Closed Bug 1786916 Opened 2 years ago Closed 2 years ago

PGP key discovery doesn't work in Thunderbird 102.2.0 for keys with a single user ID

Categories

(MailNews Core :: Security: OpenPGP, defect)

defect

Tracking

(thunderbird_esr102+ fixed, thunderbird105 fixed)

RESOLVED FIXED
106 Branch
Tracking Status
thunderbird_esr102 + fixed
thunderbird105 --- fixed

People

(Reporter: smichaud, Assigned: mkmelin)

References

(Regression)

Details

(Keywords: regression, reproducible)

Attachments

(1 file)

The error is "We couldn’t find any usable key matching the specified search criteria".

STR:

  1. Open an email to/from the person whose public key you're trying to import into Thunderbird (for example to send them encrypted email).

  2. Right-click on their email address and choose "Discover OpenPGP Key".

This always fails for me, even when I choose an email address for someone I know has (and currently uses) a gpg/pgp keypair.

The person whose email address I've been testing with is Gabriele Svelto. He signs his email messages to me with his gpg/pgp private key, and includes his public key in the message. When I search on https://keys.openpgp.org/ using his email address (his Mozilla email address), I get a result that exactly matches the public key in his emails. (Under the hood Thunderbird seems to use the keys.openpgp.org keyserver exclusively, as reflected in the default value for temp.openpgp.keyserver in about:config.)

What I'm doing should work, at least with Gabriele Svelto. Can you tell me why it doesn't?

I get the same error when I click on the OpenPGP button in one of Gabriele's emails and choose "Discover".

I get exactly the same failures with the current Thunderbird Daily.

Summary: Discover OpenPGP Key doesn't work in Thunderbird 102 → Discover OpenPGP Key doesn't work in Thunderbird

Error messages from Thunderbird 102's "error console":

When I right-click on Gabriele Svelto's Mozilla email address and choose "Discover OpenPGP Key":

XHRGEThttps://www.mozilla.org/en-US/.well-known/openpgpkey/hu/zy9qa9be75btmh6cps67yodqweadz5g6?l=[Gabriele Svelto]
[HTTP/2 404 Not Found 145ms]

When I right-click on the OpenPGP button in an email Gabriele has signed and choose "Discover":

searchKeysOnInternet no wkd data for [Gabriele Svelto] keyLookupHelper.jsm:210:15

Edit: Oops, these errors both appear when I right-click on Gabriele Svelto's email address and choose "Discover OpenPGP Key". I don't see anything in the error console when I right-click on the OpenPGP button -- though of course that also fails.

This document advises you to add a CNAME alias (named "openpgpkey") to "wkd.keys.openpgp.org" to your DNS server. I did this (I run my own private network), but it made no difference.

I've now tested with Thunderbird 102 on macOS 10.15.7, Windows 10 and Ubuntu Linux on my local private network. I get the same failures with all of them.

The email server(s) I'm interacting with are also on my local network (bagend.private). I'm beginning to wonder if that makes a difference. Gabriele Svelto doesn't see any PGP key discovery errors testing with a signed message from me (running Thunderbird 102 on Linux).

PGP key discovery works fine in Thunderbird 91.11.0, even for me (on my private network).

Summary: Discover OpenPGP Key doesn't work in Thunderbird → PGP key discovery doesn't work in Thunderbird
Summary: PGP key discovery doesn't work in Thunderbird → PGP key discovery doesn't work in Thunderbird 102

"Discover OpenPGP Key" still worked on Gabriele Svelto's email address in Thunderbird 102.1.2. It doesn't work in Thunderbird 102.2.0. I'll look for the regression range in the Thunderbird dailies.

Summary: PGP key discovery doesn't work in Thunderbird 102 → PGP key discovery doesn't work in Thunderbird 102.2.0

I've found the revision that triggered this bug (at least on Thunderbird dailies):

The first bad revision is:
changeset:   36294:1aa03693518b
user:        Kai Engert <[email address]>
date:        Sat Jul 16 19:21:18 2022 +1000
summary:     Bug 1778867 - Don't offer importing a new key that lacks user ID. r=mkmelin
Regressed by: 1778867

I've found that the STR from comment #0 work (cause this bug's failures) for anyone with a mozilla.com email address whose PGP public key can be downloaded from https://keys.openpgp.org/ when you search on the address. (The fact that this search works shows that the owner of the address has explicitly uploaded their PGP public key to keys.openpgp.org and responded to an automated email sent (to their address) by keys.openpgp.org. In effect they've verified their own email address. Of course the failures also happen with mozilla.com email addresses that aren't associated with any PGP key, or whose PGP key can't be downloaded from https://keys.openpgp.org/.)

However the STR don't work (don't cause this bug's failures) with my own email address or Kai Engert's email address -- neither of which is a mozilla.com address. Both of our PGP public keys can also be downloaded (via the email address) from keys.openpgp.org.

Note that code in wkdLookup.jsm tries to construct an HTTPS URL using the 'domain' from an email address. Comment #2 records a 404 error at https://www.mozilla.org/en-US/.well-known/openpgpkey/hu/zy9qa9be75btmh6cps67yodqweadz5g6?l=[Gabriele Svelto]. I haven't seen similar failures at websites in other domains. Could it be that www.mozilla.org needs to be changed to add support for this kind of search?

Note also the translation from mozilla.com to mozilla.org. I assume that's the result of a redirection.

The error (in the error console) for someone who doesn't have a PGP public key at keys.openpgp.org looks like this:

XHRGEThttps://keys.openpgp.org/vks/v1/by-email/[email address]
[HTTP/2 404 Not Found 505ms]
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Target Milestone: --- → 106 Branch

Ah, I finally understand the weirdness here ... at least I think so.

Thunderbird currently uses both the WKD protocol and the VKS protocol to perform PGP key discovery. Before the patch for bug 1778867 landed, a result from either protocol counted as a success. After the patch landed, PGP key discovery only worked for those rare cases where both the WKD and VKS protocols returned viable results. Magnus Melin's patch from comment #12 restores the previous behavior and fixes this bug.

I've tried Magnus's patch in my local comm-central build. Now PGP key discovery works for Gabriele Svelto's Mozilla email address, and those of several others who have registered their PGP public key at https://keys.openpgp.org/.

The https://www.mozilla.org/en-US/.well-known/openpgpkey/hu/... weirdness is part of the WKD protocol.
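A worked reconstruction of the two lookups visible in the console output above, added here as an example and not code from Thunderbird's keyLookupHelper.jsm or wkdLookup.jsm: it builds the WKD and VKS lookup URLs for an address and accepts the first key that carries at least one user ID. The injected `fetch` callable, the key dicts and the `>= 1` user-ID check are assumptions for illustration, not the actual patch.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding, 5 bits per character."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_urls(email: str) -> tuple:
    """Return the (advanced, direct) WKD lookup URLs for an address.

    Per the WKD draft the local part is lowercased before SHA-1 hashing and
    z-base-32 encoding; the un-hashed local part travels in the ?l= query.
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={l_param}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}"
    return advanced, direct


def vks_url(email: str) -> str:
    """keys.openpgp.org VKS by-email lookup, as seen in the console output."""
    return "https://keys.openpgp.org/vks/v1/by-email/" + quote(email, safe="@")


def discover_key(email: str, fetch):
    """Try WKD (advanced, then direct), then VKS; return the first usable key.

    `fetch` is an injected callable url -> list of key dicts, or None on a 404,
    so the example runs offline (assumption: it stands in for Thunderbird's XHR).
    A key is usable when it carries at least one user ID; a `> 1` here instead
    of `>= 1` would reject every key with a single user ID, the symptom reported.
    """
    for url in (*wkd_urls(email), vks_url(email)):
        keys = fetch(url)
        if not keys:
            continue
        usable = [k for k in keys if len(k.get("uids", [])) >= 1]
        if usable:
            return usable[0]
    return None
```

Run against a WKD lookup that 404s and a VKS lookup that returns one key with a single user ID, the discovery succeeds, which is the case this bug's regression broke.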

Summary: PGP key discovery doesn't work in Thunderbird 102.2.0 → PGP key discovery doesn't work in Thunderbird 102.2.0 for keys with a single user ID

Thanks Steven and Magnus, this was a stupid mistake.

Comment on attachment 9291884 [details]
Bug 1786916 - Fix off by one error(s) preventing OpenPGP discovery to work properly. r=kaie

[Approval Request Comment]
Regression caused by (bug #): 1778867
User impact if declined: feature nonworking
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low

Attachment #9291884 - Flags: approval-comm-esr102?
Attachment #9291884 - Flags: approval-comm-beta?

Pushed by alessandro@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/4d9263ac82f4
Fix off by one error(s) preventing OpenPGP discovery to work properly. r=kaie

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Comment on attachment 9291884 [details]
Bug 1786916 - Fix off by one error(s) preventing OpenPGP discovery to work properly. r=kaie

[Triage Comment]
Approved for beta

Attachment #9291884 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9291884 [details]
Bug 1786916 - Fix off by one error(s) preventing OpenPGP discovery to work properly. r=kaie

[Triage Comment]
Approved for esr102

Rob, to fix this recent regression I'm OK with taking this simple patch without significant beta testing. As long as you are OK.

Attachment #9291884 - Flags: approval-comm-esr102? → approval-comm-esr102+
