libreoffice doesn't list gpg private key for a digital signature due to apparmor

Bug #1886092 reported by zunda
This bug affects 7 people
Affects                        Status         Importance   Assigned to         Milestone
libreoffice (Ubuntu)           Fix Released   Low          Rico Tzschichholz
libreoffice (Ubuntu Focal)     Confirmed      Low          Rico Tzschichholz
libreoffice (Ubuntu Groovy)    Fix Released   Low          Rico Tzschichholz
libreoffice (Ubuntu Hirsute)   Fix Released   Low          Rico Tzschichholz

Bug Description

LibreOffice should be able to digitally sign a document with a GPG private key in the GPG key chain. However, the key is not listed in the list of certificates shown following the menu File - Digital Signatures - Digital Signatures... - Sign Document..., after, e.g., creating and saving a document on LibreOffice Writer.

This seems to be because apparmor doesn't allow LibreOffice to communicate with GPG agent. /var/log/syslog shows lines like:

Jul 1 15:15:14 misoan kernel: [20238.265212] audit: type=1400 audit(1593652514.311:333): apparmor="DENIED" operation="connect" profile="libreoffice-soffice//gpg" name="/run/user/1001/gnupg/S.gpg-agent" pid=23725 comm="gpg" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=1001

Locally, I could make LibreOffice show the GPG private key with the following change against /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin

--- apparmor.d.20200702/usr.lib.libreoffice.program.soffice.bin 2019-10-03 10:31:21.000000000 -1000
+++ apparmor.d/usr.lib.libreoffice.program.soffice.bin 2020-07-02 08:59:44.516754728 -1000
@@ -223,6 +223,7 @@

     owner @{HOME}/.gnupg/* r,
     owner @{HOME}/.gnupg/random_seed rk,
+ owner /{,var/}run/user/*/** rw,
   }

   # probably should become a subprofile like gpg above, but then it doesn't
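
Review bot: the added rule `owner /{,var/}run/user/*/** rw,` is much wider than the denial it answers. The syslog line above names a single object, `/run/user/1001/gnupg/S.gpg-agent`, but the `**` lets the gpg child profile read and write every file the user owns anywhere under their runtime directory, not just the agent socket. Suggest limiting the rule to that socket, e.g. `owner /{,var/}run/user/[0-9]*/gnupg/S.gpg-agent rw,`, and matching the four-space indentation of the neighbouring `owner @{HOME}/.gnupg/*` lines so the rule visibly belongs to the `profile gpg` block it is meant to extend.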

Tested with the following packages on Xfce4
$ lsb_release -rd
Description: Ubuntu 20.04 LTS
Release: 20.04
$ apt-cache policy libreoffice-common | grep Installed
  Installed: 1:6.4.3-0ubuntu0.20.04.1
$ apt-cache policy gpg gpg-agent | grep -B1 Installed
gpg:
  Installed: 2.2.19-3ubuntu2
--
gpg-agent:
  Installed: 2.2.19-3ubuntu2
$ apt-cache policy apparmor | grep Installed
  Installed: 2.13.3-7ubuntu5.1
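
As an added example (not part of the bug report, the LibreOffice package, or its AppArmor profile), the script below parses a DENIED audit line of the shape quoted above, derives the narrowest owner rule for the denied object, and uses a small translator from AppArmor path globs to regular expressions to show how much each of the two rules proposed in this thread actually covers. The log line and the comparison path `/run/user/1001/bus` are constructed sample values.

```python
import re

# Constructed sample, shaped like the syslog denial quoted in the bug report
SAMPLE_LOG = (
    'Jul 1 15:15:14 misoan kernel: [20238.265212] audit: type=1400 '
    'audit(1593652514.311:333): apparmor="DENIED" operation="connect" '
    'profile="libreoffice-soffice//gpg" name="/run/user/1001/gnupg/S.gpg-agent" '
    'pid=23725 comm="gpg" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=1001'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def _glob_body(g):
    """Translate an AppArmor path glob (*, **, {a,b}, [...]) into a regex fragment."""
    out, i = '', 0
    while i < len(g):
        if g.startswith('**', i):          # ** crosses directory boundaries
            out, i = out + '.*', i + 2
        elif g[i] == '*':                  # * stops at '/'
            out, i = out + '[^/]*', i + 1
        elif g[i] == '{':                  # {a,b} alternation (non-nested is enough here)
            j = g.index('}', i)
            out += '(?:' + '|'.join(_glob_body(a) for a in g[i + 1:j].split(',')) + ')'
            i = j + 1
        elif g[i] == '[':                  # character class passes through unchanged
            j = g.index(']', i)
            out, i = out + g[i:j + 1], j + 1
        else:
            out, i = out + re.escape(g[i]), i + 1
    return out

def rule_matches(rule_path, path):
    """True if the AppArmor path glob covers the given concrete path."""
    return re.fullmatch(_glob_body(rule_path), path) is not None

def minimal_rule(denial):
    """Narrowest owner rule for a file denial: exact object, uid generalised, denied mask only."""
    path = re.sub(r'^/(?:var/)?run/user/\d+/', '/{,var/}run/user/[0-9]*/', denial['name'])
    return f"owner {path} {''.join(sorted(denial['denied_mask']))},"

if __name__ == '__main__':
    denial = parse_denial(SAMPLE_LOG)
    print(minimal_rule(denial))
    for rule in ('/{,var/}run/user/*/**', '/{,var/}run/user/[0-9]*/gnupg/S.gpg-agent'):
        print(rule, 'covers agent socket:', rule_matches(rule, denial['name']),
              '| also covers /run/user/1001/bus:', rule_matches(rule, '/run/user/1001/bus'))
```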

Tags: focal apparmor
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libreoffice (Ubuntu):
status: New → Confirmed
mvaldez (mario-mariovaldez) wrote :

On my computer (Ubuntu Mate 20.04) this problem also causes the Tools, Options dialog to hang for around 1 minute while trying to connect to the GPG agent. The /var/log/syslog file lists lots of apparmor DENIED entries and the strace of the soffice program shows lots of "gpg: can't connect to the agent" errors for around one minute.

My solution was also to modify the /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin file to add to the gpg profile section (just like user zunda did):

    owner /{,var/}run/user/[0-9]*/gnupg/S.gpg-agent rw,
    owner @{HOME}/.gnupg/* rw,

(the second line seems not to be required to sign the document but is required to use the functions of the Certificate Manager, like adding new keys).

Sebastien Bacher (seb128) wrote :

Confirming using those steps on focal:
- create a new document in writer and save it
- do file -> digital signature -> digital signature -> signing document
- the dialog lists no key

It correctly lists the key after doing
$ sudo aa-complain usr.lib.libreoffice.program.soffice.bin

tags: added: rls-gg-incoming
tags: added: apparmor focal rls-ff-incoming
removed: rls-gg-incoming
summary: - libreoffice doesn't list gpg private key for a digital signature
+ libreoffice doesn't list gpg private key for a digital signature due to
+ apparmor
Gargoyle (g-rgoyle) wrote :

Just upgraded to 20.10 and the bundled LibreOffice version (7.0.2.2) and have the same issue.

I can confirm mvaldez's fix for adding access for the GPG agent worked for me. However, I didn't change the "@{HOME}/.gnupg/*" directive to rw (I don't really want LibreOffice having write access to my gpg stuff!).

Seems to work fine for me for choosing my key from tools->options or File->Digital Signatures then "Sign Document". Clicking "Start Certificate Manager" launches seahorse as expected.

Wouldn't it be better to somehow hook this value to GPG_AGENT_INFO or XDG_RUNTIME_DIR though?

Changed in libreoffice (Ubuntu):
importance: Undecided → Low
Changed in libreoffice (Ubuntu):
assignee: nobody → Heather Ellsworth (hellsworth)
tags: added: rls-ff-tracking
removed: rls-ff-incoming
Changed in libreoffice (Ubuntu Focal):
assignee: nobody → Heather Ellsworth (hellsworth)
importance: Undecided → Low
status: New → Confirmed
tags: removed: rls-ff-tracking
Bhavan Chahal (bkc1995) wrote :

I just wanted to add that I had this issue for a while too on Ubuntu 20.04.1 LTS. None of the above solutions worked for me but what did work was installing and using gnupg2.

Then edit /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to use gpg2 instead of gpg. So I edited the line "/usr/bin/gpg rm," to "/usr/bin/gpg2 rm," as below:

  # there is abstractions/gnupg but that's just for gpg1...
  profile gpg {
    #include <abstractions/base>

    /usr/bin/gpgconf rm,
    /usr/bin/gpg2 rm,
    /usr/bin/gpgsm rm,

    owner @{HOME}/.gnupg/* r,
    owner @{HOME}/.gnupg/random_seed rk,
  }

  # probably should become a subprofile like gpg above, but then it doesn't
  # work either as it tries to access stuff only allowed above...

I hope this works for others too! My key generation took a while but it worked.

Hans Deragon (deragon) wrote :

Confirming that the fix suggested by zunda in the bug description works for me on Ubuntu 20.04.2 LTS and LibreOffice Ubuntu package version 1:7.1.1~rc2-0ubuntu0.20.04.1~lo1.

Below, I repeat the fix just to make sure everybody understands exactly what I did.

--- apparmor.d.20200702/usr.lib.libreoffice.program.soffice.bin 2019-10-03 10:31:21.000000000 -1000
+++ apparmor.d/usr.lib.libreoffice.program.soffice.bin 2020-07-02 08:59:44.516754728 -1000
@@ -223,6 +223,7 @@

     owner @{HOME}/.gnupg/* r,
     owner @{HOME}/.gnupg/random_seed rk,
+ owner /{,var/}run/user/*/** rw,
   }
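
Review bot: the `@@ -223,6 +223,7 @@` offsets come from the 2019-10-03 profile file in the header, while the comment reports the 1:7.1.1 package, so the line numbers may no longer line up on that version; readers applying this by hand should find the `owner @{HOME}/.gnupg/random_seed rk,` line inside `profile gpg {` rather than counting lines. The rule itself still grants read and write on everything the user owns under the runtime directory, far more than the single `S.gpg-agent` socket the denial log names.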

Changed in libreoffice (Ubuntu):
assignee: Heather Ellsworth (hellsworth) → nobody
Changed in libreoffice (Ubuntu Focal):
assignee: Heather Ellsworth (hellsworth) → nobody
Changed in libreoffice (Ubuntu Focal):
assignee: nobody → Rico Tzschichholz (ricotz)
Changed in libreoffice (Ubuntu):
assignee: nobody → Rico Tzschichholz (ricotz)
Changed in libreoffice (Ubuntu Hirsute):
status: Confirmed → In Progress
Changed in libreoffice (Ubuntu Groovy):
assignee: nobody → Rico Tzschichholz (ricotz)
importance: Undecided → Low
Changed in libreoffice (Ubuntu Hirsute):
status: In Progress → Fix Committed
zunda (zundan+launchpad) wrote :

Thanks all!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice - 1:7.1.2~rc2-0ubuntu1

---------------
libreoffice (1:7.1.2~rc2-0ubuntu1) hirsute; urgency=medium

  [ Rico Tzschichholz ]
  * New upstream release candidate
  * Bump yaru source to "2021-03-14" and add yaru-mate styles
  * Fix signing documents with enforced apparmor (LP: #1886092)
  * Disable lto due to insufficient disc space on amd64 builder

  [ Matthias Klose ]
  * Fix lto build, avoiding to pass lto flags to the skia build.

 -- Rico Tzschichholz <email address hidden> Sat, 27 Mar 2021 16:01:35 +0100

Changed in libreoffice (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Marcelo Utida (marcelo-utida) wrote :

Today I upgraded libreoffice via PPA from version 7.1.2 to version 7.1.4, where the digital document signature function stopped working. When informed about the resolution of this bug in version 7.1.2, I didn't find the date of the update of libreoffice from version 6.4.7 to 7.1.2 in Ubuntu version 20.04, so I decided to test version 7.1.2 via PPA and it worked. With the update via PPA this function has now stopped working with version 7.1.4. Is there any relationship in Ubuntu regarding these libreoffice versions?

Seth Arnold (seth-arnold) wrote :

Marcelo, you can see which versions of libreoffice are packaged in which Ubuntu releases via the libreoffice source package page on Launchpad: https://launchpad.net/ubuntu/+source/libreoffice

There's a link at the bottom of that page to help you explore versions that might be published in PPAs.

Thanks

Rico Tzschichholz (ricotz) wrote :

This bug was fixed in the package libreoffice - 1:7.0.6-0ubuntu0.20.10.1

---------------
libreoffice (1:7.0.6-0ubuntu0.20.10.1) groovy; urgency=medium

  * New upstream release (LP: #1928642)
  * Update yaru icon style "2021-03-14"
  * apparmor: Fix signing documents with enforced apparmor
  * apparmor: Allow one more digit in temp files

 -- Rico Tzschichholz <email address hidden> Tue, 18 May 2021 11:25:50 +0200

Changed in libreoffice (Ubuntu Groovy):
status: New → Fix Released
Raphaël Droz (raphael-droz) wrote :

Why would such sensitive software as LibreOffice, particularly exposed (because it's used to open externally provided documents), by default grant access to private keys (which are usually one of the most sensitive parts of the system)?

It's the exact opposite of AppArmor's purpose: a complex/exposed piece of software having access to a sensitive, well-identified, private file. The convenience-security trade-off (and the use-cases/typical user modelling) seem slightly off.

IMHO ~/.gnupg shouldn't be readable by default, but the AppArmor profile should be made in such a way that it can be easily enabled for users actually signing their documents with GnuPG.

Claudio (claudio-eterno) wrote :

I have the same problem; my version was installed in Oct 2024.

Linux claudio-u22-04 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Libreoffice version:
Version: 24.8.2.1 (X86_64) / LibreOffice Community
Build ID: 41740883c77b073d14011387305cb18c71aed59b
CPU threads: 8; OS: Linux 6.8; UI render: default; VCL: gtk3
Locale: it-IT (it_IT.UTF-8); UI: it-IT
Calc: threaded
