User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Yesterday I found that PGP keys were not suitably authorised by TB78.
I have read extensive Bugzilla reports and possible part-mitigators for this, including https://bugzilla.mozilla.org/show_bug.cgi?id=1679330, a comment from Kai, stating:
"You can set a master password, which gives you some protection against accidental leakage of your key files."
I set a master password yesterday.
Options --> Master Password --> Set password
And this appeared to work, requiring the master password to a) open Thunderbird (if my memory serves correctly) and b) view PGP emails within Thunderbird.
Close down the machine / Thunderbird, restart/reopen. No dialogue requesting the Master Password is presented. All mailboxes and all PGP messages are available to view.
Today, I load the PC, load Thunderbird, and both the program as a whole and all PGP emails are freely available to me without needing any master password. Checking the options menu, all the details are still correct and enabled.
Exiting the options menu, Thunderbird THEN gives me a dialogue requesting the master password to view the PGP email I had just seen seconds earlier without the password.
Exiting Thunderbird and then re-entering Thunderbird causes the dialogue to appear correctly. This may be an issue with only the first load of Thunderbird.
I was led to believe by comments that setting a Master Password would protect my Key from use without the password being accepted.
The documentation [ https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_how-is-my-personal-key-protected ] states:
"How is my personal key protected?
At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. The same automatic password will be used for all OpenPGP secret keys managed by Thunderbird. You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
I expect that a Master Password dialogue box appears on each loading of the Thunderbird Application, including the first load on a boot.