[GH-ISSUE #2786] private-gnupg? #1744

Closed
opened 2026-05-05 08:24:46 -06:00 by gitea-mirror · 11 comments

Originally created by @msva on GitHub (Jun 19, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2786

Hi there!
I'm trying to customize my chrome profile to allow the usage of the BrowserPass plugin (integration with the pass password manager, which, in turn, uses gpg).
So, I'd like to create a separate ~/.gnupg directory for chrome (to not share my own with chrome's jail), but I see no way to do that now.

The only similar way is using private=path, but it is incompatible with psd (profile-sync-daemon, the thing that helps save the SSD from browsers' violence), which I am using. So, it looks like it is not an option.

I also tried to whitelist ~/.gnupg (although it is definitely not what I want), but the plugin still fails to work, complaining about the "wrong owner" of ~/.gnupg. :-/

So, is it possible to achieve what I want with the current directives, or can we implement something like a private-gnupg directive, working like "private", but for ~/.gnupg?


@chiraag-nataraj commented on GitHub (Jun 19, 2019):

This is actually the exact reason I decided not to use the browser integration, to be honest — I would have to open up my browser profile way too much.

Right now, I can use pass in a way that it never has access to the internet (except for the occasional pass git push). With the setup required for passff or browserpass or whatever, you have to open up your browser profile quite a bit.

I don't think creating a separate ~/.gnupg directory would work. I actually need to use this trick for another piece of software I use (ProtonMail Bridge) and whitelisting ~/.gnupg works just fine (it uses pass for storing credentials), so I'm curious as to why it's breaking on your end. You may have to also use writable-run-user to ensure the gpg-agent socket is available (assuming you have a systemd system which starts gpg-agent as a service listening in /var/run/gnupg or whatever).


@msva commented on GitHub (Jun 19, 2019):

The idea of a separate ~/.gnupg was about splitting up the key used to encrypt the chrome subdir from my other keys, so if something escapes the chrome sandbox (well, actually, not that I trust Google either), it will not have access to all of my case.
That is also why I don't want it to have access to the gpg-agent that runs outside of firejail...


@rusty-snake commented on GitHub (Jun 20, 2019):

@msva workaround to have a private-gnupg option (not tested with chrome + pass; maybe gpg-agent can make problems, but you already say you don't want to use it):

    firejail --mkdir=${HOME}/.gnupg_chrome --whitelist=${HOME}/.gnupg_chrome --env=GNUPGHOME=${HOME}/.gnupg_chrome chrome


@rusty-snake commented on GitHub (Jun 26, 2019):

@msva does that work for you?


@rusty-snake commented on GitHub (Jul 15, 2019):

@msva I'm closing here due to inactivity, please feel free to reopen if you have more questions.


@msva commented on GitHub (Sep 27, 2019):

Sorry for the delay in the communication.
Unfortunately, I can't re-open the issue.

Although the workaround itself looks fine, it seems something is strange with FJ:

By default, I start chrome as google-chrome-unstable, which resides in /usr/local/bin and is a symlink to firejail.
Also, I'm doing all the stuff in ~/.config/firejail/google-chrome-unstable.profile. And almost all the things work fine.
Although, if I put

    env VAR=val

(not even GNUPGHOME, just any random variable), and then firejail --join=chrome_pid, there is NO such variable.

But if I run firejail --profile=~/.config/firejail/google-chrome-unstable.profile sh -c 'echo $VAR' I can see its value (although, somehow, both " and ${HOME} stay there, while they shouldn't, IMHO (I suppose ${HOME} should be interpreted and replaced with the proper path, and "" should disappear, not being interpreted as part of the variable value)).


@msva commented on GitHub (Sep 27, 2019):

btw, is there a way for firejail to force exit after the "main child" exits?
Say, I run Chrome (or, say, KMail) in FJ, but then gpg-agent spawns inside the jail, and even when I exit KMail or Chrome, that gpg-agent keeps running and keeps the jail alive...
So, I'd like there to be a way to avoid such orphan jails :-/


@rusty-snake commented on GitHub (Sep 27, 2019):

Related to #2433? Workaround: maybe something like firejail sh -c "chrome; kill .... Or start gpg-agent by your DE / SessionManager (e.g. systemd --user).


@rusty-snake commented on GitHub (Sep 27, 2019):

> Although, if I put env VAR=val (not even GNUPGHOME, just any random variable), and then firejail --join=chrome_pid, there is NO such variable.

See #907. @chiraag-nataraj any progress on this?


@msva commented on GitHub (Sep 27, 2019):

> Related to #2433?

Yeah, the problem looks a bit similar.

> Workaround: maybe something like firejail sh -c "chrome; kill ....

Well, that is what I tried to avoid by symlinking /usr/local/bin/chrome-binary-name to firejail... (I mean, "creating additional wrappers").

> Or start gpg-agent by your DE / SessionManager (e.g. systemd --user).

It is. But I don't trust chrome to use that agent (with cached GPG auth), so I don't enable the writable-run-user option in chrome's profile (so, I guess, that's why gpg called in the jail can't see the running agent and spawns a new one).


@VTimofeenko commented on GitHub (May 16, 2020):

I managed to set up Firefox in firejail+apparmor with browserpass:

  1. Preparation:

     • The browser-only password store is at ${HOME}/.websites-passwords
     • The gnupg directory with a single key encrypting that password store is at ${HOME}/.gnupg_ff
     • There is a wrapper /usr/bin/test_gpg with the following content:

         #!/bin/sh
         # Always use the browser-only keyring; "$@" is quoted so arguments containing spaces survive intact
         /usr/bin/gpg2 --homedir="${HOME}/.gnupg_ff" "$@"

       (replace $HOME here with the real home)

  2. FF Addon configuration: /usr/bin/test_gpg is set as the custom gpg binary and ${HOME}/.websites-passwords as the custom store location

  3. Firejail profile whitelists the two directories:

         mkdir ${HOME}/.gnupg_ff
         whitelist ${HOME}/.gnupg_ff
         mkdir ${HOME}/.websites-passwords
         whitelist ${HOME}/.websites-passwords

  4. Apparmor allows executables from /usr/libexec/browserpass-native (in /etc/apparmor.d/local/firejail-local):

         # Site-specific additions and overrides for 'firejail-default'.
         # For more details, please see /etc/apparmor.d/local/README.
         /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}libexec/browserpass-native ix,

Note on dbus:
If the only available pinentry programs are gnome ones, I believe ignore nodbus is required in the profile, otherwise the pinentry window would not appear. As an alternative, pinentry-fltk may be used.

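A fail-closed variant of the --env=GNUPGHOME workaround and the test_gpg wrapper above, added here as an example (not code from the thread, firejail or browserpass): it refuses to run gpg unless the separate homedir is a 0700 directory owned by the invoking user (the "wrong owner" failure from the opening post), and passes --no-autostart so gpg cannot spawn an agent inside the jail (the orphan-jail problem raised later). The variables BROWSER_GNUPGHOME and GPG_BIN are assumptions for this example.

```shell
#!/bin/sh
# Added example: a fail-closed gpg wrapper for a browser-only keyring.
# Assumed environment (not from the thread): BROWSER_GNUPGHOME is the separate
# homedir (default $HOME/.gnupg_ff as in the thread), GPG_BIN is the real gpg.

# Print the homedir the wrapper will use; a missing variable never falls back to ~/.gnupg.
resolve_gnupghome() {
    printf '%s\n' "${BROWSER_GNUPGHOME:-$HOME/.gnupg_ff}"
}

# Return 0 only if "$1" is a directory owned by the invoking user with mode 0700.
# gpg warns or refuses on any other ownership/permissions, which is the symptom
# seen when ~/.gnupg is merely whitelisted into the jail.
check_gnupghome() {
    dir=$1
    [ -d "$dir" ] || return 1
    # POSIX find: -prune keeps the tests on the starting point only, no descent.
    [ -n "$(find "$dir" -prune -user "$(id -un)" -perm 700 -print 2>/dev/null)" ]
}

run_gpg() {
    home=$(resolve_gnupghome)
    if ! check_gnupghome "$home"; then
        printf 'test_gpg: refusing to run, %s is missing, not owned by %s, or not mode 0700\n' \
            "$home" "$(id -un)" >&2
        return 2
    fi
    # --homedir pins the keyring; --no-autostart stops gpg from launching its own
    # gpg-agent inside the jail, so closing the browser leaves no orphaned sandbox.
    exec "${GPG_BIN:-/usr/bin/gpg2}" --homedir="$home" --no-autostart "$@"
}

# Dispatch only when installed under the wrapper name used in the thread, so the
# functions can also be sourced and checked without actually running gpg.
case ${0##*/} in
    test_gpg) run_gpg "$@" ;;
esac
```

Install it as /usr/bin/test_gpg (the name the addon is pointed at) and it behaves like the thread's wrapper, except that a mis-whitelisted or wrongly owned homedir produces an error instead of silently using the host keyring.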