This repository has been archived by the owner on Jul 26, 2023. It is now read-only.

Enigmail/GnuPG doesn't work #4

Closed
andrevmatos opened this issue Apr 1, 2018 · 25 comments
Labels
enhancement New feature or request flatpak An issue caused by flatpak

Comments

@andrevmatos

Enigmail complains that ~/.gnupg isn't writable, and that gpg isn't found in the path. Are there any flatpak interfaces to interact with the sockets directly (avoiding exposing private key, for example)? In my case, I use ~/.gnupg/trezor as GNUPGHOME, can we support custom sockets/paths like that?

@AdrianKoshka AdrianKoshka added the enhancement New feature or request label Apr 1, 2018
@TingPing
Member

TingPing commented Apr 1, 2018

In the long term it probably needs to be a portal so all of the decrypting/encrypting happens outside of the sandbox. Probably best discussing here: https://github.com/flatpak/xdg-desktop-portal/issues

@AdrianKoshka AdrianKoshka added the flatpak An issue caused by flatpak label Apr 2, 2018
@AdrianKoshka
Collaborator

What would you suggest as an issue name?

@TingPing
Member

TingPing commented Apr 3, 2018

Portal for GPG encryption/decryption

Mention that you don't want to expose the entire gpg directory, keys and all, to applications for it.

@AdrianKoshka
Collaborator

Made an issue now

@rmader

rmader commented Jul 12, 2018

This is by far the most important issue to solve to make thunderbird on flatpak useful IMO. Many (security concerned) people I know use thunderbird mostly for Enigmail.

@AdrianKoshka
Collaborator

I know an ssh agent portal was added recently (it works, probably isn't the most secure, but it works). Hopefully a gpg agent portal will be implemented.

@t2d

t2d commented Oct 31, 2019

The README says to run

 flatpak override --filesystem=~/.gnupg org.mozilla.Thunderbird

I also had to run

sudo flatpak override --filesystem=/run/user/1000/gnupg/ org.mozilla.Thunderbird

to give access to gpg-agent. Can you (dis-)confirm?

@AdrianKoshka
Collaborator

I can't confirm, but this sounds like it should work. The worrying thing being, you're giving the sandbox access to your GPG keys directly.

@Erick555
Collaborator

@t2d thx, I updated the README and will commit it alongside 68.2.1 soon.

@pjreed

pjreed commented Nov 22, 2019

I've tried setting the overrides as described in the README, but it doesn't work for me. The Key Management dialog lists all of my keys, but when I try to sign a message, I get a popup error that says:

GnuPG cannot query your passphrase via pinentry.

This is a system setup or configuration error that prevents Enigmail from working properly and cannot be fixed automatically.

We strongly recommend that you consult our support web site at https://enigmail.net/faq.

Any ideas what might be wrong? This is with Thunderbird 68.2.2, Enigmail 2.1.3, and gpg 2.2.4.

@Erick555
Collaborator

Erick555 commented Nov 23, 2019

@pjreed for unlocking keys protected by a PIN, pinentry would need to be bundled in this flatpak. Currently it's not.

@micahflee

FYI I got a permission denied when I ran this:

$ flatpak override --filesystem=~/.gnupg org.mozilla.Thunderbird
error: Permission denied

But it worked with sudo:

$ sudo  flatpak override --filesystem=~/.gnupg org.mozilla.Thunderbird

@Erick555
Collaborator

@micahflee yes, it's noted in readme that it may require sudo.

Specifically, this command requires sudo when flatpak is installed system-wide in /var/lib/flatpak. If it's installed only for the local user in ~/.local/share/flatpak then it doesn't require sudo.

@Erick555
Collaborator

@pjreed could you try installing from #97 (comment) and check if pinentry works?

@pjreed

pjreed commented Dec 2, 2019

@Erick555 I've tried running that build, and I still get the same error about pinentry as before. Here's what my overrides look like:

$ flatpak override --user --show org.mozilla.Thunderbird
[Context]
filesystems=xdg-run/gnupg:ro;~/.gnupg;

Should I need to adjust anything else?

@Erick555
Collaborator

Erick555 commented Dec 2, 2019

For some reason pinentry doesn't seem to be working:

$ flatpak run --command=sh --filesystem=~/.gnupg --filesystem=xdg-run/gnupg:ro org.mozilla.Thunderbird 
[📦 org.mozilla.Thunderbird ~]$ pinentry
OK Pleased to meet you
getpin
couldn't create prompt for gnupg passphrase: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
S ERROR gnome3.gcr_system_prompt_open 83886195 2: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
ERR 83886195 Configuration error <Pinentry>

You may check this yourself by running the above flatpak command, then executing pinentry in the terminal, typing getpin and hitting enter.

I don't know what to do next.

@Erick555 Erick555 added the help wanted Extra attention is needed label Dec 2, 2019
@Erick555
Collaborator

Erick555 commented Dec 3, 2019

@pjreed I think I got it. You additionally need to set:
flatpak override --talk-name=org.gnome.keyring.SystemPrompter org.mozilla.Thunderbird
After that executing pinentry & getpin shows PIN prompt for me. Please try if it works for you.

@pjreed

pjreed commented Dec 3, 2019

That looks good, thanks!

@Erick555 Erick555 removed the help wanted Extra attention is needed label Dec 4, 2019
@Erick555
Collaborator

Erick555 commented Dec 4, 2019

@pjreed I merged the pinentry branch. The TB update will be published on flathub in a few hours, thx for testing.

@corecontingency
Contributor

First time trying flatpak'd Thunderbird. This bug seems to be happening for me. The Key Management dialog lists all of my keys, but when I try to sign a message, I get a popup error that says:

Your GnuPG installation is configured to use the console for pinentry. However, when using Enigmail you need a graphical version of pinentry.

This is a system setup or configuration error that prevents Enigmail from working properly and cannot be fixed automatically.

We strongly recommend that you consult our support web site at https://enigmail.net/faq.

Found this while testing my pull request #106 , but I am also having the same problem with the stable version. I even deleted my test build in case it was causing any interference.

As you can see, I am using the stable version from flathub installed with system:

[user@mycomputer ~]$ flatpak list
Thunderbird           org.mozilla.Thunderbird           68.6.0          stable          flathub        system

Here are my overrides:

[user@mycomputer ~]$ flatpak override --show org.mozilla.Thunderbird
[Context]
filesystems=xdg-run/gnupg:ro;~/.gnupg;/run/user/1000/gnupg/;

[Session Bus Policy]
org.gnome.keyring.SystemPrompter=talk

[michael@linuxlaptop ~]$ flatpak run --command=sh org.mozilla.Thunderbird
[📦 org.mozilla.Thunderbird ~]$ pinentry
OK Pleased to meet you
getpin
D ihbjbobnkn
OK

pinentry works fine, it opens a popup and I can type whatever. As you can see, it gets echoed properly.

Using Arch Linux with GNOME on Xorg. Also have a btrfs root filesystem with subvolumes.

Can anyone confirm this behavior? Any ideas?
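
As an added example (not part of this thread or the project's README): a shell function that reads `flatpak override --show` output like the listing above and reports which entries expose the GnuPG key directory rather than only the agent socket. The function names, the output labels, and treating `home` and `host` grants as key-directory exposure are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify GnuPG-related grants in `flatpak override --show` output.
# Reads the override text on stdin and prints one finding per line as
#   <CLASS> <mode> <entry>
# Returns 1 if the key directory itself is reachable from the sandbox.
audit_gnupg_overrides() {
    awk '
    /^\[/ { section = $0; next }              # track the current keyfile section
    section == "[Context]" && /^filesystems=/ {
        sub(/^filesystems=/, "")
        n = split($0, entry, ";")
        for (i = 1; i <= n; i++) {
            path = entry[i]; mode = "rw"      # grants are read-write unless suffixed
            if (path == "") continue
            if (path ~ /:ro$/) mode = "ro"
            sub(/:(ro|rw|create)$/, "", path)
            sub(/\/$/, "", path)
            # host and home include ~/.gnupg; a custom GNUPGHOME below it counts too
            if (path == "host" || path == "home" || path == "~/.gnupg" ||
                index(path, "~/.gnupg/") == 1) {
                print "KEYRING", mode, path; exposed = 1
            } else if (path == "xdg-run/gnupg" ||
                       path ~ /^\/run\/user\/[0-9]+\/gnupg$/) {
                print "AGENT-SOCKET", mode, path
            }
        }
    }
    section == "[Session Bus Policy]" && /^org\.gnome\.keyring\.SystemPrompter=/ {
        split($0, kv, "="); print "PIN-PROMPT", kv[2], kv[1]
    }
    END { exit exposed }
    '
}

# Constructed sample: the override listing quoted in the comment above.
sample_overrides() {
    cat <<'EOF'
[Context]
filesystems=xdg-run/gnupg:ro;~/.gnupg;/run/user/1000/gnupg/;

[Session Bus Policy]
org.gnome.keyring.SystemPrompter=talk
EOF
}

sample_overrides | audit_gnupg_overrides || echo "key directory is visible inside the sandbox"
```

On a live system the input would come from `flatpak override --show org.mozilla.Thunderbird`, with `--user` added for per-user overrides.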

@rmader

rmader commented Mar 20, 2020

Do you have a btrfs subvolume mounted as root? Because apparently there are other programs dealing with flatpak that get confused by that, thinking it must be within a flatpak sandbox and therefore "translate" the path. See e.g. https://gitlab.gnome.org/GNOME/sysprof/issues/34

@corecontingency
Contributor

corecontingency commented Mar 21, 2020

Yes. Here is my fstab, and here is my root btrfs subvolume (subvolid=5).

EDIT: Anyone encountering this issue on a non-btrfs filesystem? I want to make sure it is not something else before we chalk it up to btrfs funkiness.

@Erick555
Collaborator

openpgp should work by default in TB 78.3.1 (but not enigmail).

@fourstepper

fourstepper commented Feb 16, 2021

I also have my root on a btrfs subvolume, running flatpak run --command=sh org.mozilla.Thunderbird and gpg --list-keys works fine and gives me my key on the CLI, but in the GUI, I don't see any keys.

I am not sure if the keys have to be imported somehow or discovered...


I can see that I can import them from a file, but I would expect it to use my keys in .gnupg right away

@Erick555
Collaborator

Erick555 commented Feb 24, 2021

@fourstepper thunderbird doesn't use gnupg by default. If you had enigmail installed then there should be some migration tool otherwise you have to import your keys manually.

https://wiki.mozilla.org/Thunderbird:OpenPGP:Migration-From-Enigmail

https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards
