Split gpg2 gpg: error writing keyring '[keyboxd]': Attempt to write a readonly SQL database

Trying to set up split-gpg2. Following instructions at Split GPG-2 — Qubes OS Documentation

Found out split-gpg2-dom0 is needed from older posts. Started over with a new server appvm and deleted the client's ~/.gnupg

Got to the import keys and owner trust steps and got this

[user@dev dev-gpg]$ gpg --import public-keys 
gpg: directory '/home/user/.gnupg' created
gpg: error writing keyring '[keyboxd]': Attempt to write a readonly SQL database
gpg: error reading 'public-keys': Attempt to write a readonly SQL database
gpg: import from 'public-keys' failed: Attempt to write a readonly SQL database
gpg: Total number processed: 0

It is not, that’s why you will read that in old posts but not in the docs :slight_smile:

I don’t think the error is related to Split GPG 2. Try to import your keys in a fresh qube.

Thanks, restoring that qube from before got me to the next step

$ gpg -K
/home/user/.gnupg/pubring.kbx

sec#  ed25519 2026-04-15 [SC] [expires: 2029-04-14]
      STRINGOFHEXHERE
uid           [ultimate] User <user@dev.qubes>
ssb   cv25519 2026-04-15 [E] [expires: 2029-04-14]

But when I try to sign a file,

$ gpg --detach-sign fs.txt 
gpg: signing failed: No secret key
gpg: signing failed: No secret key

Really rubbing it in there saying it twice :laughing:
No sub keys.

Turns out there was a subkey which can only encrypt. Which, as the Subkeys vs primary keys section warns about, prevents signing. Making a signing subkey fixed it.

Since this is marked as the solution, the solution to the original problem was what @parulin said. New qube. Or restore a backup before importing keys.

1 Like
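
An added example, not part of the thread or the Qubes documentation: a check for the "No secret key" case above, run over `gpg --list-secret-keys --with-colons` output. The two listings are constructed to mirror the `gpg -K` output in the thread (stub primary `sec#`, encrypt-only subkey); key IDs are placeholders and the function names are hypothetical.

```python
# Constructed samples in `gpg --list-secret-keys --with-colons` format.
# Key IDs are placeholders, not values from the thread.
ENCRYPT_ONLY = """\
sec:u:255:22:AAAAAAAAAAAAAAAA:1776211200:1870819200::u:::scESC:::#::ed25519:::0:
uid:u::::1776211200::0000::User <user@dev.qubes>::::::::::0:
ssb:u:255:18:BBBBBBBBBBBBBBBB:1776211200:1870819200:::::e:::+::cv25519::
"""
WITH_SIGNING_SUBKEY = ENCRYPT_ONLY + (
    "ssb:u:255:22:CCCCCCCCCCCCCCCC:1776211200:1870819200:::::s:::+::ed25519::\n"
)

UNUSABLE = {"r", "e", "i", "d"}  # revoked, expired, invalid, disabled


def usable_signing_keys(colon_listing):
    """Return key IDs that can actually sign: 's' capability, secret material
    present (field 15 is not '#'), and not revoked/expired/invalid."""
    found = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        validity, keyid, caps, token = f[1], f[4], f[11], f[14]
        if "s" not in caps:   # lowercase letters are this key's own capabilities
            continue
        if token == "#":      # stub: the secret part is not available here
            continue
        if validity in UNUSABLE:
            continue
        found.append(keyid)
    return found


def explain(colon_listing):
    """Summarise whether a detached signature could be made."""
    keys = usable_signing_keys(colon_listing)
    if keys:
        return "can sign with: " + ", ".join(keys)
    return "no usable signing key: signing would fail with 'No secret key'"


if __name__ == "__main__":
    print(explain(ENCRYPT_ONLY))
    print(explain(WITH_SIGNING_SUBKEY))
```
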

Tried this again on a fresh Qubes install, and got denied trying to do anything between qubes with the policy file in place. Didn’t work until installing split-gpg2-dom0. Think you really do need it.

On my system (4.3), split-gpg2-dom0 installs two things:

  • /etc/qubes/policy.d/30-user-gpg2.policy
  • /usr/lib/python3.13/site-packages/splitgpg2tests

The content of the policy file is full of comments… I removed this package and split GPG 2 still works.

Saw the file, didn’t know about the python tests. That’s why I tried on another laptop with a fresh Qubes install. Made the policy file. Then the server qube couldn’t do anything with other qubes. Anything got denied until that policy file was deleted or split-gpg2-dom0 was installed. Doesn’t make sense that permissions on something that may not exist would have that effect. Possible there was a typo, but that was a simple line.

Thought there might be a dependency pulled in, but it only needs /bin/sh and python. So the fact that you can remove it is curious.