On 5/16/20 5:42 AM, Robert Spigler wrote:
I have a master private key (Certify Only) stored in Vault, separate Encryption and Sign secret_subkeys generated in Vault and stored in networkless work-gpg. All public keys stored in a separate AppVM for 'qubes-gpg-client' command to access the work-gpg VM via the Split GPG protocol.

I have keys with the same configuration and also struggled with this for a while.

I have successfully tested signing and verifying text with my new key, and decrypting messages to my new key. My one issue has been encrypting messages to other keys:

`export QUBES_GPG_DOMAIN=work-gpg`
`cat InFile | qubes-gpg-client --encrypt --recipient RECIPIENT`

Results in the error:

>gpg: There is no assurance this key belongs to the named user
>gpg: cannot open '/dev/tty': No such device or address

Well, I can't sign the public key, that is a documented downside of SplitGPG with Subkeys. As for the second, I tried adding `no-tty` to ~/.gnupg/gpg.conf in work-gpg

trying the above command again results in the new error: `EOF` with no change to the file. So I try a new approach:

`export QUBES_GPG_DOMAIN=work-gpg` (I'll stop repeating this line so I don't annoy you all)
`qubes-gpg-client --output OutFile --encrypt --recipient RECIPIENT InFile`

Error:

>Only '-' argument supported for --output option

^^I have no idea what that is about. So, remove the output file request and just attempt to write over:

`qubes-gpg-client --encrypt --recipient RECIPIENT InFile`

Error:

>gpg: There is no assurance this key belongs to the names user
>gpg: Sorry, no terminal at all requested - can't get input'

Let's remove the conf line we added earlier, and run again:

Error:

>There is no assurance this key belongs to the named user
>gpg: cannot open '/dev/tty': No such device or address'

I give up! Does anyone have any idea what is going on here?

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/19c2623b-100b-4e7b-8618-d00f16dba464%40googlegroups.com.

Purchasing an OpenPGP smartcard (yubikey, nitrokey etc) really simplified things for me. I keep the private key(s) in my vault and now I sign, encrypt and authenticate using it wherever I need.
I know that this is not the solution you are looking for. But it's a good one to achieve the same end.