github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5477] claws-mail: seahorse pinentry is blocked #3010

New issue
Open
opened 2026-05-05 09:39:48 -06:00 by gitea-mirror · 13 comments
gitea-mirror commented 2026-05-05 09:39:48 -06:00
Owner
Copy link

Originally created by @Xunil73 on GitHub (Nov 21, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5477

I use claws-mail with the PGP/core PGP/inline and PGP/mime plugins. To pass the pinentry password prompt of the keys i use the "remember password" function of seahorse and the option "use gpg-agent" of claws-mail. The standard firejail profile for claws-mail blocks the pinentry function.
I searched all .profiles for entries like "pinentry" and found things like:
/etc/firejail/psi.profile:# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG
...i guess this is the right way to force claws-mail.profile to accept a pinentry function but i wasn't able to implement it to the profile, i don't know how to enable this.
Is there a way to solve this?

Originally created by @Xunil73 on GitHub (Nov 21, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5477 I use claws-mail with the PGP/core PGP/inline and PGP/mime plugins. To pass the pinentry password prompt of the keys i use the "remember password" function of seahorse and the option "use gpg-agent" of claws-mail. The standard firejail profile for claws-mail blocks the pinentry function. I searched all .profiles for entries like "pinentry" and found things like: `/etc/firejail/psi.profile:# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG` ...i guess this is the right way to force claws-mail.profile to accept a pinentry function but i wasn't able to implement it to the profile, i don't know how to enable this. Is there a way to solve this?
gitea-mirror commented 2026-05-05 09:39:50 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Nov 21, 2022):

Thank you for opening this ticket. Your use case isn't something we've considered when originally creating the claws-mail profile, so we'll need to do some trial-and-error work to get this covered and functioning properly. It's a bit more complicated than usual for me to test this, due to not having 'real world' PGP-encrypted email traffic at hand. But with your help and some Q&A we'll get there.

Looking at the profile the private-bin which mentions some of these pinentry-X options isn't enabled, so those commands are not being blocked. My first guess is it might be something from the seahorse end we need to explicitly allow. Can you try adding the below to a claws-mail.local or email-common.local and report back your findings?

whitelist ${RUNUSER}/keyring
<!-- gh-comment-id:1322332866 --> @ghost commented on GitHub (Nov 21, 2022): Thank you for opening this ticket. Your use case isn't something we've considered when originally creating the claws-mail profile, so we'll need to do some trial-and-error work to get this covered and functioning properly. It's a bit more complicated than usual for me to test this, due to not having 'real world' PGP-encrypted email traffic at hand. But with your help and some Q&A we'll get there. Looking at the profile the `private-bin` which mentions some of these `pinentry-X` options isn't enabled, so those commands are not being blocked. My first guess is it might be something from the seahorse end we need to explicitly allow. Can you try adding the below to a claws-mail.local or email-common.local and report back your findings? ``` whitelist ${RUNUSER}/keyring ```
gitea-mirror commented 2026-05-05 09:39:51 -06:00
Author
Owner
Copy link

@Xunil73 commented on GitHub (Nov 21, 2022):

Thank you for your reply and help! I addend the line above in a .local and the error changed. The original error was "pinentry error" and after adding the line the error switched to (translated) :
"digital signature error: data signing failed, inappropriate IOCTL (I/O-Control) for the device."

<!-- gh-comment-id:1322495410 --> @Xunil73 commented on GitHub (Nov 21, 2022): Thank you for your reply and help! I addend the line above in a .local and the error changed. The original error was "pinentry error" and after adding the line the error switched to (translated) : "digital signature error: data signing failed, inappropriate IOCTL (I/O-Control) for the device."
gitea-mirror commented 2026-05-05 09:39:52 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Nov 21, 2022):

Aha, I've seen that error before. Do you export GPG_TTY=$(tty) on your machine? See this for more info.
Can you post the full output you get from claws-mail, regardless of errors? I happen to read (some) German, very kind and thoughtful of you to provide the translation :-)

<!-- gh-comment-id:1322536110 --> @ghost commented on GitHub (Nov 21, 2022): Aha, I've seen that error before. Do you `export GPG_TTY=$(tty)` on your machine? See [this](https://wiki.archlinux.org/title/GnuPG#Configure_pinentry_to_use_the_correct_TTY) for more info. Can you post the full output you get from claws-mail, regardless of errors? I happen to read (some) German, very kind and thoughtful of you to provide the translation :-)
gitea-mirror commented 2026-05-05 09:39:53 -06:00
Author
Owner
Copy link

@Xunil73 commented on GitHub (Nov 22, 2022):

Until now i have not set the environment. After setting GPG_TTY the error changed again to "Error with signature, data signature failed, file or directory not found".
Regardless of the previous measure names, the output is always the same:

$ firejail claws-mail
Reading profile /etc/firejail/claws-mail.profile
Reading profile /etc/firejail/claws-mail.local
Reading profile /etc/firejail/email-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2437, child pid 2438
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Blacklist violations are logged to syslog
Child process initialized in 259.92 ms

(claws-mail:4): dbind-WARNING **: 08:36:59.840: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-Dtw3D1Ma9y: Datei oder Verzeichnis nicht gefunden

** (claws-mail:4): WARNING **: 08:36:59.842: Unable to connect to dbus: Verbindung ist gescheitert: Keine Berechtigung

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.009: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.009: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.009: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.144: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.144: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.144: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.145: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.145: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.145: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): Claws-Mail-WARNING **: 08:37:00.493: While connecting to session manager: Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed.
Created directory /home/harry/.bogofilter .
Can't open file 'wordlist.db' in directory '/home/harry/.bogofilter'.
error #2 - No such file or directory.

Remember to register some spam and ham messages before you
use bogofilter to evaluate mail for its probable spam status!

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:06.006: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:06.006: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:06.006: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:31.939: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:31.939: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:31.939: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): Gtk-CRITICAL **: 08:37:51.564: IA__gtk_toggle_tool_button_set_active: assertion 'GTK_IS_TOGGLE_TOOL_BUTTON (button)' failed

(claws-mail:4): Gtk-CRITICAL **: 08:37:53.012: IA__gtk_toggle_tool_button_set_active: assertion 'GTK_IS_TOGGLE_TOOL_BUTTON (button)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:54.141: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:54.141: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:54.141: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): Gtk-WARNING **: 08:37:57.257: Failed to set text from markup due to error parsing markup: Fehler in Zeile 6, Zeichen 1: »dj5m@ok.de« ist kein gültiger Name: »@«

(claws-mail:4): Gtk-WARNING **: 08:37:57.257: Failed to set text from markup due to error parsing markup: Fehler in Zeile 6, Zeichen 1: »dj5m@ok.de« ist kein gültiger Name: »@«

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:57.298: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:57.298: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:57.298: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): Gtk-WARNING **: 08:37:57.299: Failed to set text from markup due to error parsing markup: Fehler in Zeile 6, Zeichen 1: »dj5m@ok.de« ist kein gültiger Name: »@«

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:59.664: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:59.664: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 08:37:59.664: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 09:35:51.975: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 09:35:51.975: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(claws-mail:4): GLib-GIO-CRITICAL **: 09:35:51.975: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

as you can see, there is no prompt in console after closing claws-mail.
This error happens if i try to perform a signature and encryption operation on claws-mail in the sandbox.
After CLOSING the claws-mail GUI the console startet from hangs and
two threads of claws-mail persist:

$ ps -ax | grep firejail
   2437 pts/0    S+     0:00 firejail claws-mail
   2438 pts/0    S+     0:00 firejail claws-mail
   2973 pts/1    S+     0:00 grep firejail

Edit by @kmk3: Fix formatting.

<!-- gh-comment-id:1323322964 --> @Xunil73 commented on GitHub (Nov 22, 2022): Until now i have not set the environment. After setting GPG_TTY the error changed again to "Error with signature, data signature failed, file or directory not found". Regardless of the previous measure names, the output is always the same: ```console $ firejail claws-mail Reading profile /etc/firejail/claws-mail.profile Reading profile /etc/firejail/claws-mail.local Reading profile /etc/firejail/email-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file Parent pid 2437, child pid 2438 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Blacklist violations are logged to syslog Child process initialized in 259.92 ms (claws-mail:4): dbind-WARNING **: 08:36:59.840: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-Dtw3D1Ma9y: Datei oder Verzeichnis nicht gefunden ** (claws-mail:4): WARNING **: 08:36:59.842: Unable to connect to dbus: Verbindung ist gescheitert: Keine Berechtigung (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.009: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.009: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.009: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.144: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.144: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.144: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.145: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.145: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:00.145: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): Claws-Mail-WARNING **: 08:37:00.493: While connecting to session manager: Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed. Created directory /home/harry/.bogofilter . Can't open file 'wordlist.db' in directory '/home/harry/.bogofilter'. error #2 - No such file or directory. ``` Remember to register some spam and ham messages before you use bogofilter to evaluate mail for its probable spam status! ``` (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:06.006: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:06.006: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:06.006: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:31.939: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:31.939: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:31.939: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): Gtk-CRITICAL **: 08:37:51.564: IA__gtk_toggle_tool_button_set_active: assertion 'GTK_IS_TOGGLE_TOOL_BUTTON (button)' failed (claws-mail:4): Gtk-CRITICAL **: 08:37:53.012: IA__gtk_toggle_tool_button_set_active: assertion 'GTK_IS_TOGGLE_TOOL_BUTTON (button)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:54.141: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:54.141: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:54.141: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): Gtk-WARNING **: 08:37:57.257: Failed to set text from markup due to error parsing markup: Fehler in Zeile 6, Zeichen 1: »dj5m@ok.de« ist kein gültiger Name: »@« (claws-mail:4): Gtk-WARNING **: 08:37:57.257: Failed to set text from markup due to error parsing markup: Fehler in Zeile 6, Zeichen 1: »dj5m@ok.de« ist kein gültiger Name: »@« (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:57.298: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:57.298: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:57.298: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): Gtk-WARNING **: 08:37:57.299: Failed to set text from markup due to error parsing markup: Fehler in Zeile 6, Zeichen 1: »dj5m@ok.de« ist kein gültiger Name: »@« (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:59.664: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:59.664: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 08:37:59.664: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 09:35:51.975: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 09:35:51.975: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (claws-mail:4): GLib-GIO-CRITICAL **: 09:35:51.975: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed ``` as you can see, there is no prompt in console after closing claws-mail. This error happens if i try to perform a signature and encryption operation on claws-mail in the sandbox. After CLOSING the claws-mail GUI the console startet from hangs and two threads of claws-mail persist: ```console $ ps -ax | grep firejail 2437 pts/0 S+ 0:00 firejail claws-mail 2438 pts/0 S+ 0:00 firejail claws-mail 2973 pts/1 S+ 0:00 grep firejail ``` --- Edit by @kmk3: Fix formatting.
gitea-mirror commented 2026-05-05 09:39:54 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Nov 22, 2022):

(Offtopic)

@Xunil73 See the following links for how to format code blocks in markdown:

<!-- gh-comment-id:1324050693 --> @kmk3 commented on GitHub (Nov 22, 2022): (Offtopic) @Xunil73 See the following links for how to format code blocks in markdown: * <https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks> * <https://github.github.com/gfm/#fenced-code-blocks>
gitea-mirror commented 2026-05-05 09:39:55 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Nov 23, 2022):

Can't open file 'wordlist.db' in directory '/home/harry/.bogofilter'.
error #2 - No such file or directory.

Do you have that wordlist.db file? The profile makes ${HOME}/.bogofilter accessible so this could just be a matter of not (yet) having used/configured the bogofilter plugin. Anyway, this doesn't seem to be related to pinentry being blocked.

At the moment I can't come up with a better strategy than trying to comment lines one by one to find the culprit. One thing you might start with is the apparmor option, but this is pure guessing from my part.

<!-- gh-comment-id:1325445480 --> @ghost commented on GitHub (Nov 23, 2022): > Can't open file 'wordlist.db' in directory '/home/harry/.bogofilter'. error #2 - No such file or directory. Do you have that `wordlist.db` file? The profile makes ${HOME}/.bogofilter accessible so this could just be a matter of not (yet) having used/configured the bogofilter plugin. Anyway, this doesn't seem to be related to pinentry being blocked. At the moment I can't come up with a better strategy than trying to comment lines one by one to find the culprit. One thing you might start with is the `apparmor` option, but this is pure guessing from my part.
gitea-mirror commented 2026-05-05 09:39:56 -06:00
Author
Owner
Copy link

@Xunil73 commented on GitHub (Nov 24, 2022):

I think i have found the solution. Based on your tips, I tried and tried until it finally worked.
With this /etc/firejail/claws-mail.local i can use the signature/encryption plugins with
my keyring and Seahorse's "remember password" function:

$ cat /etc/firejail/claws-mail.local 
   whitelist ${RUNUSER}/keyring
   whitelist ${RUNUSER}/gnupg
   whitelist ${RUNUSER}/gnupg2
   include allow-python2.inc
   include allow-python3.inc
   ignore nonewprivs
   ignore dbus-user none
   ignore dbus-system none

Annotation: only the entry ignore nonewprivs made sure that all associated processes terminated properly when the program was terminated. Without this, two processes always continued to run in the terminal after closing claws-mail.

@glitsj16 many thanks for your help!

<!-- gh-comment-id:1326775875 --> @Xunil73 commented on GitHub (Nov 24, 2022): I think i have found the solution. Based on your tips, I tried and tried until it finally worked. With this ``` /etc/firejail/claws-mail.local ``` i can use the signature/encryption plugins with my keyring and Seahorse's "remember password" function: ~~~ $ cat /etc/firejail/claws-mail.local whitelist ${RUNUSER}/keyring whitelist ${RUNUSER}/gnupg whitelist ${RUNUSER}/gnupg2 include allow-python2.inc include allow-python3.inc ignore nonewprivs ignore dbus-user none ignore dbus-system none ~~~ Annotation: only the entry ``` ignore nonewprivs ``` made sure that all associated processes terminated properly when the program was terminated. Without this, two processes always continued to run in the terminal after closing claws-mail. @glitsj16 many thanks for your help!
gitea-mirror commented 2026-05-05 09:39:56 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Nov 25, 2022):

@Xunil73 Thanks for digging into this! I've been doing some experimenting with claws-mail too here and have some remarks/pointers. I use a custom GTK2 build with support for the plugins I actually use, so your mileage may vary.

whitelist ${RUNUSER}/gnupg2

Does that path exist on your machine? It doesn't on my Arch Linux box, so it might not be needed.

ignore dbus-user none
ignore dbus-system none

If disabling D-Bus restrictions is needed for your use case(s), that's fine. Note that this creates a weaker sandbox though, especially allowing access to the system bus. I managed to get encrypting/signing working without allowing it:

dbus-user.talk org.freedesktop.secrets
dbus-user.talk org.gnome.keyring
dbus-user.talk org.gnome.keyring.PrivatePrompter
dbus-user.talk org.gnome.seahorse
dbus-user.talk org.gnome.seahorse.Application

Maybe you can experiment with these, and hopefully keep a tighter sandbox while using these plugins.

Annotation: only the entry ignore nonewprivs made sure that all associated processes terminated properly when the program was terminated. Without this, two processes always continued to run in the terminal after closing claws-mail.

Ignoring nonewprivs is not something I like to do. Again, it weakens the sandbox considerably. Try adding deterministic-shutdown. That might help with this.

I'll keep an eye on this thread so we can add appropriate comments in the relevant profiles for other users who might face this specific problem. IMO it's an important use case we should support 'out of the box'. Thanks again for bringing it to our attention!

<!-- gh-comment-id:1327024698 --> @ghost commented on GitHub (Nov 25, 2022): @Xunil73 Thanks for digging into this! I've been doing some experimenting with claws-mail too here and have some remarks/pointers. I use a custom GTK2 build with support for the plugins I actually use, so your mileage may vary. > whitelist ${RUNUSER}/gnupg2 Does that path exist on your machine? It doesn't on my Arch Linux box, so it might not be needed. > ignore dbus-user none ignore dbus-system none If disabling `D-Bus` restrictions is needed for your use case(s), that's fine. Note that this creates a weaker sandbox though, especially allowing access to the system bus. I managed to get encrypting/signing working without allowing it: ``` dbus-user.talk org.freedesktop.secrets dbus-user.talk org.gnome.keyring dbus-user.talk org.gnome.keyring.PrivatePrompter dbus-user.talk org.gnome.seahorse dbus-user.talk org.gnome.seahorse.Application ``` Maybe you can experiment with these, and hopefully keep a tighter sandbox while using these plugins. > Annotation: only the entry ignore nonewprivs made sure that all associated processes terminated properly when the program was terminated. Without this, two processes always continued to run in the terminal after closing claws-mail. Ignoring nonewprivs is not something I like to do. Again, it weakens the sandbox considerably. Try adding `deterministic-shutdown`. That _might_ help with this. I'll keep an eye on this thread so we can add appropriate comments in the relevant profiles for other users who might face this specific problem. IMO it's an important use case we should support 'out of the box'. Thanks again for bringing it to our attention!
gitea-mirror commented 2026-05-05 09:39:57 -06:00
Author
Owner
Copy link

@Xunil73 commented on GitHub (Nov 28, 2022):

ok, thanks for this info! But now i'm really confused, i tried firejail->claws-mail now again with a fresh installed Debian and ArchLinux on an laptop. In both cases all encryption and signing works WITHOUT any workaround on the basic claws-mail.profile . I don't know why, it is the same debian distribution with the same installed packages as on the machine i had the problems with the plugins. Let's see if i can figure it out...

<!-- gh-comment-id:1329413781 --> @Xunil73 commented on GitHub (Nov 28, 2022): ok, thanks for this info! But now i'm really confused, i tried firejail->claws-mail now again with a fresh installed Debian and ArchLinux on an laptop. In both cases all encryption and signing works WITHOUT any workaround on the basic ```claws-mail.profile``` . I don't know why, it is the same debian distribution with the same installed packages as on the machine i had the problems with the plugins. Let's see if i can figure it out...
gitea-mirror commented 2026-05-05 09:39:58 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Nov 29, 2022):

@Xunil73 Interesting. These things happen, although I cannot explain. Maybe something stale in claws-mail configuration that is now gone. Anyway, I hope it keeps working as expected, in which case we don't need to change our related profiles. I keep checking this encrypting/signing functionality now too as claws-mail is my default mail program on Arch Linux. I'll keep this issue open for now though, just in case.

<!-- gh-comment-id:1330715452 --> @ghost commented on GitHub (Nov 29, 2022): @Xunil73 Interesting. These things happen, although I cannot explain. Maybe something stale in claws-mail configuration that is now gone. Anyway, I hope it keeps working as expected, in which case we don't need to change our related profiles. I keep checking this encrypting/signing functionality now too as claws-mail is my default mail program on Arch Linux. I'll keep this issue open for now though, just in case.
gitea-mirror commented 2026-05-05 09:39:59 -06:00
Author
Owner
Copy link

@marek22k commented on GitHub (Feb 24, 2023):

I also get:

Could not queue message for sending:

Signature failed: Data signing failed, pinentry error

Is there a workaround currently? It works without firejail.

Debug logs:

sgpgme.c:594:sgpgme_setup_signers: OpenPGP protocol
sgpgme.c:601:using default gnupg key
prefs_gpg.c:668:unset GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1
pgpmime.c:540:gpgme_op_sign error : 5000056
alertpanel.c:253:Creating alert panel dialog...
alertpanel.c:211:called inc_lock (lock count 2)
alertpanel.c:221:called inc_unlock (lock count 1)
compose.c:5430:called inc_unlock (lock count 0)

Adding the following does not help:

   whitelist ${RUNUSER}/keyring
   whitelist ${RUNUSER}/gnupg
   whitelist ${RUNUSER}/gnupg2
   include allow-python2.inc
   include allow-python3.inc
   ignore nonewprivs
   ignore dbus-user none
   ignore dbus-system none

dbus-user.talk org.freedesktop.secrets
dbus-user.talk org.gnome.keyring
dbus-user.talk org.gnome.keyring.PrivatePrompter
dbus-user.talk org.gnome.keyring.SystemPrompter
dbus-user.talk org.gnome.seahorse
dbus-user.talk org.gnome.seahorse.Application
dbus-user.talk org.mozilla.*
dbus-user.talk org.gnome.keyring.SystemPrompter
<!-- gh-comment-id:1442948706 --> @marek22k commented on GitHub (Feb 24, 2023): I also get: ``` Could not queue message for sending: Signature failed: Data signing failed, pinentry error ``` Is there a workaround currently? It works without firejail. Debug logs: ``` sgpgme.c:594:sgpgme_setup_signers: OpenPGP protocol sgpgme.c:601:using default gnupg key prefs_gpg.c:668:unset GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1 pgpmime.c:540:gpgme_op_sign error : 5000056 alertpanel.c:253:Creating alert panel dialog... alertpanel.c:211:called inc_lock (lock count 2) alertpanel.c:221:called inc_unlock (lock count 1) compose.c:5430:called inc_unlock (lock count 0) ``` Adding the following does not help: ``` whitelist ${RUNUSER}/keyring whitelist ${RUNUSER}/gnupg whitelist ${RUNUSER}/gnupg2 include allow-python2.inc include allow-python3.inc ignore nonewprivs ignore dbus-user none ignore dbus-system none dbus-user.talk org.freedesktop.secrets dbus-user.talk org.gnome.keyring dbus-user.talk org.gnome.keyring.PrivatePrompter dbus-user.talk org.gnome.keyring.SystemPrompter dbus-user.talk org.gnome.seahorse dbus-user.talk org.gnome.seahorse.Application dbus-user.talk org.mozilla.* dbus-user.talk org.gnome.keyring.SystemPrompter ```
gitea-mirror commented 2026-05-05 09:40:00 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 24, 2023):

@marek22k

Adding the following does not help:

If you're on Firejail 0.9.72 the following options are already present (either in claws-mail.profile or email-common.profile):

whitelist ${RUNUSER}/gnupg
dbus-user.talk org.freedesktop.secrets
dbus-user.talk org.gnome.keyring
dbus-user.talk org.gnome.keyring.PrivatePrompter
dbus-user.talk org.gnome.keyring.SystemPrompter (BTW, this appears twice in your post)
dbus-user.talk org.gnome.seahorse.Application

Also, 'dbus-user none' isn't used, so ignoring it won't do anything useful.

Assuming you have it working on a non-firejailed claws-mail, what you can try is disabling dbus-user filter, to rule out if what you're seeing is indeed D-Bus related: ignore dbus-user filter.

<!-- gh-comment-id:1443380765 --> @ghost commented on GitHub (Feb 24, 2023): @marek22k > Adding the following does not help: If you're on Firejail 0.9.72 the following options are already present (either in claws-mail.profile or email-common.profile): whitelist ${RUNUSER}/gnupg dbus-user.talk org.freedesktop.secrets dbus-user.talk org.gnome.keyring dbus-user.talk org.gnome.keyring.PrivatePrompter dbus-user.talk org.gnome.keyring.SystemPrompter (BTW, this appears twice in your post) dbus-user.talk org.gnome.seahorse.Application Also, 'dbus-user none' isn't used, so ignoring it won't do anything useful. Assuming you have it working on a non-firejailed claws-mail, what you can try is disabling dbus-user filter, to rule out if what you're seeing is indeed D-Bus related: `ignore dbus-user filter`.
gitea-mirror commented 2026-05-05 09:40:00 -06:00
Author
Owner
Copy link

@marek22k commented on GitHub (Feb 24, 2023):

That works. Thanks for the help!

<!-- gh-comment-id:1443431056 --> @marek22k commented on GitHub (Feb 24, 2023): That works. Thanks for the help!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3010
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?