1906903 - Unable to decrypt OpenGPG emails with the incorrect encoding reported in bug 1898832

Status: RESOLVED FIXED

(MailNews Core :: Security: OpenPGP, defect, P1)

Description

[kmunoz]

Attachment: Captura de pantalla_20240709_102504.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0

Steps to reproduce:

When trying to read an email encrypted with GPG it is not possible since it is not sending or finding the sender's digital signature and shows the following warning in the email security

No Digital Signature

This message does not contain the sender's digital signature. The absence of a digital signature means that the message could have been sent by someone pretending to have this email address. It also means that the message may have been altered while being transmitted over the network.

Actual results:

Unable to read GPG-encrypted emails

Expected results:

Be able to decrypt emails with GPG and read their content and attachments

Comment 1

[Magnus Melin [:mkmelin]]

Please try Thunderbird 128.
But, you're confusing the details. Signature missing doesn't have any implication on being able to decrypt; there's something else going on. Check that you actually have the keys it says it has encrypted to.

Comment 2

[kmunoz]

Attachment: imagen.png

Comment 3

[kmunoz]

(In reply to Magnus Melin [:mkmelin] from comment #1)

Please try Thunderbird 128.
But, you're confusing the details. Signature missing doesn't have any implication on being able to decrypt; there's something else going on. Check that you actually have the keys it says it has encrypted to.

Hello, I made the change as you recommended but the problem still continues and it is giving me problems with the work, about the keys if I have the key that encrypts and signs the emails (a yubikey 5 NFC)

Comment 4

[Kai Engert (:KaiE:)]

There is a known issue with encrypted messages sent by very new versions of GnuPG. They use an encoding that our RNP backend rejects and cannot decrypt.

Thunderbird versions until 115.12 are affected by this problem.

The problem is described in bug 1884508.

The fix is to upgrade to a newer RNP release, version 0.17.1
We are finally getting this done with version 115.13 (tracked in bug 1885353).

As soon as you are able to upgrade to 115.13, please test again and report here if the issue is fixed for you.

Magnus is correct regarding the information message you have seen. The explanation about a missing digital signature is irrelevant for a problem with decrypting a message.

Comment 5

[kmunoz]

Attachment: imagen2.png

Comment 6

[kmunoz]

I have version 0.17.1 of the RNP library available in the arch linux AUR and as a thunderbird base I am using the thunderbird-beta 129.0b1-1 [0 B 251.55 MiB] [Installed] but in the same way forwarding an encrypted email under this version and trying to read it continues to fail

Comment 7

[Magnus Melin [:mkmelin]]

Have you configured Thunderbird to use external GnuPG, in the account settings of the account? Or imported the key to Thunderbird.
If you only have the key in GnuPG and didn't configure in Thunderbird, it would not work.

Comment 8

[kmunoz]

Attachment: imagen3.png

Comment 9

[kmunoz]

Attachment: imagen4.png

Comment 10

[kmunoz]

I have it configured to import the key externally and in the thunderbird keychain I have imported the public keys from the key directory that we have in the company, this is how it had been working for me in previous versions but now that I update the computer and configure it in the usual way I found this problem

Comment 11

[Kai Engert (:KaiE:)]

What is the version that you're using now, and that doesn't work?

Comment 12

[Kai Engert (:KaiE:)]

Did you intentionally install the "octopus" library?
Maybe uninstall it, to make sure it isn't active, because Thunderbird doesn't support the octopus replacement library.

Comment 13

[Kai Engert (:KaiE:)]

You said, you have received an encrypted email. That email was sent by someone who used GnuPG.

Did you send the encrypted email with GnuPG, or was that someone else?

(If you send the encrypted email with GnuPG, then please try to send an encrypted email to me also, or tell your contact to send an encrypted email to me, kaie@kuix.de - 21D16E67E18398C8DA9DDF2E1C27423725007724

Comment 14

[Kai Engert (:KaiE:)]

Based on your screenshot it seems your own key expired on 2024-07-07.
But that shouldn't be an issue for decrypting email.

Comment 15

[Kai Engert (:KaiE:)]

(In reply to Kai Engert (:KaiE:) from comment #14)

Based on your screenshot it seems your own key expired on 2024-07-07.
But that shouldn't be an issue for decrypting email.

Sorry, I might have misinterpreted, is that the day you have created your key?

Comment 16

[Kai Engert (:KaiE:)]

Have you tried to decrypt the email on the command line with GnuPG ?

Comment 17

[Kai Engert (:KaiE:)]

You created the key on 2024-07-07
You filed this bug on 2024-07-09, which was just 2 days later.

You said it worked with a previous Thunderbird version.

Because you are reporting problems with a very new key, did it work correctly with a previous key, but the new problems are related to your new key?

Comment 18

[kmunoz]

(In reply to Kai Engert (:KaiE:) from comment #13)

You said, you have received an encrypted email. That email was sent by someone who used GnuPG.

Did you send the encrypted email with GnuPG, or was that someone else?

(If you send the encrypted email with GnuPG, then please try to send an encrypted email to me also, or tell your contact to send an encrypted email to me, kaie@kuix.de - 21D16E67E18398C8DA9DDF2E1C27423725007724

I sent you an encrypted email and another with only the signature to see if you appreciate the error

(In reply to Kai Engert (:KaiE:) from comment #17)

You created the key on 2024-07-07
You filed this bug on 2024-07-09, which was just 2 days later.

You said it worked with a previous Thunderbird version.

Because you are reporting problems with a very new key, did it work correctly with a previous key, but the new problems are related to your new key?

The error also occurred with my previous key as well and was revoked and updated by company policies then the 2 keys were affected

Comment 19

[Kai Engert (:KaiE:)]

I'm reverting the flags that you changed, please try to avoid that.

Comment 20

[Kai Engert (:KaiE:)]

Thank you for the test message you sent to me.

I can confirm the problem.
The message is encrypted to my key, but Thunderbird cannot decrypt it.
I can decrypt the message using GnuPG command line tool - if I use "gpg --unwrap" as a first step.

When trying to decrypt with gnupg, it complains that it finds unexpected packet of type 2d, which is the code for the dash character. So instead of finding a binary encoding, it finds ascii armored data inside.

It's very likely that it is the same cause as bug 1898832.

I didn't think of that bug, because you had said that you had created the email with gnupg.
Only Thunderbird creates that kind of corrupt messages, as far as I'm aware.

Maybe you said the message was created with gnupg, because you have configured external gnupg.
But even in that configuration, Thunderbird uses gnupg only for signing and decryption.
It doesn't use gnupg for creating an encrypted message.

So, hopefully soon bug 1898832 gets landed and backported to beta 129 and stable 128 (and stable 115, too).
Once that's done, we can ask you to test again.

Comment 21

[Kai Engert (:KaiE:)]

While we're still waiting for the second fix from bug 1898832 to get added Thunderbird (which will prevent the creation of these badly encoded messages),
we already have the earlier patch in that bug - which attempts to allow decryption of those badly encoded messages.

If I allow external_gnupg in Thunderbird, I'm actually able to decrypt your message already.
So I don't understand why you cannot decrypt it with 129.

Comment 22

[kmunoz]

Thank you, so while it is resolved I will continue to ask that the messages only signed for the internal company and external clients be authorized, I hope the problem is solved soon since the company implemented the gpg encryption of emails and I am its cybersecurity engineer who helped make the secure transition to this method

Comment 23

[Magnus Melin [:mkmelin]]

Please don't touch the flags.

Comment 24

[Kai Engert (:KaiE:)]

(In reply to Kai Engert (:KaiE:) from comment #21)

If I allow external_gnupg in Thunderbird, I'm actually able to decrypt your message already.
So I don't understand why you cannot decrypt it with 129.

I see that the behavior is erratic !

Sometimes it works for me, an after a while, it no longer works. Not even after restarting TB.

Comment 25

[Kai Engert (:KaiE:)]

Attachment: Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin

See also bug 1898832.

Comment 26

[Kai Engert (:KaiE:)]

Attachment: alice-bob-bad-inner-armor.eml

sample email message, using the public alice/bob keys from
https://gitlab.com/openpgp-wg/openpgp-samples

Comment 27

[Kai Engert (:KaiE:)]

See bug 1898832 comment 21 for the justification for limiting the ability to decode these bad messages to users of thunderbird with external gnupg, and also for steps to manually decrypt those messages with gnupg.

Comment 28

[Pulsebot]

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/1d67b7139d5f
Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin

Comment 29

[Kai Engert (:KaiE:)]

Comment on attachment 9413693 [details]
Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): 1688863
User impact if declined: users cannot decrypt some messages they have sent
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low. Change is limited to users who experience messages that cannot be decrypted, and the fallback code is limited to users with the non-default external-gnupg configuration, only.

Comment 30

[Corey Bryant]

Comment on attachment 9413693 [details]
Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin

[Triage Comment]
Approved for beta

Comment 31

[Daniel Darnell [:dandarnell]]

Thunderbird 129.0b4:
https://hg.mozilla.org/releases/comm-beta/rev/64cd8a3a513c

Comment 32

[Kai Engert (:KaiE:)]

Attachment: 1906903-backport-esr115.patch

Comment 33

[Kai Engert (:KaiE:)]

I've manually tested that the combination of the three backported patched from bug 1898832 and this bug 1906903 on the esr-115 branch provide the expected fix.

And here's a esr115 try build:
https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=d9c201635fb0d5d0cbb5f9bd882f424ed70a79e3

Comment 34

[Kai Engert (:KaiE:)]

Comment on attachment 9413693 [details]
Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): 1688863
User impact if declined: users cannot decrypt some messages they have sent
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low. Change is limited to users who experience messages that cannot be decrypted, and the fallback code is limited to users with the non-default external-gnupg configuration, only.

Comment 35

[Daniel Veditz [:dveditz]]

Unfortunately Thunderbird is not covered by the Mozilla bug bounty program

Comment 36

[Wayne Mery (:wsmwk)]

Comment on attachment 9413693 [details]
Bug 1906903 - Enable users of external GnuPG to decrypt badly encoded messages with inner ASCII armor. r=mkmelin

[Triage Comment]
Approved for esr128

Comment 37

[Rob Lemley [:rjl]]

Thunderbird 128.1.0esr:
https://hg.mozilla.org/releases/comm-esr128/rev/6974f904df84

Comment 38

[Corey Bryant]

Comment on attachment 9414196 [details] [diff] [review]
1906903-backport-esr115.patch

[Triage Comment]
Approved for esr115

Comment 39

[Rob Lemley [:rjl]]

Thunderbird 115.14.0:
https://hg.mozilla.org/releases/comm-esr115/rev/99f915f469c8