Open Bug 1765497 Opened 3 years ago Updated 3 years ago

OpenPGP tags *valid* pgp signed mail as "Invalid Digital Signature"

Categories

(MailNews Core :: Security: OpenPGP, defect)

Thunderbird 91
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: leo.lanzi, Unassigned)

Details

Attachments

(4 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

Receive a valid PGP-signed mail with Thunderbird after 91.8.0 (checked both on Linux & Windows).
Thunderbird classifies it as "Invalid Digital Signature".
Read the same mail with Evolution (GNOME), or CLAWS for Windows, to confirm that you've received a valid PGP-signed mail.

Actual results:

OpenPGP box (right, on the gray part of the Mail window, same line as the "To" field) lights up the RED triangle.
Start blaming Thunderbird (see above).

Expected results:

Thunderbird shows the right result: display green lights for valid signed messages, red for not valid, other nice colors in other less useful cases.

Component: Mail Window Front End → Security: OpenPGP
Product: Thunderbird → MailNews Core

Can you attach the message as .eml to this bug?

(In reply to Magnus Melin [:mkmelin] from comment #1)

> Can you attach the message as .eml to this bug?
Sure [attached now].
As a detail, also previously "accepted as good" signed mails are now marked as bad.

l

Sorry, I think it's my fault: probably the OpenPGP [implemented in Thunderbird] in the last releases started to internally blame the DSA 1024-bit key for CSA?
The error message is not so clear, but it could be a sufficient reason to raise an error.

Thanks for your help

The problem here is with the SHA1 hash algorithm, not the DSA. Since TB 91.8.0 (and OpenPGP backend RNP v0.16.0), a SHA1 hash in signatures produced after Jan 15, 2019 is considered weak, and the signature is reported as invalid.

Is there a way to show the user a bit more detailed information about the problem (SHA1 hash algorithm)?
I also had the problem with mails from "Bundesamt für Sicherheit in der Informationstechnik (BSI)" (https://www.bsi.bund.de/DE/Service-Navi/Abonnements/Newsletter/Buerger-CERT-Abos/buerger-cert-abos_node.html). Only after a long investigation did I find that SHA1 is the problem. A regular user wouldn't be able to find what the problem is. "This message contains a digital signature, but a technical error was detected." is very general.
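The SHA1-after-2019-01-15 rule described two comments up, and the missing detail the comment above asks for, as an added example that is not Thunderbird's or RNP's own code: it reads the hash algorithm and creation time out of a v4 OpenPGP signature packet (layout per RFC 4880) and applies that rule. The sample packets are constructed and truncated (no MPIs), and the check is assumed to be exactly the date comparison stated in that comment.

```python
import struct
from datetime import datetime, timezone

HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 9.4
SHA1_CUTOFF = datetime(2019, 1, 15, tzinfo=timezone.utc)  # cutoff stated in the comment above


def parse_v4_signature(pkt: bytes) -> dict:
    """Read hash algorithm and creation time from a v4 signature packet (RFC 4880 5.2.3).
    Handles old-format headers and one-octet subpacket lengths; anything else raises."""
    tag_byte = pkt[0]
    if not tag_byte & 0x80 or tag_byte & 0x40:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
    if tag != 2:
        raise ValueError(f"not a signature packet (tag {tag})")
    body = pkt[1 + {0: 1, 1: 2, 2: 4}[ltype]:]          # skip tag octet + length octets
    version, hash_algo = body[0], body[3]                # body[1] sig type, body[2] pk algo
    if version != 4:
        raise ValueError(f"unsupported signature version {version}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed, created, i = body[6:6 + hashed_len], None, 0
    while i < len(hashed):                               # walk the hashed subpackets
        sp_len = hashed[i]                               # length octet covers type + data
        if sp_len >= 192:
            raise ValueError("multi-octet subpacket length not handled")
        sp_type, sp_data = hashed[i + 1] & 0x7F, hashed[i + 2:i + 1 + sp_len]
        if sp_type == 2:                                 # Signature Creation Time subpacket
            created = datetime.fromtimestamp(struct.unpack(">I", sp_data)[0], timezone.utc)
        i += 1 + sp_len
    return {"hash": HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})"), "created": created}


def classify(sig: dict) -> str:
    """Apply the rule from the thread: SHA1 signatures after the cutoff are reported invalid."""
    if sig["hash"] == "SHA1" and sig["created"] is not None and sig["created"] > SHA1_CUTOFF:
        return f"invalid: SHA1 signature created {sig['created']:%Y-%m-%d} (after 2019-01-15)"
    return f"ok: {sig['hash']} signature"


def build_sample(hash_algo: int, year: int, month: int, day: int) -> bytes:
    """Constructed, truncated test packet (DSA pk algo 17, no MPIs); not a real signature."""
    ts = struct.pack(">I", int(datetime(year, month, day, tzinfo=timezone.utc).timestamp()))
    hashed = bytes([5, 2]) + ts                          # one creation-time subpacket
    body = bytes([4, 0x01, 17, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0) + b"\x00\x00"           # no unhashed subpackets, hash prefix
    return bytes([0x88, len(body)]) + body               # old-format tag 2, one-octet length


if __name__ == "__main__":
    for args in [(2, 2022, 4, 1), (8, 2022, 4, 1), (2, 2018, 6, 1)]:
        print(classify(parse_v4_signature(build_sample(*args))))
```

Running the same parser over the signature packet of a flagged message (e.g. after `gpg --list-packets`, or on the raw bytes) shows whether the hash algorithm, not the key, is what trips the check.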

Attached image pgp-th1.jpeg
Attached image pgp-th2.png

Comment on attachment 9277669 [details]
pgp-th1.jpeg

warning on the verification of the sender

Comment on attachment 9277670 [details]
pgp-th2.png

where is something like "accept the sender identity"?

I confirm that with the same PGP key but with a SHA256 hash, the red alert disappears.

Anyway, now there is another alert (see attached image pgp-th1) "... you have not yet verified that the key is really owned by the sender".

The problem seems to be that the PGP key is "mine" (of my service inside my organization).
I obviously also have the private part, and I often have to use it [managing identities etc.].
The key is already promoted as a personal key (see attached image pgp-th2).
Also uploaded to keys.openpgp.org (default server for thunderbird) and verified.

Where could I "verify" more than in all these ways that this key is owned by myself and that I trust my identity.. at least at a digital level :) ?

Thank you all again
l

