Closed Bug 1763613 Opened 2 years ago Closed 2 years ago

OpenPGP Key not existing after update - the entry "encryption" in column "fingerprint" is missing

Categories

(MailNews Core :: Security: OpenPGP, defect)

Thunderbird 91
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1763641

People

(Reporter: benedikt.kaless, Unassigned)

Details

(Keywords: regression, Whiteboard: [regression 91.7->91.8])

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0

Steps to reproduce:

I updated Thunderbird to 91.8.0 in Manjaro using the official repositories.

Actual results:

Afterwards my PGP-Key was listed but Thunderbird complains that it couldn't be found. I decided to import my secret key again. The import was reported as successful, the key is available in the key manager but it is not usable in my profile.

Expected results:

My private key should be available.

Component: Untriaged → Security: OpenPGP
Flags: needinfo?(kaie)
Product: Thunderbird → MailNews Core

What did you upgrade from?
When you view the key details (click open from key manager), is there anything in particular that stands out?

Hi,

sorry, my description was not concrete enough.

I updated from 91.7.0 to 91.8.0

Afterwards in the Account-Settings in "End-To-End Encryption" the key is listed but a warning "This key could not be found! If you want to use it you must import it to Thunderbird" occurs.

In the details of the key there is nothing that stands out. I imported my profile yesterday.

If you delete the key in 91.8.0 and import it again the import process is fine. But afterwards the key is not listed in the account settings.

Please remark: I defined my key for lastname@domain.org and firstname.lastname@domain.org

Best
Benedikt

And in comparison to the properties of the key in 91.7.0 the entry "encryption" in column "fingerprint" is missing.

If you open the key manager and open the key details for it, is the key set for that address?

Keywords: regression
Whiteboard: [regression 91.7->91.8]
Summary: OpenPGP Key not existing after update → OpenPGP Key not existing after update - the entry "encryption" in column "fingerprint" is missing

I got a similar problem when I was auto-upgraded to 91.8.
Only a very old [expired] PGP key is listed. My current one, it says, cannot be found. In particular,
under "OpenPGP" in the E-2-E Encryption page, for every email address I have it says
"This key could not be found! If you want to use it you must import it to Thunderbird"
It was there yesterday before the upgrade :-)

When I try to import it again I get an invalid file error from OpenPGP Key Manager...
"Error! Failed to import file"
The file for import I produced from Kleopatra

Running on Windows BTW

Benedikt, Nigel,

could you please provide the public keys that aren't working with 91.8.0 ?
(If you don't want to attach them to this public bug, you may send them to me by email to kaie@kuix.de - please quote this bug number.)

Note the following potential reason:

Thunderbird 91.8.0 rejects OpenPGP keys that use insecure algorithms, such as signatures that involve outdated SHA-1.

Flags: needinfo?(kaie)

I sent you my public key.

Benedikt, yes it looks like your key is rejected because of the use of SHA1.

Only your subkey is valid for encryption. But we decide that your subkey isn't good (and the key details structure tab doesn't show it).

Your key has a "subkey binding signature" that was used to define an extended validity of your subkey. That signature was created on 2021-01-07 with an expiration date set to 2026-04-11.

However, that signature used outdated and insecure SHA-1.
Thunderbird 91.8.0 rejects that.

Which software did you use that still created SHA-1 signatures in 2021? SHA-1 has been declared as obsolete since around 2013.

You could use modern OpenPGP software to extend the validity of your key.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
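
To see which signatures on a key still use SHA-1, as the subkey binding signature described in the comment above did, the digest algorithm can be read from `gpg --list-packets` output. This is an added example, not Thunderbird's own check and not code from this bug; the function names and the embedded sample (key IDs, timestamps) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Thunderbird's check: list the digest algorithm of every
# signature in `gpg --list-packets` output and mark SHA-1 ones as WEAK.

# stdin: `gpg --list-packets` text. stdout: "<sigclass> <created> <digest> <ok|WEAK>"
audit_sig_digests() {
    awk '
        BEGIN { n[1]="MD5"; n[2]="SHA1"; n[3]="RIPEMD160"; n[8]="SHA256"
                n[9]="SHA384"; n[10]="SHA512"; n[11]="SHA224" }   # RFC 4880 hash IDs
        /^:signature packet:/ { insig = 1; cls = "?"; created = "?"; next }
        /^:/                  { insig = 0; next }   # any other packet header
        insig && /sigclass/ {
            for (i = 1; i < NF; i++) {
                if ($i == "created")  { created = $(i + 1); sub(/,$/, "", created) }
                if ($i == "sigclass") { cls = $(i + 1) }
            }
        }
        insig && /^[ \t]*digest algo/ {
            algo = $3; sub(/,$/, "", algo)
            name = (algo in n) ? n[algo] : "algo" algo
            print cls, created, name, (algo + 0 == 2 ? "WEAK" : "ok")
        }'
}

# Number of subkey binding signatures (sigclass 0x18) that use SHA-1.
count_weak_bindings() {
    audit_sig_digests | grep -c '^0x18 .* WEAK$' || true
}

# Constructed sample in the shape of gpg output (key IDs and times are made up).
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1400000000, expires 0
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0000000000000001
    version 4, created 1650000000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 12 34
:public sub key packet:
    version 4, algo 1, created 1400000000, expires 0
:signature packet: algo 1, keyid 0000000000000001
    version 4, created 1610000000, md5len 0, sigclass 0x18
    digest algo 2, begin of digest ab cd
EOF
}

sample_packets | audit_sig_digests
# Real key: gpg --export <KEYID> | gpg --list-packets | audit_sig_digests
```

A key can carry several binding signatures for the same subkey, so a WEAK line matters most when no newer non-SHA-1 signature of the same class follows it.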

Hi Kai,

thanks a lot.

Hmm, let's grab my head ;) The key itself is relatively old, that's true. 2021 I mean I extended the key to <firstname>.<lastname>@domain.org.

So you mean that I just extend the validity of my key via Thunderbird KeyManager and it will be usable again?

You can try if Thunderbird is willing to set a new expiration date for your key.
(It doesn't offer to do that for complex keys that were created outside of Thunderbird and that may have a mix of validity times for subkeys.)

If that doesn't work, you could try to use external software to extend your key, for example using a current version of GnuPG. Export the secret key from your software, import into gnupg, edit the key to extend it, then export the secret key from gnupg, then import secret key back into thunderbird.

Hmm, I did that using gpg (GnuPG) 2.2.32

Thunderbird doesn't accept the key. Yes, it was created in 2014.

So I have to revoke the key completely?

Why revoke? In comment 13 I explained how you could extend it using GnuPG and then bring it back into Thunderbird.

Hmm, it's very strange that it doesn't work using gnupg 2.2.32 !

It seems that it could need some configuration; some hints are available here: https://unix.stackexchange.com/questions/423109/how-do-i-prevent-gpg-from-including-sha1

Ah sorry, my fault. I didn't exchange the subkey. Now it's working again. Thanks again for your valuable help!

Resolution: WONTFIX → DUPLICATE