Split-gpg doc questions and confusions

Recently I setup split-gpg following the docs. However, I recognized some level of disparity between what the docs say and the way qubesOS works today.

  1. When I do qubes-gpg-client -K on a qube of mine for the purposes of reaching the gpg backend qube, I get TWO confirmation dialogs instead of the documentation’s singular one. The first one that pops up is the following:

[screenshot: ss1]

In the above conf dialog, I simply click on the Target: box, hit the down arrow key, select my gpg backend qube, and hit Enter. This confirms my desire to allow the red qube to reach the black (offline) qube for the GPG operations.

But after that, I get a follow-up conf dialog, which is the one that’s visible in the Split-GPG doc of the QubesOS website:

[screenshot: ss2]

Here, I, once again, have to click “Yes” in order to get the split-gpg operation to go through. This seems redundant, because, if I don’t allow the first confirmation box, I don’t get to the second one anyway. Furthermore, the thing that makes the second confirmation dialog doubly redundant is that even if the second one claims “allow now and for the following 5 minutes”, I get the first dialog box each and every time I try to use the qubes-gpg-client command on the split-gpg client qube (which is what I like, btw; I like to be visibly asked for confirmation each and every time a qube of mine wants to reach the split-gpg backend.)

  2. The docs mention modifying the file /etc/qubes-rpc/policy/qubes.Gpg. However, QubesOS 4.2’s UI doesn’t seem to use that file? Q Menu → Cogwheel icon → Qubes Tools → Qubes Global Config → Split GPG: Select Enabled. This creates a file in dom0, /etc/qubes/policy.d/50-config-splitgpg.policy. So, the doc seems to mention some older directory location for this file?

  3. When I manually edit the file /etc/qubes/policy.d/50-config-splitgpg.policy in dom0 and insert in it a single line:

qubes.Gpg * <GPG-CLIENT-QUBE> <GPG-BACKEND-QUBE> ask target=<GPG-BACKEND-QUBE>

I get the working behavior, which is very similar to what I already have with the Split-SSH config, which is nice and good (what I want). However, upon visiting the Q Menu → Cogwheel icon → Qubes Tools → Qubes Global Config → Split GPG window, I see the error: “Some policy rules cannot be parsed. They are correct but are too complicated for this tool to handle. These rules will be discarded on save. The following rules were affected.”

Well, I don’t want my rules to be discarded, and I don’t see them being discarded; I guess this is because upon seeing this message I immediately leave the Split GPG window without clicking on the Apply button?

All these 3 points are confusing to me as a first-time user of the split-gpg config. Any comments about these points? Is there something wrong with my split-gpg setup that makes me shoot myself in the foot?

I recommend using the Split GPG GUI as it’s quite effective and easy to use; you can’t make mistakes with it, and I’m not even sure you can do more manually than what the GUI offers.

Maybe you have the first confirmation because you have multiple GPG vaults allowed for the qube? I never had this one when using split GPG, as I just have a dedicated GPG qube for each key, and my qubes are only allowed to reach a single GPG keyring per qube.

Well, see my 3rd point, as the GUI itself seems to say that I am doing a more sophisticated setup than it can parse.

I prefer to use commandline configurations as the GUI tools seem to change their design every now and then, making me confused about how to relate to the new UI and the workings of the mechanisms they affect.

No I don’t have multiple GPG vaults. I only have a single one (yet, and currently).

I will also have multiple GPG backend qubes for my anonymous, pseudonymous and public identities in the near future.

Maybe the issue is in the RPC rule then: if you define a default target, you need to use allow instead of ask in your rule.

Perhaps you are right. However, in my experience, using ask with target= is a good middle ground between speed and security, as in, I get asked which qube, and the selection list in the dialog box contains only the target= specified qube’s name. So, I click on the Target: box, hit the down arrow key once, hit Enter, and I know exactly that the intended backend qube will be selected.
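Since the thread turns on the shape of that one policy line (the rule quoted in the OP's third point and the ask/allow variants discussed just above), here is an added example, not code from the thread or from Qubes OS: a small Python parser for the rule format used in /etc/qubes/policy.d files, run over a constructed sample file whose qube names (gpg-client, gpg-backend, mail-qube) are placeholders.

```python
# Added example (not from the thread or from Qubes OS): parse rules of the form
#   <service> <argument> <source> <target> <action> [param=value ...]
# as used in /etc/qubes/policy.d/*.policy, e.g. 50-config-splitgpg.policy.
from dataclasses import dataclass, field

ACTIONS = {"allow", "ask", "deny"}


@dataclass
class Rule:
    service: str    # e.g. qubes.Gpg
    argument: str   # '*' matches any argument
    source: str     # calling qube (the split-gpg client)
    target: str     # requested qube
    action: str     # allow | ask | deny
    params: dict = field(default_factory=dict)  # e.g. {"target": "..."}


def parse_rule(line: str):
    """Parse one policy line; return None for blank lines and comments."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    if len(fields) < 5:
        raise ValueError(f"expected at least 5 fields: {line!r}")
    service, argument, source, target, action, *rest = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {line!r}")
    params = {}
    for item in rest:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed parameter {item!r} in {line!r}")
        params[key] = value
    if action == "deny" and params:
        raise ValueError(f"deny takes no parameters: {line!r}")
    return Rule(service, argument, source, target, action, params)


def prompts_user(rule: Rule) -> bool:
    """'ask' shows the dom0 confirmation dialog on each call; 'allow' with a
    target= parameter lets the call through silently (the trade-off above)."""
    return rule.action == "ask"


def load_policy(text: str):
    """Parse a whole policy file into a list of Rule objects."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


# Constructed sample file: the OP's ask rule, the allow variant, and a deny.
SAMPLE = """\
# constructed sample; qube names are placeholders
qubes.Gpg * gpg-client gpg-backend ask target=gpg-backend
qubes.Gpg * mail-qube gpg-backend allow target=gpg-backend
qubes.Gpg * @anyvm @anyvm deny
"""
```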

So you want to get rid of the 2nd confirmation?

Not sure it’s possible, maybe with QUBES_GPG_AUTOACCEPT set to 0?

This is one of the points in my OP. There are two other points that also have disparity with the current QubesOS behavior and cause confusion.