kleopatra flatpak issue
Ingo Klöcker
kloecker at kde.org
Wed Mar 26 18:10:52 CET 2025
Hi,
usually we reply with inline comments instead of with a full quote of
everything.
On Wednesday, 26 March 2025 16:43:38 Central European Standard Time kevin via
Gnupg-users wrote:
> Okay so an update on this issue, if I am correct this may not really be an
> issue with kleopatra flatpak itself and things might be running as
> expected. After posting here I went to the KDE bug tracking system to
> see similar issues reported and I saw an informational bug ticket which
> said "Kleopatra needs a running gpg-agent from the host to work". Bug
> report link: https://bugs.kde.org/show_bug.cgi?id=459041 So from this I
> conclude that flatpak indeed needs to rely on the host gpg-agent to conduct
> the crypto operations.
I have no idea if this is a limitation of flatpaks in general or just of this
specific flatpak. The warning issued by gpg is a warning that things might go
wrong if the daemons running outside of the flatpak are too old.
> Possible reasons could be because gpg-agent daemon
> needs system integration to perform the secret operations in secure manner
> which flatpaks can't probably do with its sandbox approach. I am no expert
> in Linux packaging but this is what I assume, something related to this.
> Though I feel the warning messages are incorrect, as killing gpg-agent
> won't use newer versions of gpg-agent automatically.
If your system uses gpg-agent with systemd socket activation then it's almost
impossible to start a different gpg-agent. I'm not sure whether keeping the
gpg-agent outside of the flatpak isn't just a workaround for this behavior. In
any case, it's a good idea to keep the gpg-agent, which is the one that handles
the secret key material, outside of the flatpak.
> In a related issue to this issue, can someone tell the proper steps to
> follow for changing all the gpg-agent.service, scdaemon.service and
> keyboxd.service files when manually compiling gpg to updated versions? For
> example I had compiled and installed the latest package and dependencies in
> the directory `/usr/local/bin` and added this to path. But still the
> older gpg-agent and scdaemon were running despite killing and restarting
> multiple times.
The problem is systemd. You have to disable socket activation for GnuPG's
sockets. Search the internet for advice. The developers of GnuPG consider this
socket activation "feature" an abomination. All tools of the GnuPG suite start
the correct gpg-agent (i.e. the one you have built yourself) on demand.
Regards,
Ingo
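
One way to disable the socket activation discussed in the message above, as an added example that is not part of the original message or of GnuPG: it finds the GnuPG socket units installed for the current user, masks them, stops the daemons systemd already started, and shows which binaries will be used from then on. It assumes systemd user units, that masking is an acceptable way to disable them, and that the self-built tools (here `/usr/local/bin`) come first in `PATH`; the function names and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): mask GnuPG's systemd user sockets.

# Read `systemctl --user list-unit-files` output on stdin and print only the
# socket units that belong to GnuPG daemons. Unit names differ between
# distributions, so they are discovered rather than hard-coded.
gnupg_socket_units() {
    awk '$1 ~ /^(gpg-agent|dirmngr|keyboxd|scdaemon).*\.socket$/ { print $1 }'
}

# Constructed sample of list-unit-files output, used for the dry run.
sample_units() {
    cat <<'EOF'
UNIT FILE                 STATE    PRESET
dbus.socket               static   -
dirmngr.socket            enabled  enabled
gpg-agent-browser.socket  enabled  enabled
gpg-agent-extra.socket    enabled  enabled
gpg-agent-ssh.socket      enabled  enabled
gpg-agent.service         static   -
gpg-agent.socket          enabled  enabled
keyboxd.socket            enabled  enabled
pipewire.socket           enabled  enabled
EOF
}

disable_gnupg_socket_activation() {
    units=$(systemctl --user list-unit-files --no-legend | gnupg_socket_units)
    if [ -z "$units" ]; then
        echo "no GnuPG socket units installed for this user"
        return 0
    fi
    # Word splitting of the unit list is intended: one argument per unit.
    systemctl --user mask --now $units
    gpgconf --kill all                        # stop daemons systemd started
    gpgconf --list-components                 # paths of the binaries in use
    gpg-connect-agent 'getinfo version' /bye  # starts the agent on demand
}

if [ "${1:-}" = "--apply" ]; then
    disable_gnupg_socket_activation
else
    echo "dry run on constructed sample; pass --apply to change your units:"
    sample_units | gnupg_socket_units
fi
```

The change can be reverted with `systemctl --user unmask` on the same unit names.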