Closed Bug 1654893 Opened 4 years ago Closed 3 years ago

Support configuration with an offline primary OpenPGP key

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

enhancement

Tracking

(thunderbird_esr78 fixed, thunderbird89 fixed)

RESOLVED FIXED
90 Branch
Tracking Status
thunderbird_esr78 --- fixed
thunderbird89 --- fixed

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

(Whiteboard: [fixed-in-rnp])

Attachments

(2 files)

Expert users might want to use a configuration which uses a primary key that is in secure offline storage. They would then use multiple subkeys, at least two, one for signing and one for encryption.

They would need to import all public keys, but would import only the secret keys of the subkeys into Thunderbird.

At this time we don't want to support creating these key pairs inside Thunderbird. Rather we require that the expert user uses separate software to create the keys.

However, importing these keys into Thunderbird should be possible.
Currently this isn't working.
As a first step, importing the keys with RNP is failing; this is tracked upstream here:
https://github.com/rnpgp/rnp/issues/1217

After we have RNP support, we'll need to implement Thunderbird application level support, to allow treating such a key as a personal key, even with the primary secret key missing.

Please note that bug 1666124 which should be classified as having severity S2 – "(Serious) Major Functionality/product severely impaired and a
satisfactory workaround doesn’t exist" – cannot be considered a duplicate of an "enhancement". This is not a "nice-to-have feature" but prevents users from using Thunderbird where the use of offline primary keys/"laptop keys" is mandatory, thereby breaking existing workflows, configurations.

The moment Thunderbird 68.x is not supported anymore (and 78.x still does not support this as the previous Enigmail add-on did), the application will have to be blacklisted/replaced by Mutt, Evolution, Outlook, or other alternatives that e.g. satisfy company policies prohibiting the use of online primary/master keys or needs of user groups which take matters related to privacy/security – namely, protection against identity theft – very seriously.

In case fixing the above will require (much) more time for whatever reason, the only two options to prevent abandoning existing users are

  • the introduction of a compatibility layer which restores the old functionality ("EnigMail-compat"?); because existing users have everything installed/set up already, there are no license problems due to the need to ship additional third-party components
  • ensuring that 68.x /is/ supported until back-to-back tests show that there are no remaining (S2) regressions w.r.t. functionality

MZLA Technologies Corporation should have opted for one or both options in the first place and might well have underestimated that breaking existing functionality related to OpenPGP without providing (temporary) workarounds is not taken kindly, because it forces others to invest time and money to put alternatives in place. (Keep in mind that for a non-profit organization, shrinking/alienating their customers/user base has never been a good strategy.)

(Keep in mind that for a non-profit organization, shrinking/alienating their customers/user base has never been a good strategy.)
Correction: I meant "for-profit organization" here, of course.

(In reply to Markus Ueberall from comment #3)

The moment Thunderbird 68.x is not supported anymore (and 78.x does still not support this as the previous Enigmail add-on did), the
application will have to be blacklisted/replaced ...

For the time being you can treat offline keys like keys on Smartcards. You can't import them into Thunderbird, but you can use them via gpgme.
https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards

(In reply to Christian Riechers from comment #5)

For the time being you can treat offline keys like keys on Smartcards. You can't import them into Thunderbird, but you can use them via gpgme.
https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards

Wow. I can confirm that this really works—would not have found this without your pointer, though a considerable amount of time has been spent on this here. Many, many thanks!

Whiteboard: [fixed-in-rnp]

This seems it might describe my scenario:
https://wiki.debian.org/Subkeys?action=show&redirect=subkeys
However, if it does, it's not fixed in Tb 78.7.0 (64-bit), see screenshot attached here: https://github.com/rnpgp/rnp/issues/1217#issuecomment-783382729.
$ thunderbird --version
Thunderbird 78.7.0
As suggested in https://github.com/rnpgp/rnp/issues/1217
$ uname -a
Linux mymachine 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

I am getting the same error as Morgan. I am trying to configure an external GPG key without primary secret key.

On trying to send a signed message I get "the configured key id 0123456789ABCDEF was not found in your keyring" (translated), which is confusing as TB shall not take the key from its internal keyring.

Now I imported the public parts of the external secret key into TB’s key store and it seems to work again!

Found on: https://support.nitrokey.com/t/unable-to-sign-e-mails-with-thunderbird-78-3-2-and-nitrokey-start-in-windows-10/2687/3

Please note that the "external gnupg" configuration is outside the scope of this bug.

It is correct that using "external gnupg" is a workaround to be able to use such keys.

However, this tracker here is about adding support for such keys directly to Thunderbird, without having to use external gnupg.

To summarize the scope of this bug: Using a special manual procedure, typically performed using GnuPG, users create a special key file, which consists of a primary key and subkeys, which doesn't contain the secret key for the primary key, but which contains the secret keys for the subkeys.

When Thunderbird attempts to import a secret key file, RNP reports all keys as secret keys, including the primary key with the missing secret key. Thunderbird attempts to unlock it, but RNP reports a failure (because there is no secret key).

How can this be fixed?

With newer versions of RNP, a new function rnp_key_get_protection_type was added, which can allow an application to learn if there is really a secret key. We need to change Thunderbird to use that new function, and skip unlocking/using such unavailable secret keys.

I have an initial patch, I've tested with a key that has valid subkeys for encryption and signing, and it works.

Having this new kind of keys imported, we should improve the logic that decides whether an imported secret key is suitable for being used as an email account's personal key. We should ensure that key material for at least one (valid) signing key is available, and for at least one (valid) encryption key.

While working on this code (checking if a key is valid for signing or encryption), I identified some unused scenarios that I didn't want to keep while modifying it - we don't use key flags for invalid or disabled keys.

Also, we should enable users to discover that an imported key lacks some secret (sub)keys. If we want to backport, we should add a minimal flag somewhere. I've added a change in the structure tab of the key details dialog. If a key is of type key pair (with secret key), but the secret key material for a key is missing, we show (!) in front of the type of the subkey.

The patch is for comm-esr78.
When applying to comm-central, the change to errorHandling.jsm must be applied to file encryption.jsm because the changed function has moved.
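The root cause described above (a secret key file in which the primary key is only a stub, so a packet count reports a "secret key" that cannot be unlocked) is visible in the S2K field of the Secret-Key packet. The following added example is not Thunderbird's or RNP's code; the function names are my own, the packet layout follows RFC 4880 section 5.5.3 plus GnuPG's private S2K type 101 ("GNU" extension, mode 1 = gnu-dummy, mode 2 = divert-to-card), and the keyring bytes are constructed with tiny fake MPIs for the test only.

```python
# Added example (not Thunderbird's or RNP's code): classify the secret-key
# packets of an OpenPGP key file so an offline-primary stub is not mistaken
# for a usable secret key. Only old-format packet headers and v4 keys with
# RSA/DSA/Elgamal public MPIs are handled. Sample packets are constructed.
import struct

PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA variants, Elgamal, DSA

def _mpi_len(buf, off):
    """Byte length of the MPI at `off`: 2-byte bit count plus magnitude."""
    return 2 + (struct.unpack(">H", buf[off:off + 2])[0] + 7) // 8

def parse_packet(data, off=0):
    """Parse one old-format packet header; return (tag, body, offset after body)."""
    ctb = data[off]
    if ctb & 0xC0 != 0x80:
        raise ValueError("only old-format packet headers are handled here")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
    if ltype == 0:
        length, hdr = data[off + 1], 2
    elif ltype == 1:
        length, hdr = struct.unpack(">H", data[off + 1:off + 3])[0], 3
    else:
        raise ValueError("4-byte and indeterminate lengths not handled here")
    start = off + hdr
    return tag, data[start:start + length], start + length

def secret_key_protection(body):
    """Classify the S2K usage of a v4 Secret-Key/Secret-Subkey packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    off = 6  # version(1) + creation time(4) + public-key algorithm(1)
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):
        off += _mpi_len(body, off)  # skip the public MPIs
    usage = body[off]
    if usage == 0:
        return "unprotected"  # clear-text secret MPIs follow
    if usage in (254, 255):  # next: cipher id, then the S2K specifier
        if body[off + 2] == 101 and body[off + 4:off + 7] == b"GNU":
            return {1: "gnu-dummy", 2: "gnu-divert-to-card"}.get(body[off + 7], "gnu-unknown")
    return "encrypted"  # regular passphrase protection

def classify_keyring(data):
    """Return [(tag, protection)] for each Secret-Key (5) / Secret-Subkey (7) packet."""
    out, off = [], 0
    while off < len(data):
        tag, body, off = parse_packet(data, off)
        if tag in (5, 7):
            out.append((tag, secret_key_protection(body)))
    return out

def _mpi(mag):  # constructed helper: encode a magnitude as an OpenPGP MPI
    return struct.pack(">H", 8 * (len(mag) - 1) + mag[0].bit_length()) + mag

def _packet(tag, s2k_tail):  # constructed v4 RSA public part + given secret tail
    body = b"\x04" + struct.pack(">I", 1600000000) + b"\x01" + _mpi(b"\xc5\x11") + _mpi(b"\x01\x00\x01") + s2k_tail
    return bytes([0x80 | (tag << 2), len(body)]) + body

SAMPLE_KEYRING = (  # constructed: gnu-dummy primary, encrypted subkey, unprotected subkey
    _packet(5, bytes([255, 0, 101, 2]) + b"GNU" + b"\x01")
    + _packet(7, bytes([254, 9, 3, 8]) + b"\x00" * 8 + b"\x60" + b"\x00" * 36)
    + _packet(7, b"\x00" + _mpi(b"\x05") * 4 + b"\x00\x00")
)
```

A key-import routine that treats every tag 5/7 packet as a usable secret key will try to unlock the gnu-dummy primary and fail; checking the protection class first (as the RNP change does via rnp_key_get_protection_type) lets the importer skip it and still accept the subkeys.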

Attachment #9218868 - Attachment description: Bug 1654893 - Example OpenPGP key with offline primary key. r=mkmelin → Bug 1654893 - Test importing an OpenPGP key with an offline primary key. r=mkmelin

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/0ad4f197152f
Support OpenPGP keys with an unavailable primary secret key. r=PatrickBrunschwig,r=mkmelin
https://hg.mozilla.org/comm-central/rev/3a62d29b5236
Test importing an OpenPGP key with an offline primary key. r=mkmelin DONTBUILD

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Magnus, should we add this feature to esr78 ?

Comment on attachment 9217871 [details]
Bug 1654893 - Support OpenPGP keys with an unavailable primary secret key. r=PatrickBrunschwig

[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: users require expert workaround to use such keys (external gnupg)
Testing completed (on c-c, etc.): yes
Risk to taking this patch (and alternatives if risky): low, shouldn't affect the use of keys that already work

Attachment #9217871 - Flags: approval-comm-beta?
Attachment #9218868 - Flags: approval-comm-beta?

Comment on attachment 9217871 [details]
Bug 1654893 - Support OpenPGP keys with an unavailable primary secret key. r=PatrickBrunschwig

See above beta approval request for details.

Requesting esr78 approval, however, should wait for at least 2 weeks beta testing.

Attachment #9217871 - Flags: approval-comm-esr78?

Comment on attachment 9218868 [details]
Bug 1654893 - Test importing an OpenPGP key with an offline primary key. r=mkmelin

See above beta approval request for details.

Requesting esr78 approval, however, should wait for at least 2 weeks beta testing.

Attachment #9218868 - Flags: approval-comm-esr78?

We're considering to uplift this enhancement to the stable 78.x release.
It would be good to get help with testing the readiness of the feature.
The intention is that you're able to import your key into Thunderbird, and that it works with Thunderbird's internal OpenPGP engine - in other words: with external gnupg disabled.

To enable you to test more easily, below is a test build, based on 78.10, which also includes this enhancement.

While this could allow you to test the enhancement in your regular Thunderbird environment (profile), I'd like to urge you to create a backup of your Thunderbird directory, should you consider testing this feature.
(At the very least, backup these files: secring.gpg, pubring.gpg, openpgp.sqlite, encrypted-openpgp-passphrase.txt)

If you use the experimental build, import an affected key, and then switch back to a Thunderbird 78 that lacks this enhancement, the related OpenPGP functionality might be broken.
So, if you intend to test, please backup the relevant files (while Thunderbird is not running), test the build, and prior to reverting to a regular Thunderbird, restore your backup files.

Also note that if you choose to run this experimental build, you will not get automatic updates.
After testing, you should switch back to a regular Thunderbird build to continue to get updates.

You may download from here:

linux 32bit: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Ys9h5MLbRfeRTms5OAmDqA/runs/0/artifacts/public/build/target.tar.bz2
linux 64bit: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WdsT49XGQf6tOsYjlf6b0Q/runs/0/artifacts/public/build/target.tar.bz2
win 32bit: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/fYdctww6QqmPWfG51tbEPA/runs/0/artifacts/public/build/target.zip
win 64bit: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/OIJ81Vm2STiMAjoctGAiJQ/runs/0/artifacts/public/build/target.zip
macos: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/MhC5VaccQrqVI4ToLMMcYg/runs/0/artifacts/public/build/target.dmg

For reference, the above build can be seen here, including its patches:
https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=1a010761513bf231681810f50304362810a2cddc

With the new build I can import a GPG key without private primary key and encrypt and sign messages using that key. OS: Fedora34, Linux64 👌

Comment on attachment 9218868 [details]
Bug 1654893 - Test importing an OpenPGP key with an offline primary key. r=mkmelin

[Triage Comment]
Approved for beta

Attachment #9218868 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9217871 [details]
Bug 1654893 - Support OpenPGP keys with an unavailable primary secret key. r=PatrickBrunschwig

[Triage Comment]
Approved for beta

Attachment #9217871 - Flags: approval-comm-beta? → approval-comm-beta+

I downloaded the Linux 64-bit version, and started with a fresh profile.
Set up a master password and the email account (in that order).
Imported a bunch of public keys (members of an encrypted mailing list) by importing a single .asc file. This includes my own public key.
Then tried to import the corresponding offline primary key. The key was recognized as personal one, and successfully imported.
Turned on OpenPGP encryption for the account.
In the OpenPGP Manager the primary key is prefixed by "(!)" - without the quotes. Does that indicate it actually is an offline primary key?

There's a flip side though. Upon importing the offline primary key the error console shows this:
1 protected and 3 unprotected keys masterpass.jsm:67:13

As a result, Thunderbird allows access to encrypted messages when bypassing the master password prompt. It may not be related to this bug, but I thought I'd mention it here.

Kai, any thoughts on Christian's comment 29?

Flags: needinfo?(kaie)

Comment on attachment 9218868 [details]
Bug 1654893 - Test importing an OpenPGP key with an offline primary key. r=mkmelin

[Triage Comment]
Approved for esr78

Attachment #9218868 - Flags: approval-comm-esr78? → approval-comm-esr78+

Comment on attachment 9217871 [details]
Bug 1654893 - Support OpenPGP keys with an unavailable primary secret key. r=PatrickBrunschwig

[Triage Comment]
Approved for esr78

Attachment #9217871 - Flags: approval-comm-esr78? → approval-comm-esr78+

(In reply to Christian Riechers from comment #29)

I downloaded the Linux 64-bit version, and started with a fresh profile.

Thanks for testing.

Set up a master password and the email account (in that order).
Imported a bunch of public keys (members of an encrypted mailing list) by importing a single .asc file. This includes my own public key.
Then tried to import the corresponding offline primary key. The key was recognized as personal one, and successfully imported.
Turned on OpenPGP encryption for the account.
In the OpenPGP Manager the primary key is prefixed by "(!)" - without the quotes. Does that indicate it actually is an offline primary key?

Yes, trying to give feedback in a way that's possible on the stable esr78 branch (we cannot add strings), the ! prefix means "missing secret key".

There's a flip side though. Upon importing the offline primary key the error console shows this:
1 protected and 3 unprotected keys masterpass.jsm:67:13

As a result, Thunderbird allows access to encrypted messages when bypassing the master password prompt. It may not be related to this bug, but I thought I'd mention it here.

Yes, that's bug 1710290, an unfortunate regression. We will disclose/open that bug today.

Flags: needinfo?(kaie)

Tried the version for Windows 64bit, works as expected.

I think I'll be using this preview client until the patch gets pushed to mainline.

Target Milestone: --- → 90 Branch

(In reply to AndMe? Fikri from comment #35)

I think I'll be using this preview client until the patch gets pushed to mainline.

See https://www.thunderbird.net/en-US/thunderbird/78.10.2/releasenotes/

On a related note,
using a key without the primary's private key only works if I import both a private subkey for encryption and a private subkey for signature.

TB will not recognize my key if I import my private subkey for signature, without providing a private subkey for encryption.

However, in my workflow, I don't use encryption (I don't receive encrypted email regularly). Hence, I prefer not to import my encryption subkey.

Blocks: 1756795