ben-grande/qusal

sys-pgp client not showing private keys from sys-pgp

Closed this issue · 29 comments

Commitment

I confirm that I have read the following resources:

Software version

R4.2.1

Brief summary

gpg-client-vm doesn't list keys with gpg -K, only with gpg --list-keys after public part of the key is imported from sys-pgp.

Checked Qubes.Gpg2 policy following the TROUBLESHOOTING guide - all correct.

Steps to reproduce

Perform upstream doc instruction to generate new key under gpg -- homedir /home/user/.gnupg/split-gpg/gpg-client-vm --gen-key

Expected behavior

Should be able to use gpg keys normally

Actual behavior

Tried testing with echo "test" | gpg --clearsign, to get:

gpg: no default secret key: No secret key
gpg: [stdin]: clearsign failed: No secret key

Can't sign commits or pulls with gpgs.

Thanks!

After a quick read there may be a gpg version mismatch, see this issue for versions that come from qusal formulas.

I don't see how git is relevant. It is failing before git, it is failing on the gpg agent level.

Qubes.Gpg2

It is not upper case Q. Verify your policy.

gpg -- homedir /home/user/.gnupg/split-gpg/gpg-client-vm --gen-key

There is no space between -- homedir, it is just --homedir.

On sys-pgp:

cd ~/.gnupg/split-gpg/gpg-client-vm
gpg --homedir . -k
gpg --homedir . -K

It should list the public (k) and private key (K).

echo "test" | gpg --clearsign

Works for me. Please redo the steps.

Follow the debugging steps I gave to the other user: 1, 2.

After a quick read there may be a gpg version mismatch, see this issue for versions that come from qusal formulas.

Try updating qusal to guarantee you are on the latest version.

I pushed a commit that might be relevant in case you did not enable the service as I deleted the True|1 from the example by mistake.

Yes - I was typing on my mobile so some syntax got screwed up - will get back on that asap

@ben-grande on sys-pgp:

cd ~/.gnupg/split-gpg/gpg-client-vm
gpg --homedir . -k
gpg --homedir . -K

both return correct keys.

on gpg-client-vm:

gpg -k 

returns the correct key.

gpg -K

returns nothing.

echo "test" | gpg --clearsign

returns the same error as stated above.

And this debugging step?

On gpg-client-vm:

ls /var/run/qubes-service

Is split-gpg2-client in there?

Another way:

qvm-features gpg-client-vm service.split-gpg2-client

on gpg-client-vm:

ls /var/run/qubes-service

shows split-gpg2-client present

The instructions upstream say to only copy the public part of the key to the gpg-client-vm, which I did through exporting commands (public keys and ownertrust), and then imported to gpg-client-vm through respective --import and --import-ownertrust.
It almost feels like the secret part of the key has a problem "splitting".

And this debugging step?

Third time I ask to do this debugging step...

If there is no problem in that debugging step, try to reproduce it without Qusal being involved, create the qubes by yourself and test.

Sorry, I missed it completely!

$ cat ~/.config/qubes-split-gpg2/qubes-split-gpg2.conf
[DEFAULT]
autoaccept = 86400
pksign_autoaccept = 86400
pkdecrypt_autoaccept = 86400
verbose_notifications = yes
allow_keygen = no
#gnupghome =
isolated_gnupghome_dirs = ~/.gnupg/split-gpg
#debug_log =
#source_keyring_dir =
$ cat ~/.config/sh/profile.d/split-gpg2.sh
export GSK_RENDERER=cairo LIBGL_ALWAYS_SOFTWARE=1
zenity --question --title title --text text

outputs a popup with correct title and text.

Qubes.Gpg2

It is not upper case Q. Verify your policy.

Last resort is to check your policy logs. Follow the troubleshoot guide for the Qrexec. If the call is allowed, I have no idea of the problem and you can only try to reproduce outside of Qusal.

You got split-gpg2-client working before? #64

Please try this again on gpg-client-vm:

systemctl --user status split-gpg2-client

You got split-gpg2-client working before? #64

Please try this again on gpg-client-vm:

systemctl --user status split-gpg2-client

The zenity error got fixed on sys-pgp side, I proceeded to hit the issue in question.

To your question:

% systemctl --user status split-gpg2-client
● split-gpg2-client.service - split-gpg2 client
     Loaded: loaded (/usr/lib/systemd/user/split-gpg2-client.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-07-01 17:09:18 UTC; 1min 44s ago
   Main PID: 537 (socat)
      Tasks: 1 (limit: 385)
     Memory: 3.2M
        CPU: 10ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/split-gpg2-client.service
             └─537 socat "unix-listen:'/run/user/1000/gnupg/S.gpg-agent',fork,unlink-early" "exec:qrexec-client-vm @default qubes.Gpg2"

I'll share my notes on this tomorrow to give you full insight into the steps I am making to set it up - maybe that'll help. In the meantime I tried on a new machine spawned from dev template, same issue.

@ben-grande (sorry it took a little longer)
From scratch:

  1. Run formulas for sys-pgp the sls route, not top:
sudo qubesctl state.apply sys-pgp.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-pgp state.apply sys-pgp.install
sudo qubesctl --skip-dom0 --targets=sys-pgp state.apply sys-pgp.configure
sudo qubesctl state.apply sys-pgp.prefs
  2. For simplicity, I currently kept the default policy for easier debugging - 80-sys-pgp.policy at /etc/qubes/policy.d/:
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
qubes.Gpg2 * @anyvm  @default ask target={{ sls_path }} default_target={{ sls_path }}
qubes.Gpg2 * @anyvm  @anyvm   deny
## vim:ft=qrexecpolicy

Previously, I had created a 30-user-sys-pgp.policy file at /etc/qubes/policy.d/ with only the following content:

qubes.Gpg2 + gpg-clientvm @default allow target=sys-pgp
  3. On sys-pgp:
sys-pgp$ mkdir -m 0700 -p ~/.gnupg/split-gpg/gpg-clientvm
sys-pgp$ cd ~/.gnupg/split-gpg/gpg-clientvm
sys-pgp$ gpg --homedir . --gen-key
  • Went through the prompts to set up the keys
  • verified with gpg --homedir . -k and ... -K for public and secret keys respectively
  4. On sys-pgp:
gpg --homedir . --export > public-keys-export
gpg --homedir . --export-ownertrust > ownertrust-export
qvm-copy public-keys-export ownertrust-export

and pointed for gpg-clientvm to receive

  5. On dom0:
dom0$ qvm-service gpg-clientvm split-gpg2-client on

and verified on gpg-clientvm with systemctl --user status split-gpg2-client

  6. On gpg-clientvm:
gpg --import ~/QubesIncoming/sys-pgp/public-keys-export
gpg --import ~/QubesIncoming/sys-pgp/ownertrust-export

After which I get the following behaviour:
On gpg-clientvm:

% gpg -k
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   ed25519/XXXXXXXXXXXXXXXX 2024-06-25 [SC] [expires: 2024-09-23]
      Key fingerprint = 1111111111111111
uid                 [ultimate] Name Surname (key name) <email@example.com>
sub   cv25519/XXXXXXXXXXXXX 2024-06-25 [E] [expires: 2024-09-23]
      Key fingerprint = 222222222222222

[info some info redacted]

% gpg -K

no output.

% gpg -vvv -K
gpg: using character set 'utf-8'
gpg: using pgp trust model
gpg: key XXXXXXXXXXX: accepted as trusted key
gpg: connection to agent is in restricted mode

Strangely, and probably as a residual from my previous tests:
On dom0, sudo journalctl -fu qubes-qrexec-policy-daemon | cut -d " " -f 7- shows:
qubes.Gpg2+: gpg-clientvm -> @default: allowed to sys-pgp

This is the stage I currently am at (+ the info above).
I hope that helps!

Issue from the first post:

gpg: no default secret key: No secret key
gpg: [stdin]: clearsign failed: No secret key

Issue now:

% gpg -vvv -K
gpg: using character set 'utf-8'
gpg: using pgp trust model
gpg: key XXXXXXXXXXX: accepted as trusted key
gpg: connection to agent is in restricted mode

Which looks more like #73, so please redo the following step: #73 (comment)

You can try debugging on the agent side now.

On sys-pgp ~/.config/qubes-split-gpg2/qubes-split-gpg2.conf, modify the debug_log line to be uncommented and add as value a temporary log:

debug_log = /tmp/gpg2.log

It can contain private info, don't share without redacting first, try to identify the important parts.

Strangely, and probably as a residual from my previous tests: On dom0, sudo journalctl -fu qubes-qrexec-policy-daemon | cut -d " " -f 7- shows: qubes.Gpg2+: gpg-clientvm -> @default: allowed to sys-pgp

This is the stage I currently am at (+ the info above). I hope that helps!

Keep the dom0 terminal side by side with dev and sys-pgp logging:

  1. On dom0, press enter to give some spaces to the journal lines
  2. Run command on dev
  3. See if call was made on dom0, if any call was made, press space to discern them
  4. See sys-pgp logs, also press space between calls to discern them

Issue from the first post:

gpg: no default secret key: No secret key
gpg: [stdin]: clearsign failed: No secret key

This is still the same issue, just tested.

Issue now:

% gpg -vvv -K
gpg: using character set 'utf-8'
gpg: using pgp trust model
gpg: key XXXXXXXXXXX: accepted as trusted key
gpg: connection to agent is in restricted mode

Which looks more like #73, so please redo the following step: #73 (comment)

Keep the dom0 terminal side by side with dev and sys-pgp logging:

  1. On dom0, press enter to give some spaces to the journal lines
  2. Run command on dev
  3. See if call was made on dom0, if any call was made, press space to discern them
  4. See sys-pgp logs, also press space between calls to discern them

On gpg-clientvm:

% gpg -vvv -K
gpg: using character set 'utf-8'
gpg: using pgp trust model
gpg: key XXXXXXXX: accepted as trusted key
gpg: connection to agent is in restricted mode

From sys-pgp log:

A >>>: OK Pleased to meet you, process 10016
C <<<: OK Pleased to meet you, process 10016
C >>>: RESET
A <<<: RESET
A >>>: OK
C <<<: OK
C >>>: OPTION ttyname=/dev/pts/0
C <<<: OK
C >>>: OPTION ttytype=xterm-256color
C <<<: OK
C >>>: OPTION display=:0
A <<<: OPTION display=:0
A >>>: ERR 67109115 Forbidden <GPG Agent>
C <<<: ERR 67109115 Forbidden <GPG Agent>
C >>>: GETINFO restricted
A <<<: GETINFO restricted
A >>>: OK
C <<<: OK
C >>>: GETINFO version
A <<<: GETINFO version
A >>>: D 2.4.4
C <<<: D 2.4.4
A >>>: OK
C <<<: OK
C >>>: OPTION allow-pinentry-notify
A <<<: OPTION allow-pinentry-notify
A >>>: ERR 67109115 Forbidden <GPG Agent>
C <<<: ERR 67109115 Forbidden <GPG Agent>
C >>>: OPTION agent-awareness=2.1.0
A <<<: OPTION agent-awareness=2.1.0
A >>>: OK
C <<<: OK
C >>>: HAVEKEY XXXXXXXXXXXX
A <<<: HAVEKEY XXXXXXXXXXXX
A >>>: ERR 67108881 No secret key <GPG Agent>
C <<<: ERR 67108881 No secret key <GPG Agent>
C >>>:

From dom0:
sudo journalctl -fu qubes-qrexec-policy-daemon | cut -d " " -f 7- shows: qubes.Gpg2+: gpg-clientvm -> @default: allowed to sys-pgp

Which looks more like #73, so please redo the following step: #73 (comment)

Please do the following step quoted above.

Just so you know what you should have got from the split-gpg2 logs:

Using GnuPG home directory /home/user/.gnupg/split-gpg/dev
A >>>: OK Pleased to meet you, process 2532
C <<<: OK Pleased to meet you, process 2532
C >>>: RESET
A <<<: RESET
A >>>: OK
C <<<: OK
C >>>: OPTION ttyname=/dev/pts/3
C <<<: OK
C >>>: OPTION ttytype=screen-256color
C <<<: OK
C >>>: OPTION display=:0
A <<<: OPTION display=:0
A >>>: ERR 67109115 Forbidden <GPG Agent>
C <<<: ERR 67109115 Forbidden <GPG Agent>
C >>>: GETINFO restricted
A <<<: GETINFO restricted
A >>>: OK
C <<<: OK
C >>>: GETINFO version
A <<<: GETINFO version
A >>>: D 2.4.4
C <<<: D 2.4.4
A >>>: OK
C <<<: OK
C >>>: OPTION allow-pinentry-notify
A <<<: OPTION allow-pinentry-notify
A >>>: ERR 67109115 Forbidden <GPG Agent>
C <<<: ERR 67109115 Forbidden <GPG Agent>
C >>>: OPTION agent-awareness=2.1.0
A <<<: OPTION agent-awareness=2.1.0
A >>>: OK
C <<<: OK
C >>>: HAVEKEY REDACTED REDACTED
A <<<: HAVEKEY REDACTED REDACTED
A >>>: ERR 67108881 No secret key <GPG Agent>
C <<<: ERR 67108881 No secret key <GPG Agent>
C >>>: HAVEKEY REDACTED REDACTED
A <<<: HAVEKEY REDACTED REDACTED
A >>>: ERR 67108881 No secret key <GPG Agent>
C <<<: ERR 67108881 No secret key <GPG Agent>
C >>>: HAVEKEY REDACTED REDACTED
A <<<: HAVEKEY REDACTED REDACTED
A >>>: OK
C <<<: OK
C >>>: KEYINFO REDACTED
A <<<: KEYINFO REDACTED
A >>>: ERR 67108891 Not found <GPG Agent>
C <<<: ERR 67108891 Not found <GPG Agent>
C >>>: KEYINFO REDACTED
A <<<: KEYINFO REDACTED
A >>>: S KEYINFO REDACTED D - - - C - - -
C <<<: S KEYINFO REDACTED D - - - C - - -
A >>>: OK
C <<<: OK
C >>>:

On sys-pgp:

$ cat ~/.config/qubes-split-gpg2/qubes-split-gpg2.conf
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=toml

[DEFAULT]
autoaccept = 86400
pksign_autoaccept = 86400
pkdecrypt_autoaccept = 86400
verbose_notifications = yes
allow_keygen = no
#gnupghome =
isolated_gnupghome_dirs = ~/.gnupg/split-gpg
debug_log = /tmp/gpg2.log
#source_keyring_dir =
$ cat ~/.config/sh/profile.d/split-gpg2.sh
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

export GSK_RENDERER=cairo LIBGL_ALWAYS_SOFTWARE=1
$ zenity --question --title title --text text

outputs a popup correctly.

On gpg-clientvm:

% gpg -vvv -K
gpg: using character set 'utf-8'
gpg: using pgp trust model
gpg: key REDACTED: accepted as trusted key
gpg: connection to agent is in restricted mode

No idea... I tried, but I don't know. Please reproduce it without Qusal. Create a separate PGP server and PGP clients without my files. Only follow https://github.com/qubesos/qubes-app-linux-split-gpg2, report it to Qubes if it doesn't work, report to Qusal if it works.

I'll keep trying - what I'll do is remove all things sys-pgp related and start from scratch

@ben-grande here is the latest discovery:

I reinstalled the sys-pgp formulas, created the folder and generated a key.
After that:

  1. On sys-pgp:
gpg --homedir . --export > public-keys-export
gpg --homedir . --export-ownertrust > ownertrust-export
qvm-copy public-keys-export ownertrust-export

and pointed for gpg-clientvm to receive

  2. On dom0:
dom0$ qvm-service gpg-clientvm split-gpg2-client on

and verified on gpg-clientvm with systemctl --user status split-gpg2-client
At this point, on gpg-clientvm:

% systemctl --user status split-gpg2-client
● split-gpg2-client.service - split-gpg2 client
     Loaded: loaded (/usr/lib/systemd/user/split-gpg2-client.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-07-05 11:28:15 UTC; 1h 44min ago
   Main PID: 526 (socat)
      Tasks: 1 (limit: 385)
     Memory: 2.4M
        CPU: 16ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/split-gpg2-client.service
             └─526 socat "unix-listen:'/run/user/1000/gnupg/S.gpg-agent',fork,unlink-early" "exec:qrexec-client-vm @default qubes.Gpg2"

Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:     return future.result()
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:            ^^^^^^^^^^^^^^^
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:   File "/usr/lib/python3.12/site-packages/splitgpg2/__init__.py", line 426, in run
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:     await self.client_writer.wait_closed()
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:   File "/usr/lib64/python3.12/asyncio/streams.py", line 364, in wait_closed
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:     await self._protocol._get_close_waiter(self)
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:   File "/usr/lib64/python3.12/asyncio/streams.py", line 177, in _get_close_waiter
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]:     raise NotImplementedError
Jul 05 11:28:29 gpg-clientvm split-gpg2-client[1279]: NotImplementedError

That's new!

On a different qube, with qusal setup:

% systemctl --user status split-gpg2-client -l
● split-gpg2-client.service - split-gpg2 client
     Loaded: loaded (/usr/lib/systemd/user/split-gpg2-client.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-07-14 09:44:59 UTC; 2min 22s ago
   Main PID: 2721 (socat)
      Tasks: 1 (limit: 268)
     Memory: 904.0K
        CPU: 8ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/split-gpg2-client.service
             └─2721 socat "unix-listen:'/run/user/1000/gnupg/S.gpg-agent',fork,unlink-early" "exec:qrexec-client-vm @default qubes.Gpg2"

Jul 14 09:44:59 personal-dev systemd[506]: split-gpg2-client.service: Main process exited, code=exited, status=143/n/a
Jul 14 09:44:59 personal-dev systemd[506]: split-gpg2-client.service: Failed with result 'exit-code'.
Jul 14 09:44:59 personal-dev systemd[506]: Stopped split-gpg2-client.service - split-gpg2 client.
Jul 14 09:44:59 personal-dev systemd[506]: Started split-gpg2-client.service - split-gpg2 client.

I also tried outside the qusal environment, also having issues with the client.

Will keep digging and asking 🤷

@ben-grande I think there is something wrong with the split-gpg2-client service:

On gpg-client-vm, before doing anything with sys-pgp:

$ systemctl --user status split-gpg2-client
● split-gpg2-client.service - split-gpg2 client
     Loaded: loaded (/usr/lib/systemd/user/split-gpg2-client.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-07-19 16:58:29 UTC; 27s ago
   Main PID: 774 (socat)
      Tasks: 1 (limit: 268)
     Memory: 2.2M
        CPU: 36ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/split-gpg2-client.service
             └─774 socat "unix-listen:'/run/user/1000/gnupg/S.gpg-agent',fork,unlink-early" "exec:qrexec-client-vm @default qubes.Gpg2"

, which indicates that everything is fine.

However, after going through the key setup on sys-pgp, on gpg-client-vm:

% gpg -vvv -K
gpg: using character set 'utf-8'
gpg: using pgp trust model
gpg: key REDACTED: accepted as trusted key
gpg: connection to agent is in restricted mode

Then running on gpg-client-vm:

% systemctl --user status split-gpg2-client -l
● split-gpg2-client.service - split-gpg2 client
     Loaded: loaded (/usr/lib/systemd/user/split-gpg2-client.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-07-19 16:58:29 UTC; 27s ago
   Main PID: 774 (socat)
      Tasks: 1 (limit: 268)
     Memory: 2.2M
        CPU: 36ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/split-gpg2-client.service
             └─774 socat "unix-listen:'/run/user/1000/gnupg/S.gpg-agent',fork,unlink-early" "exec:qrexec-client-vm @default qubes.Gpg2"

Jul 19 16:58:55 dev split-gpg2-client[1301]:     return future.result()
Jul 19 16:58:55 dev split-gpg2-client[1301]:            ^^^^^^^^^^^^^^^
Jul 19 16:58:55 dev split-gpg2-client[1301]:   File "/usr/lib/python3.12/site-packages/splitgpg2/__init__.py", line 426, in run
Jul 19 16:58:55 dev split-gpg2-client[1301]:     await self.client_writer.wait_closed()
Jul 19 16:58:55 dev split-gpg2-client[1301]:   File "/usr/lib64/python3.12/asyncio/streams.py", line 364, in wait_closed
Jul 19 16:58:55 dev split-gpg2-client[1301]:     await self._protocol._get_close_waiter(self)
Jul 19 16:58:55 dev split-gpg2-client[1301]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jul 19 16:58:55 dev split-gpg2-client[1301]:   File "/usr/lib64/python3.12/asyncio/streams.py", line 177, in _get_close_waiter
Jul 19 16:58:55 dev split-gpg2-client[1301]:     raise NotImplementedError
Jul 19 16:58:55 dev split-gpg2-client[1301]: NotImplementedError

The error is only triggered after I try to list the secret keys client-side.

How can I debug this?

How can I debug this?

I get the same error and my private key is listed, so just ignore it. But if you want to see the full output:

gpg -K
journalctl --user -fu split-gpg2-client -o cat

Note the DBus notification server missing does not cause the error, it is another thing on the Qubes code site that I don't know what it is but my private key is still listed and encryption and signing still works.

So I went as far as reinstalling the system and moving to R4.2.2, retested with and without qusal - no cigar. I'm curious that there are no issues on Qubes' repo, or the qubes forum. I have no idea where else to look :)

I'm curious that there are no issues on Qubes' repo, or the qubes forum. I have no idea where else to look :)

I doubt the majority of users are using it, as Qubes documentation still states about the v1 instead of v2.

  1. Have you set up a different username in sys-pgp or gpg-clientvm?
  2. Your split-gpg2 logs do not include the following line that my log includes:
    Using GnuPG home directory /home/user/.gnupg/split-gpg/gpg-clientvm
    

Your output is also missing the KEYINFO that my output has:

C >>>: HAVEKEY REDACTED REDACTED
A <<<: HAVEKEY REDACTED REDACTED
A >>>: OK
C <<<: OK
C >>>: KEYINFO REDACTED
A <<<: KEYINFO REDACTED
A >>>: ERR 67108891 Not found <GPG Agent>
C <<<: ERR 67108891 Not found <GPG Agent>
C >>>: KEYINFO REDACTED
A <<<: KEYINFO REDACTED
A >>>: S KEYINFO REDACTED D - - - C - - -
C <<<: S KEYINFO REDACTED D - - - C - - -
A >>>: OK
C <<<: OK
C >>>:

So this means that your server couldn't locate the keys.

I believe this is something you didn't do right on sys-pgp, but it is very difficult to debug without me seeing what you did.

If you are with a new setup, I'd recommend using a separate monitor for the following operations for privacy reasons and select that monitor when screensharing. Create an example PGP key that you don't mind disclosing, hide the other one by creating a new qube if it is easier for you. Set up video-companion to screenshare dom0, also use video-companion.install-receiver-debug to install cheese, select video and click on the camera icon to record. It will be saved to a file, upload to this issue by attaching a file to a new post. Record the full operation of what you did, from generating the keys to importing the keys to logging the calls etc.
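The log comparison made in the comment above (a home-directory line plus a HAVEKEY answered with OK and an `S KEYINFO` line in one log, none of them in the other) can be checked mechanically over a split-gpg2 debug_log. This is an added example, not code from Qusal or split-gpg2; `analyze`, `Report`, `secret_key_located` and both sample logs are constructed here, and reading `C`/`A` as the client and agent sides is an assumption taken from the transcripts on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed samples in the debug_log format shown on this page, not real captures.
FAILING = """\
C >>>: OPTION display=:0
A <<<: OPTION display=:0
A >>>: ERR 67109115 Forbidden <GPG Agent>
C <<<: ERR 67109115 Forbidden <GPG Agent>
C >>>: HAVEKEY KEYGRIP_A
A <<<: HAVEKEY KEYGRIP_A
A >>>: ERR 67108881 No secret key <GPG Agent>
C <<<: ERR 67108881 No secret key <GPG Agent>
C >>>:
"""
WORKING = """\
Using GnuPG home directory /home/user/.gnupg/split-gpg/dev
C >>>: HAVEKEY KEYGRIP_A KEYGRIP_B
A <<<: HAVEKEY KEYGRIP_A KEYGRIP_B
A >>>: ERR 67108881 No secret key <GPG Agent>
C <<<: ERR 67108881 No secret key <GPG Agent>
C >>>: HAVEKEY KEYGRIP_C KEYGRIP_D
A <<<: HAVEKEY KEYGRIP_C KEYGRIP_D
A >>>: OK
C <<<: OK
C >>>: KEYINFO KEYGRIP_C
A <<<: KEYINFO KEYGRIP_C
A >>>: S KEYINFO KEYGRIP_C D - - - C - - -
C <<<: S KEYINFO KEYGRIP_C D - - - C - - -
A >>>: OK
C <<<: OK
"""
LINE = re.compile(r"^([AC]) (>>>|<<<): ?(.*)$")
HOMEDIR = "Using GnuPG home directory "

@dataclass
class Report:
    homedir: str = ""            # empty: no keyring directory line in the log
    havekey_ok: int = 0          # HAVEKEY commands answered with OK
    havekey_no_secret: int = 0   # HAVEKEY answered with error code 17
    keyinfo_found: int = 0       # "S KEYINFO" status lines sent to the client
    errors: list = field(default_factory=list)  # (verb, error code, text)

def analyze(log_text):
    rep, pending = Report(), None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith(HOMEDIR):
            rep.homedir = line[len(HOMEDIR):]
        m = LINE.match(line)
        if not m:
            continue
        side, arrow, payload = m.groups()
        if (side, arrow) == ("C", ">>>"):        # command read from the client
            pending = payload.split(" ", 1)[0] or None
        elif (side, arrow) == ("C", "<<<") and pending:  # reply sent to client
            if payload.startswith("S KEYINFO "):
                rep.keyinfo_found += 1
            elif payload.split(" ", 1)[0] == "OK":
                rep.havekey_ok += int(pending == "HAVEKEY")
                pending = None
            elif payload.startswith("ERR "):
                parts = payload.split(" ", 2)
                code = int(parts[1]) & 0xFFFF    # low 16 bits: gpg-error code
                rep.errors.append((pending, code, parts[2] if len(parts) > 2 else ""))
                rep.havekey_no_secret += int(pending == "HAVEKEY" and code == 17)
                pending = None
    return rep

def secret_key_located(rep):
    return rep.havekey_ok > 0 or rep.keyinfo_found > 0
```

Run it on sys-pgp against the file named by debug_log; since that log can contain private information, share only the resulting summary.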

Any updates on this matter?

Closing this issue due to lack of response. Please reopen if you are still facing issues.