
libreoffice: cannot sign documents with GPG #6352

Closed
4 of 7 tasks
marek22k opened this issue May 21, 2024 · 3 comments · Fixed by #6353

Comments

@marek22k
Contributor

Description

LibreOffice with Firejail cannot sign documents

Steps to Reproduce

  1. Open a Write/Impress document with LibreOffice.
  2. Click in the menu on File -> Digital Signatures -> Digital Signatures... -> Sign Document...

Expected behavior

My private GPG key appears.

Actual behavior

No key appears at all.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

$ LC_ALL=C firejail --noprofile /usr/bin/libreoffice --impress presentation.odp 
Parent pid 258790, child pid 258791
Child process initialized in 7.06 ms
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

Additional context

When I click on "Start Certificate Manager..." Kleopatra appears. With Firejail, Kleopatra appears and does not display any private or public keys. Without Firejail, all my keys are displayed.

Environment

Arch Linux

$ firejail --version
firejail version 0.9.72

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

$ LC_ALL=C firejail /usr/bin/libreoffice --impress presentation.odp 
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/allow-java.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 259461, child pid 259462
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/marek/.ssh/config
Warning: not remounting /run/user/1000/doc
Warning: cleaning all supplementary groups
Child process initialized in 136.03 ms

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

firejail.log

@glitsj16
Collaborator

Hi, thank you for reporting. Looks like we never considered GPG signing is a thing in LibreOffice. Should be easily fixed. Can you test the below snippets in a ~/.config/firejail/libreoffice.local please? Both try to achieve functioning document signing, but differ in how much we open the profile for doing so.

[1] The less restrictive version:

$ cat ~/.config/firejail/libreoffice.local
noblacklist ${HOME}/.gnupg

[2] The more restrictive version:

$ cat ~/.config/firejail/libreoffice.local
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/gpg.conf
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
blacklist ${HOME}/.gnupg/random_seed
blacklist ${HOME}/.gnupg/pubring.kbx~
blacklist ${HOME}/.gnupg/private-keys-v1.d
blacklist ${HOME}/.gnupg/crls.d
blacklist ${HOME}/.gnupg/openpgp-revocs.d

Hopefully you can get a working document signing with at least one of the above.

Regards
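The two snippets differ in what the sandbox can reach under ~/.gnupg: variant [2] keeps private-keys-v1.d, the revocation certificates and the random seed out of the sandbox while leaving the keyrings readable. The following is an added example, not code from this thread or from firejail: a deliberately simplified model of how blacklist, noblacklist and read-only combine, useful for checking what a .local file actually exposes before testing it. It assumes the base profile blacklists ${HOME}/.gnupg (disable-common.inc does that), that noblacklist lifts exactly that entry, and that the longest matching path prefix wins among the remaining rules.

```python
"""Simplified model of how firejail combines the blacklist, noblacklist and
read-only directives used in the .local snippets above (added example, not
firejail's own code). Assumed: disable-common.inc blacklists ${HOME}/.gnupg,
`noblacklist` lifts that entry, and the longest matching rule path wins."""
from pathlib import PurePosixPath

HOME = "/home/marek"  # constructed sample home directory
BASE_BLACKLIST = (f"{HOME}/.gnupg",)  # assumed contribution of disable-common.inc

RESTRICTIVE_LOCAL = """\
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/gpg.conf
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
blacklist ${HOME}/.gnupg/random_seed
blacklist ${HOME}/.gnupg/pubring.kbx~
blacklist ${HOME}/.gnupg/private-keys-v1.d
blacklist ${HOME}/.gnupg/crls.d
blacklist ${HOME}/.gnupg/openpgp-revocs.d
"""

def expand(path: str) -> str:
    return path.replace("${HOME}", HOME)

def parse_local(text: str) -> list[tuple[str, str]]:
    """Return (directive, path) pairs, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            directive, _, path = line.partition(" ")
            rules.append((directive, expand(path.strip())))
    return rules

def _covers(rule_path: str, path: str) -> bool:
    rp, p = PurePosixPath(rule_path), PurePosixPath(path)
    return p == rp or rp in p.parents

def access(rules: list[tuple[str, str]], path: str) -> str:
    """Effective access to `path`: 'blocked', 'read-only' or 'read-write'."""
    path = expand(path)
    lifted = {p for d, p in rules if d == "noblacklist"}
    effective = [("blacklist", b) for b in BASE_BLACKLIST if b not in lifted]
    effective += [(d, p) for d, p in rules if d in ("blacklist", "read-only")]
    best = None  # most specific (longest) matching rule wins
    for d, p in effective:
        if _covers(p, path) and (best is None or len(p) > len(best[1])):
            best = (d, p)
    if best is None:
        return "read-write"
    return "blocked" if best[0] == "blacklist" else "read-only"
```

With variant [2], a file under private-keys-v1.d comes out as blocked and pubring.kbx as read-only, while with variant [1] everything under ~/.gnupg is read-write; the real test is still running LibreOffice under the profile.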

@marek22k
Contributor Author

Thanks for the quick reply.

Both variants work for me.

@glitsj16
Collaborator

Both variants work for me.

Great. I've opened a PR implementing the more restrictive version. Thanks for testing!

kmk3 pushed a commit to glitsj16/firejail that referenced this issue May 24, 2024
Based on the entries in etc/profile-m-z/makepkg.profile.

This fixes netblue30#6352.
glitsj16 added a commit that referenced this issue May 24, 2024
Based on the entries in etc/profile-m-z/makepkg.profile.

This fixes #6352.
kmk3 added a commit that referenced this issue Jun 10, 2024
@kmk3 kmk3 changed the title LibreOffice with Firejail cannot sign documents libreOffice: cannot sign documents with GPG Jun 10, 2024
@kmk3 kmk3 changed the title libreOffice: cannot sign documents with GPG libreoffice: cannot sign documents with GPG Jun 10, 2024
@github-project-automation github-project-automation bot moved this to Done (on RELNOTES) in Release 0.9.74 Aug 28, 2024