Closed Bug 1765740 Opened 4 months ago Closed 3 months ago

GPG Key disappears after update to 91.8.0 - key uses SHA-1, expiration date has not been changed.

Categories

(MailNews Core :: Security: OpenPGP, defect)

Thunderbird 91
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1763641

People

(Reporter: ralph.staudigl, Unassigned)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

Steps to reproduce:

Updating to Thunderbird 91.8.0 / 91.8.1

Actual results:

One of my GPG keys is no longer shown and cannot be imported again.
When trying to import it again, I get the error:
OpenPGP Alert
Importing the keys failed.
Can be reproduced with:
https://keys.openpgp.org/vks/v1/by-fingerprint/07B9BD485A78EAF7B9DBE96C4C423EBF340BD0C2

Expected results:

All present GPG keys should be shown like in TB 91.7.0.
Also, the key should be able to be imported like in TB 91.7.0.

Is the key SHA-1? See bug 1763641

Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

Yes according to pgpdump

...
Old: Signature Packet(tag 2)(575 bytes)
Ver 4 - new
Sig type - Positive certification of a User ID and Public Key packet(0x13).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA1(hash 2)
...

It seems to be SHA-1.
But in contrast to bug 1763641 the expiration date has not been changed.

After switching the key's Hash alg to SHA-512 the import worked as expected.
Since SHA-1 is still supported by current GPG versions, it still would be nice if those keys would not disappear with new TB versions.
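
Added example, not part of the bug report or of Thunderbird's code: a small Python reader for the fields pgpdump prints above (packet tag, signature version, signature type, hash algorithm), so that a binary (non-armored) key export can be checked for SHA-1 signatures. The function names and the SAMPLE bytes are constructed for illustration.

```python
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}  # RFC 4880

def packets(data):
    """Yield (tag, body) for each packet in binary (non-armored) OpenPGP data."""
    i = 0
    while i < len(data):
        first = data[i]
        i += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[i]
            i += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + data[i] + 192
                i += 1
            elif o1 == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                  # old-format header ("Old:" in pgpdump)
            tag, size = (first >> 2) & 0x0F, 1 << (first & 0x03)
            if size == 8:                      # length type 3: runs to end of data
                size, length = 0, len(data) - i
            else:                              # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length

def signature_hashes(data):
    """Return (sig_type, hash_name) per signature packet (tag 2), v3 and v4 layouts."""
    found = []
    for tag, body in packets(data):
        if tag == 2 and body and body[0] in (3, 4):
            # v4: version, sig type, pub alg, hash alg; v3: hash alg at offset 16
            sig_type, hash_id = (body[1], body[3]) if body[0] == 4 else (body[2], body[16])
            found.append((sig_type, HASH_NAMES.get(hash_id, f"hash {hash_id}")))
    return found

def sha1_signatures(data):
    return [sig for sig in signature_hashes(data) if sig[1] == "SHA1"]

# Constructed sample: two truncated v4 signature packets, not a real key.
SAMPLE = (bytes([0x89, 0x00, 0x06, 4, 0x13, 1, 2, 0, 0]) +   # old format, SHA1
          bytes([0xC2, 0x06, 4, 0x18, 1, 10, 0, 0]))         # new format, SHA512
```

A 0x13 entry in the result of `sha1_signatures()` corresponds to the "Positive certification ... Hash alg - SHA1(hash 2)" lines in the pgpdump output above.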

Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago
Keywords: regression
Resolution: --- → DUPLICATE
Summary: GPG Key disappears after update to 91.8.0 → GPG Key disappears after update to 91.8.0 - key uses SHA-1, expiration date has not been changed.
Duplicate of bug: 1763641

Ralph, did you use GnuPG to create your key in 2019, or other software?

If it was GnuPG, do you know which version you had used?

I think all versions of GnuPG from 2.0.13 (2009) used something better than SHA-1.
Did you have a GnuPG configuration file that requests the use of SHA-1?

Hello Kai,
when I created the key in 2019, I was using Linux Solus, and I didn't have gpg.conf. Since 2020 I switched to Fedora (back then 33) and currently 35. In order to change the digest of the key and the subkeys now, I had to exclude SHA1 in the gpg.conf.
Best, Ralph
