I recently bought a Librem laptop with Qubes 4.1 preinstalled and setup split-gpg with thunderbird and split-ssh and some other stuff.
Around easter weekend I wanted to upgrade to 4.2 and failed so miserably that I decided to do a clean reinstall of 4.2.4, which worked.
Now I’m trying to setup split-gpg and thunderbird again and had two issues:
when I first setup Thunderbird on 4.1, I remember that some docu (probably the “split-gpg” page) had screenshots of how to configure Thunderbird to use the smart card interface. I don’t find this in Thunderbird anymore, so either I’m missing something or Thunderbird in Fedora is different from Debian.
it seems to be difficult to browse the “old” documentation for 4.1.
Can someone please tell me what I need to do in Thunderbird in order to configure using Smart card access for my private keys?
qubes-gpg-client -u <bla> -b <some file> works fine (launches gpg backend qube, asks for selecting backend qube with pre-filled dialog, and asks for permission and then signs the file)
Bonus points for telling me a convenient way to browse the 4.1 documentation on github without cloning the repo
We have had a discussion about it recently (here: Help setting up split-gpg)
The qubes team has made the decision to switch the docu from split-gpg1 (the old one, that you remember) to split-gpg2. But unfortunally, the thunderbird part of the docu has dissapeared and also i have found, that the setup with thunderbird, split-gpg and smartcard-based private key does not work anymore.
So i switched my setup back to split-gpg1 (i know, thats working).
If you follow these guide: SplitGpg
then you have almost all, what you need.
The last steps are:
go into thunderbird
import your public key (only these, not the private one!)
go into thunderbird settings
navigate to the bottom of the settings page, there you can find a button (edit config)
than you can set (in the settings for each mail account) the gpg key to external gpg key and there you can define the id (the last 16 bytes of your key_id).
In the meantime I used the wayback machine and learned the missing link (about:config stuff).
I checked your link and configured accordingly – unfortunately the dom0 part is missing in your guide.
Is it necessary to downgrade the packages qubes-gpg-split{,-dom0} to switch back to split-gpg1? What else do I need to configure in dom0?
I’d prefer to get the old behaviour back: starting Thunderbird auto-starts the gpg backend vm, prompts me for access permission, so I notice access attempts. I don’t remember the exact setup in the dom0:/etc/qubes/policy.d part, the current setup does not work.
In dom0, I have:
/etc/qubes/policy.d/30-user-splitgpg.policy qubes.Gpg * @anyvm vault ask default_target=vault
The default_target here has the vault vm preselected when the dialog appears after using qubes-gpg-client -K
/etc/qubes/policy.d/50-config-splitgpg.policy
The latter is auto-generated and has qubes.Gpg * @anyvm vault ask
Which one(s) do I require, and how do I configure the autmation for starting up the backend VM after launching Thunderbird?
@murdock knows more than me, but qubes.Gpg2 policy is for the new split-gpg2. It shouldn’t interfere with the legacy split-gpg setup. 30-user-splitgpg and 50-config-splitgpg should both do what you want. I believe the one with the lower number will take precedence.
If your inter-VM clipboard stops working, that’s a sign that you have a syntax error in one of your policies. You can see what the policies are doing by checking out /var/log/qubes/qrexec.vm-email.log
split-gpg and split-gpg2 can, as far as i see on my system, coexists.
The dom0 pack, that you need is “qubes-gpg-split-dom0” (split-gpg). It is installed as default in dom0 (afaik). If you have that pack installed and use the gui-editor for the policy file, you have all, that you need, in dom0.
The policy file, that is managed by the gui is /etc/qubes/policy.d/50-config-splitgpg.policy, so your 30-user-splitgpg.policy maybe is a manual edited one. Please check and delete that and recreate the default file with the gui editor.
Thanks alot. I like the concept behind split-gpg2, it uses the standard gpg binary and there is no need for a specialized gpg-wrapper script anymore.
As far, as it works with smartcard-based gpg private keys (like the often recommended yubikeys), i would immediately switch to split-gpg2. Until then, the old one works well and there is no need to hurry.
Thank you all for your helpful hints.
I finally figured out what I messed up, and it is not really related to Qubes at all. In fact it is so stupid that writing it down hurts.
As I said above, if I called qubes-gpg-client -K in a shell, it worked as it should, even started the GPG backend qube if not running already. So why did Thunderbird refuse to decrypt the test message? Turns out Thunderbird config editor behaves strange – at least for my brain. I set the property mail.openpgp.alternative_gpg_path to /usr/bin/qubes-gpg-client-wrapper, hit return and closed the editor. Just as it works with other settings that take effect immediately. But in textentry forms one is supposed to click the button to the right of the text instead. I checked again this morning and found the setting was missing, and did click the button this time, and now Thunderbird cooperates again, just as it did before.
Sorry to bother you, but thanks @murdock for the link to the 4.1 documentation, which helped me setup Thunderbird accordingly.
