Regression: Unable to (re-)import OpenPGP keys without private primary/master key ("laptop keys")
Categories
(MailNews Core :: Security: OpenPGP, defect)
Tracking
(Not tracked)
People
(Reporter: ueberall, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:84.1) Gecko/20100101 Firefox/84.1
Steps to reproduce:
(a) Upgrade from v68.12.0 which is supposed to re-import all OpenPGP keys in use
(b) Manually tried to import OpenPGP keys after re-import failed
Actual results:
OpenPGP keys without private master key could not be imported. Unfortunately, the UI seemingly suggested that the entered passphrase was wrong (no details given on screen.)
Expected results:
OpenPGP keys without private master key should have been (re-)imported. The use of "laptop keys"/an "offline (private) primary/master key" can be considered best practice[*] w.r.t. protection against identity theft (and not only since recently).
Prominent howtos can be found easily; to name a few:
- https://wiki.debian.org/Subkeys
- https://alexcabal.com/creating-the-perfect-gpg-keypair
- https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/
[*] And, what's more, sometimes even company policy--in other words, this simply rules out deployment/use of Thunderbird.
Updated•4 years ago
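An added example, not part of the original report and not Thunderbird or Enigmail code: a check an administrator can run over a binary secret-key export to see which packets hold real secret material and which are stubs, so an affected "laptop key" is recognised before import. It assumes the export comes from GnuPG, which marks a missing primary secret key with its S2K extension (type 101 followed by "GNU"); the function names and the sample bytes are constructed for illustration.

```python
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # public MPIs: RSA, Elgamal, DSA
GNU_MODES = {1: "stub, no secret material (gnu-dummy)", 2: "stub, secret on smartcard"}

def packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                                  # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                           # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def secret_state(body):
    """Classify the secret part of a v4 RSA/DSA/Elgamal secret-key packet."""
    if body[0] != 4 or body[5] not in PUBLIC_MPIS:
        raise ValueError("only v4 RSA/DSA/Elgamal keys handled here")
    pos = 6                                             # version, time, algorithm
    for _ in range(PUBLIC_MPIS[body[5]]):               # skip the public MPIs
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    usage = body[pos]                                   # S2K usage octet
    # GnuPG extension: S2K type 101, hash octet, "GNU", then mode - 1000.
    if usage in (254, 255) and body[pos + 2] == 101 and body[pos + 4:pos + 7] == b"GNU":
        return GNU_MODES.get(body[pos + 7], "unknown GNU extension")
    return "unprotected" if usage == 0 else "passphrase-protected"

def audit(data):
    roles = {5: "primary", 7: "subkey"}                 # secret key / secret subkey tags
    return [(roles[t], secret_state(b)) for t, b in packets(data) if t in roles]

SAMPLE = bytes.fromhex(  # constructed sample with toy 8-bit RSA values, not a real key
    "94 14 04 5f000000 01 0008ff 000203 ff 00 65 00 474e55 01"   # primary: stub
    "b4 01 61"                                                   # user ID "a"
    "c7 19 04 5f000000 01 0008ff 000203 fe 09 03 02 0000000000000000 60")  # subkey

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A primary key reported as a stub while the subkeys are passphrase-protected is the key layout this report describes; ECC keys are outside what this narrowed parser handles.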
Comment 1•4 years ago
Hello,
I can confirm this defect - same happened to me.
Comment 2•4 years ago
Yes this is not yet supported, see bug 1654893.
It's explained in the HOWTO at
https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
You can try to use the external GnuPG configuration.
The Enigmail migration tool should soon get an update to automatically suggest/configure the use of external GnuPG for affected keys.
Reporter
Comment 3•4 years ago
(See my comment https://bugzilla.mozilla.org/show_bug.cgi?id=1654893#c3 – this should be an S2 regression because no workaround exists; bug 1654893 is currently classified as a mere "enhancement".)
Comment 4•4 years ago
It's an enhancement, because it never worked in Thunderbird previously. This bugzilla isn't deciding based on previous Enigmail features.
Reporter
Comment 5•4 years ago
(In reply to Kai Engert (:KaiE:) from comment #4)
> It's an enhancement, because it never worked in Thunderbird previously. This bugzilla isn't deciding based on previous Enigmail features.
In other words, you do not care whether existing functionality provided by Thunderbird v68.x and Enigmail <=v2.2 as a whole breaks.
That is a crucial piece of information I – and maybe others? – must have missed in the original announcement (https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp), on the "tb-planning" mailing list (https://mail.mozilla.org/listinfo/tb-planning), and on the wiki page addressing the migration (https://wiki.mozilla.org/Thunderbird:OpenPGP:Migration-From-Enigmail) …
… unless this was meant to be subsumed as "several aspects related to OpenPGP messaging will likely work differently than in today’s Enigmail solution" (emphasis mine, see https://wiki.mozilla.org/Thunderbird:OpenPGP:2020#OpenPGP_engine) as well.
It's a pity because making the above position clear in the first place would have certainly alarmed a number of people earlier. If it has been mentioned in public and was still missed by me, please provide me with a pointer for internal documentation. Thanks in advance.