Qubes updates (2016-12-04) have added a new apparmor requirement for using qubes-split-gpg.
audit: type=1400 audit(1480979960.153:62): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/dev/xen/privcmd" pid=3371 comm="qrexec-client-v" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
The current profile allows @{PROC}/xen/privcmd rw
. Adding /dev/xen/privcmd rw
fixes the issue.
Don’t know why this change occurred or security implications.
edit: appears that @{PROC}/xen/privcmd rw
is no longer needed.