Can't use split-gpg2 on Fedora 39 client and Debian 12 server
Closed this issue · 0 comments
Software version
R4.2, Fedora 39, Debian 12.
$ gpg-agent --version
Fedora:
gpg-agent (GnuPG) 2.4.4
libgcrypt 1.10.2-unknown
Debian:
gpg-agent (GnuPG) 2.2.40
libgcrypt 1.10.1
Brief summary
Steps to reproduce
In the Qrexec policy, set the target of qubes.Gpg2 to a Fedora-based qube that has split-gpg2 installed.
On the client:
$ gpg -bsau KEYFPR README.md
Expected behavior
File signed successfully.
Actual behavior
Can't sign files when using Fedora client and Debian server.
gpg: WARNING: server 'gpg-agent' is older than us (2.2.40 < 2.4.4)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
gpg: skipped "KEYFPR": Unusable secret key
gpg: signing failed: Unusable secret key
It appears to be just a warning, but after watching the debug log of split-gpg2 on the server, it is actually an error. When tested with a Fedora-based server, it works.
Resolution
It is necessary to switch the origin template of tpl-sys-pgp to fedora-minimal instead of debian-minimal; therefore any recent or old client version can work with sys-pgp.
For anyone that has already created tpl-sys-pgp, just set the template of sys-pgp to any other template, delete tpl-sys-pgp and run the installation steps of sys-pgp.
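The condition gpg warns about above (server gpg-agent older than the client) can be checked before pointing qubes.Gpg2 at a server qube. This is an added example, not part of the issue or of split-gpg2; the function names are hypothetical and the sample input is the `gpg-agent --version` output quoted in this report.

```shell
#!/bin/sh
# Added example: pre-flight check for a split-gpg2 client/server pair.
# Input is the text printed by `gpg-agent --version` in each qube.

# Extract "X.Y.Z" from the first line, e.g. "gpg-agent (GnuPG) 2.4.4".
agent_version() {
    printf '%s\n' "$1" | sed -n '1s/^gpg-agent (GnuPG) \([0-9][0-9.]*\).*$/\1/p'
}

# Succeed (status 0) when version $1 is strictly older than version $2.
# Fields are compared numerically, so 2.2.40 counts as newer than 2.2.5.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Status: 0 = server is at least as new as the client,
#         1 = server older than client, 2 = version line not recognised.
check_pair() {
    client=$(agent_version "$1"); server=$(agent_version "$2")
    if [ -z "$client" ] || [ -z "$server" ]; then
        echo "could not parse gpg-agent version"; return 2
    fi
    if version_lt "$server" "$client"; then
        echo "server gpg-agent $server is older than client $client"; return 1
    fi
    echo "ok: server $server, client $client"
}

# Sample input: the version output quoted in this report.
FEDORA_CLIENT='gpg-agent (GnuPG) 2.4.4
libgcrypt 1.10.2-unknown'
DEBIAN_SERVER='gpg-agent (GnuPG) 2.2.40
libgcrypt 1.10.1'

check_pair "$FEDORA_CLIENT" "$DEBIAN_SERVER" || true
```

On a real system, pass the output of `gpg-agent --version` captured in the client qube and in the server qube as the two arguments.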