Email send fails with generic message when OpenPGP signed "Sending of the message failed" - Error: rnp_op_sign_add_signature failed (but re-importing private keys solved the problem)
Categories: MailNews Core :: Security: OpenPGP, defect
Tracking: Not tracked
People: Reporter: adam, Unassigned
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Steps to reproduce:
Attempt to send an email which is OpenPGP signed. (Encryption is optional.)
The primary key has purposes Sign, Certify, and Authentication. A subkey is used to encrypt.
Using Thunderbird on Windows, version 140.5.0esr 64-bit. This didn't impact branch 115.
Possibly related, though this is from branch 88: https://bugzilla.mozilla.org/show_bug.cgi?id=1666360
Actual results:
When the option to digitally sign the message is active, sending it will fail with a generic error message "Sending of the message failed". (No indication here that OpenPGP is the cause.)
Looking in the error console, having cleared it first, when dispatching the message a few issues are logged:
EnigmailFuncs.sync() failed result: Error: rnp_op_sign_add_signature failed
Error: encryptMessageStart FAILED: -1
mailnews.send: NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS: [JavaScript Error: "encryptMessageStart FAILED: -1" {file: "chrome://openpgp/content/modules/mimeEncrypt.sys.mjs" line: 455}]'[JavaScript Error: "encryptMessageStart FAILED: -1" {file: "chrome://openpgp/content/modules/mimeEncrypt.sys.mjs" line: 455}]' when calling method: [nsIMsgComposeSecure::finishCryptoEncapsulation]
mailnews.send: Sending failed; , exitCode=2153185313, originalMsgURI=
Error: rnp_op_sign_add_signature failed
The option to encrypt the message doesn't cause this. For example attempting to send an encrypted (but not signed) message works as expected.
Expected results:
My message should have been signed with the OpenPGP key identified in the Account Manager tool.
Comment 1 • 1 month ago (Reporter)
This probably needs moving to the "MailNews+Core" project. (Wasn't obvious at the point of filing.)
Comment 2 • 1 month ago
You probably get a bit more info of what's wrong with your key if you set RNP_LOG_CONSOLE=1 and start from command line, with thunderbird.exe -console
Comment 3 • 1 month ago (Reporter)
Thanks for the feedback. In the console window when attempting to send a message, this error was logged:
[init_encrypted_src() /builds/worker/checkouts/gecko/comm/third_party/rnp/src/librepgp/stream-parse.cpp:2156] failed to obtain decrypting key or password
Would this perhaps imply that the private keys in Thunderbird's GPG store are password protected? I'm never asked for a password to sign, encrypt, or decrypt a message.
When looking at the sender key pair in the key manager, it does claim I have the private key for it:
For this key, you have both the public and the secret part. You may use it as a personal key. If this key was given to you by someone else, then don't use it as a personal key.
(That mentioned option is set to Yes.)
Comment 4 • 1 month ago
I encountered the same problem on two machines. Re-importing my private keys solved the problem but it was odd that the existing keys in the store did not work (they had been working for years).
Comment 5 • 1 month ago (Reporter)
(In reply to Gabriele Svelto [:gsvelto] from comment #4)
> I encountered the same problem on two machines. Re-importing my private keys solved the problem but it was odd that the existing keys in the store did not work (they had been working for years).
Thanks for confirming. Re-importing resolved this for me too, also not sure why they suddenly didn't work.
I've deliberately not re-imported private keys for all my accounts so that I can replicate the issue if needed.
Comment 6 • 1 month ago
(In reply to Adam Reece from comment #3)
Under the hood, the keys are protected yes. But unless you enable a special setting, you're not asked to use it.
Are you by any chance using Primary Password?
Comment 7 • 1 month ago (Reporter)
(In reply to Magnus Melin [:mkmelin] from comment #6)
> Are you by any chance using Primary Password?
Very yes, Primary Password is on.
Do you also use this Gabriele?
Comment 8 • 1 month ago
No, no primary password for me, but the keys are password-protected. The failure appeared after inputting my password (which I've done a few times to be sure I was getting it right).
Comment 9 • 1 month ago
Did you change the expiration date with an external tool, and only imported the updated public key, but the secret key in Thunderbird still had the old expiration date? We have an existing bug about that.
Comment 10 • 1 month ago (Reporter)
I definitely have changed expiration date to extend, can't remember if I imported a .pub or .pub-sec export of it. Can that be checked in TB's key manager?
Comment 11 • 29 days ago
Yes, Thunderbird only has the signing and encryption subkeys for this particular identity and I extend their date every year, publish the updated expiration date then refresh the keys in Thunderbird. This worked in the past.
Comment 12 • 28 days ago
Not sure how it could work in the past by refreshing only the public key.
I believe it is necessary to import the updated secret key. Let me find that other bug.
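Comment 9 asks whether the secret key held in Thunderbird still carries an older expiration date than the updated public key. As an added example (not part of this bug thread or of Thunderbird's code), the check below compares the two in colon-delimited key listings; it assumes the external tool is GnuPG, that each exported file was listed with `gpg --with-colons --show-keys`, and that expiry is printed as epoch seconds. The sample listings are constructed.

```python
# Added example: find keys whose secret copy has a different expiry than
# the public copy, using GnuPG colon listings (assumed external tool).

# Constructed sample: public export after the expiry was extended.
PUBLIC_SAMPLE = """
pub:u:255:22:AAAAAAAAAAAAAAAA:1600000000:1800000000::u:::scaESCA:
sub:u:255:18:BBBBBBBBBBBBBBBB:1600000000:1800000000:::::e:
"""

# Constructed sample: secret export that still has the old primary expiry.
SECRET_SAMPLE = """
sec:u:255:22:AAAAAAAAAAAAAAAA:1600000000:1750000000::u:::scaESCA:
ssb:u:255:18:BBBBBBBBBBBBBBBB:1600000000:1800000000:::::e:
"""

def parse_expiry(listing, record_types):
    """Map key ID -> expiry in epoch seconds (None means no expiry)."""
    result = {}
    for line in listing.splitlines():
        fields = line.strip().split(":")
        # Field 1 is the record type, field 5 the key ID, field 7 the expiry.
        if len(fields) < 7 or fields[0] not in record_types:
            continue
        result[fields[4]] = int(fields[6]) if fields[6] else None
    return result

def stale_secret_keys(public_listing, secret_listing, now):
    """Return (key_id, secret_expiry, public_expiry, secret_expired) rows
    for every key present in both listings whose expiry differs."""
    pub = parse_expiry(public_listing, {"pub", "sub"})
    sec = parse_expiry(secret_listing, {"sec", "ssb"})
    rows = []
    for key_id in sorted(sec.keys() & pub.keys()):
        if sec[key_id] != pub[key_id]:
            expired = sec[key_id] is not None and sec[key_id] <= now
            rows.append((key_id, sec[key_id], pub[key_id], expired))
    return rows

if __name__ == "__main__":
    import time
    for row in stale_secret_keys(PUBLIC_SAMPLE, SECRET_SAMPLE, int(time.time())):
        print("secret copy out of date: id=%s secret=%s public=%s expired=%s" % row)
```

A non-empty result means the secret key export lags behind the public key, which is the situation comment 12 says requires importing the updated secret key.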
Comment 13 • 28 days ago
I found that I described my past experience in bug 1941370.
Comment 14 • 28 days ago
Ok, it's bug 1929026 that has the most information.
Comment 15 • 28 days ago
Please let's discuss in bug 1929026.
Comment 16 • 28 days ago (Reporter)
Would the linked issue include the user interface?
Part of the reason behind opening this issue is that the error shown when a message failed to send is a very generic "Sending of the message failed" text, with no indication to what the cause was. Being somewhat technically minded I knew that digging into the error console could probably reveal the cause when attempting to send a message again, though it wouldn't be fair to assume all end users will do this.