Unable to decrypt OpenGPG emails with the incorrect encoding reported in bug 1898832
Categories
(MailNews Core :: Security: OpenPGP, defect, P1)
Tracking
(thunderbird_esr115 fixed, thunderbird_esr128 fixed, thunderbird129 fixed)
People
(Reporter: kmunoz, Assigned: KaiE)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [1898832 and 1906903 should go together])
Attachments
(8 files)
|
482.74 KB,
image/png
|
Details | |
|
334.13 KB,
image/png
|
Details | |
|
115.49 KB,
image/png
|
Details | |
|
151.33 KB,
image/png
|
Details | |
|
345.78 KB,
image/png
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
corey
:
approval-comm-beta+
wsmwk
:
approval-comm-esr128+
|
Details | Review |
|
4.62 KB,
message/rfc822
|
Details | |
|
8.23 KB,
patch
|
corey
:
approval-comm-esr115+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0
Steps to reproduce:
When trying to read an email encrypted with GPG it is not possible since it is not sending or finding the sender's digital signature and shows the following warning in the email security
No Digital Signature
This message does not contain the sender's digital signature. The absence of a digital signature means that the message could have been sent by someone pretending to have this email address. It also means that the message may have been altered while being transmitted over the network.
Actual results:
Unable to read GPG-encrypted emails
Expected results:
Be able to decrypt emails with GPG and read their content and attachments
Comment 1•2 years ago
|
||
Please try Thunderbird 128.
But, you're confusing the details. Signature missing doesn't have any implication on being able to decrypt; there's something else going on. Check that you actually have the keys it says it has encrypted to.
(In reply to Magnus Melin [:mkmelin] from comment #1)
Please try Thunderbird 128.
But, you're confusing the details. Signature missing doesn't have any implication on being able to decrypt; there's something else going on. Check that you actually have the keys it says it has encrypted to.
Hello, I made the change as you recommended but the problem still continues and it is giving me problems with the work, about the keys if I have the key that encrypts and signs the emails (a yubikey 5 NFC)
| Assignee | ||
Comment 4•1 year ago
|
||
There is a known issue with encrypted messages sent by very new versions of GnuPG. They use an encoding that our RNP backend rejects and cannot decrypt.
Thunderbird versions until 115.12 are affected by this problem.
The problem is described in bug 1884508.
The fix is to upgrade to a newer RNP release, version 0.17.1
We are finally getting this done with version 115.13 (tracked in bug 1885353).
As soon as you are able to upgrade to 115.13, please test again and report here if the issue is fixed for you.
Magnus is correct regarding the information message you have seen. The explanation about a missing digital signature is irrelevant for a problem with decrypting a message.
I have version 0.17.1 of the RNP library available in the arch linux AUR and as a thunderbird base I am using the thunderbird-beta 129.0b1-1 [0 B 251.55 MiB] [Installed] but in the same way forwarding an encrypted email under this version and trying to read it continues to fail
Comment 7•1 year ago
|
||
Have you configured Thunderbird to use external GnuPG, in the account settings of the account? Or imported the key to Thunderbird.
If you only have the key in GnuPG and didn't configure in Thunderbird, it would not work.
| Reporter | ||
Comment 10•1 year ago
|
||
I have it configured to import the key externally and in the thunderbird keychain I have imported the public keys from the key directory that we have in the company, this is how it had been working for me in previous versions but now that I update the computer and configure it in the usual way I found this problem
| Assignee | ||
Comment 11•1 year ago
|
||
What is the version that you're using now, and that doesn't work?
| Assignee | ||
Comment 12•1 year ago
|
||
Did you intentionally install the "octopus" library?
Maybe uninstall it, to make sure it isn't active, because Thunderbird doesn't support the octopus replacement library.
| Assignee | ||
Comment 13•1 year ago
|
||
You said, you have received an encrypted email. That email was sent by someone who used GnuPG.
Did you send the encrypted email with GnuPG, or was that someone else?
(If you send the encrypted email with GnuPG, then please try to send an encrypted email to me also, or tell your contact to send an encrypted email to me, kaie@kuix.de - 21D16E67E18398C8DA9DDF2E1C27423725007724
| Assignee | ||
Comment 14•1 year ago
|
||
Based on your screenshot it seems your own key expired on 2024-07-07.
But that shouldn't be an issue for decrypting email.
| Assignee | ||
Comment 15•1 year ago
|
||
(In reply to Kai Engert (:KaiE:) from comment #14)
Based on your screenshot it seems your own key expired on 2024-07-07.
But that shouldn't be an issue for decrypting email.
Sorry, I might have misinterpreted, is that the day you have created your key?
| Assignee | ||
Comment 16•1 year ago
|
||
Have you tried to decrypt the email on the command line with GnuPG ?
| Assignee | ||
Comment 17•1 year ago
|
||
You created the key on 2024-07-07
You filed this bug on 2024-07-09, which was just 2 days later.
You said it worked with a previous Thunderbird version.
Because you are reporting problems with a very new key, did it work correctly with a previous key, but the new problems are related to your new key?
| Reporter | ||
Comment 18•1 year ago
|
||
(In reply to Kai Engert (:KaiE:) from comment #13)
You said, you have received an encrypted email. That email was sent by someone who used GnuPG.
Did you send the encrypted email with GnuPG, or was that someone else?
(If you send the encrypted email with GnuPG, then please try to send an encrypted email to me also, or tell your contact to send an encrypted email to me, kaie@kuix.de - 21D16E67E18398C8DA9DDF2E1C27423725007724
I sent you an encrypted email and another with only the signature to see if you appreciate the error
(In reply to Kai Engert (:KaiE:) from comment #17)
You created the key on 2024-07-07
You filed this bug on 2024-07-09, which was just 2 days later.You said it worked with a previous Thunderbird version.
Because you are reporting problems with a very new key, did it work correctly with a previous key, but the new problems are related to your new key?
The error also occurred with my previous key as well and was revoked and updated by company policies then the 2 keys were affected
| Assignee | ||
Comment 19•1 year ago
|
||
I'm reverting the flags that you changed, please try to avoid that.
| Assignee | ||
Comment 20•1 year ago
|
||
Thank you for the test message you sent to me.
I can confirm the problem.
The message is encrypted to my key, but Thunderbird cannot decrypt it.
I can decrypt the message using GnuPG command line tool - if I use "gpg --unwrap" as a first step.
When trying to decrypt with gnupg, it complains that it finds unexpected packet of type 2d, which is the code for the dash character. So instead of finding a binary encoding, it finds ascii armored data inside.
It's very likely that it is the same cause as bug 1898832.
I didn't think of that bug, because you had said that you had created the email with gnupg.
Only Thunderbird creates that kind of corrupt messages, as far as I'm aware.
Maybe you said the message was created with gnupg, because you have configured external gnupg.
But even in that configuration, Thunderbird uses gnupg only for signing and decryption.
It doesn't use gnupg for creating an encrypted message.
So, hopefully soon bug 1898832 gets landed and backported to beta 129 and stable 128 (and stable 115, too).
Once that's done, we can ask you to test again.
| Assignee | ||
Comment 21•1 year ago
|
||
While we're still waiting for the second fix from bug 1898832 to get added Thunderbird (which will prevent the creation of these badly encoded messages),
we already have the earlier patch in that bug - which attempts to allow decryption of those badly encoded messages.
If I allow external_gnupg in Thunderbird, I'm actually able to decrypt your message already.
So I don't understand why you cannot decrypt it with 129.
| Reporter | ||
Comment 22•1 year ago
|
||
Thank you, so while it is resolved I will continue to ask that the messages only signed for the internal company and external clients be authorized, I hope the problem is solved soon since the company implemented the gpg encryption of emails and I am its cybersecurity engineer who helped make the secure transition to this method
Comment 23•1 year ago
|
||
Please don't touch the flags.
| Assignee | ||
Comment 24•1 year ago
|
||
(In reply to Kai Engert (:KaiE:) from comment #21)
If I allow external_gnupg in Thunderbird, I'm actually able to decrypt your message already.
So I don't understand why you cannot decrypt it with 129.
I see that the behavior is erratic !
Sometimes it works for me, an after a while, it no longer works. Not even after restarting TB.
| Assignee | ||
Comment 25•1 year ago
|
||
See also bug 1898832.
Updated•1 year ago
|
| Assignee | ||
Updated•1 year ago
|
| Assignee | ||
Comment 26•1 year ago
|
||
sample email message, using the public alice/bob keys from
https://gitlab.com/openpgp-wg/openpgp-samples
| Assignee | ||
Comment 27•1 year ago
|
||
See bug 1898832 comment 21 for the justification for limiting the ability to decode these bad messages to users of thunderbird with external gnupg, and also for steps to manually decrypt those messages with gnupg.
Comment 28•1 year ago
|
||
Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/1d67b7139d5f
Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin
| Assignee | ||
Comment 29•1 year ago
|
||
Comment on attachment 9413693 [details]
Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): 1688863
User impact if declined: users cannot decrypt some messages they have sent
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low. Change is limited to users who experience messages that cannot be decrypted, and the fallback code is limited to users with the non-default external-gnupg configuration, only.
Updated•1 year ago
|
Comment 30•1 year ago
|
||
Comment on attachment 9413693 [details]
Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin
[Triage Comment]
Approved for beta
Comment 31•1 year ago
|
||
| bugherder uplift | ||
Thunderbird 129.0b4:
https://hg.mozilla.org/releases/comm-beta/rev/64cd8a3a513c
| Assignee | ||
Updated•1 year ago
|
| Assignee | ||
Updated•1 year ago
|
| Assignee | ||
Comment 32•1 year ago
|
||
| Assignee | ||
Comment 33•1 year ago
|
||
I've manually tested that the combination of the three backported patched from bug 1898832 and this bug 1906903 on the esr-115 branch provide the expected fix.
And here's a esr115 try build:
https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=d9c201635fb0d5d0cbb5f9bd882f424ed70a79e3
| Assignee | ||
Comment 34•1 year ago
|
||
Comment on attachment 9413693 [details]
Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): 1688863
User impact if declined: users cannot decrypt some messages they have sent
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low. Change is limited to users who experience messages that cannot be decrypted, and the fallback code is limited to users with the non-default external-gnupg configuration, only.
| Assignee | ||
Updated•1 year ago
|
| Assignee | ||
Updated•1 year ago
|
Comment 35•1 year ago
|
||
Unfortunately Thunderbird is not covered by the Mozilla bug bounty program
Comment 36•1 year ago
|
||
Comment on attachment 9413693 [details]
Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin
[Triage Comment]
Approved for esr128
Comment 37•1 year ago
|
||
| bugherder uplift | ||
Thunderbird 128.1.0esr:
https://hg.mozilla.org/releases/comm-esr128/rev/6974f904df84
Comment 38•1 year ago
|
||
Comment on attachment 9414196 [details] [diff] [review]
1906903-backport-esr115.patch
[Triage Comment]
Approved for esr115
Comment 39•1 year ago
|
||
| bugherder uplift | ||
Thunderbird 115.14.0:
https://hg.mozilla.org/releases/comm-esr115/rev/99f915f469c8
Description
•