Sequoia-PGP
todo
Information
- machine readable sq already exists: sqop
Qubes
Qubes split-gpg-1 removal
If you never used split-gpg-1, just make sure the package qubes-gpg-split (split-gpg-1) is not installed by attempting to purge it using APT.
sudo apt purge qubes-gpg-split
If you used split-gpg-1 before, make sure the following environment variables are no longer set.
- QUBES_GPG_DOMAIN
- QUBES_GPG_AUTOACCEPT
Note that qubes-gpg-client-wrapper is no longer used, since split-gpg-2 is nowadays based on gpg-agent. Therefore, if any applications such as Thunderbird or any configuration files such as ~/.gitconfig still use qubes-gpg-client-wrapper, this setting needs to be reverted.
non-existing gpg-g10-code gnupg home folder
A completely non-existing ~/.gnupg folder is probably causing breakage.
Command:
sq sign --signature-notation testvar testcontent --signer 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA --signature-file=/home/sysmaint/derivative-binary/test_sign_file.asc -- /home/sysmaint/derivative-binary/test_sign_file
Symptom:
Error: 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA was not considered because
it is: missing the secret key
6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 was not considered because
it is: missing the secret key
because: Found no suitable key on 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
Workaround:
gpg-g10code --import /usr/share/keyrings/derivative.asc
subkey has no binding to main key
sq cert list 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
No bindings matching "6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48" could be
authenticated.
- Warning: 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 appears to be a subkey of
916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
1 binding found.
Skipped 1 binding, which is unusable.
Error: No bindings matching the query could be authenticated.
zsh: exit 1 sq cert list 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
Is this even an issue?
git merge
git merge branch [redacted]
Symptom:
fatal: Commit [redacted] has an untrusted GPG signature, allegedly by [redacted]
Cause:
sq pki link add is insufficient. Import into gpg(sq) trust store is required.
Note: Replace keyfingerprint with the actual key fingerprint. The ownertrust line format is fingerprint:level:, where 6 means ultimate trust.
echo "keyfingerprint:6:" | gpg --import-ownertrust
key was not considered because it is: missing the secret key
sq sign --signature-notation testvar testcontent --signer 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA --signature-file=/home/user/derivative-binary/test_sign_file.asc -- /home/user/derivative-binary/test_sign_file
Error: 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA was not considered because
it is: missing the secret key
6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 was not considered because
it is: missing the secret key
because: Found no suitable key on 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
Killing gpg-agent in the split-gpg-2 server VM and deleting the folder ~/.gnupg/qubes-auto-keyring there fixed this.
1. In the split-gpg-2 server VM:
2. Kill gpg-agent.
killall gpg-agent
3. Delete folder ~/.gnupg/qubes-auto-keyring.
safe-rm -r -- ~/.gnupg/qubes-auto-keyring
4. Done.
no output from gpg -K in client
- Seems to occur when /usr/bin/gpg is gpg-sq, but not when it is gpg-g10code.
- When running gpg -K in a client, if ~/.gnupg/qubes-auto-keyring does not exist, it is created by something (most likely split-gpg2). The contents this directory is populated with differ depending on which gpg is in use on the server when the client calls gpg -K:
[user ~]% cd ~/auto-keyring-old # this is a qubes-auto-keyring generated when gpg is gpg-sq
[user ~/auto-keyring-old]% find .
./pubring.cert.d
./pubring.cert.d/_sequoia_signature_verification_cache_v1_on_vault.sqlite
./pubring.cert.d/_sequoia_cert_store_index_v1_on_vault.sqlite
./private-keys-v1.d
[user ~/auto-keyring-old]% cd ~/auto-keyring-new # this is a qubes-auto-keyring generated when gpg is gpg-g10code
[user ~/auto-keyring-new]% find .
./trustdb.gpg
./pubring.kbx~
./pubring.kbx
./private-keys-v1.d
./private-keys-v1.d/REDACTED1.key
./private-keys-v1.d/REDACTED2.key
- If "gpg-g10code's version" of qubes-auto-keyring is in place, split-gpg2 works (gpg -K functions correctly in clients) even when both the client's and the server's gpg is gpg-sq.
- If "gpg-sq's version" of qubes-auto-keyring is in place, split-gpg2 breaks (gpg -K returns nothing in clients) even when both the client's and the server's gpg is gpg-g10code.
- Caused by the missing --export-secret-subkeys feature in gpg-sq: https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/158
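An added diagnostic for the two directory layouts above (my shell, not code from this wiki page or from the Qubes or Sequoia projects): it classifies a qubes-auto-keyring directory by the files seen in the find output and reports whether any exported secret keys are present in private-keys-v1.d, which is what decides whether gpg -K in a client returns anything. The sample directories it builds are constructed from the file names above and hold empty placeholder files.

```shell
# Added diagnostic; not code from this wiki page nor from the Qubes or
# Sequoia projects. Classifies a qubes-auto-keyring directory.

# Prints "<layout>-layout-<secrets>", e.g. "sq-layout-no-secrets".
classify_auto_keyring() {
    dir=$1
    layout=unknown
    if [ -d "$dir/pubring.cert.d" ]; then
        layout=sq          # gpg-sq writes pubring.cert.d/ with sqlite caches
    elif [ -f "$dir/pubring.kbx" ] || [ -f "$dir/trustdb.gpg" ]; then
        layout=g10code     # gpg-g10code writes a keybox and a trustdb
    fi
    # Count exported secret keys. With none present, 'gpg -K' in a client
    # prints nothing: the breakage caused by gpg-sq lacking
    # --export-secret-subkeys.
    nkeys=0
    for f in "$dir"/private-keys-v1.d/*.key; do
        if [ -f "$f" ]; then nkeys=$((nkeys + 1)); fi
    done
    if [ "$nkeys" -gt 0 ]; then secrets=with-secrets; else secrets=no-secrets; fi
    echo "$layout-layout-$secrets"
}

# Constructed sample directory mirroring the 'find' output above (file names
# only, empty placeholder contents). $1 is sq or g10code, $2 the target dir.
make_sample_keyring() {
    mkdir -p "$2/private-keys-v1.d"
    if [ "$1" = sq ]; then
        mkdir -p "$2/pubring.cert.d"
        : > "$2/pubring.cert.d/_sequoia_cert_store_index_v1_on_vault.sqlite"
    else
        : > "$2/pubring.kbx"; : > "$2/trustdb.gpg"
        : > "$2/private-keys-v1.d/REDACTED1.key"
    fi
}

# Demo: classify both constructed layouts; a no-secrets result gets the remedy.
tmp=$(mktemp -d)
make_sample_keyring sq "$tmp/sq"
make_sample_keyring g10code "$tmp/g10"
for d in "$tmp/sq" "$tmp/g10"; do
    r=$(classify_auto_keyring "$d")
    echo "$d: $r"
    case $r in
        *-no-secrets) echo "  -> server VM: killall gpg-agent; safe-rm -r -- ~/.gnupg/qubes-auto-keyring" ;;
    esac
done
rm -rf "$tmp"
```

Run it against the real directory with classify_auto_keyring ~/.gnupg/qubes-auto-keyring in the split-gpg-2 server VM; a no-secrets result matches the broken state described in this section.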
bugs
- one time empty password prompt in split-gpg-2 client VM but then OK. Might be a gpg-agent or split-gpg-2 bug. Might not be a sequoia bug.
- sequoia-chameleon-gnupg bug report: gpg --export-secret-subkeys not implemented
- This is the reason why split-gpg2 and gpg-sq cannot work together out of the box.
Qubes
unconfirmed bugs
- Potentially only a problem with account sysmaint vs. account user?
Thunderbird
sudo apt install libsequoia-octopus-librnp
https://doc.qubes-os.org/en/latest/user/security-in-qubes/split-gpg-2.html#server-options
Debugging
gpg-agent --daemon -vv --debug-level guru --log-file ./mylog
tail -f ./mylog
When things are "working", the agent will output some log lines immediately after running gpg -K in a client.
When things are broken, no logging occurs in response to gpg -K in the client.