[GH-ISSUE #6352] libreoffice: cannot sign documents with GPG #3244

Closed
opened 2026-05-05 09:51:11 -06:00 by gitea-mirror · 3 comments

Originally created by @marek22k on GitHub (May 21, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6352

Description

LibreOffice with Firejail cannot sign documents

Steps to Reproduce

  1. Open a Write/Impress document with LibreOffice.
  2. Click in the menu on File -> Digital Signatures -> Digital Signatures... -> Sign Document...

Expected behavior

My private GPG key appears.

Actual behavior

No key appears at all.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

```
$ LC_ALL=C firejail --noprofile /usr/bin/libreoffice --impress presentation.odp
Parent pid 258790, child pid 258791
Child process initialized in 7.06 ms
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...
```

Additional context

When I click on "Start Certificate Manager..." Kleopatra appears. With Firejail, Kleopatra appears and does not display any private or public keys. Without Firejail, all my keys are displayed.

Environment

Arch Linux

```
$ firejail --version
firejail version 0.9.72

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

```
$ LC_ALL=C firejail /usr/bin/libreoffice --impress presentation.odp
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/allow-java.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 259461, child pid 259462
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/marek/.ssh/config
Warning: not remounting /run/user/1000/doc
Warning: cleaning all supplementary groups
Child process initialized in 136.03 ms

Parent is shutting down, bye...
```

Output of LC_ALL=C firejail --debug /path/to/program

firejail.log: https://github.com/netblue30/firejail/files/15394988/firejail.log

gitea-mirror closed this issue and added the bug label on 2026-05-05 09:51:11 -06:00.

@ghost commented on GitHub (May 21, 2024):

Hi, thank you for reporting. Looks like we never considered GPG signing is a thing in LibreOffice. Should be easily fixed. Can you test the below snippets in a ~/.config/firejail/libreoffice.local please? Both try to achieve functioning document signing, but differ in how much we open the profile for doing so.

[1] The less restrictive version:

```sh
$ cat ~/.config/firejail/libreoffice.local
noblacklist ${HOME}/.gnupg
```

[2] The more restrictive version:

```sh
$ cat ~/.config/firejail/libreoffice.local
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/gpg.conf
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
blacklist ${HOME}/.gnupg/random_seed
blacklist ${HOME}/.gnupg/pubring.kbx~
blacklist ${HOME}/.gnupg/private-keys-v1.d
blacklist ${HOME}/.gnupg/crls.d
blacklist ${HOME}/.gnupg/openpgp-revocs.d
```

Hopefully you can get a working document signing with at least one of the above.

Regards
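
Added example (not part of the original thread and not Firejail's own code): a small Python audit of the two `libreoffice.local` variants quoted in the comment above, reporting which `~/.gnupg` entries each override blocks, makes read-only, or leaves unblocked. It is a simplified model: it reads only the three directives used in the thread and matches a path or its parent directory, without evaluating the included profiles, globbing, or Firejail's actual mount behaviour; the function names are illustrative.

```python
import posixpath

# The two libreoffice.local variants proposed in the thread, copied verbatim.
VARIANT_1 = "noblacklist ${HOME}/.gnupg\n"
VARIANT_2 = """\
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/gpg.conf
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
blacklist ${HOME}/.gnupg/random_seed
blacklist ${HOME}/.gnupg/pubring.kbx~
blacklist ${HOME}/.gnupg/private-keys-v1.d
blacklist ${HOME}/.gnupg/crls.d
blacklist ${HOME}/.gnupg/openpgp-revocs.d
"""

# Strictest directive first: a blacklisted entry stays hidden even though
# its parent directory was opened with noblacklist (assumed model).
VERDICTS = (("blacklist", "blocked"), ("read-only", "read-only"),
            ("noblacklist", "unblocked"))


def parse_override(text):
    """Collect the paths named by each of the three directives."""
    rules = {directive: set() for directive, _ in VERDICTS}
    for line in text.splitlines():
        directive, _, path = line.strip().partition(" ")
        if directive in rules and path.strip():  # skips comments and others
            rules[directive].add(posixpath.normpath(path.strip()))
    return rules


def exposure(text, path):
    """Classify one path as blocked, read-only, unblocked or untouched."""
    rules = parse_override(text)
    path = posixpath.normpath(path)
    for directive, verdict in VERDICTS:
        # A rule covers the path itself and everything beneath it.
        if any(path == r or path.startswith(r + "/") for r in rules[directive]):
            return verdict
    return "untouched"  # this override says nothing about the path


def audit(text, names, base="${HOME}/.gnupg"):
    """Map each entry name under base to its exposure verdict."""
    return {name: exposure(text, f"{base}/{name}") for name in names}
```

Under this model, any entry that variant [2] does not name comes out as `unblocked`, so the override should be re-checked against a listing of the real `~/.gnupg` directory.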


@marek22k commented on GitHub (May 22, 2024):

Thanks for the quick reply.

Both variants work for me.


@ghost commented on GitHub (May 22, 2024):

> Both variants work for me.

Great. I've opened a PR implementing the more restrictive version. Thanks for testing!
