication between VMs. I am running Qubes 4.0.1 fully updated and I have typed in this line in /etc/qubes-rpc/policy/qubes.Gpg

$work-email $work-gpg allow

After this step Thunderbird doesn't see my gpg-key in work-gpg at all. It saw it fine before I typed that line in, other than the auth popups. So I went back a step and redid this in my work-email terminal

[user@work-email ~]$ export QUBES_GPG_DOMAIN=work-gpg
[user@work-email ~]$ gpg -K
[user@work-email ~]$ qubes-gpg-client -K
Request refused


I am getting this error "Request refused". It works fine leaving the qrexec policies as

$anyvm $anyvm ask

Any ideas on why this could be happening?

Dupéron Georges

Feb 11, 2019, 10:45:01 AM
to alex...@gmail.com, qubes-users
> I am having the same issue with the popups for authentication between VMs. I am running Qubes 4.0.1 fully updated and I have typed in this line in /etc/qubes-rpc/policy/qubes.Gpg
>
> $work-email  $work-gpg  allow
>
> After this step Thunderbird doesn't see my gpg-key in work-gpg at all. It saw it fine before I typed that line in, other than the auth popups. So I went back a step and redid this in my work-email terminal
>
> [user@work-email ~]$ export QUBES_GPG_DOMAIN=work-gpg
> [user@work-email ~]$ gpg -K
> [user@work-email ~]$ qubes-gpg-client -K
> Request refused
>
> I am getting this error "Request refused". It works fine leaving the qrexec policies as
>
> $anyvm  $anyvm  ask

Try without the $ (the $ is used for special placeholders like $anyvm or $tag:work, after you set the tag via qvm-tags)
work-email  work-gpg  allow

In general, some services (like qvm-copy) don't specify a target VM, so they first try to see if they can match an ask rule, and then realize that they do not need to ask anything because of the `default_target` and `allow`. This doesn't seem to be the case here (thanks to the export QUBES_GPG_DOMAIN=work-gpg), but otherwise you would need:

work-email  work-gpg  ask,default_target=work-gpg
work-email  work-gpg  allow

or:

# by default, an attempt can be made, and the target is auto-selected to be work-gpg
work-email  $anyvm  ask,default_target=work-gpg
# allow for work-gpg, without asking
work-email  work-gpg  allow
# deny for all others, without asking
work-email  $anyvm  deny
# Since all cases are covered, it will never actually ask, but it needs the first rule to support operations where the target is unknown, like `qvm-copy somefile`
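
Added example, not part of the thread and not Qubes code: a simplified Python model of the policy lines discussed above, which flags a `$` in front of an ordinary qube name and then applies first-match evaluation. Assumptions: the placeholder list is a subset of what R4.0 accepts, each rule is exactly three whitespace-separated fields with comments on their own lines, and a file with any flagged line refuses the request, consistent with the "Request refused" output reported above.

```python
# Simplified model of R4.0 qrexec policy lines (added example, hypothetical helper names).
KNOWN_EXACT = {"$anyvm", "$adminvm", "$dispvm", "$default"}
KNOWN_PREFIX = ("$tag:", "$type:", "$dispvm:")

def parse(text):
    """Return (rules, problems) for the body of a policy file."""
    rules, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"line {n}: expected 'source target action[,params]'")
            continue
        src, dst, full = parts
        for name in (src, dst):
            if name.startswith("$") and name not in KNOWN_EXACT \
                    and not name.startswith(KNOWN_PREFIX):
                problems.append(f"line {n}: {name!r} is not a placeholder; "
                                f"write the qube name as {name[1:]!r}")
        action, *params = full.split(",")
        if action not in ("allow", "ask", "deny"):
            problems.append(f"line {n}: unknown action {action!r}")
        rules.append((src, dst, action, dict(p.split("=", 1) for p in params if "=" in p)))
    return rules, problems

def matches(spec, qube, tags):
    if spec == "$anyvm":
        return True
    if spec.startswith("$tag:"):
        return spec[5:] in tags.get(qube, ())
    return spec == qube  # a plain name matches only that qube

def decide(text, source, target, tags=None):
    """First matching rule wins; a file with problems refuses (assumption)."""
    rules, problems = parse(text)
    if problems:
        return "refused", problems
    for src, dst, action, params in rules:
        if matches(src, source, tags or {}) and matches(dst, target, tags or {}):
            return action, params
    return "deny", {}

# Constructed sample policies: the line that was refused, and the corrected form.
BAD = "$work-email $work-gpg allow\n$anyvm $anyvm ask\n"
GOOD = "work-email work-gpg allow\n$anyvm $anyvm ask\n"

if __name__ == "__main__":
    print(decide(BAD, "work-email", "work-gpg"), decide(GOOD, "work-email", "work-gpg"))
```
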