Generating a revocation certificate with Enigmail fails
Open thunderbird, open Enigmail>Key Management, select you key pair and open Generate>Revocation Certificate, choose a place to save this certificate.
Enigmail pops up the following error message :
The revocation certificate could not be created.
There is an apparmor DENIED message, I guess related to that, in the logs :
amnesia audit: AVC apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name=<Some very long hexadecimal number> pid=8253 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Since it is not possible to generate a revocation certificate with Seahorse, there is no other options for the user than opening a terminal and starting
gpg --generate-revocation <user-id>
#4 Updated by intrigeri over 1 year ago
Interestingly, on bugfix/15602-efail the Enigmail setup wizard is able to save a revokation certificate to the default location (
~/email@example.com (0x815EBDF9A8A8A268DDDDA8D2AAEA1140B21F1077) rev.asc) => I think this is lower priority than I initially thought (the main path we want users to take is already covered and there's a command-line workaround).
But indeed, trying to do so after the fact fails as goupille reported:
apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name=2F686F6D652F616D6E657369612F7465737432207465737440626F756D2E6F7267202830784141454131313430423231463130373729207265762E617363 pid=7847 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
I was not asked for the passphrase so I think gpg fails to connect to the agent. I've seen these long hex strings before but cannot remember what they're about and how to fix it => I'll need to ask help to my upstream AppArmor team-mates.
#5 Updated by intrigeri over 1 year ago
- Target version changed from Tails_3.8 to Tails_3.9
I've seen these long hex strings before but cannot remember what they're about and how to fix it => I'll need to ask help to my upstream AppArmor team-mates.
Done: https://gitlab.com/apparmor/apparmor-profiles/issues/1. I'll come back to it during next cycle.
#6 Updated by intrigeri over 1 year ago
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 20
Send a MR upstream that fixes this: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/18. Relevant commit is https://gitlab.com/apparmor/apparmor-profiles/merge_requests/18/diffs?commit_id=b5a85063f3a2f087b1838855fbb779ac53381156. IMO it's not worth spending time on importing this patch on our side, let's just fix this upstream and let this flow into Tails by way of Debian and then our patched Thunderbird package.
#7 Updated by intrigeri over 1 year ago
- % Done changed from 20 to 50
- Type of work changed from Research to Wait
Merged upstream and imported into src:thunderbird's Vcs-Git (debian/sid and debian/experimental branches) => we'll get these changes once the Thunderbird package is updated in Debian and we rebuild our own package of top of it.