Issues with split-gpg2 and git commit signing

I use saltstack to manage my system, and I've set up my gpg server and gpg client VM according to the docs.
My gitconfig contains this regarding gpg:

[user]
...
    signingkey = C1E78CE601392ABCC49072A0B204131BB15B20FE
...
[gpg]
    format = openpgp
[commit]
    gpgsign = true
[tag]
    gpgsign = true
...

gpg -K correctly prints my key, however I get this warning:

gpg: WARNING: server 'gpg-agent' is older than us (2.2.40 < 2.4.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
...
// then follows the expected output

When trying to sign commits, I get this:

error: gpg failed to sign the data:
gpg: WARNING: server 'gpg-agent' is older than us (2.2.40 < 2.4.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
[GNUPG:] KEY_CONSIDERED C1E78CE601392ABCC49072A0B204131BB15B20FE 2
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: No secret key
[GNUPG:] FAILURE sign 67108881
gpg: signing failed: No secret key

fatal: failed to write commit object

Edit:
Signing a normal .txt also fails:

gpg: WARNING: server 'gpg-agent' is older than us (2.2.40 < 2.4.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
gpg: signing failed: No secret key
gpg: signing failed: No secret key

Both when trying to sign a commit message and when I try to sign the file, I get a popup asking me if I want to allow it:

split-gpg2: '<client-qube>' wants to execute PKSIGN. Do you want to allow this?

When trying to sign something inside my gpg server, it works.
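An added example, not part of the thread or of split-gpg2: it decodes the number in `[GNUPG:] FAILURE sign 67108881` using libgpg-error's layout (error source in bits 24-30, error code in the low 16 bits) and pulls the version pair out of the "older than us" warning. The lookup tables are a small subset of libgpg-error's, and the function names are hypothetical.

```python
import re

# Subset of libgpg-error's tables; only the entries this triage needs.
SOURCES = {1: "gcrypt", 2: "gpg", 3: "gpgsm", 4: "gpg-agent", 5: "pinentry", 6: "scdaemon"}
CODES = {9: "No public key", 11: "Bad passphrase", 17: "No secret key", 99: "Operation cancelled"}

# Lines copied from the output posted above.
SAMPLE = """\
gpg: WARNING: server 'gpg-agent' is older than us (2.2.40 < 2.4.7)
gpg: problem with fast path key listing: IPC parameter error - ignored
[GNUPG:] KEY_CONSIDERED C1E78CE601392ABCC49072A0B204131BB15B20FE 2
[GNUPG:] BEGIN_SIGNING H10
[GNUPG:] FAILURE sign 67108881
"""

SKEW_RE = re.compile(r"server '([^']+)' is older than us \(([\d.]+) < ([\d.]+)\)")
FAILURE_RE = re.compile(r"\[GNUPG:\] FAILURE (\S+) (\d+)")


def decode_gpg_error(value):
    """Split a gpg_error_t into (source name, code name)."""
    source = (value >> 24) & 0x7F   # which component raised the error
    code = value & 0xFFFF           # what went wrong
    return (SOURCES.get(source, f"source {source}"),
            CODES.get(code, f"code {code}"))


def triage(output):
    """Collect version skew and decoded FAILURE lines from gpg output."""
    report = {"version_skew": None, "failures": []}
    for line in output.splitlines():
        skew = SKEW_RE.search(line)
        if skew:
            # (server name, server version, client version)
            report["version_skew"] = skew.groups()
        failure = FAILURE_RE.match(line)
        if failure:
            source, code = decode_gpg_error(int(failure.group(2)))
            report["failures"].append((failure.group(1), source, code))
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the posted output, the decoded source is gpg-agent and the code is "No secret key", meaning the refusal is reported by the agent answering the signing request rather than by the local gpg process.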

What if you add this to ~/.gitconfig? When using split-gpg, you need to use a wrapper and not the gpg binary directly.

[gpg]
	program = qubes-gpg-client-wrapper

I thought this isn't necessary anymore with split-gpg2.
Nevertheless, this would lead to the following:

error: cannot run qubes-gpg-client-wrapper: No such file or directory
error: gpg failed to sign the data:
(no gpg output)
fatal: failed to write commit object

Looks like I missed that new split-gpg2 service! :hushed:

The old documentation Split GPG | Qubes OS is indeed describing my setup.

Do you use the same template in both places? Looks like the GPG server is using an older version than the client, this might be the issue.

Indeed, my gpg server is based on debian minimal, my dev qube on fedora minimal.
I don't get any warnings if I use a debian-based, but it still doesn't work.
This is my saltstack state I use to set up gpg clients:

configure-cache-dir:
  file.directory:
    - name: /home/user/.cache
    - user: user
    - group: user
    - mode: 755
    - makedirs: True

configure-gpg-import-files:
  file.managed:
    - mode: 644
    - names:
      - /home/user/.cache/public-keys-export:
        - source: salt://sys-gpg/files/public-keys-export
      - /home/user/.cache/ownertrust-export:
        - source: salt://sys-gpg/files/ownertrust-export
 
configure-public-keys-import:
  cmd.run:
    - name: "su - user -c 'gpg --import /home/user/.cache/public-keys-export'"
   
configure-ownertrust-import:
  cmd.run:
    - name: "su - user -c 'gpg --import-ownertrust /home/user/.cache/ownertrust-export'"

In all of them, I installed the split-gpg2 package.