Closed Bug 1693931 Opened 2 years ago Closed 1 year ago

Homebrew's apple silicon native gpgme in /opt/homebrew not found

Categories

(MailNews Core :: Security: OpenPGP, defect)

ARM64
macOS

Tracking

(thunderbird_esr78 fixed, thunderbird91+ fixed)

RESOLVED FIXED
92 Branch

People

(Reporter: christian.hawkins-github, Assigned: rjl)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15

Steps to reproduce:

On a new M1 Mac:

  1. Download Nightly Thunderbird
  2. Install homebrew as instructed at https://brew.sh without using rosetta. Homebrew will be installed into /opt/homebrew
  3. Add eval $(/opt/homebrew/bin/brew shellenv) to .zprofile as stated in stdout of install script
  4. brew install gnupg gpgme
  5. Set up https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards

Actual results:

Decryption and signing fail because Thunderbird can't find the gpgme libraries. When creating symlinks to /usr/local/lib|bin it starts working. However, this is where homebrew+rosetta2 resides, and overwriting the x86_64 libraries breaks current stable Thunderbird (obviously).

Expected results:

Thunderbird should also check the new homebrew path, since for many this will be the default install of gpgme. Thunderbird already has a list of additional library paths for osx, so adding one more might not be introducing too many issues.

https://github.com/mozilla/releases-comm-central/blob/master/mail/extensions/openpgp/content/modules/GPGMELib.jsm#L21

Component: Untriaged → Security: OpenPGP
OS: Unspecified → macOS
Product: Thunderbird → MailNews Core
Hardware: Unspecified → x86_64

Shouldn't hardware be

Hardware: x86_64 → ARM64

For anyone who finds that bug that is affected. Mozilla does not seem to care about Smartcard GPG, so I came up with a workaround.

Assuming Smartcard GPG worked for you before updating to 91.* and assuming you have arm homebrew gpgme installed, you can

sudo mkdir -p /opt/local
sudo ln -s /opt/homebrew/lib /opt/local/lib

to have Thunderbird find your gpgme located in /opt/homebrew/lib

For Apple Silicon, Homebrew installs to /opt/homebrew by default.

Assignee: nobody → rob
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

If there is a PIN on the smartcard, will you get a prompt?

I was told in the past that using GPGME from homebrew might not work in this scenario, because no default app to bring up GUI prompts for a PIN is installed.

Could you please investigate that before we consider the patch?

Flags: needinfo?(christian.hawkins-github)

Well, independent of my concern, we already look for libs in those directories, which will already find those homebrew libs on Intel Macs. So taking the patch isn't making things worse.

Yes, but you have to install pinentry-mac and configure it in your gpg-agent.conf

Flags: needinfo?(christian.hawkins-github)

this should be safe to uplift to 78, too

Rob, are we using thunderbird91 or thunderbird_esr91 tracking flags? Is it thunderbird91 while it's still in beta?

Target Milestone: --- → 92 Branch

Pushed by thunderbird@calypsoblue.org:
https://hg.mozilla.org/comm-central/rev/f8ac674397dd
Add addition homebrew library path for using GPG smartcards. r=kaie

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

(In reply to Kai Engert (:KaiE:) from comment #8)

> Rob, are we using thunderbird91 or thunderbird_esr91 tracking flags? Is it thunderbird91 while it's still in beta?

Use tracking_thunderbird91 while still in beta.

(In reply to christian.hawkins-github from comment #2)

> For anyone who finds that bug that is affected. Mozilla does not seem to care about Smartcard GPG,

Please don't say that. We added the possibility to use external GnuPG specifically because we care about smartcard users.

(In reply to christian.hawkins-github from comment #6)

> Yes, but you have to install pinentry-mac and configure it in your gpg-agent.conf

The Thunderbird project depends on community contributions like your bug report and your expertise. Would you be willing to help edit the https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards page and add this information? Thanks

This is already covered by the first line of this snippet.

You're responsible for installing all software that is required to use your Smartcard. You must use the appropriate tools to prepare
your smartcard for use, for example, the card must contain an appropriate key pair. You must make note of the primary key ID of the
smartcard's key that you'd like to use. It has 16 characters. It is the same as the last 16 characters of your primary key's fingerprint.

Here is the snippet for those that can't:

$ cat .gnupg/gpg-agent.conf 
pinentry-program /opt/homebrew/bin/pinentry-mac
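
The two checks this thread comes down to (is a gpgme library present in one of the directories discussed, and does gpg-agent.conf name a pinentry program that exists), as an added example that is not part of the bug discussion or of Thunderbird's code. The `libgpgme*.dylib` pattern, the function names and the `check` argument are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic example; not Thunderbird or Homebrew code.
# Library directories named in this thread. Which ones a given Thunderbird
# build searches is decided by GPGMELib.jsm, not by this script.
CANDIDATE_DIRS="/usr/local/lib /opt/local/lib /opt/homebrew/lib"

# Print the first directory among the arguments that holds a gpgme dylib.
# The libgpgme*.dylib file-name pattern is an assumption.
find_gpgme_dir() {
    for dir in "$@"; do
        for lib in "$dir"/libgpgme*.dylib; do
            if [ -e "$lib" ]; then
                printf '%s\n' "$dir"
                return 0
            fi
        done
    done
    return 1
}

# Print the pinentry-program value from a gpg-agent.conf file.
# Status: 0 ok, 2 file unreadable, 3 option absent, 4 target not executable.
# If the option is repeated, the last line is reported (a choice made here).
pinentry_from_conf() {
    conf=$1
    [ -r "$conf" ] || return 2
    prog=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    [ -n "$prog" ] || return 3
    printf '%s\n' "$prog"
    [ -x "$prog" ] || return 4
}

# Run both checks against the current user's setup and report.
check_smartcard_setup() {
    if dir=$(find_gpgme_dir $CANDIDATE_DIRS); then
        echo "gpgme found in $dir"
        file "$dir"/libgpgme*.dylib   # on macOS this shows arm64 vs x86_64
    else
        echo "no libgpgme dylib in: $CANDIDATE_DIRS"
    fi
    if prog=$(pinentry_from_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"); then
        echo "pinentry-program: $prog"
    else
        echo "pinentry-program problem (status $?): ${prog:-not set}"
    fi
}

if [ "${1:-}" = "check" ]; then check_smartcard_setup; fi
```

Saved to a file and run with the argument `check`, it reports on the current user's setup; without an argument it only defines the functions.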

Comment on attachment 9231398 [details]
Bug 1693931 - Add addition homebrew library path for using GPG smartcards. r=kaie

[Approval Request Comment]
Regression caused by (bug #): no, specific to Apple Silicon
User impact if declined: less automatism with OpenPGP smartcards
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): very low

Attachment #9231398 - Flags: approval-comm-esr91?
Attachment #9231398 - Flags: approval-comm-esr91? → approval-comm-beta?

Comment on attachment 9231398 [details]
Bug 1693931 - Add addition homebrew library path for using GPG smartcards. r=kaie

should be safe for esr78, too

Attachment #9231398 - Flags: approval-comm-esr78?

Comment on attachment 9231398 [details]
Bug 1693931 - Add addition homebrew library path for using GPG smartcards. r=kaie

[Triage Comment]
Approved for beta

Attachment #9231398 - Flags: approval-comm-beta? → approval-comm-beta+

(In reply to christian.hawkins-github from comment #12)

> You're responsible for installing all software that is required to use your Smartcard. You must use the appropriate tools to prepare
> your smartcard for use, for example, the card must contain an appropriate key pair. You must make note of the primary key ID of the
> smartcard's key that you'd like to use. It has 16 characters. It is the same as the last 16 characters of your primary key's fingerprint.

We should update the wiki page to explain what exactly needs to be done. I just added a section, let me know if you see a mistake.

Comment on attachment 9231398 [details]
Bug 1693931 - Add addition homebrew library path for using GPG smartcards. r=kaie

[Triage Comment]
Approved for esr78

Attachment #9231398 - Flags: approval-comm-esr78? → approval-comm-esr78+