Bug 1689390 - Evolution flatpak in Silverblue cannot gpg-sign outgoing email
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 29
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: David King
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-03-15 19:13 UTC by Veteran
Modified: 2019-03-18 17:17 UTC

Attachments: error upon sending (deleted), 2019-03-15 19:13 UTC, Veteran

Description Veteran 2019-03-15 19:13:23 UTC
Created attachment 1544590
error upon sending

Description of problem:
When trying to send a gpg-signed email from Evolution on Silverblue, sending fails with the error message:

"Could not create message.

You may need to select different mail options.

Detailed error: Output from gpg:
gpg: directory '/home/lelia/.gnupg' created
gpg: keybox '/home/lelia/.gnupg/pubring.kbx' created
gpg: skipped "0x82C0229C6332042B": No secret key
gpg: signing failed: No secret key"

Reading encrypted or signed messages also fails with the message:
"Could not parse PGP/MIME message: Failed to decrypt MIME part: Secret key not found"

Regular signing and encryption with gpg/gpg2/gpgsm works perfectly.

Version-Release number of selected component (if applicable):
Linux silverblue 4.20.15-200.fc29.x86_64 #1 SMP Mon Mar 11 16:01:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Evolution - Manage your email, contacts and schedule                                                                                                    org.gnome.Evolution                    3.32.0   stable  x86_64  flathub  system


How reproducible:
Install Fedora 29 Silverblue. Copy gnupg keyrings to machine. Install flatpak evolution. Try to send encrypted email to yourself.

Steps to Reproduce:
1. Install Fedora 29 Silverblue
2. Copy gnupg keyrings to machine
3. Install Evolution flatpak
4. Try to send encrypted email to yourself

Actual results:
Unable to send or receive encrypted/signed email

Expected results:
Send and receive encrypted/signed email

Additional info:

Comment 1 Milan Crha 2019-03-18 11:05:54 UTC
Thanks for the bug report. I'm kind of surprised it has access to gpg at all, but maybe it's part of the used runtime.

> Regular signing and encryption with gpg/gpg2/gpgsm works perfectly.

What do you mean by 'regular' there, please? Like running a terminal and gpg from there?

I think the problem here is that the flatpak Evolution doesn't have access to, or doesn't use, the same gpg keyring as the 'regular' gpg. The flatpak applications run in an isolated environment, with limited access to host system data and binaries. It means that accessing the host system's /usr/bin/sendmail, /usr/bin/bogofilter, /usr/bin/spamassassin and /usr/bin/gpg is a no go. While you can configure the flatpak application to have access to certain files, you cannot configure it to have access to binaries in /usr/bin or /bin, as far as I know.

A similar problem with gpg can occur when both gpg1 and gpg2 are installed. The command line can use gpg1, but Evolution can use gpg2, or vice versa, while gpg1 has a keyring independent from gpg2's, which means the keys imported with gpg1 are not accessible from gpg2.

> Detailed error: Output from gpg:
> gpg: directory '/home/lelia/.gnupg' created
> gpg: keybox '/home/lelia/.gnupg/pubring.kbx' created

The above quoted text looks suspicious; I do not understand how it could try to use the /home/lelia/.gnupg keyring. That it did not exist means the 'regular' call possibly uses a different keyring.

I do not know whether flatpak has any workarounds/tweaks specific to gpg, which the evolution-in-flatpak should enable anyhow, thus I am moving this to flatpak with a plea for help. This can be moved back to Evolution once a solution is found.

Comment 2 Veteran 2019-03-18 15:03:48 UTC
By regular I mean yes, from a terminal.

Just a point of clarification: Fedora uses gpg and gpg2. Debian-based Linuxes use gpg1 and gpg2 (gpg generally being aliased/symlinked to gpg2).

I verified that both gnupg and gnupg2 are installed, so the gpg that evolution uses would seem to be gnupg version 1.

I agree that it is using a different keyring. Question is whether it can be tricked into using something I actually can configure.

Thank you for looking at it. I searched over in Flathub's issues section on GitHub and I did not find any similar bug (nor any indication that things were recently triaged).

Comment 3 Milan Crha 2019-03-18 17:17:06 UTC
Evolution(-data-server, to be precise) code searches for gpg2 and for gpg, in this order. It doesn't search for gpg1 specifically. Users can set which gpg version to use in:
   $ gsettings get org.gnome.evolution-data-server camel-gpg-binary
which expects:
   $ gsettings describe org.gnome.evolution-data-server camel-gpg-binary
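
A diagnostic sketch for the keyring mismatch discussed in this thread, added here as an example; it is not part of any comment and is not Evolution or flatpak code. It assumes the `camel-gpg-binary` value is honoured only when it points at an executable and that a sandbox can be recognised by `/.flatpak-info`; the function names are hypothetical.

```shell
# Added diagnostic sketch, not Evolution or flatpak code. Run it with a key ID
# in a host terminal and again inside the sandbox, then compare the reports.

# True inside a flatpak sandbox (/.flatpak-info exists); $1 is a test-only root.
in_flatpak() { [ -f "${1:-}/.flatpak-info" ]; }

# Pick the gpg binary: the camel-gpg-binary value ($1) first (assumption:
# honoured only when executable), then gpg2, then gpg along a PATH-style
# list ($2), following the search order given in comment 3.
resolve_gpg() (
    IFS=:
    if [ -n "$1" ] && [ -x "$1" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    for name in gpg2 gpg; do
        for dir in $2; do
            if [ -x "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                return 0
            fi
        done
    done
    return 1
)

# True when binary $1 finds a secret key for key ID $3 in homedir $2.
has_secret_key() { "$1" --homedir "$2" --batch --list-secret-keys "$3" >/dev/null 2>&1; }

# Print one report for the environment the script is running in.
report() {
    home=${GNUPGHOME:-$HOME/.gnupg}
    setting=$(gsettings get org.gnome.evolution-data-server camel-gpg-binary 2>/dev/null | tr -d "'")
    if in_flatpak; then echo "sandbox: flatpak"; else echo "sandbox: none"; fi
    if ! bin=$(resolve_gpg "$setting" "$PATH"); then
        echo "binary:  neither gpg2 nor gpg found"
        return 1
    fi
    echo "binary:  $bin"
    echo "homedir: $home"
    if has_secret_key "$bin" "$home" "$1"; then
        echo "secret key $1: present"
    else
        echo "secret key $1: MISSING"
    fi
}

# Example: sh gpg-report.sh 0x82C0229C6332042B  (key ID from the error above)
if [ $# -gt 0 ]; then report "$1"; fi
```

Inside the sandbox a shell can be opened with `flatpak run --command=sh org.gnome.Evolution`; a different binary, or a key reported MISSING in only one of the two runs, points at the separate keyring suspected in comment 1.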
