Enigmail/GnuPG doesn't work #4
Comments
In the long term it probably needs to be a portal so all of the decrypting/encrypting happens outside of the sandbox. Probably best discussing here: https://github.com/flatpak/xdg-desktop-portal/issues |
What would you suggest as an issue name? |
Portal for GPG encryption/decryption
Mention that you don't want to expose the entire gpg directory, keys and all, to applications for it. |
This is by far the most important issue to solve to make thunderbird on flatpak useful IMO. Many (security concerned) people I know use thunderbird mostly for Enigmail. |
I know an ssh agent portal was added recently (it works, probably isn't the most secure, but it works). Hopefully a gpg agent portal will be implemented. |
The README says to run
I also had to run
to give access to gpg-agent. Can you (dis-)confirm? |
I can't confirm, but this sounds like it should work. The worrying thing being, you're giving the sandbox access to your GPG keys directly. |
@t2d thx, I updated the README and will commit it alongside 68.2.1 soon. |
I've tried setting the overrides as described in the README, but it doesn't work for me. The Key Management dialog lists all of my keys, but when I try to sign a message, I get a popup error that says:
Any ideas what might be wrong? This is with Thunderbird 68.2.2, Enigmail 2.1.3, and gpg 2.2.4. |
@pjreed for unlocking keys protected by pin |
FYI I got a permission denied when I ran this:
But it worked with sudo:
|
@micahflee yes, it's noted in the readme that it may require sudo. Specifically, this command requires sudo when flatpak is installed system-wide in |
@pjreed could you try installing from #97 (comment) and check if pinentry works? |
@Erick555 I've tried running that build, and I still get the same error about pinentry as before. Here's what my overrides look like:
$ flatpak override --user --show org.mozilla.Thunderbird
[Context]
filesystems=xdg-run/gnupg:ro;~/.gnupg;
Should I need to adjust anything else? |
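Added example, not part of the thread or the project's README: a small Python audit of the override output quoted above, showing which `filesystems=` entries expose the GnuPG home directory and which expose only the agent socket directory. The function names and finding labels are made up for this example, and the sample text is constructed from the quoted output.

```python
# SAMPLE is constructed from the override output quoted in the thread.
SAMPLE = """[Context]
filesystems=xdg-run/gnupg:ro;~/.gnupg;
"""

# Grants that cover the GnuPG home (private keys live in
# ~/.gnupg/private-keys-v1.d) versus the agent socket directory.
GNUPG_HOME_GRANTS = {"host", "home", "~", "~/.gnupg"}
SOCKET_DIR = "xdg-run/gnupg"


def parse_filesystems(override_text):
    """Return [(path, mode)] from the filesystems= key of [Context]."""
    entries, section = [], None
    for raw in override_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Context" and line.startswith("filesystems="):
            for item in line.split("=", 1)[1].split(";"):
                item = item.strip()
                if not item or item.startswith("!"):  # "!" removes a grant
                    continue
                path, _, suffix = item.partition(":")
                # Flatpak grants read-write unless the entry ends in :ro
                mode = "ro" if suffix == "ro" else "rw"
                entries.append((path.rstrip("/"), mode))
    return entries


def gnupg_exposure(override_text):
    """Label each entry by what it exposes of the user's GnuPG setup."""
    findings = []
    for path, mode in parse_filesystems(override_text):
        if path in GNUPG_HOME_GRANTS or path.startswith("~/.gnupg/"):
            # Labels are this example's own, not Flatpak terminology.
            kind = "gnupg-home-writable" if mode == "rw" else "gnupg-home-readable"
        elif path == SOCKET_DIR or path.startswith(SOCKET_DIR + "/"):
            kind = "agent-socket"
        else:
            continue
        findings.append((path, mode, kind))
    return findings


if __name__ == "__main__":
    for path, mode, kind in gnupg_exposure(SAMPLE):
        print(f"{path:16} {mode}  {kind}")
```

For the quoted override, the `~/.gnupg` entry has no `:ro` suffix, so the sandbox gets read-write access to the key directory in addition to the read-only socket directory.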
For some reason pinentry doesn't seem to be working:
You may check this yourself by running the above flatpak command, then executing
I don't know what to do next. |
@pjreed I think I got it. You additionally need to set: |
That looks good, thanks! |
@pjreed I merged the pinentry branch. The TB update will be published on flathub in a few hours, thx for testing. |
First time trying flatpak'd Thunderbird. This bug seems to be happening for me. The Key Management dialog lists all of my keys, but when I try to sign a message, I get a popup error that says:
Found this while testing my pull request #106 , but I am also having the same problem with the stable version. I even deleted my test build in case it was causing any interference. As you can see, I am using the stable version from flathub installed with system:
Here are my overrides:
Using Arch Linux with GNOME on Xorg. Also have a btrfs root filesystem with subvolumes. Can anyone confirm this behavior? Any ideas? |
Do you have a btrfs subvolume mounted as root? Because apparently there are other programs dealing with flatpak that get confused by that, thinking it must be within a flatpak sandbox and therefore "translate" the path. See e.g. https://gitlab.gnome.org/GNOME/sysprof/issues/34 |
Yes. Here is my fstab, and here is my root btrfs subvolume (subvolid=5). EDIT: Anyone encountering this issue on a non-btrfs filesystem? I want to make sure it is not something else before we chalk it up to btrfs funkiness. |
openpgp should work by default in TB 78.3.1 (but not enigmail). |
I also have my root on a btrfs subvolume, running flatpak run --command=sh org.mozilla.Thunderbird and gpg --list-keys works fine and gives me my key on the CLI, but in the GUI, I don't see any keys. I am not sure if the keys have to be imported somehow or discovered... I can see that I can import them from a file, but I would expect it to use my keys in .gnupg right away |
@fourstepper thunderbird doesn't use gnupg by default. If you had enigmail installed then there should be some migration tool otherwise you have to import your keys manually. https://wiki.mozilla.org/Thunderbird:OpenPGP:Migration-From-Enigmail |
Enigmail complains that ~/.gnupg isn't writable, and that gpg isn't found in the path. Are there any flatpak interfaces to interact with the sockets directly (avoiding exposing private key, for example)? In my case, I use ~/.gnupg/trezor as GNUPGHOME, can we support custom sockets/paths like that?