Closed Bug 1673993 Opened 4 years ago Closed 3 years ago

Thunderbird/RNP cannot use an OpenPGP key, if a user ID binding signature contains a key expiration that is in the past (apparent inconsistency in the key, works with GnuPG)

Categories

(MailNews Core :: Security: OpenPGP, defect)

defect

Tracking

(thunderbird_esr78 affected, thunderbird_esr91 fixed)

RESOLVED FIXED
93 Branch
Tracking Status
thunderbird_esr78 --- affected
thunderbird_esr91 --- fixed

People

(Reporter: mark.caglienzi, Unassigned)

References

Details

(Whiteboard: [fixed by bug 1724393])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

I have two Debian buster installations, and I use Thunderbird as the email client in both of them.
I have a GPG key with more than one identity.
On the installation where the email address matches the primary identity on the key, the migration from the older Thunderbird + Enigmail to the newer Thunderbird with integrated GPG support went flawlessly and I am able to send encrypted email messages as I was before.

On the other installation the migration recognized the key and migrated it, but Thunderbird does not find an eligible key for this account (I also tried to manually re-import it. The manual import went well, but nothing changed: it cannot find a usable key for this account).

Actual results:

Thunderbird does not find a suitable key for the account, despite having imported the GPG key that has this account as a secondary identity.

Expected results:

I expect Thunderbird to allow me to use my GPG key for the account that is a secondary identity on the key.

I forgot to mention that I submitted this bug report to the Debian BTS, and it was suggested to me to submit it here.

The bug report in the Debian BTS is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973042

Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

Do you have multiple email accounts and/or identities configured?

If you select an OpenPGP key for an email account (or for the sub-identity of an email account), the configuration applies to that identity only.

If you attempt to write an email using an identity that doesn't have an OpenPGP key configured, the options underneath 'Encryption Technology' are expected to be greyed out.

See Also: → 1674109

Same here: I'm unable to reply to an encrypted mail right now, because the key is associated with multiple addresses, but Thunderbird only matches the first one. Currently with version 78.10.1; for me the status is very much confirmed. Why does such a simple issue still exist? Very disturbing issue; it practically makes GPG unusable in Thunderbird. It is very common that people have more than one address in a GPG key.

Why are private keys with multiple mail addresses as User ID used? What's the purpose / benefit / need for that?

Why do I need multiple keys, if GPG supports adding multiple email addresses to one key? Certainly I will do that. If you have a key bundle in your pocket, then you are probably interested in how to reduce the quantity of keys. The same also happens with GPG keys. Spreading even one key is quite painful, so people will slowly adopt the idea that email can be encrypted. Imagine a situation where I try to convince someone to import and trust several keys per one person. This will very rarely happen, if at all. Quite often people are involved in many different activities, which in turn means different organizations, projects, etc. They all also have different email addresses. Sometimes the same people are even involved together in multiple activities. It would be quite overwhelming to spread multiple keys, and then the next issue appears: which one should be used in which case? Quite often people have different mailboxes for different email addresses. So, if I accidentally use the wrong key, I or my partner cannot open the mail. Also, quite often people redirect mailboxes to other addresses. You never know what people do with their email addresses or how they use them. Therefore it would be unthinkable to use as many keys as I have email addresses. Quite often there are also email aliases in addition to the main address. So, they both need to be on the GPG key. But currently I cannot even put an alias into the key: Thunderbird just won't accept it and it won't work. So, having just one email per key practically destroys the system and makes it useless for most users. I had to make different versions of the same key and pay extra effort to install my key with partners using only one address. So far, I could do it only with one partner. I guess I will not do it with others. I just won't use encrypted mail until Thunderbird fixes the issue.

Certainly it might happen that, if Thunderbird refuses to fix it, people start looking for other email apps that support multiple IDs per GPG key. Is this the purpose of Thunderbird? I guess (hope) not.

(In reply to Arvidt from comment #4)

Why are private keys with multiple mail addresses as User ID used? What's the purpose / benefit / need for that?

I'm sorry, but if you have to ask then you do not understand the public-key encryption ecosystem. This is a fundamental capability that GPG implementations handle as a matter of course.

Replacing Enigmail with built-in GPG "support" was a tremendous step backwards.

IMO with this (classic) attitude on developers' parts ("we didn't do that feature, so you don't need it") I am losing hope that TB will ever be usable for encrypted email. At which point I will make the painful decision to switch to something else. And BTW, I have been a developer my entire career (30+ years) and have always hated the "we're developers, we know what you need" attitude.

Same issue here with the newest Thunderbird version (78.10.2).
I have a GPG key with 5 email addresses and it only sees 2 on import.
Now I can't use my GPG key in 3 of 5 mail accounts.

Enigmail was far superior!

I cannot yet reproduce the problem you have reported.

I just created a fresh key with gnupg, used "gpg --edit-key" and "adduid" to add two more user IDs to it. Exported the secret key to a file. Imported it into Thunderbird. Configured three email accounts, one for each of the separate email addresses the key contains. Thunderbird account settings, end-to-end encryption, offered the key for each of my accounts.

If it doesn't work for you, there might be some kind of special property that prevents it from being used. I suggest that you send me a copy of your public key by email to kaie@kuix.de - then I can try to investigate.

Thanks to Martin who sent me a copy of an affected public key.
An RNP API claims that several user IDs are invalid.
I've reported the issue with RNP at https://github.com/rnpgp/rnp/issues/1510; let's wait for their investigation.

Summary: Thunderbird doesn't recognize GPG key if the address is not the primary identity on the key → Thunderbird doesn't allow the use of certain user IDs of OpenPGP keys, which are acceptable to GnuPG

Woohooo <3

They said that it should be fixed with rnp v0.16.0.
Which Thunderbird version should contain it?

Status: UNCONFIRMED → NEW
Ever confirmed: true

rnp v0.16.0 is not released yet. Let's wait for that.

Summary: Thunderbird doesn't allow the use of certain user IDs of OpenPGP keys, which are acceptable to GnuPG → Thunderbird/RNP cannot use an OpenPGP key, if a user ID binding signature contains a key expiration that is in the past (apparent inconsistency in the key, works with GnuPG)
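The inconsistency named in the updated summary, as an added example that is not part of the bug report or of RNP/Thunderbird code: a minimal parser over new-format OpenPGP packets that reports the key-wide expiry from the newest user ID self-signature (the assumption here for why GnuPG still accepts such a key) and flags user IDs whose own newest binding signature carries a key expiration that has already passed. The packet builder, the sample key with its two user IDs and all timestamps are constructed for this example; the parser reads metadata only and verifies no signatures.

```python
import struct
def _pkt(tag, body):                          # new-format packet header, one-byte length (< 192)
    return bytes([0xC0 | tag, len(body)]) + body

def _selfsig(created, key_expiry_secs=None):
    # v4 type-0x13 user ID self-certification; hashed subpacket 2 = signature creation time,
    # 9 = key expiration in seconds after key creation. Crypto fields are zero stubs.
    hashed = bytes([5, 2]) + struct.pack(">I", created)
    if key_expiry_secs is not None:
        hashed += bytes([5, 9]) + struct.pack(">I", key_expiry_secs)
    body = b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
    return _pkt(2, body + b"\x00\x00\x00\x00\x00\x01\x00")  # unhashed len, left16, MPI stub

def _packets(data):                           # yields (tag, body); short lengths only
    i = 0
    while i < len(data):
        assert data[i] & 0xC0 == 0xC0 and data[i + 1] < 192
        yield data[i] & 0x3F, data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]

def _subpackets(blob):                        # yields (type, data); short lengths only
    i = 0
    while i < len(blob):
        yield blob[i + 1], blob[i + 2:i + 1 + blob[i]]
        i += 1 + blob[i]

def inspect_key(key_bytes, now):
    """Key-wide expiry per the newest user ID self-signature; per UID, is its own binding stale?"""
    key_created, uid, newest = None, None, {}  # newest[uid] = (sig created, key expiry)
    for tag, body in _packets(key_bytes):
        if tag == 6:                           # public-key packet: version, creation time, ...
            key_created = struct.unpack(">I", body[1:5])[0]
        elif tag == 13:                        # user ID packet: the following sigs bind to it
            uid = body.decode()
        elif tag == 2 and uid and body[0] == 4 and 0x10 <= body[1] <= 0x13:  # certification
            subs = dict(_subpackets(body[6:6 + struct.unpack(">H", body[4:6])[0]]))
            created = struct.unpack(">I", subs[2])[0]
            expiry = key_created + struct.unpack(">I", subs[9])[0] if 9 in subs else None
            if created > newest.get(uid, (-1, None))[0]:   # newest self-signature wins
                newest[uid] = (created, expiry)
    key_expiry = max(newest.values(), key=lambda v: v[0])[1] if newest else None
    return {"key_expires": key_expiry,
            "stale_uids": {u: e is not None and e < now for u, (_, e) in newest.items()}}

def build_sample_key():                       # constructed sample mirroring the report:
    t0 = 1_500_000_000                        # UID 1's expiry extended later, UID 2's not
    return (_pkt(6, b"\x04" + struct.pack(">I", t0) + b"\x01\x00\x01\x00")
            + _pkt(13, b"alice@example.test") + _selfsig(t0, 365 * 86400)
            + _selfsig(t0 + 30_000_000, 10 * 365 * 86400)
            + _pkt(13, b"alice@work.example") + _selfsig(t0 + 100, 365 * 86400))
```

Run against a real exported key, this only works for new-format packets with short lengths; a key whose second user ID shows up as stale while the key as a whole is unexpired is the shape this bug describes.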

JFYI: we rescheduled this for the v0.15.2 release.

RNP v0.15.2 was released today, including a fix for this issue.

Depends on: 1724393
See Also: → 1730979

With released Thunderbird 91.x this bug seems fixed, I see 5 user IDs for Martin's key.

I temporarily switched back to the older RNP, and only see 2 user IDs. So the RNP library upgrade fixes the issue.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

fixed in 91.0.3 by bug 1724393

Whiteboard: [fixed by bug 1724393]
Target Milestone: --- → 93 Branch