github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #3562] Allow gajim to access GPG keys #2234

New issue

Closed

opened 2026-05-05 08:55:33 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 08:55:33 -06:00

Owner

Originally created by @bbhtt on GitHub (Jul 31, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3562

Current master for Gajim https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/gajim.profile doesn't allow to use GPG keys. And gajim-pgp is now installed alongside with gajim on Ubuntu. Add corresponding noblacklist/whitelist, read-only .gnugpg; private-bin needs to be commented to use GPG, because I can't figure out what it needs access to and throws this error with it:

gajim.c.gnupg potential problem: FAILURE: sign <key>
gajim.c.gnupg gpg returned a non-zero error code: 2

Tried adding gpg-agent,which doesn't work. Using firejail --build doesn't show output on terminal,tried with strace, I can't find it. Looking at the raw output of --build from /tmp it is accessing /usr/bin/gpg and a bunch of files under ~/.gnugpg,/etc/gcrypt.

Gajim 1.1.3.

Also like Gajim consider whitelist ${DOWNLOADS} in pidgin, account wide buddy icons are blocked.

Originally created by @bbhtt on GitHub (Jul 31, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3562 Current master for Gajim https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/gajim.profile doesn't allow to use GPG keys. And `gajim-pgp` is now installed alongside with `gajim` on Ubuntu. Add corresponding `noblacklist/whitelist, read-only .gnugpg`; `private-bin` needs to be commented to use GPG, because I can't figure out what it needs access to and throws this error with it: ``` gajim.c.gnupg potential problem: FAILURE: sign <key> gajim.c.gnupg gpg returned a non-zero error code: 2 ``` Tried adding `gpg-agent,which` doesn't work. Using `firejail --build` doesn't show output on terminal,tried with `strace`, I can't find it. Looking at the raw output of `--build` from `/tmp` it is accessing `/usr/bin/gpg` and a bunch of files under `~/.gnugpg`,`/etc/gcrypt`. Gajim 1.1.3. Also like Gajim consider `whitelist ${DOWNLOADS}` in pidgin, account wide buddy icons are blocked.

gitea-mirror closed this issue

2026-05-05 08:55:34 -06:00

gitea-mirror commented

2026-05-05 08:55:36 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jul 31, 2020):

Open a PR 🙃 🤓 . The question is whether we want to make it opt-in, since PGP is not the easiest / common way to encrypt XMPP.

@rusty-snake commented on GitHub (Jul 31, 2020): Open a PR :upside_down_face: :nerd_face: . The question is whether we want to make it opt-in, since PGP is not the easiest / common way to encrypt XMPP.

gitea-mirror commented

2026-05-05 08:55:37 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Aug 2, 2020):

The question is whether we want to make it opt-in, since PGP is not the easiest / common way to encrypt XMPP.

Let's do opt-in; someone who is using GPG is probably technically skilled enough that enabling it wouldn't be a big deal, and otherwise we don't expose any sensitive info unnecessarily.

@Fred-Barclay commented on GitHub (Aug 2, 2020): > The question is whether we want to make it opt-in, since PGP is not the easiest / common way to encrypt XMPP. Let's do opt-in; someone who is using GPG is probably technically skilled enough that enabling it wouldn't be a big deal, and otherwise we don't expose any sensitive info unnecessarily.

gitea-mirror commented

2026-05-05 08:55:38 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Aug 2, 2020):

Let's do opt-in;

Yes, especially because OMEMO > PGP for XMPP

@SkewedZeppelin commented on GitHub (Aug 2, 2020): > Let's do opt-in; Yes, especially because OMEMO > PGP for XMPP

gitea-mirror commented

2026-05-05 08:55:38 -06:00

Author

Owner

@bbhtt commented on GitHub (Aug 2, 2020):

OMEMO > PGP

OMEMO is based on device trust,different than PGP and I don't need the extra features it gives. Also the default gajim-pgp that is installed alongside gajim on Ubuntu is based on XEP0027 which has been obsoleted by XEP0373 long ago,idk why Ubuntu includes gajim-pgp but not gajim-openpgp as default.I'll add in a PR later once I test some other plug-ins like Latex. private-bin started working again,guess it's a problem with gpg agent. I'll check on a new system.Close this,thanks.

@bbhtt commented on GitHub (Aug 2, 2020): OMEMO > PGP OMEMO is based on device trust,different than PGP and I don't need the extra features it gives. Also the default `gajim-pgp` that is installed alongside `gajim` on Ubuntu is based on XEP0027 which [has been obsoleted](https://mail.jabber.org/pipermail/standards/2016-January/030755.html) by XEP0373 long ago,idk why Ubuntu includes `gajim-pgp` but not `gajim-openpgp` as default.I'll add in a PR later once I test some other plug-ins like Latex. `private-bin` started working again,guess it's a problem with gpg agent. I'll check on a new system.Close this,thanks.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2234

No description provided.

Rows
Columns