User Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
Steps to reproduce:
After updating Thunderbird from 60.5.0 to 60.5.1, the handling of validating S/MIME signed and encrypted mails has changed.
- Thunderbird version: 60.5.1, 32 bit, "en-US", maintenance service not installed
- OS: Win 7, 64 bit, patch level 2019-02
- (POP / IMAP): POP
S/MIME signed and encrypted mails received from Outlook clients (v15 and v16) are marked as "signature is not valid" now.
When selecting the envelope symbol, the following warning message appears:
This message includes a digital signature, but the signature is invalid.
The signature does not match the message content correctly.
The message appears to have been altered after the sender signed it.
- The S/MIME encryption part is marked as valid.
- It doesn't matter what kind of certificates have been used for signing. Externally signed certificates (e.g. Comodo/Sectigo free S/MIME certificates) are affected as well as various certificates derived from self-signed CAs.
- "Signed only" mails are not affected (using the same certificate that causes trouble when using sign and encrypt).
- S/MIME signed and encrypted mails received from Thunderbird clients are not affected.
- After downgrading to Thunderbird 60.5.0, S/MIME signed and encrypted mails will be handled as expected again.
Maybe this is an unintended side effect of "CVE-2018-18509: S/MIME signature spoofing".
Properly S/MIME signed and encrypted mails sent from Outlook clients should not be marked as "signature is not valid".