Enigmail with gpg-split-domain


Iestyn Best

Mar 25, 2015, 12:49:39 AM
to qubes...@googlegroups.com
Hi,

I was just going through the guides for setting up gpg-split-domain and have got it all set up so that I have the master keys stored offline, subkeys stored in a gpg VM with no network access, and the personal domain set up to use the gpg domain for, well you know.

After I got my key set up and working the way I wanted, with multiple UIDs for different email accounts, I tried to configure EnigMail to use the qubes-gpg-client-wrapper as shown in the user doc, but EnigMail comes back with an error about the GPG executable being the wrong version and it is expecting gpg 2.x.x.

Is this a known problem or something that is just starting to happen?

Your assistance would be greatly appreciated.

Regards,
Iestyn Best


P.S.
Is it recommended to start signing my posts? What is the best way to do that?

Marek Marczykowski-Górecki

Mar 25, 2015, 9:41:44 AM
to Iestyn Best, qubes...@googlegroups.com

On Tue, Mar 24, 2015 at 09:49:39PM -0700, Iestyn Best wrote:
> Hi,
>
> I was just going through the guides for setting up gpg-split-domain and
> have got it all setup so that I have the master keys stored offline,
> subkeys stored in a gpg vm with no network access and the personal domain
> setup to use the gpg domain for, well you know.
>
> After I got my key setup and working the way I wanted, with multiple uids
> for different email accounts, I tried to configure EnigMail to use the
> qubes-gpg-client-wrapper as shown in the user doc but EnigMail comes back
> with an error about the GPG executable being the wrong version and it is
> expecting gpg 2.x.x.
>
> Is this a known problem or something that is just starting to happen.

I haven't seen this before; perhaps some new Enigmail requires gpg 2.x.
You can change that in /etc/qubes-rpc/qubes.Gpg - there is a path to the
gpg binary that should be used - simply change /usr/bin/gpg to /usr/bin/gpg2.
To make that change persistent, do it in the template.

There can be some further problems if gpg2 has different command line
arguments, but AFAIR most of them are the same, so there is a chance
this will work :)

> Your assistance would be greatly appreciated.
>
> Regards,
> Iestyn Best
>
>
> P.S.
> Is recommended to start signing my post. What is the best way to do that?

As Google Groups tampers with the message body (adding some footer), it's
better to use inline gpg.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Micah Lee

Mar 25, 2015, 2:57:22 PM
to qubes...@googlegroups.com
On 03/25/15 09:41, Marek Marczykowski-Górecki wrote:
> I didn't seen this before, perhaps some new enigmail requires gpg 2.x.
> You can change that in /etc/qubes-rpc/qubes.Gpg - there is a path which
> gpg should be used - simply change /usr/bin/gpg to /usr/bin/gpg2. To
> have that change persistent do that in the template.

This just happened last weekend. A new version of Enigmail was released,
and it's the last version that will support gnupg 1.x in favor of moving
over to gnupg 2.x in the future.

I've still been using gpg1 with it, and one bug that I've noticed with
split GPG is that it returns weird errors when trying to save an
encrypted draft. I haven't had time to open a bug report yet though, or
test it further to see if the problem persists if I switch to gpg2. But
I wouldn't be surprised if the new Enigmail is causing various other
problems for split GPG.

--
Micah Lee
OpenPGP: 0B1491929806596254700155FD720AD9EBA34B1C

Micah Lee

Mar 25, 2015, 3:11:28 PM
to qubes...@googlegroups.com
On 03/25/15 09:41, Marek Marczykowski-Górecki wrote:
> I didn't seen this before, perhaps some new enigmail requires gpg 2.x.
> You can change that in /etc/qubes-rpc/qubes.Gpg - there is a path which
> gpg should be used - simply change /usr/bin/gpg to /usr/bin/gpg2. To
> have that change persistent do that in the template.

Actually, this doesn't appear to be working for me. Even after updating
qubes.Gpg to use /usr/bin/gpg2, it still appears to be using
/usr/bin/gpg for some reason.

[user@email ~]$ cat /etc/qubes-rpc/qubes.Gpg
notify-send "Keyring access from domain: $QREXEC_REMOTE_DOMAIN"
/usr/lib/qubes-gpg-split/gpg-server /usr/bin/gpg2 $QREXEC_REMOTE_DOMAIN
[user@email ~]$ qubes-gpg-client --version
gpg (GnuPG) 1.4.19
Copyright (C) 2015 Free Software Foundation, Inc.

In my gpgvm if I run "gpg --version" it returns "gpg (GnuPG) 1.4.19",
and if I run "gpg2 --version" it returns "gpg (GnuPG) 2.0.25".

J.M. Porup

Mar 25, 2015, 5:01:58 PM
to qubes...@googlegroups.com
Micah Lee:
> On 03/25/15 09:41, Marek Marczykowski-Górecki wrote:
>> I didn't seen this before, perhaps some new enigmail requires gpg 2.x.
>> You can change that in /etc/qubes-rpc/qubes.Gpg - there is a path which
>> gpg should be used - simply change /usr/bin/gpg to /usr/bin/gpg2. To
>> have that change persistent do that in the template.
>
> Actually, this doesn't appear to be working for me. Even after updating
> qubes.Gpg to use /usr/bin/gpg2, it still appears to be using
> /usr/bin/gpg for some reason.

Try changing qubes.Gpg in the vault vm, not in the enigmail vm. This
worked for me.

cheers
Jens


J.M. Porup

Mar 25, 2015, 5:07:04 PM
to qubes...@googlegroups.com
J.M. Porup:
My apologies, I meant of course in the template.

Jens

Iestyn Best

Mar 25, 2015, 11:10:46 PM
to qubes...@googlegroups.com
I seem to have it working that the Key Management in EnigMail can see the keys, but when I go into the account settings and tell it to use a specific UID for an email account it cannot see them.

I have 3 email addresses set up with matching UIDs in the gpg key configuration.

Any help would be appreciated.

Marek Marczykowski-Górecki

Mar 26, 2015, 6:21:25 AM
to Iestyn Best, qubes...@googlegroups.com, Joanna Rutkowska

On Wed, Mar 25, 2015 at 08:10:46PM -0700, Iestyn Best wrote:
> I seem to have it working that the Key Management in EnigMail can see the
> keys, but when I go into the account settings and tell it to use a specific
> UID for an email account it cannot see them.
>
> I have 3 email addresses set up with matching UIDs in the gpg key
> configuration.

Try to update the qubes-gpg-split package from current-testing repo:
yum install --enablerepo=qubes-vm-r2-current-testing qubes-gpg-split
This bug was fixed there (but for gpg 1.x).

@Joanna: can you commit that package to the current repo?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Iestyn Best

Mar 29, 2015, 5:53:18 PM
to qubes...@googlegroups.com
Hi,

Sorry for the delay, that seems to have worked.

Thank you for all your support.

Iestyn Best

Mar 31, 2015, 7:40:07 PM
to qubes...@googlegroups.com
Hi All,

I was just trying to swap my gpg domain to use the fedora minimal template but I was not able to get it working.

When I enter "qubes-gpg-client-wrapper --version" in a terminal from my personal domain I just get EOF.

I checked the /etc/qubes-rpc/qubes.Gpg file and tried it with both gpg and gpg2 with the same results.

Just curious if it is worth changing it over to the minimal template.

Regards,
Iestyn Best

Iestyn Best

Mar 31, 2015, 7:45:14 PM
to qubes...@googlegroups.com
Also, I have some more questions:

Firstly, with the split-gpg setup is there an easy way to import keys since the gpg domain does not have internet access?

Secondly, is there an easy way to sign these posts or do I just need to do it manually via cli each time?

Regards,
Iestyn Best

Marek Marczykowski-Górecki

Mar 31, 2015, 8:37:38 PM
to Iestyn Best, qubes...@googlegroups.com

Make sure you have split-gpg and gpg itself installed in minimal
template.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Marek Marczykowski-Górecki

Mar 31, 2015, 8:41:20 PM
to Iestyn Best, qubes...@googlegroups.com

On Tue, Mar 31, 2015 at 04:45:14PM -0700, Iestyn Best wrote:
> Also, I have some more question:
>
> Firstly, with the split-gpg setup is there an easy way to import keys since
> the gpg domain does not have internet access?

There is a tool for that: gpg-import-key. You need to download the key
manually, then use this command to import it into gpg domain.

> Secondly, is there an easy way to sign these post or do I just need to do
> it manually via cli each time?

If you're using mail client to send the messages, it should just work
with enigmail. I don't know any way to do that using web interface.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Iestyn Best

Mar 31, 2015, 11:54:22 PM
to qubes...@googlegroups.com
Hi Marek,

Thank you for all the info. So for the importing of a public key, I have the following process:
  • Use personal domain to receive key
  • export key to file
  • use qubes-gpg-import-key to import key into gpg domain
Would that be the correct way to do it or is there some way to streamline that even further?

I tried piping the gpg --receive-key command through qubes-gpg-import-key, but it didn't work.

Regards,
Iestyn Best

Marek Marczykowski-Górecki

Apr 1, 2015, 6:45:30 PM
to Iestyn Best, qubes...@googlegroups.com

On Tue, Mar 31, 2015 at 08:54:22PM -0700, Iestyn Best wrote:
> Hi Marek,
>
> Thank you for all the info. So for the importing of a public key, I have
> the following process:
>
> - Use personal domain to receive key
> - export key to file
> - use qubes-gpg-import-key to import key into gpg domain
>
> Would that be the correct way to do it or is there some way to stream line
> that even further?
>
> I tried piping the gpg --receive-key command through qubes-gpg-import-key,
> but it didn't work.

"gpg -a --export ... | qubes-gpg-import-key" should work. gpg
--receive-key needs to be a separate step (as you can't export the key
in the same gpg call).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Iestyn Best

Apr 1, 2015, 7:35:19 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com



On 04/02/15 09:45, Marek Marczykowski-Górecki wrote:
> On Tue, Mar 31, 2015 at 08:54:22PM -0700, Iestyn Best wrote:
>> Hi Marek,
>
>> Thank you for all the info. So for the importing of a public key,
>> I have the following process:
>
>> - Use personal domain to receive key - export key to file - use
>> qubes-gpg-import-key to import key into gpg domain
>
>> Would that be the correct way to do it or is there some way to
>> stream line that even further?
>
>> I tried piping the gpg --receive-key command through
>> qubes-gpg-import-key, but it didn't work.
>
> "gpg -a --export ... | qubes-gpg-import-key" should work. gpg
> --receive-key needs to be a separate step (as you can't export the
> key in the same gpg call).
>
>

Thank you Marek, that seems to work fine.


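The two-step import described in the messages above (receive the key first, then export and pipe it to qubes-gpg-import-key), as an added example that is not from the thread or the Qubes project. The throwaway keyring and the fingerprint comparison before the pipe are additions; the keyserver argument is a placeholder you supply, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, meant for the networked (personal) VM.

# Constructed, abridged sample of `gpg --with-colons --fingerprint` output
# (not a real key); the second fpr record belongs to the subkey.
SAMPLE_LISTING='pub:-:2048:1:0123456789ABCDEF:1427241600:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1427241600::::Example User <user@example.org>:
sub:-:2048:1:1111222233334444:1427241600::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'

# Upper-case a fingerprint and drop blanks so two spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin and print the primary key fingerprint:
# field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1 } seen && $1 == "fpr" { print $10; exit }'
}

# $1: key ID to fetch
# $2: fingerprint obtained out of band
# $3: keyserver (placeholder, supplied by the caller)
# Returns 3 on a fingerprint mismatch; nothing reaches the gpg domain then.
fetch_verify_import() {
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    # Step 1: receive the key into a throwaway keyring (separate gpg call).
    gpg --homedir "$tmp" --keyserver "$3" --recv-keys "$1" || { rm -rf "$tmp"; return 1; }
    got=$(gpg --homedir "$tmp" --with-colons --fingerprint "$1" | primary_fpr)
    if [ "$(normalize_fpr "$got")" != "$(normalize_fpr "$2")" ]; then
        echo "fingerprint mismatch: keyserver returned $got" >&2
        rm -rf "$tmp"
        return 3
    fi
    # Step 2: export armored and pipe into the gpg domain, as in the thread.
    gpg --homedir "$tmp" -a --export "$got" | qubes-gpg-import-key
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh import-key.sh KEYID EXPECTED_FINGERPRINT KEYSERVER
if [ "$#" -eq 3 ]; then
    fetch_verify_import "$1" "$2" "$3"
fi
```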

Todd Lasman

Apr 29, 2015, 9:56:59 PM
to qubes...@googlegroups.com
Did you ever get this sorted out? I'm experiencing the same issue.


Marek Marczykowski-Górecki

Apr 30, 2015, 9:12:08 AM
to Todd Lasman, qubes...@googlegroups.com

You need to edit /etc/qubes-rpc/qubes.Gpg in your gpg backend VM (or
the template on which the VM is based), not the email VM.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Todd Lasman

Apr 30, 2015, 12:42:56 PM
to qubes...@googlegroups.com


On 2015-04-30 06:11, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, Apr 29, 2015 at 06:56:19PM -0700, Todd Lasman wrote:
>>
>> On 03/25/2015 12:11 PM, Micah Lee wrote:
>> > On 03/25/15 09:41, Marek Marczykowski-Górecki wrote:
>> >> I didn't seen this before, perhaps some new enigmail requires gpg 2.x.
>> >> You can change that in /etc/qubes-rpc/qubes.Gpg - there is a path which
>> >> gpg should be used - simply change /usr/bin/gpg to /usr/bin/gpg2. To
>> >> have that change persistent do that in the template.
>> > Actually, this doesn't appear to be working for me. Even after updating
>> > qubes.Gpg to use /usr/bin/gpg2, it still appears to be using
>> > /usr/bin/gpg for some reason.
>> >
>> > [user@email ~]$ cat /etc/qubes-rpc/qubes.Gpg
>> > notify-send "Keyring access from domain: $QREXEC_REMOTE_DOMAIN"
>> > /usr/lib/qubes-gpg-split/gpg-server /usr/bin/gpg2 $QREXEC_REMOTE_DOMAIN
>> > [user@email ~]$ qubes-gpg-client --version
>> > gpg (GnuPG) 1.4.19
>> > Copyright (C) 2015 Free Software Foundation, Inc.
>> >
>> > In my gpgvm if I run "gpg --version" it returns "gpg (GnuPG) 1.4.19",
>> > and if I run "gpg2 --version" it returns "gpg (GnuPG) 2.0.25".
>> >
>> Did you ever get this sorted out? I'm experiencing the same issue.
>
> You need to edit /etc/qubes-rpc/qubes.Gpg in your gpg backend VM (or
> the template on which the VM is based), not the email VM.
>

Thanks, Marek. I understood this at the outset, and that's where I
edited the file (that is, in the template).
I shut down the template and restarted my email VM, but it's still using
gpg version 1.4.19.

Iestyn Best

Apr 30, 2015, 6:16:30 PM
to qubes...@googlegroups.com
I believe it is all working for me.

[user@personal ~]$ qubes-gpg-client-wrapper --version
gpg (GnuPG) 2.0.27
libgcrypt 1.5.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
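The check this thread keeps coming back to (which gpg binary the qubes.Gpg service file names, versus the version the client VM actually gets back), as an added example that is not part of the thread or of qubes-gpg-split. The function names are hypothetical; the sample file is constructed from the session quoted earlier in the thread.

```shell
#!/bin/sh
# Added example; not part of the thread or of the qubes-gpg-split package.

# Print the gpg binary that a qubes.Gpg service file hands to gpg-server.
# $1: service file to read (default: the path named in the thread).
backend_gpg_path() {
    awk '
        /^[[:space:]]*#/ { next }            # ignore comment lines
        {
            # The word after ".../gpg-server" is the gpg binary to run.
            for (i = 1; i < NF; i++)
                if ($i ~ /\/gpg-server$/) { print $(i + 1); found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "${1:-/etc/qubes-rpc/qubes.Gpg}"
}

# Read `--version` output on stdin and print the GnuPG version, e.g. 1.4.19.
gpg_version_of() {
    sed -n '1s/^gpg (GnuPG) \([0-9][0-9.]*\).*$/\1/p'
}

# Decide whether the client reaches the binary the service file names.
# $1: service file, $2: version the client VM reported, $3: wanted major (1 or 2).
# Returns 0 on match, 1 on mismatch, 2 if the file has no gpg-server line.
diagnose() {
    bin=$(backend_gpg_path "$1") || { echo "no gpg-server line in $1"; return 2; }
    if [ "${2%%.*}" = "$3" ]; then
        echo "ok: $bin answers as GnuPG $2"
        return 0
    fi
    # A mismatch means the file you edited is not the one the backend ran:
    # it is in the client VM, or the backend VM predates the template change.
    echo "mismatch: $1 names $bin but the client reached GnuPG $2"
    return 1
}

# Constructed sample: the service file content quoted in the thread.
write_sample_service_file() {
    cat > "$1" <<'EOF'
notify-send "Keyring access from domain: $QREXEC_REMOTE_DOMAIN"
/usr/lib/qubes-gpg-split/gpg-server /usr/bin/gpg2 $QREXEC_REMOTE_DOMAIN
EOF
}

case "${1:-}" in
    --backend) backend_gpg_path ;;                                      # run in the gpg backend VM
    --client)  qubes-gpg-client-wrapper --version | gpg_version_of ;;   # run in the client VM
esac
```

Run it with `--backend` in the gpg backend VM and with `--client` in the e-mail VM, then compare the two answers.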



zabo...@gmail.com

May 17, 2015, 12:50:34 PM
to qubes...@googlegroups.com
I'm having a similar problem. Split GPG management seems to work, but Enigmail keeps giving me error messages and won't cooperate. I've tried updating the scripts in the vault template from gpg to gpg2, but that doesn't change anything. These are the messages I get:

++ Enigmail configuration for Qubes, after choosing "override with /usr/bin/qubes-gpg-client-wrapper" in the basic enigmail settings:

Unable to connect to gpg-agent. Your system uses a specialized tool for managing the secret key as gnome-keyring or seahorse-agent. Unfortunately, Enigmail can not control the timeout of the passphrase for your instrument. So its time-out settings in Enigmail are ignored.

++ During the guided configuration of Enigmail:

Enigmail initialization failed. You're using GnuPG version, that is out of date. Enigmail requires GnuPG version 1.4 or later; upgrade your GnuPG installation, or Enigmail will not work.

++ During the guided configuration, when selecting override through qubes-gpg-client-wrapper:

The specified file is not an executable GnuPG. Choose another file.

Marek Marczykowski-Górecki

May 17, 2015, 4:52:37 PM
to zabo...@gmail.com, qubes...@googlegroups.com

If you try to call qubes-gpg-client-wrapper manually, does it work?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Miguel Jacq

May 18, 2015, 3:25:58 AM
to qubes...@googlegroups.com

Hi,

On 18/05/15 02:50, zabo...@gmail.com wrote:
> On Wednesday, 25 March 2015 05:49:39 UTC+1, Iestyn Best wrote:
>
> I'm having a similar problem. Split GPG management seems to work,
> but Enigmail keeps giving me error messages and won't cooperate.
> I've tried updating the scripts in the vault template from gpg to
> gpg2, but that doesn't change anything. These are the messages I
> get:
>
> ++ Enigmail configuration for Qubes, after choosing "override with
> /usr/bin/qubes-gpg-client-wrapper" in the basic enigmail settings:
>
> Unable to connect to gpg-agent. Your system uses a specialized tool
> for managing the secret key as gnome-keyring or seahorse-agent.
> Unfortunately, Enigmail can not control the timeout of the
> passphrase for your instrument. So its time-out settings in
> Enigmail are ignored.
>
> ++ During the guided configuration of Enigmail:
>
> Enigmail initialization failed. You're using GnuPG version, that is
> out of date. Enigmail requires GnuPG version 1.4 or later; upgrade
> your GnuPG installation, or Enigmail will not work.
>
> ++ During the guided configuration, when selecting override through
> qubes-gpg-client-wrapper:
>
> The specified file is not an executable GnuPG. Choose another
> file.
>


I saw this error above when attempting to use Debian TemplateVM for my
GPG domain, and when tailing /var/log/syslog, it said 'zenity: command
not found' or similar.

The 'qubes-gpg-client' command itself simply threw 'EOF' as response
at the time.

I installed zenity in the template and I think that sorted this
problem. But I ran into other issues (can't recall specifically what,
sorry, but it was during a period where I was trying to convert lots
of VMs to Debian templates) and I ended up reverting back to Fedora,
where it is all working for me.

Cheers

Mig

Miguel Jacq

May 18, 2015, 3:32:51 AM
to qubes...@googlegroups.com

Hi,

On 18/05/15 17:25, Miguel Jacq wrote:
>
> I saw this error above when attempting to use Debian TemplateVM for
> my GPG domain, and when tailing /var/log/syslog, it said 'zenity:
> command not found' or similar.
>
> The 'qubes-gpg-client' command itself simply threw 'EOF' as
> response at the time.
>
> I installed zenity in the template and I think that sorted this
> problem. But I ran into other issues (can't recall specifically
> what, sorry, but it was during a period where I was trying to
> convert lots of VMs to Debian templates) and I ended up reverting
> back to Fedora, where it is all working for me.

Oh - and if you are also trying on Debian, I think I had to 'apt-get
install qubes-gpg-split' on the template too (it wasn't there by
default).

Cheers

Mig

zabo...@gmail.com

May 18, 2015, 6:33:43 AM
to qubes...@googlegroups.com, zabo...@gmail.com

>
> If you try to call qubes-gpg-client-wrapper manually, does it work?

If I try to call it, it starts without giving me any messages, neither that it is working nor that it's not.

If I ask the system what is happening with gpg:

ps -ef | grep gpg
user 2384 2163 0 11:47 pts/0 00:00:00 qubes-gpg-client
user 2385 2384 0 11:47 pts/0 00:00:00 qrexec_client_vm vault qubes.Gpg /usr/lib/qubes-gpg-split/pipe-cat /tmp/qubes-gpg-split.fu3Pvi/input /tmp/qubesgpg-split.fu3Pvi/output
user 2386 2385 0 11:47 pts/0 00:00:00 pipe-cat /tmp/qubes-gpg-split.fu3Pvi/input /tmp/qubes-gpg-split.fu3Pvi/output

Even while it runs, the error messages I get from Enigmail are the same.
Btw, I'm using Qubes R3 on a Lenovo Thinkpad X250, and I'm using standard Fedora VMs with no tweaks added.

Unman

May 18, 2015, 5:40:05 PM
to Miguel Jacq, qubes...@googlegroups.com
On Mon, May 18, 2015 at 05:25:48PM +1000, Miguel Jacq wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi,
>
> On 18/05/15 02:50, zabo...@gmail.com wrote:
> > Il giorno mercoledì 25 marzo 2015 05:49:39 UTC+1, Iestyn Best ha
The Debian template has far fewer packages than the Fedora template - more
akin to the fedora minimal. This probably isn't all that clear. So it's
likely that you will have to install some packages straight off to make
the Debian template work for you.

unman

eldorado

May 22, 2015, 11:07:42 PM
to zabo...@gmail.com, qubes...@googlegroups.com
I had the same issue with Qubes R3. I updated the template that the
Thunderbird VM was on, and I had every error in this topic. After
restarting my Thunderbird VM everything worked very well :)


JPL

May 26, 2015, 4:38:09 AM
to qubes...@googlegroups.com, zabo...@gmail.com, eldo...@riseup.net

Is an updated version of the documentation available yet, or could someone provide a simple step by step version for R3?
Thanks

Axon

May 26, 2015, 1:37:25 PM
to JPL, qubes...@googlegroups.com, zabo...@gmail.com, eldo...@riseup.net
Does this answer your question?

https://github.com/QubesOS/qubes-doc/commit/914514b2d535d9e547145987ed3193876c514be4?short_path=5d1d631#diff-5d1d631f6a5d52a91588fc44bcaf304d

eldorado

May 26, 2015, 2:17:35 PM
to JPL, qubes...@googlegroups.com, zabo...@gmail.com
I followed the documentation. Just after you get the above errors you should restart the Thunderbird AppVM. Everything works after restart.

JPL

May 30, 2015, 4:58:34 AM
to qubes...@googlegroups.com, zabo...@gmail.com, eldo...@riseup.net

OK I've got that working - thanks. Still having a few problems which seem to be Qubes-related rather than Thunderbird/Enigmail related though

For example, I can't import public keys from the keyserver, and on trying to refresh:

Enigmail Key Management > Keyserver > Refresh all public keys > [choose a key server]

I get this message

Downloading of keys failed
qubes-gpg-client: unrecognized option '--keyserver'

Is there something I need to tweak to get this working?