In version 140.0.1esr, it's not possible to sign S/MIME with a private key on a QSCD.
Categories
(MailNews Core :: Security: S/MIME, defect)
Tracking
(Not tracked)
People
(Reporter: petr.konvalinka, Unassigned, NeedInfo)
References
(Blocks 1 open bug)
Details
(Keywords: regression, regressionwindow-wanted)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Steps to reproduce:
For several years, we've been using Thunderbird to send unencrypted messages, signed only with S/MIME using a private key stored on a QSCD (Qualified Signature Creation Device). Everything was functional until the update to version 140.0.1esr.
Actual results:
After updating to version 140.0.1esr, I'm no longer able to sign outgoing emails with S/MIME using a private key on a QSCD. Thunderbird reports that it "could not find a corresponding certificate from the account settings." Please refer to the attached BUGZILLA FOTO_1.
I've checked the settings multiple times, and everything appeared to be in order. I even removed the S/MIME settings completely and reconfigured them from scratch, but the problem persists.
During repeated verifications of the settings, I noticed that when I try to send an S/MIME-signed email using the settings and certificate from our Czech service provider, the email header indicates that my OpenPGP public key will be attached (see attached BUGZILLA FOTO_2). I do not use OpenPGP and have it completely unconfigured in Thunderbird.
If Thunderbird is indeed attempting to use OpenPGP for email signing instead of S/MIME, that would clearly explain why it can't find the corresponding certificate.
Expected results:
I would still need to be able to send emails with an electronic signature created by the configured S/MIME with a private key stored on a QSCD.
Updated•22 days ago
Comment 1•16 days ago
Petr, which version did you use previously that worked?
Would you be able to double check that it works again if you use the older version?
It is difficult to help with bugs related to smartcards, because there are so many different devices and I don't have access to them.
The screenshot you're showing, regarding OpenPGP, is unlikely to cause the issue. It's grayed out, it's just about attaching something to an email (if present).
If Thunderbird says that it cannot find the certificate, it could mean that it no longer considers the certificate valid. You probably checked, it didn't expire?
In account settings, if you click the "select" button to choose a certificate, does Thunderbird still find it?
Comment 2•15 days ago
I will prepare a test version of TB 140 that includes work-in-progress changes from bug 1944810 and bug 1735832 and provide a download link soon.
Which operating system are you using?
The test version will give you an extra button in account settings, next to certificate selection, labeled "test".
If you click it, TB will check the certificate and report a reason, if it cannot use it.
Hopefully this will give helpful information.
In addition, in certificate manager, if you click your own cert and click the button to "view" it, at the bottom of the window you should get extra information.
Comment 3•15 days ago
Can you please test the following test build and give feedback about my questions from comment 1 and comment 2?
Windows 64bit:
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/as6JL1VfRJGYcoPJa6_OKQ/runs/0/artifacts/public/build/target.zip
Let me know if you need a macos build.
(Note to myself:
https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=a20ca97ca6ddbee8c69201608149049765dd09e9 )
Reporter
Comment 4•15 days ago
Comment 5•15 days ago
The error message says the configured certificate cannot be found.
You have not yet responded to my questions from comment 1.
I need your answers to help you.
I suggested "In account settings, if you click the select button to choose a certificate, does Thunderbird still find it?"
What happens if you try that, does TB offer the cert or not?
Updated•5 days ago
Comment 6•5 days ago
Petr, if possible, please pin down the exact regression window using mozregression (see https://mozilla.github.io/mozregression/documentation/usage.html)
Comment 7•10 hours ago
It would be interesting to test whether this has the same cause as bug 1982742.
If I created a test build that removes the change from bug 1911354, would you be able to test it?
Please let us know, we cannot fix this issue without your help.