Closed Bug 1666124 Opened 1 month ago Closed 1 month ago

Regression: Unable to (re-)import OpenPGP keys without private primary/master key ("laptop keys")

Categories

(MailNews Core :: Security: OpenPGP, defect)

defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1654893

People

(Reporter: ueberall, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:84.1) Gecko/20100101 Firefox/84.1

Steps to reproduce:

(a) Upgrade from v68.12.0 which is supposed to re-import all OpenPGP keys in use
(b) Manually tried to import OpenPGP keys after re-import failed

Actual results:

OpenPGP keys without private master key could not be imported. Unfortunately, the UI seemingly suggested that the entered passphrase was wrong (no details given on screen.)

Expected results:

OpenPGP keys without private master key should have been (re-)imported. The use of "laptop keys"/an "offline (private) primary/master key" can be considered best practice[*] w.r.t. protection against identity theft (and not only since recently).

Prominent howtos can be found easily; to name a few:

[*] And, what's more, sometimes even company policy--in other words, this simply rules out deployment/use of Thunderbird.

Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

Hello,
I can confirm this defect - same happened to me.

Yes this is not yet supported, see bug 1654893.

It's explained in the HOWTO at
https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq

You can try to use the external GnuPG configuration.

The Enigmail migration tool should soon get an update to automatically suggest/configure the use of external GnuPG for affected keys.

Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1654893

(See my comment https://bugzilla.mozilla.org/show_bug.cgi?id=1654893#c3 – this should be an S2 regression because no workaround exists; bug 1654893 is currently classified as a mere "enhancement".)

It's an enhancement, because it never worked in Thunderbird previously. This bugzilla isn't deciding based on previous Enigmail features.

(In reply to Kai Engert (:KaiE:) from comment #4)

It's an enhancement, because it never worked in Thunderbird previously. This bugzilla isn't deciding based on previous Enigmail features.

In other words, you do not care whether existing functionality provided by Thunderbird v68.x and Enigmail <=v2.2 as a whole breaks.

That is a crucial piece of information I – and maybe others? – must have missed in the original announcement (https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp), on the "tb-planning" mailing list (https://mail.mozilla.org/listinfo/tb-planning), and on the wiki page addressing the migration (https://wiki.mozilla.org/Thunderbird:OpenPGP:Migration-From-Enigmail) …
… unless this was meant to be subsumed as "several aspects related to OpenPGP messaging will likely work differently than in today’s Enigmail solution" (emphasis mine, see https://wiki.mozilla.org/Thunderbird:OpenPGP:2020#OpenPGP_engine) as well.

It's a pity because making the above position clear in the first place would have certainly alarmed a number of people earlier. If it has been mentioned in public and was still missed by me, please provide me with a pointer for internal documentation. Thanks in advance.

You need to log in before you can comment on or make changes to this bug.