Bug 115538 - GnuPG / OpenPGP keys not found on macOS unless from command line
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): 6.0.2.1 release
Hardware: All Mac OS X (All)
Importance: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: implementationError
Duplicates: 116638
Depends on:
Blocks:
 
Reported: 2018-02-08 07:29 UTC by Florian Effenberger
Modified: 2019-02-05 12:39 UTC (History)

See Also:
Crash report or crash signature:


Attachments
GPGME debug trace (12.06 KB, text/plain)
2018-03-27 17:27 UTC, Tony Kinyua
Description Florian Effenberger 2018-02-08 07:29:53 UTC
Description:
Running LibreOffice 6.0 on macOS 10.13 with GPGTools 2017.3.

No PGP keys/signatures are found when LibreOffice is started from Spotlight or directly via double click on ODF file.

This is both visible in the settings when no predefined PGP key can be chosen, and in the signature dialog, when no PGP is offered.

Regular X.509 certificates work (from within Thunderbird's profile).

Verifying existing signatures yields an error message with "broken/unknown signature".

Starting LibreOffice via "open /Applications/LibreOffice.app", or "open file.odt" or "/Applications/LibreOffice.app/Contents/MacOS/soffice" does find the key.

I assume it has something to do with the path to GPGTools, but no idea how to chase this. Both PATH and /etc/paths.d seem to contain the right path.

I can confirm above behaviour on two different machines.

Steps to Reproduce:
1. Open LibreOffice
2. Go to Settings, Encryption

Actual Results:  
PGP keys shown as option for default keys

Expected Results:
No PGP keys available


Reproducible: Always


User Profile Reset: Yes



Additional Info:
Version: 6.0.0.3
Build-ID: 64a0f66915f38c6217de274f0aa8e15618924765
CPU-Threads: 8; BS: Mac OS X 10.13.3; UI-Render: Standard; 
Gebietsschema: de-DE (de_DE.UTF-8); Calc: group


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0
Comment 1 Alex Thurgood 2018-02-12 09:22:35 UTC
I can't find my GnuPG key via LibreOffice :

Version: 6.0.0.3
Build ID: 64a0f66915f38c6217de274f0aa8e15618924765
Threads CPU : 8; OS : Mac OS X 10.13.3; UI Render : par défaut; 
Locale : fr-FR (fr_FR.UTF-8); Calc: group

I'm guessing that this is because the gnupg folder is hidden in the file system by default in MacOS.
Comment 2 Alex Thurgood 2018-02-12 09:28:47 UTC
OK, so even after making the gnupg folder visible, LO still can't find any keys.
Comment 3 Alex Thurgood 2018-02-12 09:29:18 UTC
@Thorsten : any ideas ?
Comment 4 Thorsten Behrens (CIB) 2018-02-12 14:53:58 UTC
wow, interesting effect. will need to replicate on OSX & see if we can somehow workaround that. sigh.
Comment 5 Hans-Gerd Ernst 2018-02-13 16:58:28 UTC
Libre Office 6.0.0.3 does not find the GPG-certificate to digitally sign an odt-file. 


Some information about the environment: 

Version: 6.0.0.3
Build ID: 64a0f66915f38c6217de274f0aa8e15618924765
CPU threads: 2; OS: Mac OS X 10.10.5; UI render: default; 
Locale: en-GB (en_GB.UTF-8); Calc: group

GPGTools, 2017(GPL v3)

Firefox 58.0.2
Comment 6 Arturo Candela 2018-03-03 10:14:31 UTC
Hi, maybe the bug is related to the cryptography module of LibreOffice on Mac.

If you want, tell me and I will open another bug. I've been trying to sign a document with my software X509 and with my Spanish Identification Smart Card (Known in Spain as DNIe)(PKCS Module). 

LibreOffice Version: 6.0.2.1 with Spanish Translation.

That's what I got:

If I use the latest version of Firefox (58.0.2-64bit Mac) profile with the PKCS #11 configured, I'm able to view all of my software certificates but not the ones installed in the smart card. And if I run LibreOffice from the command line I get the following messages:

(pkix_CacheCert_Add: PKIX_PL_HashTable_Add for Certs skipped: entry existed
(pkix_CacheCert_Add: PKIX_PL_HashTable_Add for Certs skipped: entry existed
(pkix_CacheCert_Add: PKIX_PL_HashTable_Add for Certs skipped: entry existed
(pkix_CacheCert_Add: PKIX_PL_HashTable_Add for Certs skipped: entry existed

Instead, if I change the security profile to the Thunderbird (52.6.0-64bit Mac) profile with the PKCS #11, I'm able to view all of my certificates - LibreOffice asks me for the DNIe key - and I'm able to sign using the certificates from the smart card.

In both cases, when I reopen LibreOffice, it tells me that the original document has been modified.
Comment 7 Alex Thurgood 2018-03-27 14:17:10 UTC
*** Bug 116638 has been marked as a duplicate of this bug. ***
Comment 8 Tony Kinyua 2018-03-27 14:54:41 UTC
(In reply to Alex Thurgood from comment #7)
> *** Bug 116638 has been marked as a duplicate of this bug. ***

I can confirm that both LO & LODev when opened via the terminal "open "/Applications/LibreOffice.app"" and  "open "/Applications/LibreOfficeDev.app"" do show the PGP signatures/keys.

Ditto to opening a document via the CLI ---> "open "Some_Document.odt"

I went a bit further and checked Preferences--Security--Certificate Path. It seems to be looking for signatures in a Firefox directory something like "/Users/tony/Library/Application Support/Firefox/Profiles/rw7dqdyo.default-1234567890123"

Might be grasping at straws here, but does it mean that the certificate/key/signature store for Firefox is being used as default? The directory is the same in both LO and LODev whether opened via CLI or GUI, only that when opened in CLI mode we have the OpenPGP keys now present.
Comment 9 Tony Kinyua 2018-03-27 14:59:38 UTC
(In reply to Kysh from comment #8)
> (In reply to Alex Thurgood from comment #7)
> > *** Bug 116638 has been marked as a duplicate of this bug. ***
> 
> I can confirm that both LO & LODev when opened via the terminal "open
> "/Applications/LibreOffice.app"" and  "open
> "/Applications/LibreOfficeDev.app"" do show the PGP signatures/keys.
> 
> Ditto to opening a document via the CLI ---> "open "Some_Document.odt"
> 
> I went a bit further and checked Preferences--Security--Certificate Path. It
> seems to be looking for signatures in a Firefox directory something like
> "/Users/tony/Library/Application
> Support/Firefox/Profiles/rw7dqdyo.default-1234567890123"
> 
> Might be grasping at straws here but does it mean that the
> certificate/key/signature store for Firefox is being used as default? The
> directory is the same in both LO and LODev whether opened via CLI or GUI
> only that when opened in CLI mode we have the OpenPGP keys now present.

Also seeking some clarification on the error "Could not find any certificate manager" when you click on the start certificate manager under Digital Signature, just what is LO looking for as a certificate manager?
Comment 10 Thorsten Behrens (CIB) 2018-03-27 15:22:46 UTC
(In reply to Kysh from comment #8)
> I can confirm that both LO & LODev when opened via the terminal "open
> "/Applications/LibreOffice.app"" and  "open
> "/Applications/LibreOfficeDev.app"" do show the PGP signatures/keys.
> 
> Ditto to opening a document via the CLI ---> "open "Some_Document.odt"

This is helpful feedback.

So how this works internally, is that there's a library called gpgme, that will try & find a system-wide gpg install, by looking for a gpgconf binary in the PATH (and getting everything else from the output of that binary)

It _seems_ relevant that all uses from a shell work, and uses from the Finder do not. Until I manage to setup a debuggable build on Mac, perhaps getting trace output from gpgme might provide further clues: https://www.gnupg.org/documentation/manuals/gpgme/Debugging.html ?
Comment 11 Tony Kinyua 2018-03-27 17:27:49 UTC
Created attachment 140919 [details]
GPGME debug trace
Comment 12 Tony Kinyua 2018-03-27 17:32:59 UTC
(In reply to Kysh from comment #11)
> Created attachment 140919 [details]
> GPGME debug trace

Did a bit more digging and also ran a trace against gpgme.

I see my shell has, as part of the PATH environment, /usr/local/MacGPG2/bin. The trace output when LO is opened via CLI also confirms that it's using that path for the various binaries for GPG.

I see no output whatsoever on the trace when launched from GUI. Attached the initial trace output as it's quite large. Let me know if more output will be needed.
Comment 13 Thorsten Behrens (CIB) 2018-03-27 20:50:47 UTC
(In reply to Kysh from comment #12)
> I see no output whatsoever on the trace when launched from GUI. Attached the
> initial trace output as it's quite large. Let me know if more output will be
> needed.

That's unfortunate, since that's the interesting part. Regardless, I'm now reasonably sure it's the missing path for GUI applications - if you could try setting this globally, as per https://serverfault.com/questions/16355/how-to-set-global-path-on-os-x , to /usr/local/MacGPG2/bin and retry (possibly after reboot) ?

If that's confirmed, I'll need to dig a bit how that's implemented for other client code, e.g. EnigMail on OSX...
Comment 14 Thorsten Behrens (CIB) 2018-03-27 20:57:24 UTC
Ah hmm, it appears Apple is changing launchd there frequently.

Now the methods du jour are described here:

* https://apple.stackexchange.com/questions/106355/setting-the-system-wide-path-environment-variable-in-mavericks
* https://apple.stackexchange.com/questions/289060/setting-variables-in-environment-plist
Comment 15 Tony Kinyua 2018-03-27 23:17:23 UTC
(In reply to Thorsten Behrens (CIB) from comment #14)
> Ah hmm, it appears Apple is changing launchd there frequently.
> 
> Now the methods du jour are described here:
> 
> * https://apple.stackexchange.com/questions/106355/setting-the-system-wide-path-environment-variable-in-mavericks
> * https://apple.stackexchange.com/questions/289060/setting-variables-in-environment-plist

I can confirm setting the path in environment.plist as suggested above works for both LO and LODev (When launched from Dock and Launchpad)

However one caveat is that this method will not work for launching via Spotlight. When launched via Spotlight no keys are found.
Comment 16 Tony Kinyua 2018-04-01 00:14:31 UTC
Seems there might be a way to set the PATH within LO itself. Was looking at https://superuser.com/questions/476752/setting-environment-variables-in-os-x-for-gui-applications/787415#787415 and also https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/20001431-106825 especially the LSEnvironment key.

Unfortunately, my attempts at modifying the Info.plist of LO caused it to be unable to start, suggesting that my edits might have been wrongly placed or just not right.

Have had to revert back to the environment.plist method.
Comment 17 Joseph 2018-04-06 14:43:55 UTC
MacOSX LibreOffice version 6.0.2.1 
buildID:  f7f06a8f319e4b62f9bc5095aa112a65d2f3ac89 

does not show gpg key to pick from, during sign action.

In the same situation, clicking on the 'Start Certificate Manager' button gives an 'Impossible to find a certificate manager' notification.

On the system GPGTools is installed.
Comment 18 Joseph 2018-04-06 14:55:23 UTC
The report I make is valid ONLY on:

1. running LO clicking his icon from or from the docker 
2. running LO from the FileManager (Finder)
3. if double clicked an .odt file.

Only if run via "open /Application/Libreoffice.app" the gpg keys are listed.
Comment 19 Hans-Gerd Ernst 2018-04-06 18:47:05 UTC
I am able to digitally sign an .odt file if I start LibreOffice by "open /Applications/Libreoffice.app"

When I start LibreOffice once again from the CLI and open the signed document, a blue bar appears on top of the document saying  "This document is digitally signed and the signature is valid."

Pressing the "Show Signatures" button the details about this signature are displayed. 

When I start LibreOffice from the dock and open the digitally signed document a red bar is displayed on top of the document saying "The signature is invalid." 

Pressing the "Show Signatures" button the details about this signature are displayed.
Comment 20 Xisco Faulí 2018-04-09 20:35:12 UTC
@Joseph, any reason why you moved the bug to NEEDINFO?
Comment 21 Tony Kinyua 2018-05-29 16:51:01 UTC
Just noticed that after applying the environment.plist hack one can sign the document or view the signature without an error.

Should another document be opened via the File-->Open method, the signature is invalid if it exists or the document cannot be signed with the PGP key.

The same is also evident when one tries to sign an existing PDF document using the File-->Digital Signatures-->Sign existing PDF

Am on:-
Version: 6.0.4.2
Build ID: 9b0d9b32d5dcda91d2f1a96dc04c645c450872bf
CPU threads: 4; OS: Mac OS X 10.13.4; UI render: default; 
Locale: en-GB (en_GB.UTF-8); Calc: group
Comment 22 bunkem 2018-06-18 17:16:14 UTC
I noticed this bug today as I've not tried to digitally sign a document.

This problem also exists in 6.2a
Version: 6.2.0.0.alpha0+
Build ID: c8d95ccecfcd31b720fdff67bbd6acbdceaf2546
CPU threads: 8; OS: Mac OS X 10.11.6; UI render: default; 
TinderBox: MacOSX-x86_64@49-TDF, Branch:master, Time: 2018-06-18_00:27:45
Locale: en-CA (en.UTF-8); Calc: group threaded

From the dialog File:Properties:Digital Signatures, there are no certificates listed as identified earlier.  The "Start Certificate Manager" doesn't work either.

It would be helpful to have some documentation so I can help figure out what is happening.  I realize that this request is also a bug.
Comment 23 Gunther Strube 2018-09-26 16:36:50 UTC
I can confirm same problem (no certificate listed) on LO:

Version: 6.1.1.2
Build ID: 5d19a1bfa650b796764388cd8b33a5af1f5baa1b
CPU threads: 8; OS: Mac OS X 10.11.6; UI render: default; 

I can sign if LO is started with open on terminal, however, GPG certificate is not listed for document signing when LO is started from Finder.
Comment 24 Luc Lalonde 2018-11-28 12:54:30 UTC
Can't use PGP certs whether I open from command line or Finder:

Version: 6.1.3.2
Build ID: 86daf60bf00efa86ad547e59e09d6bb77c699acb
CPU threads: 8; OS: Mac OS X 10.14.1; UI render: default; 
Locale: en-CA (en_CA.UTF-8); Calc: group threaded
Comment 25 Frank Fuchs 2018-11-29 13:25:10 UTC
Same Problem here:
GPG Suite Build 2380 (latest nightly)
and LibO 6.1.3.2 on macOS 10.14.1
Comment 26 Doug Nix 2019-01-21 18:20:02 UTC
No PGP keys/signatures are found when LibreOffice is started from Spotlight or directly via double click on ODF file.

This is both visible in the settings when no predefined PGP key can be chosen, and in the signature dialogue, when no PGP is offered.

Steps to Reproduce:
1. Open LibreOffice
2. Go to Settings, Encryption

Actual Results:  
PGP keys are shown as an option for default keys

Expected Results:
No PGP keys available

Reproducible: Always

Additional Info:
Version: 6.1.4.2
Build ID: 9d0f32d1f0b509096fd65e0d4bec26ddd1938fd3
CPU threads: 4; OS: Mac OS X 10.14.2; UI render: GL; 
Locale: en-CA (en_CA.UTF-8); Calc: group threaded
Comment 27 Johan Havermans 2019-01-25 12:59:48 UTC
I think I found a workaround that enables LibreOffice version 6.1.4.2 on Mac OS High Sierra to find my PGP key and sign a document. It is still a bug of course when I update LO. My workaround is inspired by https://apple.stackexchange.com/questions/51677/how-to-set-path-for-finder-launched-applications

First, my Mac PGP tools are installed in:
/usr/local/MacGPG2/bin
This path also is shown when doing echo $PATH in Terminal.app


Here is what I did:
Step 1: Close LibreOffice and open in your text editor 
/Applications/LibreOffice.app/Contents/Info.plist 

Step 2: Just above the line 
<key>CFBundleExecutable</key>
I added:

<key>LSEnvironment</key>
<dict>
     <key>PATH</key>
     <string>/usr/local/MacGPG2/bin:</string>
</dict>

Step 3: Save the info.plist

Step 4: Open Terminal.app and execute
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -v -f /Applications/LibreOffice.app

Step 5: Launch LO
Go to LO/Preferences/User Data, and you can select your PGP signing key from the drop down list. When you create a Writer document, and digitally sign it, you can do that too.

Hope this helps to fix this bug upstream
Johan
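
Added example, not part of the original comments and not LibreOffice or gpgme code: a shell emulation of the PATH walk described in comment 10, run against a constructed sandbox, showing why a search path without the MacGPG2 directory finds no gpgconf, plus a check that flags empty or relative elements such as the one produced by the trailing colon in the `LSEnvironment` value above. The function names, the sandbox layout and the Finder-like search path are assumptions made for illustration.

```shell
#!/bin/sh
# Print the first executable NAME found in PATHSTRING; return 1 if none.
resolve_in_path() {
    _name=$1
    _rest="$2:"                    # sentinel: a trailing empty element is visited too
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        if [ -z "$_dir" ]; then _dir=.; fi   # empty element = current directory
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    return 1
}

# Print every element of PATHSTRING that is empty or relative, i.e. resolved
# against whatever directory the process happens to be started in.
risky_path_entries() {
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        case $_dir in
            '') echo '(empty)' ;;
            /*) ;;                 # absolute: fine
            *)  printf '%s\n' "$_dir" ;;
        esac
    done
}

# Constructed sandbox standing in for the real file system; the gpgconf
# placed in it is a stub, not the GnuPG binary.
make_sandbox() {
    _root=$(mktemp -d)
    mkdir -p "$_root/usr/bin" "$_root/bin" "$_root/usr/local/MacGPG2/bin"
    printf '#!/bin/sh\nexit 0\n' > "$_root/usr/local/MacGPG2/bin/gpgconf"
    chmod +x "$_root/usr/local/MacGPG2/bin/gpgconf"
    printf '%s\n' "$_root"
}

root=$(make_sandbox)
shell_path="$root/usr/local/MacGPG2/bin:$root/usr/bin:$root/bin"  # Terminal-like
gui_path="$root/usr/bin:$root/bin"              # Finder-like (assumed, no MacGPG2)

echo "shell: $(resolve_in_path gpgconf "$shell_path" || echo 'gpgconf not found')"
echo "gui:   $(resolve_in_path gpgconf "$gui_path" || echo 'gpgconf not found')"
echo "risky elements in the LSEnvironment PATH value from comment 27:"
risky_path_entries '/usr/local/MacGPG2/bin:'
rm -rf "$root"
```

An empty PATH element is searched as the current working directory, so a value that is meant to contain only absolute directories should not end in a colon.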
Comment 28 Tony Kinyua 2019-02-05 12:39:53 UTC
(In reply to Johan Havermans from comment #27)
--snip--
> Here is what I did:
> Step 1: Close LibreOffice and open in your text editor 
> /Applications/LibreOffice.app/Contents/Info.plist 
> 
> Step 2: Just above the line 
> <key>CFBundleExecutable</key>
> I added:
> 
> <key>LSEnvironment</key>
> <dict>
>      <key>PATH</key>
>      <string>/usr/local/MacGPG2/bin:</string>
> </dict>
> 
> Step 3: Save the info.plist
--snip--
Hi Johan,

After you did this, have you restarted your Mac? On my end it works, but once the machine is restarted then LibreOffice does not start. Tried to open via Dock, Launchpad, Finder but nothing was happening and no error reported. It's only when launched via Terminal that I got an error report:

kysh@kysh /p/tmp > open /Applications/LibreOffice.app
LSOpenURLsWithRole() failed with error -10810 for the file /Applications/LibreOffice.app.

Once I remove the changes in Info.plist then LibreOffice starts working.

If I put back the changes it works as well until I restart the machine. I had encountered something similar earlier on in this thread (Comment 16).

@Thorsten: Hopefully this feedback sheds some light towards resolving this issue