Unable to set up split-gpg in 4.2.7

Hello all,

I tried to set up split-gpg with the guide from the official docs. Doesn’t work. Then I found a
later discussion here https://forum.qubes-os.org/t/confused-about-split-gpg-gui-under-4-2/24533
I followed the guide, but also had the “old” config steps from the original documentation configured.

My questions to figure it out what happens here are:

  1. Do I have to uninstall any package from the “old” gpg-split documentation before I install
    the split-gpg2-dom0 and split-gpg2 packages?

  2. Am I right in assuming that PRIVATE keys are stored in work-gpg and
    PUBLIC keys are stored in the app qube in which my email program runs?

  3. I had imported the PRIVATE keys in the network-less work-gpg and after this I removed
    the password from these keys with gpg --edit-keys and passwd. Does this work?

Perhaps there is an up-to-date step-by-step guide for the new policies, but I cannot find it on the
web.

Thanks in advance
HerrHolle

Welcome, HerrHolle!

  1. Yes, you should uninstall old packages. I’d recommend starting with a new template if it’s not a hassle.

  2. Yes.

  3. Yes, that should be enough.

I’ll see about getting a community guide out in the coming week. Please let me know if you run into any specific problems.

@XMachina

Thank you for your post!
After removing the old packages and fixing a typo in the 30-user-gpg2.policy, the
email qube has access to the work-gpg qube. Encryption and decryption work now. But signing fails with error code: no secret key.

I read that using only one master key for all purposes (encryption AND signing) will fail on split-gpg. So I created a separate signing key (RSA) with gpg --edit-key <key-id> and addkey, also without the need to type the password. But the error is still the same.

Btw, I have ONLY the private ones in work-gpg, and ONLY the public ones in the email qube.

If there’s an idea to solve this, please let the forum know.

When I find time I want to summarize all the steps I have taken to get this running, here in this thread, in addition to the community guide coming soon.

There is still an error if I try to sign an email. Encryption, decryption and verifying a signature work as expected, but PKSIGN (which is displayed as allowed by split-gpg2) shows the error “no secret key”.

This is the output from gpg --list-secret-keys --keyid-format=long from my work-gpg qube:

/home/user/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/647XXXXXXXXXXXXX 2020-03-02 [C]
      XXXXXXXXX487CE43522A2XXXXXXXXXXXX
uid                 [ultimate] Hxxxx Sxxxxxx <hxxxx.sxxxxx@xxxxx.xx>
uid                 [ultimate] Hxxxx Sxxxxxx (eigener PGP) <xxxxx.xxxxx@xxxx.xx>
ssb   rsa4096/D5A1XXXXXXXXXX 2020-03-02 [E]
ssb   rsa4096/2356XXXXXXXXXX 2024-06-26 [S]

sec   rsa4096/2FAXXXXXXXXXXX 2020-03-02 [C]
      3041XXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                 [ultimate] HXXXXXX SXXXXXX (eigener PGP) <XXXXXX@XX.XX>
ssb   rsa4096/92XXXXXXXXXXXX 2020-03-02 [E]
ssb   rsa4096/FEXXXXXXXXXXXX 2024-06-26 [S]

What are the basic requirements to set up signing with split-gpg2?

Now I found something maybe interesting:

in work-gpg in folder

~/.gnupg/private-keys-v1.d/

6 keys are listed - I assume these are my 2 master, 2 encryption and 2 signing keys (which I newly created)

in work-gpg in folder

~/.gnupg/qubes-auto-keyring/private-keys-v1.d/

only 4 keys are listed - I assume this is the “old” configuration with a master key [CS] and an encryption subkey [E]

Can it be that this is the reason PKSIGN finds no secret key?
What to do? Copy the keys from one folder to the other?

Just found the error.

I didn’t know that it is important to update the public keys in the work-email qube when changes to the secret keys in work-gpg were made.

After I edited the secret keys in work-gpg (changed the usage of the master key from [SC] to only [C] and created a new sign-only key to match the split-gpg2 requirements), I forgot to update the pub keys in the email qube.

So, a simple export of the pubkeys in work-gpg and import of them into the work-email qube solved the problem.

But in the end I don’t understand why it is important for signing to have the public keys up to date; I always thought that the private one is the only important part to sign a message…

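An added check for the situation described in the last post, not code from this thread or from the Qubes project: gpg in the email qube picks the signing (sub)key, and the keygrip it sends with PKSIGN, from its own public keyring before split-gpg2 forwards anything, so a stale public-key copy without the new [S] subkey can never result in a working signature. The script parses `gpg --with-colons --list-keys` output (field layout per gnupg's doc/DETAILS) and flags certificates that lack a signing-capable subkey; the sample listing and key ids are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Qubes project. Input is the output of
#   gpg --with-colons --list-keys
# in the qube that holds the PUBLIC keys (the email qube). Relevant fields:
#   $1 record type (pub/sub/fpr/uid), $5 key id,
#   $12 capabilities, lowercase for the key's own use: e=encrypt, s=sign, c=certify.

# Print one line per certificate: "<primary key id> OK" when a signing-capable
# subkey is present, "<primary key id> STALE" when it is not.
check_signing_subkey() {
    awk -F: '
        function report() {
            printf "%s %s\n", key, (has_s ? "OK" : "STALE")
        }
        $1 == "pub" { if (key != "") report(); key = $5; has_s = 0 }
        $1 == "sub" && index($12, "s") > 0 { has_s = 1 }
        END { if (key != "") report() }
    '
}

# Constructed sample listing from the email qube (fake key ids). The first
# certificate is the stale copy: primary still [SC], only an [E] subkey, so no
# [S] subkey exists here even if work-gpg now has one. The second certificate was
# re-imported after the signing subkey was added and carries the [S] subkey.
EMAIL_QUBE_LISTING='pub:u:4096:1:0000000000000001:1583107200:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1583107200::0000000000000000000000000000000000000001::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000002:1583107200::::::e::::::23:
pub:u:4096:1:0000000000000003:1583107200:::u:::cESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1583107200::0000000000000000000000000000000000000003::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000004:1583107200::::::e::::::23:
sub:u:4096:1:0000000000000005:1719360000::::::s::::::23:'

# Real use in the email qube:  gpg --with-colons --list-keys | check_signing_subkey
# A STALE line means: in work-gpg run  gpg --export --armor <key id>  again,
# qvm-copy the file to the email qube and  gpg --import  it there.
printf '%s\n' "$EMAIL_QUBE_LISTING" | check_signing_subkey
```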