[GH-ISSUE #5619] mutt: cannot decrypt ~/.muttrc.gpg #3048

Open
opened 2026-05-05 09:41:39 -06:00 by gitea-mirror · 12 comments

Originally created by @hyder365 on GitHub (Jan 25, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5619

Using firejail 0.9.72 on Arch, the new mutt profile causes a bit of chaos. My setup is slightly abnormal so it may be an edge case not worth fixing, but I'll describe it anyway:

Mutt has no ability to hash the stored passwords. Anything in .muttrc is in cleartext. To get around this, some people have a ~/.muttrc.gpg file that contains the login/config info in a gpg-encrypted form. In the normal ~/.muttrc, I have:

```
source "gpg -dq ~/.muttrc.gpg |"
```

This decrypts the real config on startup, but now fails because of firejail presumably blocking off access to that .gpg file (or gpg itself, but I assume that's allowed since so many people use gpg with mutt). The simplest fix I would propose is allowing read access to ~/.muttrc* rather than just ~/.muttrc. For now I can just whitelist access to that file.

edit: Whitelisting that file isn't enough because mutt can't read the gpg keyring it seems. Adding ~/.gnupg as read-only doesn't work because then temp files can't be made. Adding ~/.gnupg as read-write doesn't work because mutt can't access the smartcard holding the private key. I'll just have to disable firejail for this program for now.

gitea-mirror added the needinfo label 2026-05-05 09:41:39 -06:00

@kmk3 commented on GitHub (Jan 26, 2023):

@hyder365 on Jan 25:

> Using firejail 0.9.72 on Arch, the new mutt profile causes a bit of chaos.

Do you mean that it used to work on 0.9.70?

There was an email-related refactor done in 0.9.72 (#5571), but I don't
remember any changes related to these issues.

> My setup is slightly abnormal so it may be an edge case not worth fixing, but
> I'll describe it anyway:
>
> Mutt has no ability to hash the stored passwords. Anything in .muttrc is in
> cleartext. To get around this, some people have a ~/.muttrc.gpg file that
> contains the login/config info in a gpg-encrypted form. In the normal
> ~/.muttrc, I have:
>
> ```
> source "gpg -dq ~/.muttrc.gpg |"
> ```
>
> This decrypts the real config on startup, but now fails because of firejail
> presumably blocking off access to that .gpg file (or gpg itself, but I assume
> that's allowed since so many people use gpg with mutt). The simplest fix I
> would propose is allowing read access to ~/.muttrc* rather than just
> ~/.muttrc. For now I can just whitelist access to that file.

mutt.profile allows access to ~/.config/mutt.

Does it work if you store it somewhere like ~/.config/mutt/muttrc.gpg instead?

> edit: Whitelisting that file isn't enough because mutt can't read the gpg
> keyring it seems. Adding ~/.gnupg as read-only doesn't work because then temp
> files can't be made.

Note that mutt.profile allows access to ~/.gnupg and `${RUNUSER}/gnupg`, so it
should have access to the keyring (unless it's stored somewhere else).

> Adding ~/.gnupg as read-write doesn't work because mutt can't access the
> smartcard holding the private key. I'll just have to disable firejail for
> this program for now.

Do you know what is the path to the smartcard device in /dev?

Does adding this to ~/.config/firejail/mutt.local work?

```
ignore nou2f
ignore private-dev
```

@hyder365 commented on GitHub (Jan 26, 2023):

Thanks for the reply. I'm now trying with the file in ~/.config/mutt/.muttrc.gpg (and ~/.muttrc updated to point here) and a ~/.config/firejail/mutt.profile that has:

```
include /etc/firejail/mutt.profile
ignore nou2f
ignore private-dev
```

But on startup mutt still shows a default config.

```
Reading profile /home/me/.config/firejail/mutt.profile
gpg: decryption failed: No secret key
```

Don't know the /dev node for the Nitrokey. I'd be glad to try any other suggestions.


@rusty-snake commented on GitHub (Jan 26, 2023):

The instruction was to add the two lines to `mutt.local`. Using `mutt.profile` (the way you did) does not work. Can you re-check with `mutt.local`.


@kmk3 commented on GitHub (Jan 26, 2023):

@hyder365 on Jan 26:

> Thanks for the reply. I'm now trying with the file in
> ~/.config/mutt/.muttrc.gpg (and ~/.muttrc updated to point here) and a
> ~/.config/firejail/mutt.profile that has:
>
> ```
> include /etc/firejail/mutt.profile
> ignore nou2f
> ignore private-dev
> ```
>
> But on startup mutt still shows a default config.

In order for the `ignore`s to work, they have to appear before the commands in
question, so redirects should always appear last:

```
ignore nou2f
ignore private-dev

# Redirect
include ${CFG}/mutt.profile
```

Though as @rusty-snake mentioned, unless you actually want to override the
entire default profile, it's easier to just add commands to the .local file
(which is included by the .profile file in /etc).

> Don't know the /dev node for the Nitrokey. I'd be glad to try any other
> suggestions.

Try plugging/unplugging it and running `dmesg -H` to see if it says anything
about the device.

Or doing `ls /dev` with it plugged/unplugged and comparing the results.
Example:

```sh
# (disconnect it)
ls /dev | LC_ALL=C sort -u >before
# (connect it)
ls /dev | LC_ALL=C sort -u >after
diff before after
```
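To see why the order of `ignore` and `include` matters, here is an added Python model of the rule described in the comment above; it is not firejail's own code, and it assumes constructed in-memory profile files plus a simplified matching rule (an `ignore X` line suppresses only lines parsed after it that start with X).

```python
"""Toy model of how firejail applies `ignore` while reading a profile.

Added example, not firejail's own code. Assumptions: profile files are the
constructed in-memory strings below, `include` is resolved from that dict,
and `ignore X` suppresses every line parsed *after* it that starts with X.
"""

# Constructed stand-in for /etc/firejail/mutt.profile: only the handful of
# lines relevant to the thread, not the real profile.
FILES = {
    "${CFG}/mutt.profile": (
        "include mutt.local\n"       # .local is pulled in near the top
        "whitelist ${HOME}/.gnupg\n"
        "nou2f\n"
        "private-dev\n"
    ),
    "mutt.local": "",                # user override file, empty by default
}


def apply_profile(name, files, ignored=None, seen=None):
    """Process `name` top to bottom and return the effective command lines."""
    ignored = [] if ignored is None else ignored  # one list shared by includes
    seen = set() if seen is None else seen
    if name in seen:
        return []                                  # guard against include loops
    seen.add(name)
    effective = []
    for raw in files.get(name, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "ignore" and arg.strip():
            ignored.append(arg.strip())            # only affects later lines
        elif cmd == "include":
            effective.extend(apply_profile(arg.strip(), files, ignored, seen))
        elif any(line.startswith(i) for i in ignored):
            continue                               # suppressed by earlier ignore
        else:
            effective.append(line)
    return effective


def redirect_first():
    """The reporter's ~/.config/firejail/mutt.profile: include, then ignore."""
    text = "include ${CFG}/mutt.profile\nignore nou2f\nignore private-dev\n"
    return apply_profile("user.profile", {**FILES, "user.profile": text})


def ignore_first():
    """Same file with the ignores placed before the redirect."""
    text = ("ignore nou2f\nignore private-dev\n\n"
            "# Redirect\ninclude ${CFG}/mutt.profile\n")
    return apply_profile("user.profile", {**FILES, "user.profile": text})


def via_local():
    """Ignores placed in mutt.local, which the /etc profile includes early."""
    text = "ignore nou2f\nignore private-dev\n"
    return apply_profile("${CFG}/mutt.profile", {**FILES, "mutt.local": text})


if __name__ == "__main__":
    for fn in (redirect_first, ignore_first, via_local):
        print(f"{fn.__name__:15} -> {fn()}")
```

Only `redirect_first()` still carries `nou2f` and `private-dev`, because those lines were already processed when the `ignore` lines were reached.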

@hyder365 commented on GitHub (Jan 26, 2023):

Using ~/.config/firejail/mutt.local with only the two ignore lines mentioned above gets further, but now mutt prompts to insert the smartcard corresponding to the key for decryption of the .muttrc.gpg file.


@hyder365 commented on GitHub (Jan 26, 2023):

There's no difference in the /dev list with the device plugged in or unplugged, even after a reboot.


@rusty-snake commented on GitHub (Jan 26, 2023):

What's about stuff deeper in /dev like /dev/input?


@hyder365 commented on GitHub (Jan 26, 2023):

> What's about stuff deeper in /dev like /dev/input?

```
ls -R /dev | sort -u
```

with and without gives me only one line of diff, "189:641"

```
dmesg -H
```

with and without gives me

```
+[Jan26 15:01] usb 6-1: new full-speed USB device number 3 using uhci_hcd
+[  +0.190387] usb 6-1: New USB device found, idVendor=20a0, idProduct=4211, bcdDevice= 2.00
+[  +0.000009] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[  +0.000005] usb 6-1: Product: Nitrokey Start
+[  +0.000006] usb 6-1: Manufacturer: Nitrokey
+[  +0.000003] usb 6-1: SerialNumber: FSIJ-xxx
```

@kmk3 commented on GitHub (Jan 27, 2023):

@hyder365 on Jan 26:

> Using ~/.config/firejail/mutt.local with only the two ignore lines mentioned
> above gets further, but now mutt prompts to insert the smartcard
> corresponding to the key for decryption of the .muttrc.gpg file.

Does it work with `firejail --profile=noprofile mutt`?

noprofile.profile is intended to allow as much as possible (and so is not
secure).

If so, the problem most certainly lies in mutt.profile (rather than in firejail
itself). In which case, a way to debug it is to comment all of mutt.profile
and then uncomment lines until it breaks again. I'd suggest trying that and
then posting the lines causing the issue.


@hyder365 commented on GitHub (Jan 27, 2023):

> Does it work with `firejail --profile=noprofile mutt`?

Yes, works fine with that.

> If so, the problem most certainly lies in mutt.profile (rather than in firejail itself). In which case, a way to debug it is to comment all of mutt.profile and then uncomment lines until it breaks again. I'd suggest trying that and then posting the lines causing the issue.

If you have any specific ones you want me to try, I'll be glad to.

Reading the default mutt.profile, I see a comment about "Add the next lines to your mutt.local for oauth.py,S/MIME support." but the options are related to perl and python, neither of which I'm using for anything.

(All of those "mkdir" and "mkfile" lines in mutt.profile are *extremely annoying* and I have to clean up my home directory after every attempt to debug this. I didn't need any of those files or directories for mutt functionality.)


@kmk3 commented on GitHub (Jan 27, 2023):

@hyder365 on Jan 27:

> > Does it work with `firejail --profile=noprofile mutt`?
>
> Yes, works fine with that.
>
> > If so, the problem most certainly lies in mutt.profile (rather than in
> > firejail itself). In which case, a way to debug it is to comment all of
> > mutt.profile and then uncomment lines until it breaks again. I'd suggest
> > trying that and then posting the lines causing the issue.
>
> If you have any specific ones you want me to try, I'll be glad to.

I don't have a Nitrokey and I don't know how it is accessed, so my best guess
would have been those `ignore` commands.

Maybe `strace` could help find which paths it tries to access. Example:

```sh
strace /usr/bin/mutt 2>&1 | grep open
```

Other than that, what is left is brute force: Comment everything and uncomment
chunks of lines until the problem is narrowed down.

> Reading the default mutt.profile, I see a comment about "Add the next lines
> to your mutt.local for oauth.py,S/MIME support." but the options are related
> to perl and python, neither of which I'm using for anything.
>
> (All of those "mkdir" and "mkfile" lines in mutt.profile are _extremely
> annoying_ and I have to clean up my home directory after every attempt to
> debug this. I didn't need any of those files or directories for mutt
> functionality.)

Some seem to be completely unnecessary (like the ones related to text editors),
others I'm not sure.

Also, does (/can) mutt itself modify any path other than these?

  • ~/Mail
  • ~/postponed
  • ~/sent

Are all other paths expected to always be created/modified manually from
outside of mutt, including the configuration files?

Note that if mutt creates a path in the home directory that is not whitelisted,
everything in it will be lost after the sandbox is closed.


@rusty-snake commented on GitHub (Jan 28, 2023):

> strace

```bash
strace -e %file -f -o mutt.strace /usr/bin/mutt
```