OpenPGP Key not existing after update - the entry "encryption" in column "fingerprint" is missing
Categories
(MailNews Core :: Security: OpenPGP, defect)
Tracking
(Not tracked)
People
(Reporter: benedikt.kaless, Unassigned)
Details
(Keywords: regression, Whiteboard: [regression 91.7->91.8])
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Steps to reproduce:
I updated Thunderbird to 91.8.0 in Manjaro using the official repositories.
Actual results:
Afterwards my PGP key was listed, but Thunderbird complains that it couldn't be found. I decided to import my secret key again. The import was reported as successful, and the key is available in the key manager, but it is not usable in my profile.
Expected results:
My private key should be available.
Comment 1•2 years ago
What did you upgrade from?
When you view the key details (click open from key manager), is there anything in particular that stands out?
Reporter
Comment 2•2 years ago
Hi,
sorry, my description was not concrete enough.
I updated from 91.7.0 to 91.8.0.
Afterwards, in the Account Settings in "End-To-End Encryption", the key is listed but a warning "This key could not be found! If you want to use it you must import it to Thunderbird" occurs.
In the details of the key there is nothing outstanding. I imported my profile yesterday.
If you delete the key in 91.8.0 and import it again the import process is fine. But afterwards the key is not listed in the account settings.
Please remark: I defined my key for lastname@domain.org and firstname.lastname@domain.org
Best
Benedikt
Reporter
Comment 5•2 years ago
And in comparison to the properties of the key in 91.7.0 the entry "encryption" in column "fingerprint" is missing.
Comment 6•2 years ago
If you open the key manager and open the key details for it, is the key set for that address?
Reporter
Comment 7•2 years ago
Yes, to lastname@domain.org but not to firstname.lastname@domain.org
Comment 8•2 years ago
I got a similar problem when I was auto-upgraded to 91.8.
Only a very old [expired] PGP key is listed. For my current one it says it cannot be found. In particular,
under "OpenPGP" in the E-2-E Encryption page, for every email address I have it says
"This key could not be found! If you want to use it you must import it to Thunderbird"
It was there yesterday before the upgrade :-)
When I try to import it again I get an invalid file error from OpenPGP Key Manager...
"Error! Failed to import file"
The file for import I produced from Kleopatra
Running on Windows BTW
Comment 9•2 years ago
Benedikt, Nigel,
could you please provide the public keys that aren't working with 91.8.0 ?
(If you don't want to attach them to this public bug, you may send them to me by email to kaie@kuix.de - please quote this bug number.)
Note the following potential reason:
Thunderbird 91.8.0 rejects OpenPGP keys that use insecure algorithms, such as signatures that involve outdated SHA-1.
Reporter
Comment 10•2 years ago
I sent you my public key.
Comment 11•2 years ago
Benedikt, yes it looks like your key is rejected because of the use of SHA1.
Only your subkey is valid for encryption. But we decide that your subkey isn't good (and the key details structure tab doesn't show it).
Your key has a "subkey binding signature" that was used to define an extended validity of your subkey. That signature was created on 2021-01-07 with an expiration date set to 2026-04-11.
However, that signature used outdated and insecure SHA-1.
Thunderbird 91.8.0 rejects that.
Which software did you use that still created SHA-1 signatures in 2021? SHA-1 has been declared as obsolete since around 2013.
You could use modern OpenPGP software to extend the validity of your key.
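To find which signature on a key triggers this rejection, look at the digest algorithm of each subkey binding signature (sigclass 0x18) in `gpg --list-packets` output, where digest algo 2 is SHA-1. The following is an added example, not part of the bug thread or Thunderbird's code; the sample listing is constructed, and it assumes the newest binding signature per subkey is the one that gets evaluated.

```python
import re
from datetime import datetime, timezone

# Constructed `gpg --list-packets` excerpt; key IDs and digests are made up.
SAMPLE = """\
:public key packet:
\tversion 4, algo 1, created 1397174400, expires 0
\tkeyid: AAAAAAAAAAAAAAAA
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1649980800, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 3c 1f
:public sub key packet:
\tversion 4, algo 1, created 1397174400, expires 0
\tkeyid: BBBBBBBBBBBBBBBB
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1397174400, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 9a 40
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1609977600, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 51 e7
"""
DIGESTS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}  # RFC 4880

def latest_bindings(listing):
    """Map subkey key ID -> (created, digest) of its newest 0x18 signature."""
    newest, kind, subkey, sig = {}, None, None, {}
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith(":"):  # a packet header starts a new packet
            kind = ("sig" if line.startswith(":signature packet:")
                    else "subkey" if "sub key packet" in line else "other")
            sig = {}
        elif kind == "subkey" and (m := re.match(r"keyid: (\w+)", line)):
            subkey = m.group(1)
        elif kind == "sig":
            if m := re.search(r"created (\d+).*sigclass (0x[0-9a-f]+)", line):
                sig = {"created": int(m.group(1)), "cls": m.group(2)}
            elif (m := re.match(r"digest algo (\d+)", line)) and subkey \
                    and sig.get("cls") == "0x18":  # subkey binding signature
                name = DIGESTS.get(int(m.group(1)), "algo " + m.group(1))
                # Assumption: the most recent binding signature is the one evaluated.
                if subkey not in newest or sig["created"] >= newest[subkey][0]:
                    newest[subkey] = (sig["created"], name)
    return newest

def sha1_bound_subkeys(listing):
    """Subkeys whose newest binding signature uses SHA-1, with its UTC date."""
    return [(k, datetime.fromtimestamp(t, timezone.utc).date().isoformat())
            for k, (t, d) in latest_bindings(listing).items() if d == "SHA1"]
```

For a real key, pass in the text produced by `gpg --export KEYID | gpg --list-packets`; an empty result after re-signing means the newest binding signature no longer uses SHA-1.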
Reporter
Comment 12•2 years ago
Hi Kai,
thanks a lot.
Hmm, let's grab my head ;) The key itself is relatively old, that's true. 2021 I mean I extended the key to <firstname>.<lastname>@domain.org.
So you mean that I just extend the validity of my key via Thunderbird KeyManager and it will be usable again?
Comment 13•2 years ago
You can try if Thunderbird is willing to set a new expiration date for your key.
(It doesn't offer to do that for complex keys that were created outside of Thunderbird and that may have a mix of validity times for subkeys.)
If that doesn't work, you could try to use external software to extend your key, for example using a current version of GnuPG. Export the secret key from your software, import into gnupg, edit the key to extend it, then export the secret key from gnupg, then import secret key back into thunderbird.
Reporter
Comment 14•2 years ago
Hmm, I did that using gpg (GnuPG) 2.2.32
Thunderbird doesn't accept the key. Yes, it was created 2014.
So I have to revoke the key completely?
Comment 15•2 years ago
Why revoke? In comment 13 I explained how you could extend it using GnuPG and then bring it back into Thunderbird.
Comment 16•2 years ago
Hmm, it's very strange that it doesn't work using gnupg 2.2.32 !
Comment 17•2 years ago
It seems that could need some configuration, some hints are available here: https://unix.stackexchange.com/questions/423109/how-do-i-prevent-gpg-from-including-sha1
Reporter
Comment 18•2 years ago
Ah sorry, my fault. I didn't exchange the subkey. Now it's working again. Thanks again for your valuable help!