OpenPGP with split GPG doesn't find public keys in gpg qube keyring

After updating Thunderbird to v. 78 in the Fedora 32 template - and following instructions here https://www.qubes-os.org/doc/split-gpg/#thunderbird-78-and-higher - Thunderbird decrypts and signs emails, but doesn’t encrypt them.

Thunderbird can see the private key in the keyring in the gpg qube, but can’t see the public keys, and the keymanager in Thunderbird only includes the public key imported for signing according to the instructions in the official docs https://www.qubes-os.org/doc/split-gpg/#thunderbird-78-and-higher

I had to export the public keys in the keyring in the gpg qube and re-import them in the work qube - so now the split gpg works only for my private key but not for the rest of my keys. Is this the expected behaviour?

Yes, it’s actually described right in the section you linked. I think you might have missed this part:

For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn’t fetch the public key from /usr/bin/qubes-gpg-client-wrapper, you must manually import it. Export the key as follow (assuming the key ID would be 777402E6D301615C): […]

This is unfortunate functionality, but of course we have no control over Thunderbird.

I see, thanks. I suggest including in the official documentation a paragraph in bold at the beginning of the guide on Thunderbird 78 clarifying that the GPG Split functionality does not work anymore as it did and that what we can do now is only use the gpg qube to store 1 private key. The documentation should explain clearly that the rest of the keyring cannot be protected any longer.

Possibly explore some other email clients…

hi all,

so just to restate and clarify – with Thunderbird 78 all public keys now need to live in your online TB qube rather than in your offline split-gpg qube. this is certainly a change from previously and I’ll propose an edit to the documentation to make this explicit.

I totally agree it’s a mess, it is honestly a miracle that OpenPGP (and split-gpg) even survived the transition to TB 78.

Thanks for the PR, @michael. I’ve merged it.

@regina, in case you (or any others reading this) are not already aware, the documentation is a community effort, and everyone is welcome to contribute. (That’s how things like this get updated!) So, if you’d like to get involved with the project, this is a great way to do it. You can read more about how to submit documentation changes here:
