Closed Bug 1665548 Opened 4 years ago Closed 4 years ago

TB 78.2.2 - pgp private key import fails, when there is no key signing subkey

Categories

(MailNews Core :: Security: OpenPGP, defect)

defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: snafu, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

Try to import a private pgp key without key signing subkey. It doesn't matter if the import is done by the migration utility or if I try to import it by hand.
Keys with key signing subkey seem to work, which leads me to believe that the missing subkey is causing the issue.

Actual results:

I get asked for the key's password over and over again (even if I paste the correct password). The export during the migration works fine.

Expected results:

The private key should be imported.

Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

Does your set of keys require more than one password to unlock? We don't support that yet.

Does your key use an offline (absent) primary key? We don't support that yet.
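A way to check the condition Kai asks about (an absent, offline primary key) from the output of `gpg --with-colons --list-secret-keys`; this is an added example, not code from the bug report or from Thunderbird, and the colon-format listing below is constructed with made-up key IDs:

```shell
#!/bin/sh
# Added example: report whether the primary secret key in a GnuPG colon-format
# listing is a stub (offline primary), the key layout TB 78's import rejects.
# Colon-format fields used (see GnuPG's doc/DETAILS):
#   field 1  record type (sec = primary secret key, ssb = secret subkey)
#   field 5  key ID
#   field 12 capabilities (s = sign, e = encrypt, c = certify, a = authenticate)
#   field 15 token serial number; a '#' means only a stub is stored (key absent)

# Constructed sample: certify-only primary that is absent (stub), plus a
# present signing subkey and a present encryption subkey. Key IDs are made up.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::s::::::23:
ssb:u:4096:1:1122334455667788:1600000000::::::e::::::23:'

# describe_secret_key reads colon records on stdin and prints one line per
# secret (sub)key: record type, key ID, capabilities, present|absent.
# Exit status 0 if the primary secret key is present, 1 if it is a stub.
describe_secret_key() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            state = ($15 == "#") ? "absent" : "present"
            printf "%s %s caps=%s %s\n", $1, $5, $12, state
            if ($1 == "sec" && state == "absent") stub = 1
        }
        END { exit stub ? 1 : 0 }
    '
}

# Live use: gpg --with-colons --list-secret-keys | describe_secret_key
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LISTING" | describe_secret_key \
    || echo "primary secret key is absent: this key layout is not importable in TB 78"
```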

The keys (there are multiple keys with this issue) do require one password (per key).

They do fit the absent primary key description, as that afaict is the only way of disabling the ability to sign other keys (not exporting the primary key and using a dedicated signing subkey). Is there a roadmap on when this feature is planned to be made available? Any info would be nice because we depend on this and either need to change business processes or get it to work by the end of November (when TB 78 will be used for all clients within our infrastructure). If you have pointers on what is missing we may also be able to contribute...

I have the same problem. I deliberately have dedicated subkeys for signing or encryption and do not store my primary key in the gpg keyring. When I export this secret key and try to import to Thunderbird 78, I find the same issue as :snafu.

Is there any way around this?

So far my workaround is using an older TB 68 and Enigmail for these keys. It's not that sustainable, I guess. If anyone has pointers on where to look to get it working with TB 78 I am grateful for hints.
I'd consider hacking on it myself unless someone tells me that he or she will add support somewhat soonish.

(In reply to CrfzdPQM6 from comment #3)

> I deliberately have dedicated subkeys for signing or encryption and do not store my primary key in the gpg keyring. When I export this secret key and try to import to Thunderbird 78, I find the same issue as :snafu.
>
> Is there any way around this?

(In reply to snafu from comment #4)

> if anyone has pointers on where to look to get it working with TB 78 I am grateful for hints.

There is a solution (at least for the time being), but you really have to be lucky to find it: https://bugzilla.mozilla.org/show_bug.cgi/?id=1654893#c5

Thank you.

(In reply to Markus Ueberall from comment #5)

> (In reply to CrfzdPQM6 from comment #3)
>
> > I deliberately have dedicated subkeys for signing or encryption and do not store my primary key in the gpg keyring. When I export this secret key and try to import to Thunderbird 78, I find the same issue as :snafu.
> >
> > Is there any way around this?
>
> (In reply to snafu from comment #4)
>
> > if anyone has pointers on where to look to get it working with TB 78 I am grateful for hints.
>
> There is a solution (at least for the time being), but you really have to be lucky to find it: https://bugzilla.mozilla.org/show_bug.cgi/?id=1654893#c5

Thank you! How can I debug the connection between external gnupg and thunderbird? I'm able to encrypt a message to myself using the imported public key (as described at that link, trivially), but when I try to open it I see my key amongst the list of those to which the message was encrypted (primary (absent) key and, in brackets, encrypting subkey ID), but I always get the message "The secret key that is required to decrypt this message is not available", even though it's right there in my gpg keychain.

I'm also not prompted for a passphrase, whilst encrypting a file using gpg in the terminal does trigger a passphrase request. Any tips?

(In reply to CrfzdPQM6 from comment #6)

> How can I debug the connection between external gnupg and thunderbird?

For external GnuPG Thunderbird uses GPGME so this might help:
https://gnupg.org/documentation/manuals/gpgme/Debugging.html

> I'm able to encrypt a message to myself using the imported public key (as described at that link, trivially), but when I try to open it I see my key amongst the list of those to which the message was encrypted (primary (absent) key and, in brackets, encrypting subkey ID), but I always get the message "The secret key that is required to decrypt this message is not available", even though it's right there in my gpg keychain.

You say it fails to decrypt a message that you sent to yourself?

Thunderbird tries to decrypt using RNP. If that fails, and if external GnuPG is allowed, we ask GPGME to decrypt, without giving more details. In my understanding GnuPG will then try to find the matching secret key amongst all the ones that are available to GnuPG. If that doesn't work, it sounds like GnuPG doesn't have the secret key available.

The error message is general, and is used when we cannot decrypt. Trying the GPGME debug log seems like a good idea, hopefully it will tell you why gnupg cannot decrypt?

> I'm also not prompted for a passphrase, whilst encrypting a file using gpg in the terminal does trigger a passphrase request. Any tips?

Why does using gpg to encrypt trigger a passphrase request? It's reasonable to expect if you both sign and encrypt, but I wouldn't expect it when encrypting only.

(In reply to Kai Engert (:KaiE:) from comment #7)

> (In reply to CrfzdPQM6 from comment #6)
>
> > How can I debug the connection between external gnupg and thunderbird?
>
> For external GnuPG Thunderbird uses GPGME so this might help:
> https://gnupg.org/documentation/manuals/gpgme/Debugging.html
>
> > I'm able to encrypt a message to myself using the imported public key (as described at that link, trivially), but when I try to open it I see my key amongst the list of those to which the message was encrypted (primary (absent) key and, in brackets, encrypting subkey ID), but I always get the message "The secret key that is required to decrypt this message is not available", even though it's right there in my gpg keychain.
>
> You say it fails to decrypt a message that you sent to yourself?
>
> Thunderbird tries to decrypt using RNP. If that fails, and if external GnuPG is allowed, we ask GPGME to decrypt, without giving more details. In my understanding GnuPG will then try to find the matching secret key amongst all the ones that are available to GnuPG. If that doesn't work, it sounds like GnuPG doesn't have the secret key available.
>
> The error message is general, and is used when we cannot decrypt. Trying the GPGME debug log seems like a good idea, hopefully it will tell you why gnupg cannot decrypt?
>
> > I'm also not prompted for a passphrase, whilst encrypting a file using gpg in the terminal does trigger a passphrase request. Any tips?
>
> Why does using gpg to encrypt trigger a passphrase request? It's reasonable to expect if you both sign and encrypt, but I wouldn't expect it when encrypting only.

Thank you, @kai. Sorry for the delay - decryption began to work and I wasn't sure why. It seems that Thunderbird is finding the external key to decrypt my messages now (thanks! major step forward!) but is not triggering the gui popup to enter a passphrase (gui pinentry?) to unlock the private key. I discovered that if I do something externally (decrypt a file on the command line, which does trigger the passphrase request) then the unlocked key can afterwards be successfully used by Thunderbird. Do you know why Thunderbird fails to trigger the passphrase request?

Then a few small follow-ups to things that you suggested earlier, but which might be best followed up elsewhere:

  1. Thanks for the pointer to gpgme debugging. I think this would be useful if I were able to launch Thunderbird from the command line but, as a relative newbie (to archlinux in particular), I still haven't succeeded in doing that. "thunderbird" is not in my path and I can't seem to see what the launcher icon points to! This is something I should follow up offline, I think.
  2. You're right, there's no reason why encrypting should trigger a passphrase request. I think I meant to write decrypting, where of course the request is made (see above). Not sure why Thunderbird doesn't trigger the same behaviour.

Many thanks again for your help!

> It seems that Thunderbird is finding the external key to decrypt my messages now (thanks! major step forward!) but is not triggering the gui popup to enter a passphrase (gui pinentry?) to unlock the private key. I discovered that if I do something externally (decrypt a file on the command line, which does trigger the passphrase request) then the unlocked key can afterwards be successfully used by Thunderbird. Do you know why Thunderbird fails to trigger the passphrase request?

It isn't Thunderbird who triggers the passphrase request. TB simply asks GPGME to decrypt. If a key needs to be unlocked, then GPGME handles bringing up the prompt. This happened in my testing. I don't understand why it doesn't happen in your scenario, but I think that's a GPGME issue.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME

(In reply to Kai Engert (:KaiE:) from comment #9)

> > It seems that Thunderbird is finding the external key to decrypt my messages now (thanks! major step forward!) but is not triggering the gui popup to enter a passphrase (gui pinentry?) to unlock the private key. I discovered that if I do something externally (decrypt a file on the command line, which does trigger the passphrase request) then the unlocked key can afterwards be successfully used by Thunderbird. Do you know why Thunderbird fails to trigger the passphrase request?
>
> It isn't Thunderbird who triggers the passphrase request. TB simply asks GPGME to decrypt. If a key needs to be unlocked, then GPGME handles bringing up the prompt. This happened in my testing. I don't understand why it doesn't happen in your scenario, but I think that's a GPGME issue.

Thanks Kai. Strange. For me, a simple "gpg -d mytestfile.txt.gpg" triggers pinentry-gtk to open a passphrase prompt. But Thunderbird does not do the same thing. If I have already decrypted something on the command line, Thunderbird afterwards does succeed in decrypting e-mails.

However, I found that if I save the passphrase in the password-manager (a check-box on the pinentry prompt) then Thunderbird (well, gpgme as you point out) can decrypt without needing the first step of the command-line decrypt.

(I tried to follow the gpgme debugging script you suggested, but couldn't get that to work - no entry in the logfile after a command-line decrypt, for example.)
