OpenPGP with split GPG doesn't find public keys in gpg qube keyring

After updating Thunderbird to v. 78 in the Fedora 32 template - and following instructions here - Thunderbird decrypts and signs emails, but doesn’t encrypt them.

Thunderbird can see the private key in the keyring in the gpg qube, but can’t see the public keys, and the keymanager in Thunderbird only includes the public key imported for signing according to the instructions in the official docs

I had to export the public keys in the keyring in the gpg qube and re-import them in the work qube - so now the split gpg works only for my private key but not for the rest of my keys. Is this the expected behaviour?

Yes, it’s actually described right in the section you linked. I think you might have missed this part:

For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn’t fetch the public key from /usr/bin/qubes-gpg-client-wrapper, you must manually import it. Export the key as follow (assuming the key ID would be 777402E6D301615C): […]

This is unfortunate functionality, but of course we have no control over Thunderbird.

I see thanks. I suggest to include in the official documentation a paragraph in bold at the beginning of the guide on Thunderbird 78 clarifying that the GPG Split functionality does not work anymore as it did and that what we can do now is only use the gpg qube to store 1 private key. The documentation should explain clearly that the rest of the keyring cannot be protected any longer.

1 Like

Possibly explore some other email clients…

hi all,

so just to restate and clarify – with Thunderbird 78 all public keys now need to live in your online TB qube rather than in your offline split-gpg qube. this is certainly a change from previously and I’ll propose an edit to the documentation to make this explicit.

I totally agree it’s a mess, it is honestly a miracle that OpenPGP (and split-gpg) even survived the transition to TB 78.


Thanks for the PR, @michael. I’ve merged it.

@regina, in case you (or any others reading this) are not already aware, the documentation is a community effort, and everyone is welcome to contribute. (That’s how things like this get updated!) So, if you’d like to get involved with the project, this is a great way to do it. You can read more about how to submit documentation changes here:

1 Like