mutt: cannot decrypt ~/.muttrc.gpg #5619
Comments
Do you mean that it used to work on 0.9.70? There was an email-related refactor done in 0.9.72 (#5571), but I don't
mutt.profile allows access to ~/.config/mutt. Does it work if you store it somewhere like ~/.config/mutt/muttrc.gpg instead?
Note that mutt.profile allows access to ~/.gnupg and
Do you know what the path to the smartcard device in /dev is? Does adding this to ~/.config/firejail/mutt.local work?
Thanks for the reply. I'm now trying with the file in ~/.config/mutt/.muttrc.gpg (and ~/.muttrc updated to point here) and a ~/.config/firejail/mutt.profile that has:
But on startup mutt still shows a default config.
Don't know the /dev node for the Nitrokey. I'd be glad to try any other suggestions.
The instruction was to add the two lines to
In order for the
Though as @rusty-snake mentioned, unless you actually want to override the
Try plugging/unplugging it and running Or doing

```sh
# (disconnect it)
ls /dev | LC_ALL=C sort -u >before
# (connect it)
ls /dev | LC_ALL=C sort -u >after
diff before after
```
Using ~/.config/firejail/mutt.local with only the two ignore lines mentioned above gets further, but now mutt prompts to insert the smartcard corresponding to the key for decryption of the .muttrc.gpg file.
There's no difference in the /dev list with the device plugged in or unplugged, even after a reboot.
What about stuff deeper in /dev like /dev/input?
with and without gives me only one line of diff, "189:641"
with and without gives me
Does it work with noprofile.profile is intended to allow as much as possible (and so is not If so, the problem most certainly lies in mutt.profile (rather than in firejail
Yes, works fine with that.
If you have any specific ones you want me to try, I'll be glad to. Reading the default mutt.profile, I see a comment about "Add the next lines to your mutt.local for oauth.py,S/MIME support." but the options are related to perl and python, neither of which I'm using for anything. (All of those "mkdir" and "mkfile" lines in mutt.profile are extremely annoying and I have to clean up my home directory after every attempt to debug this. I didn't need any of those files or directories for mutt functionality.)
I don't have a Nitrokey and I don't know how it is accessed, so my best guess Maybe strace /usr/bin/mutt 2>&1 | grep open Other than that, what is left is brute force: Comment everything and uncomment
Some seem to be completely unnecessary (like the ones related to text editors), Also, does (/can) mutt itself modify any path other than these?
Are all other paths expected to always be created/modified manually from Note that if mutt creates a path in the home directory that is not whitelisted,
```sh
strace -e %file -f -o mutt.strace /usr/bin/mutt
```
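As an added example (not from this issue or the firejail project), a small parser for the `strace -e %file -f -o` output suggested above: it separates failed accesses under $HOME into paths outside the directories the profile already allows (whitelist candidates) and failures inside them (which point at a read-only mount rather than a missing path). The home directory, the allowed-directory list and the strace lines are constructed assumptions.

```python
"""Summarise which paths under $HOME a sandboxed program failed to reach,
from `strace -e %file -f -o mutt.strace` output, so a firejail .local can be
tightened precisely instead of by trial and error."""
import re
from collections import defaultdict

HOME = "/home/user"  # assumed home directory for the constructed sample
# Directories the thread says mutt.profile already allows (assumed read-write).
ALLOWED = (f"{HOME}/.config/mutt", f"{HOME}/.gnupg")

# Constructed sample of strace output; not a real capture from the issue.
SAMPLE_STRACE = """\
4242 execve("/usr/bin/mutt", ["mutt"], 0x7ffd0c /* 30 vars */) = 0
4242 openat(AT_FDCWD, "/home/user/.muttrc", O_RDONLY) = 3
4242 openat(AT_FDCWD, "/home/user/.muttrc.gpg", O_RDONLY) = -1 ENOENT (No such file or directory)
4243 openat(AT_FDCWD, "/home/user/.gnupg/pubring.kbx", O_RDONLY) = 4
4243 openat(AT_FDCWD, "/home/user/.gnupg/.#lk0x5600", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
4243 stat("/run/user/1000/gnupg/S.gpg-agent", {st_mode=S_IFSOCK|0600, ...}) = 0
4242 openat(AT_FDCWD, "/home/user/.config/mutt/.muttrc.gpg", O_RDONLY) = 5
"""

# pid, syscall name, argument list, return value and optional errno name.
LINE_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+(E[A-Z]+))?')
PATH_RE = re.compile(r'"([^"]*)"')  # the first quoted argument is the path

def parse_strace(text):
    """Return (pid, syscall, path, errno) per file syscall; errno is None on success."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # signal, exit and unfinished/resumed lines carry no path
        pid, call, args, _ret, errno = m.groups()
        p = PATH_RE.search(args)
        if p:
            records.append((int(pid), call, p.group(1), errno))
    return records

def failed_home_paths(records, home=HOME, allowed=ALLOWED):
    """Group failed accesses under `home`: paths in no allowed directory are
    whitelist candidates; failures inside an allowed directory (typically
    EACCES on a create) indicate it is mounted read-only."""
    report = defaultdict(set)
    for _pid, _call, path, errno in records:
        if errno is None or not path.startswith(home + "/"):
            continue
        inside_allowed = any(path.startswith(a + "/") for a in allowed)
        report["read_only_or_denied" if inside_allowed else "not_whitelisted"].add(path)
    return {k: sorted(v) for k, v in report.items()}

if __name__ == "__main__":
    for kind, paths in failed_home_paths(parse_strace(SAMPLE_STRACE)).items():
        print(kind, *paths, sep="\n  ")
```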
Using firejail 0.9.72 on Arch, the new mutt profile causes a bit of chaos. My setup is slightly abnormal so it may be an edge case not worth fixing, but I'll describe it anyway:
Mutt has no ability to hash the stored passwords. Anything in .muttrc is in cleartext. To get around this, some people have a ~/.muttrc.gpg file that contains the login/config info in a gpg-encrypted form. In the normal ~/.muttrc, I have:
This decrypts the real config on startup, but now fails because of firejail presumably blocking off access to that .gpg file (or gpg itself, but I assume that's allowed since so many people use gpg with mutt). The simplest fix I would propose is allowing read access to ~/.muttrc* rather than just ~/.muttrc. For now I can just whitelist access to that file.
edit: Whitelisting that file isn't enough because mutt can't read the gpg keyring it seems. Adding ~/.gnupg as read-only doesn't work because then temp files can't be made. Adding ~/.gnupg as read-write doesn't work because mutt can't access the smartcard holding the private key. I'll just have to disable firejail for this program for now.