QubesOS R3.2 - up to date.
It seems it was a conscious decision to explicitly block hidden recipients from the
Split GPG feature.
I have configured Split GPG and immediately hit this roadblock that qubes-gpg-client
does not support hidden recipients in any form.
This is true for any encrypting or decrypting functionality.
$ qubes-gpg-client -esa -R KEYID
qubes-gpg-client: invalid option -- 'R'
^- most other switches are enabled, but -R was not. lowercase -r works, to include the KEYID.
$ qubes-gpg-client < pgp-encoded-text-addressed-to-hidden-recipient.asc
gpg: encrypted with RSA key, ID 00000000
gpg: decryption failed: No secret key
^- this would indicate that it only tries one key, the 00000000
I also tried the qubes-gpg-client-wrapper with the same results.
Could we open a discussion about possibly supporting this in the future?
I'd imagine it was a decision to require a specific KEYID to decrypt-from/encrypt-to possibly
because of the way the qubes utils were written within the "vault" VM? So
instead of iterating over all -K keys with secrets, it instead explicitly tries to access that
one KEYID to encrypt/decrypt.
Could we instead, on the server/vault VM side:
* look for KEYID 00000000 (which indicates a hidden recipient)
* query for all keys with secrets (-K)
* iterate over each, trying each key until decoding succeeds
This is how CLI and Thunderbird worked with multiple PGP keys local to that VM, before
I set up Split GPG.
Thanks!
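
Added example, not part of the original post and not Qubes code: a sketch of the vault-side steps proposed above (detect the all-zero key ID, list secret keys, try each until one decrypts). The sample gpg outputs and key IDs are constructed, the function names are hypothetical, and gpg_try_key assumes the vault's gpg supports --try-secret-key.

```python
import re
import subprocess

# Constructed sample: `gpg --list-only --list-packets` on a message made with -R.
SAMPLE_PACKETS = (
    ":pubkey enc packet: version 3, algo 1, keyid 0000000000000000\n"
    "\tdata: [4096 bits]\n"
    ":encrypted data packet:\n"
)
# Constructed sample: `gpg --with-colons -K` output; all key IDs are made up.
SAMPLE_SECRET_KEYS = (
    "sec:u:4096:1:1111111111111111:1460000000:::u:::scSC:::+:::23::0:\n"
    "uid:u::::1460000000::AAAA::Alice <alice@example.invalid>::::::::::0:\n"
    "ssb:u:4096:1:2222222222222222:1460000000::::::e:::+:::23:\n"
    "sec:u:2048:1:3333333333333333:1470000000:::u:::scSC:::+:::23::0:\n"
    "ssb:u:2048:1:4444444444444444:1470000000::::::e:::+:::23:\n"
)

def has_hidden_recipient(list_packets_output):
    """True if any public-key session packet carries the all-zero key ID."""
    ids = re.findall(r"^:pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]+)",
                     list_packets_output, re.M)
    return any(set(k) == {"0"} for k in ids)

def decryption_candidates(colon_listing):
    """Key IDs of secret (sub)keys whose own capabilities include encryption."""
    out = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        # Field 12 holds capabilities; lowercase 'e' = this key can decrypt.
        if f[0] in ("sec", "ssb") and len(f) > 11 and "e" in f[11]:
            out.append(f[4])
    return out

def gpg_try_key(keyid, ciphertext):
    """Hypothetical wrapper; assumes the vault's gpg supports --try-secret-key."""
    p = subprocess.run(["gpg", "--batch", "--try-secret-key", keyid, "--decrypt"],
                       input=ciphertext, capture_output=True)
    return p.stdout if p.returncode == 0 else None

def trial_decrypt(ciphertext, packets, colon_listing, try_key=gpg_try_key):
    """Return (keyid, plaintext) from the first key that works, else None."""
    if not has_hidden_recipient(packets):
        return None  # a named recipient needs no iteration
    for keyid in decryption_candidates(colon_listing):
        plaintext = try_key(keyid, ciphertext)
        if plaintext is not None:
            return keyid, plaintext
    return None
```

Passing a different try_key callable lets the loop be exercised without touching a real keyring.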