Closed Bug 1941700 Opened 1 year ago Closed 1 year ago

"Import OpenPGP public from URL" fails with "Can't read public key file." if the file contains additional newlines

Categories

(MailNews Core :: Security: OpenPGP, defect)

Thunderbird 128
defect

Tracking

(thunderbird_esr128 affected, thunderbird136 affected)

RESOLVED FIXED
137 Branch

People

(Reporter: bugzilla_mozilla, Assigned: KaiE)

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

I tried to import a PGP public key into my keyring, but it failed. I isolated the issue to the existence of two newlines both [a] before and [b] after the ASCII armored PGP public key text.

To reproduce, let's use the Debian 12 release signing key https://ftp-master.debian.org/keys/release-12.asc

  1. Output the key to a file with two newlines before and after it

cat << EOF > /tmp/debian12.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEY865UxYJKwYBBAHaRw8BAQdAd7Z0srwuhlB6JKFkcf4HU4SSS/xcRfwEQWzr
crf6AEq0SURlYmlhbiBTdGFibGUgUmVsZWFzZSBLZXkgKDEyL2Jvb2t3b3JtKSA8
ZGViaWFuLXJlbGVhc2VAbGlzdHMuZGViaWFuLm9yZz6IlgQTFggAPhYhBE1k/sEZ
wgKQZ9bnkfjSWFuHg9SBBQJjzrlTAhsDBQkPCZwABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEPjSWFuHg9SBSgwBAP9qpeO5z1s5m4D4z3TcqDo1wez6DNya27QW
WoG/4oBsAQCEN8Z00DXagPHbwrvsY2t9BCsT+PgnSn9biobwX7bDDg==
=5NZE
-----END PGP PUBLIC KEY BLOCK-----

EOF

  2. In Thunderbird, go to Tools -> Open PGP Key Manager

  3. File -> Import Keys from URL

  4. Type "file:///tmp/debian12.asc"

  5. See error

Actual results:

The UI opens a pop-up window with error message:

Can't read public key file.

Expected results:

The key should have been imported into the keyring.

That file imports fine for me on Daily.

Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

I checked it as well - after download from the ftp, the key file contains two empty lines after the BEGIN PGP... in LF format, and one before the END PGP... (which is something expected), and is imported fine to RNP.
If you see two empty lines this could probably be related to the ftp software.

Hi,

To be clear, I added 4 newlines to the file after download.

  1. Two newlines added before the -----BEGIN PGP PUBLIC KEY BLOCK-----
  2. Two newlines after the -----END PGP PUBLIC KEY BLOCK-----

Did you try the command in the steps-to-reproduce?

cat << EOF > /tmp/debian12.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEY865UxYJKwYBBAHaRw8BAQdAd7Z0srwuhlB6JKFkcf4HU4SSS/xcRfwEQWzr
crf6AEq0SURlYmlhbiBTdGFibGUgUmVsZWFzZSBLZXkgKDEyL2Jvb2t3b3JtKSA8
ZGViaWFuLXJlbGVhc2VAbGlzdHMuZGViaWFuLm9yZz6IlgQTFggAPhYhBE1k/sEZ
wgKQZ9bnkfjSWFuHg9SBBQJjzrlTAhsDBQkPCZwABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEPjSWFuHg9SBSgwBAP9qpeO5z1s5m4D4z3TcqDo1wez6DNya27QW
WoG/4oBsAQCEN8Z00DXagPHbwrvsY2t9BCsT+PgnSn9biobwX7bDDg==
=5NZE
-----END PGP PUBLIC KEY BLOCK-----

EOF

Attached file debian12.asc

hexdump shows unexpected results. Let's try this. I'll attach the file to this ticket, then you can download it and try to import it.

Yes that imports fine at least on Daily.

Thanks for the details, they explain things. If RNP doesn't hit EOF while importing keys from armored file, it attempts to initialize a next pass of armored data reading, as sometimes multiple armored chunks are pasted together in the single file. And this fails, as no more armored input follows.

I created the issue on RNP tracker here: https://github.com/rnpgp/rnp/issues/2308
Not sure whether this behaviour is standard-compliant, but would definitely improve user convenience.

Thanks. In the meantime, can we get a better error other than "Can't read public key file."

Why does it work for me?

Maybe something about carriage returns? I'm using Debian 12. What system are you using?

Ubuntu 24.04

Function importKeyAsync from keyRing.sys.mjs calls EnigmailArmor.locateArmoredBlock which seems to strip extra data out from the input stream. Not sure whether it is the case, and when this was added, but remember (if I'm not mistaken) that there were some ticket talks about stripping extra spaces during the armored keys import. But, again, I'm not sure about it.

Not sure whether this behaviour is standard-compliant, but would definitely improve user convenience.

Just to add some additional context info: I encountered this issue when copying a PGP public key block from a website, and I had copied some newlines at the end of the block to the clipboard.

When I did "import from clipboard", thunderbird choked on it.

When I pasted the same clipboard contents into gpg --import, it worked fine.

It took me a long time to figure out that the newlines were an issue for thunderbird but not for gpg because the error wasn't very helpful.

(In reply to Magnus Melin [:mkmelin] from comment #5)

Yes that imports fine at least on Daily.

Did you use "menu, edit, import from url" ?

I can reproduce the error when using "import from url".

I cannot reproduce when using "import from file".

Status: UNCONFIRMED → NEW
Ever confirmed: true

(In reply to Michael Altfield from comment #7)

Thanks. In the meantime, can we get a better error other than "Can't read public key file."

If the code isn't prepared for a specific scenario, then the code has to fall back to a generic error message.

Showing a better error message would require that the code understands exactly what's going on. But if it does, and there isn't a reason for aborting the operation, the code could be fixed to do the right thing instead.

So, I don't think it's worthwhile writing code to detect this new scenario and simply show a better error message. We probably should fix the scenario and avoid the error.

Summary: Import GPG fails with "Can't read public key file." with two newlines before and after key → "Import OpenPGP public from URL" fails with "Can't read public key file." if the file contains additional newlines
Assignee: nobody → kaie
Status: NEW → ASSIGNED
Target Milestone: --- → 137 Branch

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/6bcd7a563adc
Ignore whitespace around OpenPGP public key when importing from URL or clipboard. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
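
The failure explained in the thread (a further armor pass is started because EOF was not reached, and it finds no armored input) next to whitespace-tolerant handling of the kind the commit summary names, as an added JavaScript example. This is not Thunderbird or RNP source: the function names, the specific error strings in the tolerant reader and the sample armor are assumptions constructed for illustration.

```javascript
// Added illustration only: not Thunderbird or RNP source. All names are hypothetical.
const BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----";
const END = "-----END PGP PUBLIC KEY BLOCK-----";

// Constructed placeholder armor (not a real key) for exercising the readers.
const SAMPLE = [BEGIN, "", "Q09OU1RSVUNURUQ=", "=AAAA", END].join("\n");

// Simplified model of the failure described in the thread: after one block,
// any bytes left before EOF (even blank lines) trigger another armor pass,
// and that pass fails with the generic error when no header follows.
function strictImport(text) {
  const blocks = [];
  let rest = text;
  while (rest.length > 0) {
    const b = rest.indexOf(BEGIN);
    const e = b === -1 ? -1 : rest.indexOf(END, b + BEGIN.length);
    if (e === -1) throw new Error("Can't read public key file.");
    blocks.push(rest.slice(b, e + END.length));
    rest = rest.slice(e + END.length);
  }
  return blocks;
}

// Tolerant reader: whitespace (LF, CRLF, spaces, tabs) around and between
// blocks is ignored, but any other stray data is rejected with a specific
// error instead of being silently dropped.
function tolerantImport(text) {
  const blocks = [];
  let rest = text.trim();
  while (rest.length > 0) {
    if (!rest.startsWith(BEGIN)) {
      throw new Error("Unexpected data outside armored block");
    }
    const e = rest.indexOf(END, BEGIN.length);
    if (e === -1) throw new Error("Armored block has no END line");
    blocks.push(rest.slice(0, e + END.length));
    rest = rest.slice(e + END.length).trimStart();
  }
  if (blocks.length === 0) throw new Error("No armored key block found");
  return blocks;
}
```

Only whitespace is tolerated: concatenated blocks still import, while non-whitespace data outside a block produces a distinct error rather than the generic one.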