split gpg failing after moving appvm from debian 8 to debian 9

25 views
Skip to first unread message

cubit

unread,
Jan 19, 2018, 4:26:18 AM1/19/18
to Qubes Users
Hello qubes-users

I am migrating all my AppVM from Debian 8 template to Debian 9 template  but I am running into little problem with split GPG.

Split GPG has been working on my computer okay with Debian 8 and two appVM;   "work" which has thunderbird and enigmail and "vault" which has my gpg keys.

The issue seems to be if I set the vault to Debian 9,  my work appVM complains that it can not find my private key.  Even though if I run "qubes-gpg-client -K" on the work appVM it shows my keys.  Looking at an encrypted email when "vault" appVM is not running will force it to be started.   The problem exists if even I set work appVM to d8 or d9.     Work VM with Debian9  and vault VM with debian 8 works okay.

I have gone over https://www.qubes-os.org/doc/split-gpg to make sure everything is set up correctly after template change and at each step it is.

Can anyone know how to fix this?

Cubit


cubit

unread,
Mar 1, 2018, 1:28:50 PM3/1/18
to Qubes Users
19. Jan 2018 09:26 by cu...@tutanota.com:

Hello Qubes users,


I am still stuck with this problem of not being able to move from Debian8 to Debian9 for my split GPG.     Is there anyone who know a way to do this or is just split key GPG in Debian 9 broken?



Cubit



Unman

unread,
Mar 1, 2018, 2:36:18 PM3/1/18
to cubit, Qubes Users
It's not broken on debian-9.
How are you calling split-gpg in the work qube?
What is the exact error message?

cubit

unread,
Mar 1, 2018, 2:54:20 PM3/1/18
to Unman, Qubes Users
1. Mar 2018 19:36 by un...@thirdeyesecurity.org:

It's not broken on debian-9.
How are you calling split-gpg in the work qube?
What is the exact error message?


I had:


work qube as debian 8, changed template used to debian 9 and works ok.


vault qube as debian 8 but when I try change the template to debian 9, work template can no longer find private keys.    The work quebe will start the vault qube when encrypted email is looked at so it appears they are talking ok.


- In work qube I am using Thunderbird + enigmail

- enigmail is configured to use "/usr/bin/qubes-gpg-client-wrapper"

- in work qube terminal  "qubes-gpg-client -k" returns all my keys


The only thing changing is the template for vault qube.


Cubit




Unman

unread,
Mar 1, 2018, 3:01:13 PM3/1/18
to cubit, Qubes Users
Which Qubes version are you using?
Do you get the Gpg dialog popup?

cubit

unread,
Mar 1, 2018, 3:14:01 PM3/1/18
to Unman, Qubes Users
1. Mar 2018 20:01 by un...@thirdeyesecurity.org:


Which Qubes version are you using?
Do you get the Gpg dialog popup?

 


Qubes 3.2 with all templates and dom0 updated as of today.   Yes I get pop up asking do I want to give access to keys for the time period defined by QUBES_GPG_AUTOACCEPT in .bash_profile in work qube (if vault qube is not running it will be started).  I say yes to this and it just errors with


"Error - no matching private/secret key found to decrypt message; click on details button for more information"


Clicking on the details button in thunderbird, shows that the message is encrypted to my key


gpg key is a master / sub key set up with the master private key offline if that makes any difference.






cubit

unread,
Mar 5, 2018, 9:36:39 AM3/5/18
to Unman, Qubes Users
1. Mar 2018 20:13 by cu...@tutanota.com:

Here is some type of  answer if anyone else runs into this problem, I did not manage to fix this but did work around it. 


- I created a brand new vault VM based on Debian 9,

- exported all my keys from old vault

- imported into new vault

- updated work VM to call new vault


everything works again.


I guess I'll never know why simply changing my original vault VM template from Debian 8 to 9 did not work.


Cubit






Reply all
Reply to author
Forward
0 new messages