Summary: OpenPGP secret key backup silently fails from OpenPGP key manager
Categories: MailNews Core :: Security: OpenPGP, defect

Tracking:

Branch | Tracking flag | Status
---|---|---
thunderbird_esr102 | --- | unaffected
thunderbird_esr115 | --- | fixed
thunderbird115 | + | wontfix
thunderbird116 | --- | fixed

People: Reporter: afranchuk, Assigned: mkmelin
References: Regression
Details: Keywords: leave-open, regression; Whiteboard: [TM:115.0.+]
Attachments (1 file, 1 obsolete file): 48 bytes, text/x-phabricator-request; wsmwk: approval-comm-esr115+
Description (comment #0, Reporter):

I'm trying to export my secret keys (to import into 115.0b1), however after entering a password to protect the secret key file, the dialog is dismissed but no file is created. I definitely have secret keys, so a file should be created.
Comment 1 (Assignee) • 2 years ago
Just tried exporting in 102. Seems to work fine for me.
Comment 2 (Reporter) • 2 years ago
I wasn't sure, but maybe platform is relevant? I'm on x86_64 Linux.
Comment 3 (Reporter) • 2 years ago
Aha, the console log shows

```
JavaScript error: chrome://openpgp/content/modules/RNP.jsm, line 3426: Error: rnp_key_unlock failed
```
Comment 4 (Assignee) • 2 years ago
Actually, backup from the account manager is apparently not working, for a clearer case.
(Yours may or may not be different; I don't get that error.)
Comment 5 (Assignee) • 2 years ago
```
Uncaught (in promise) Error: key/fingerprint identifier of unexpected length: 0xE310D0BA02D5529DAB088296797E2FEBBD98B299
    _getKeyHandleByKeyIdOrFingerprint chrome://openpgp/content/modules/RNP.jsm:3167
    getKeyHandleByKeyIdOrFingerprint chrome://openpgp/content/modules/RNP.jsm:3200
    getKeyHandleByIdentifier chrome://openpgp/content/modules/RNP.jsm:3215
    backupSecretKeys chrome://openpgp/content/modules/RNP.jsm:4228
    exportSecretKey chrome://messenger/content/am-e2e.js:1532
    onDialogAccept chrome://openpgp/content/ui/backupKeyPassword.js:43
    _fireButtonEvent chrome://global/content/elements/dialog.js:515
    _doButtonCommand chrome://global/content/elements/dialog.js:494
    _hitEnter chrome://global/content/elements/dialog.js:525
    connectedCallback chrome://global/content/elements/dialog.js:112
    openPgpExportSecretKey chrome://messenger/content/am-e2e.js:1509
```
Comment 6 (Assignee) • 2 years ago
We ended up with 0x0x<keyId>. Prevent that.
Comment 7 (Assignee) • 2 years ago
Working in 102. Not sure what caused this.
Comment 8 • 2 years ago
I'm checking the recent changes that added or removed a "0x" string.
In bug 1679278 I had recently added "0x" to the ID argument in getKeyHandleByIdentifier here:
https://hg.mozilla.org/comm-central/rev/66c5ab097834#l1.2109
It seems that's the only place.
I suggest that we add the check (necessary to add or not) at this place, and leave other places unchanged.
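To make the "0x0x<keyId>" defect from comments 5, 6 and 8 concrete, here is an added example (my own code, not Thunderbird's RNP.jsm): a normaliser that adds the prefix at most once and validates the hex length, next to the unconditional-prepend pattern that caused the regression and a hypothetical one-prefix lookup that reproduces the exact error text from comment 5. All function names are assumed.

```javascript
// Added example, not code from Thunderbird's RNP.jsm. Function names
// (normalizeKeyIdentifier, buggyPrefixedLookup, safePrefixedLookup,
// lookupStrippingOnePrefix) are hypothetical.

// Lengths of the hex part of a well-formed OpenPGP identifier:
// 8 = short key ID, 16 = long key ID, 40 = v4 fingerprint.
const VALID_HEX_LENGTHS = new Set([8, 16, 40]);

function normalizeKeyIdentifier(id) {
  if (typeof id !== "string") {
    throw new TypeError("key identifier must be a string");
  }
  let hex = id.trim();
  // Strip every leading "0x"/"0X", so a caller that already prefixed
  // the value cannot turn it into "0x0x<keyId>".
  while (/^0x/i.test(hex)) {
    hex = hex.slice(2);
  }
  hex = hex.toUpperCase();
  if (!/^[0-9A-F]+$/.test(hex) || !VALID_HEX_LENGTHS.has(hex.length)) {
    throw new Error(`key/fingerprint identifier of unexpected length: 0x${hex}`);
  }
  return `0x${hex}`;
}

// The regression pattern: unconditionally prepend "0x" before the lookup.
// Given an already-prefixed fingerprint this produces "0x0x<fingerprint>".
function buggyPrefixedLookup(id) {
  return "0x" + id;
}

// The corrected pattern: normalise first, so the prefix is present exactly once.
function safePrefixedLookup(id) {
  return normalizeKeyIdentifier(id);
}

// Hypothetical reconstruction of a lookup that strips exactly one "0x" and
// then checks the length. Fed "0x0x<fingerprint>" it leaves "0x<fingerprint>"
// (42 characters) and fails with the same message as the trace in comment 5.
function lookupStrippingOnePrefix(id) {
  const hex = id.startsWith("0x") ? id.slice(2) : id;
  if (!VALID_HEX_LENGTHS.has(hex.length)) {
    throw new Error(`key/fingerprint identifier of unexpected length: ${hex}`);
  }
  return hex;
}
```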
Comment 9 • 2 years ago

Comment 10 • 2 years ago
Comment 11 • 2 years ago
> (In reply to Alex Franchuk from comment #0)
> I'm trying to export my secret keys (to import into 115.0b1), however after entering a password to protect the secret key file, the dialog is dismissed but no file is created. I definitely have secret keys, so a file should be created.
Alex, can you confirm that it failed when you started the backup from within the account settings?
Backup using the OpenPGP key manager appears to be working, you could use that as a workaround, until we uplift the fix to 115. Does that work for you?
Comment 12 (Reporter) • 2 years ago
> (In reply to Kai Engert (:KaiE:) from comment #11)
> > (In reply to Alex Franchuk from comment #0)
> > I'm trying to export my secret keys (to import into 115.0b1), however after entering a password to protect the secret key file, the dialog is dismissed but no file is created. I definitely have secret keys, so a file should be created.
> Alex, can you confirm that it failed when you started the backup from within the account settings?
> Backup using the OpenPGP key manager appears to be working, you could use that as a workaround, until we uplift the fix to 115. Does that work for you?
I was previously backing up from the OpenPGP key manager, not the account settings. It does not work for me. Each time I attempt a backup from the OpenPGP key manager, I see the error mentioned in the earlier comment printed.
I don't know exactly what you are referring to when you say "backup from within the account settings"; I've gone through the tabs of account settings but haven't seen anything related to backup.
Comment 13 (Assignee) • 2 years ago
Under account settings | End to End encryption, when you click on the key you're using there are controls to do various actions with the key, like backup
Comment 14 • 2 years ago
> (In reply to Alex Franchuk from comment #3)
> Aha, the console log shows
> JavaScript error: chrome://openpgp/content/modules/RNP.jsm, line 3426: Error: rnp_key_unlock failed
It's strange that you get that, because apparently that code is only reached when generating a new key.
Are you using a non-standard configuration?
The experimental feature for individual passphrases, which was recently added?
Did you install the Octopus replacement software for RNP?
Comment 15 (Reporter) • 2 years ago
> (In reply to Kai Engert (:KaiE:) from comment #14)
> It's strange that you get that, because apparently that code is reached when performing generation of a new key, apparently.
> Are you using a non-standard configuration?
> The experimental feature for individual passphrases, which was recently added?
> Did you install the Octopus replacement software for RNP?
It's an entirely vanilla install. I also thought that weird (as I looked at where it was produced as well).
Comment 16 (Reporter) • 2 years ago
> (In reply to Magnus Melin [:mkmelin] from comment #13)
> Under account settings | End to End encryption, when you click on the key you're using there are controls to do various actions with the key, like backup
Maybe this is related to my problem! I don't have any option to select keys there, instead I have to open the key manager to be able to select them. This is because the key I am using is not associated with the account email address. So it shows a message saying Thunderbird doesn't have a personal OpenPGP key for afranchuk@mozilla.com.
Comment 17 • 2 years ago
Comment on attachment 9341096 [details]
Bug 1839415 - Minimal fix for backing up an OpenPGP secret key from account manager. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): 1679278
User impact if declined: failure to back up a secret key
Testing completed (on c-c, etc.): yes
Risk to taking this patch (and alternatives if risky): low
Comment 18 • 2 years ago
Comment on attachment 9341096 [details]
Bug 1839415 - Minimal fix for backing up an OpenPGP secret key from account manager. r=mkmelin
The checkin at comment 10 indicates this will be in beta 116 without the need for uplift to beta.
Comment 19 • 2 years ago
Will uplift to esr point release after it bakes on beta
Comment 20 • 2 years ago
I still don't understand what happens in your scenario.
Because you said you aren't using account settings, I'm undoing the change to the bug's summary (which Magnus had made) and clarifying your problem is about backing up from OpenPGP key manager.
You are using an OpenPGP key that either lacks a user identity, or has a user identity that doesn't match your configured Thunderbird account.
Alex, is my assumption correct that you had initially created your key outside of Thunderbird, maybe using GnuPG?
To summarize:
- you go to Tools / OpenPGP Key Manager
- you select a secret key (which should be shown as bold)
- you use the command to backup the secret key.
Is my understanding correct?
When you do the above, you see the error message from comment 3.
That doesn't make sense to me at all, because as I said above, that code path shouldn't be reached when backing up, it would only be reached when generating a new key.
Comment 21 • 2 years ago
... and the bugfix patch we have attached here cannot fix your bug, it fixes a different bug that we identified while investigating.
Comment 22 (Reporter) • 2 years ago
> (In reply to Kai Engert (:KaiE:) from comment #20)
> I still don't understand what happens in your scenario.
> Because you said you aren't using account settings, I'm undoing the change to the bug's summary (which Magnus had made) and clarifying your problem is about backing up from OpenPGP key manager.
> You are using an OpenPGP that either lacks an user identity, or has a user identity that doesn't match your configured Thunderbird account.
> Alex, is my assumption correct that you had initially created your key outside of Thunderbird, maybe using GnuPG?
> To summarize:
> - you go to Tools / OpenPGP Key Manager
> - you select a secret key (which should be shown as bold)
> - you use the command to backup the secret key.
> Is my understanding correct?
> When you do the above, you see the error message from comment 3.
> That doesn't make sense to me at all, because as I said above, that code path shouldn't be reached when backing up, it would only be reached when generating a new key.
Your summary is accurate. And yes, I added a key which existed outside of Thunderbird and prior to the existence of my @mozilla.com email account.
I agree the error doesn't make sense given the action I'm taking, but that is what I see each time I attempt an export. When I have some free time I will attach a debugger to see how it's ending up in the code path.
Comment 23 • 2 years ago
Comment on attachment 9341096 [details]
Bug 1839415 - Minimal fix for backing up an OpenPGP secret key from account manager. r=mkmelin
[Triage Comment]
Approved for esr115
Comment 24 • 2 years ago
bugherder uplift, Thunderbird 115.0.1:
https://hg.mozilla.org/releases/comm-esr115/rev/75bc6cd014bf
Comment 25 • 2 years ago
Alex, are you using an unusual key?
Maybe you have offline secret keys? With some secret keys (e.g. for subkeys) missing?
Do you have a key that uses different passphrases for subkeys?
If the answer is "no" to the above, maybe there's something else unusual about your key?
Maybe it would be helpful to share the structure of your key?
Comment 26 (Reporter) • 2 years ago
My key is one master key with 3 subkeys, one for each of encryption, authentication, and signing. All secret keys are present (they are also on a YubiKey but I've imported them locally). They use the same master key passphrase.
Comment 27 (Assignee) • 2 years ago
Alex, is this (comment 20) still a problem in Thunderbird 115 or above? If so we should close this and clone that into a new bug.
Comment 28 (Reporter) • 1 year ago
> (In reply to Magnus Melin [:mkmelin] from comment #27)
> Alex, is this (comment 20) still a problem in Thunderbird 115 or above? If so we should close this and clone that into a new bug.
The actions seem to work in Thunderbird 115!
Comment 29 (Assignee) • 1 year ago
Thanks, closing this then!