SplitGPG with Subkeys Encryption Error


Robert Spigler

May 16, 2020, 1:42:45 AM
to qubes-users

I have a master private key (Certify Only) stored in Vault, separate Encryption and Sign secret subkeys generated in Vault and stored in networkless work-gpg. All public keys stored in a separate AppVM for 'qubes-gpg-client' command to access the work-gpg VM via the Split GPG protocol.


I have successfully tested signing and verifying text with my new key, and decrypting messages to my new key. My one issue has been encrypting messages to other keys:


`export QUBES_GPG_DOMAIN=work-gpg`

`cat InFile | qubes-gpg-client --encrypt --recipient RECIPIENT`


Results in the error:


>gpg: There is no assurance this key belongs to the named user

>gpg: cannot open '/dev/tty': No such device or address


Well, I can't sign the public key, that is a documented downside of SplitGPG with Subkeys. As for the second, I tried adding `no-tty` to ~/.gnupg/gpg.conf in work-gpg


Trying the above command again results in the new error:


`EOF` with no change to the file. So I try a new approach:


`export QUBES_GPG_DOMAIN=work-gpg` (I'll stop repeating this line so I don't annoy you all)

`qubes-gpg-client --output OutFile --encrypt --recipient RECIPIENT InFile`


Error:

>Only '-' argument supported for --output option


^^I have no idea what that is about.


So, remove the output file request and just attempt to write over:

`qubes-gpg-client --encrypt --recipient RECIPIENT InFile`


Error:

>gpg: There is no assurance this key belongs to the named user

>gpg: Sorry, no terminal at all requested - can't get input


Let's remove the conf line we added earlier, and run again:


Error:

>There is no assurance this key belongs to the named user

>gpg: cannot open '/dev/tty': No such device or address


I give up!


Does anyone have any idea what is going on here?

Logan

May 16, 2020, 11:08:08 AM
to qubes...@googlegroups.com
I have keys with the same configuration and also struggled with this for
a while.

Purchasing an OpenPGP smartcard (yubikey, nitrokey etc) really
simplified things for me. I keep the private key(s) in my vault and now
I sign, encrypt and authenticate using it wherever I need.

I know that this is not the solution you are looking for. But it's a good
one to achieve the same end.

Robert Spigler

May 16, 2020, 4:53:46 PM
to qubes-users
I'm considering posting in qubes-issues, but I want to make sure this isn't something I'm doing wrong myself/a stupid mistake before I do so. Looked around online, asked here and on twitter/reddit, and I'll continue to wait a few more days.

unman

May 16, 2020, 8:33:02 PM
to qubes-users
If you check `man gpg` you'll see a couple of options that help here:
--trust-model always will avoid checking altogether.
--trusted-key <long key id> will treat that key as fully trusted.

From the manpage:
Assume that the specified key (which must be given as a full 8 byte key
ID) is as trustworthy as one of your own secret keys. This option is
useful if you don't want to keep your secret keys (or one of them) online
but still want to be able to check the validity of a given recipient's
or signator's key.

So,
qubes-gpg-client-wrapper -r alice --trusted-key <alice's key id> -e target -o target.gpg
should solve the problem, I think.

unman

Robert Spigler

May 26, 2020, 1:05:53 AM
to qubes-users
I apologize for the long absence. I appreciate your help.

While this helped with the 'There is no assurance this key belongs to the named user' error, it still could not complete the encryption.

qubes-gpg-client --output --OUTPUT_PATH.asc --encrypt --recipient --trusted-key <KeyID> InFile

Continues to result in the weird error:

'Only '-' argument supported for --output option'

Tried it with the other method:

cat InFile | qubes-gpg-client --encrypt --recipient --trusted-key <KeyID>

And I get the new error:

open: No such file or directory


I know there are people who are set up on Qubes with subkeys running splitGPG, it's the only way to truly use GPG securely. Hopefully someone has run into this error before.



unman

May 26, 2020, 6:13:15 AM
to qubes-users
No need for apologies. Difficult times.

When you specify the output you use: `-o file` or `--output file`
You can use a single dash to indicate output to stdout, like `-o -`,
which allows you to redirect output.

You are using a double dash before the filename output. That's wrong:
the "weird error" thinks you are trying to output to stdout and is
telling you how to do it.
Just use the filename, or a single dash.

Stay safe

Robert Spigler

May 26, 2020, 4:46:36 PM
to qubes-users
I tried the command with '--output OutPutFilePath.asc':

qubes-gpg-client --output /home/user/Documents/Final.asc --encrypt --recipient --trusted-key <C2C60E279E86F10D5697782535CE0FE6C2141823> '/home/user/Documents/Test_Encryption.txt'

Resulted in the error:

bash: C2C60E279E86F10D5697782535CE0FE6C2141823: No such file or directory

Tried again, realizing I mistook formatting:

qubes-gpg-client --output /home/user/Documents/Final.asc --encrypt --recipient --trusted-key C2C60E279E86F10D5697782535CE0FE6C2141823 '/home/user/Documents/Test_Encryption.txt'

Resulted in the same error I've been getting:

Only '-' argument supported for --output option

Tried with just '-o':

qubes-gpg-client -o /home/user/Documents/Final.asc --encrypt --recipient --trusted-key C2C60E279E86F10D5697782535CE0FE6C2141823 '/home/user/Documents/Test_Encryption.txt'

Results in error:

qubes-gpg-client: invalid option -- 'o'


I should probably note that besides encryption not working, the SplitGPG interface doesn't even pop up when qubes-gpg-client is called, like it does for decryption, signing, and verifying.
Apologies if I'm doing something stupid.




unman

May 26, 2020, 9:11:44 PM
to qubes-users
It's a convention that angle brackets are used to show a parameter to
be substituted. So <key> indicates that you should type the key there.

<> are redirects - When you used the "<" in the first case, it attempted
to INPUT C2C60E279E86F10D5697782535CE0FE6C2141823 to the
qubes-gpg-client command - of course, there is no such file.

I now realise that you are trying to use qubes-gpg-client directly.
Can you try using the wrapper script, as I suggested?

qubes-gpg-client-wrapper -r alice --trusted-key <alice's key id> -e target -o target.gpg

See if that works for you.

unman

Robert Spigler

May 27, 2020, 3:21:00 PM
to qubes-users
qubes-gpg-client-wrapper -r Robert...@ProtonMail.ch --trusted-key <C2C60E279E86F10D5697782535CE0FE6C2141823> -e '/home/user/Documents/Test_Encryption.txt' -o /home/user/Documents/Final.gpg

Still results in:

bash: C2C60E279E86F10D5697782535CE0FE6C2141823: No such file or directory

What is the wrapper? This also does not open the qubes-gpg-client interface, in case that info helps.  I should also clarify that I am trying to encrypt the contents of the file, so that I could copy and paste the message for messaging, forums, etc; not encrypt the entire file for sending.

unman

May 27, 2020, 9:59:21 PM
to qubes-users
Read my last message - you don't actually type the angle brackets
This is simply a bash script, you can inspect for yourself: it's at
/usr/bin/qubes-gpg-client-wrapper

I'm not sure I understand your clarification - in any case, use the
command line I cited without the angle brackets.

Ulrich Windl

Jun 5, 2020, 6:58:01 PM
to qubes...@googlegroups.com
On 5/27/20 9:21 PM, Robert Spigler wrote:
> qubes-gpg-client-wrapper -r Robert...@ProtonMail.ch --trusted-key
> <C2C60E279E86F10D5697782535CE0FE6C2141823> -e
> '/home/user/Documents/Test_Encryption.txt' -o /home/user/Documents/Final.gpg
>
> Still results in:
>
> bash: C2C60E279E86F10D5697782535CE0FE6C2141823: No such file or directory
>

I wonder: Did you try to read "HOW TO SPECIFY A USER ID" in "man gpg"?
Or maybe see the examples: Try with the simplistic format like this:
EXAMPLES
gpg -se -r Bob file
sign and encrypt for user Bob

Once the simple variant works, try a more complicated one...

> What is the wrapper? This also does not open the qubes-gpg-client
> interface, in case that info helps.  I should also clarify that I am
> trying to encrypt the contents of the file, so that I could copy and
> paste the message for messaging, forums, etc; not encrypt the entire
> file for sending.
>

Robert Spigler

Jun 6, 2020, 9:22:31 PM
to qubes-users

> Read my last message - you don't actually type the angle brackets
> This is simply a bash script, you can inspect for yourself: it's at
> /usr/bin/qubes-gpg-client-wrapper
>
> I'm not sure I understand your clarification - in any case, use the
> command line I cited without the angle brackets.

I tried your suggestion:

qubes-gpg-client-wrapper -r Robert...@ProtonMail.ch --trusted-key C2C60E279E86F10D5697782535CE0FE6C2141823 -e '/home/user/Documents/Test_Encryption.txt' -o /home/user/Documents/Final.gpg

But with the error in terminal:

gpg:     C2C60E279E86F10D5697782535CE0FE6C2141823 is not a valid long keyID

However, this time the qubes-gpg-client interface did pop up, as well as the file Final.gpg being created (but it was empty).  Seems like we're getting closer.  That definitely is the valid keyID, so I don't know what is wrong.

Robert Spigler

Jun 6, 2020, 10:04:36 PM
to qubes-users
> Once the simple variant works, try a more complicated one...

Great idea. Just to see if I was being crazy, I created a new AppVM and GPG key to test with. No 'qubes-gpg-client', '--trusted-key', etc.

Like @unman had suggested, I continued to try:

gpg -r New_Key -e '/home/user/Test  Encryption' -o /home/user/Final.asc

I would get errors like:

usage: gpg [options] --encrypt [filename]


Like you suggested, I switched to something simpler I would normally use:

gpg --encrypt --armor -r UserID InFile

This worked perfectly, so I tried to bring this back over to the split-GPG setup.


qubes-gpg-client --encrypt --armor -r C2C60E279E86F10D5697782535CE0FE6C2141823 '/home/user/Documents/Test_Encryption.txt'

Unfortunately, resulted in the error discussed previously:

gpg: 0xF07FADF4DCD92D53: There is no assurance this key belongs to the named user (This is my encryption subkey)
gpg: cannot open '/dev/tty': No such device or address

So, I tried @unman's suggestion the last time this came up:


qubes-gpg-client --encrypt --armor -r Robert...@ProtonMail.ch --trusted-key C2C60E279E86F10D5697782535CE0FE6C2141823 '/home/user/Documents/Test_Encryption.txt'

Gives me the error:

gpg: 'C2C60E279E86F10D5697782535CE0FE6C2141823' is not a valid long keyID

But I know that it is correct :(

unman

Jun 7, 2020, 9:47:19 AM
to qubes-users
What is wrong is that you don't seem to understand the difference between
fingerprints and keyIDs.
fingerprint C2C60E279E86F10D5697782535CE0FE6C2141823
long keyID 35CE0FE6C2141823
short keyID C2141823

I've included "short" only for reference - don't use it.
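As an added example that is not part of this thread, a small POSIX shell helper that derives the long key ID (the last 16 hex digits of the fingerprint, as unman lists above) from a fingerprint and assembles the `qubes-gpg-client-wrapper` line with `--trusted-key`; it rejects a short ID, a typo, or a pasted full fingerprint before gpg ever sees it. The recipient address, file name and the `--armor -o -` combination (armored output to stdout, for pasting into a message) are assumptions, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the qubes-users thread. Derives the long key ID
# that --trusted-key expects and builds the Split GPG command line.

# Normalise a fingerprint (spaces allowed, as `gpg --fingerprint` prints it)
# and print its last 16 hex digits, the long key ID. Returns 1 for anything
# that is not exactly 40 hex digits, so a short key ID or a typo is caught.
long_keyid_from_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr" | cut -c 25-40
}

# Build the wrapper command with the key already converted to a long ID.
# The "-o -" sends the armored ciphertext to stdout so it can be pasted.
# Recipient, file name and --armor are assumptions for the example.
split_gpg_encrypt_cmd() {
    recipient=$1; fpr=$2; infile=$3
    keyid=$(long_keyid_from_fpr "$fpr") || return 1
    printf 'qubes-gpg-client-wrapper -r %s --trusted-key %s --armor -e -o - %s\n' \
        "$recipient" "$keyid" "$infile"
}

# Fingerprint quoted in the thread; the long key ID is 35CE0FE6C2141823.
FPR='C2C6 0E27 9E86 F10D 5697  7825 35CE 0FE6 C214 1823'
split_gpg_encrypt_cmd alice@example.org "$FPR" message.txt
```

Using `--trusted-key` with the key you actually verified out of band is narrower than `--trust-model always`, which disables the check for every recipient.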

Robert Spigler

Jul 3, 2020, 7:10:40 PM
to qubes-users

That was, I admit, an embarrassing mistake.

Split GPG encryption is now working! Thank you for helping me.

Please post a bitcoin address (signed and encrypted); would like to thank you for your time.

My new, secure Split GPG public key fingerprint:
BF0D 3C08 A439 5AC6 11C1  5395 B70B 4A77 F850 548F

