On Tue, 2020-11-03 at 08:33 +0100, Jiri Slaby wrote:
On 03. 11. 20, 8:29, Andrei Borzenkov wrote:
On Tue, Nov 3, 2020 at 10:07 AM Jiri Slaby <jslaby@suse.cz> wrote:
On 02. 11. 20, 11:49, John Paul Adrian Glaubitz wrote:
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally?
I made the same mistake. Moving secring.gpg away from my TB profile seems to do the job. Then I need to allow external gnupg and select the proper key in account settings again. Now it wants a passwd when I sign this message.
I think encryption is not possible in this setup :(...
According to FAQ it should be
This key ID will be used to digitally sign messages with your account. It will also be used when you send an encrypted message, which will be encrypted for you, in addition to encrypting for the message recipients.
https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Configure_an_email_a...
The page states later in Limitations of using GnuPG: For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. _GnuPG will not be used for encryption_, and GnuPG will not be used for signature verification.
So I only misunderstood?
Public keys are handled in TB using RNP. Populating the initial list of public keys and associated addresses is done with the enigmail tool. Secret key operations are delegated to gnupg. This worked for me, also for sending signed and encrypted mail to myself. I didn't need to set up any keys or account associations manually.

As I said, I enabled delegation to gnupg immediately, and never imported any secret key into TB. The result of the procedure was a zero-byte "secring.gpg" in the thunderbird profile dir, besides "pubring.gpg" and "openpgp.sqlite". Thus, perhaps simply truncating "secring.gpg" to 0 bytes might do the trick.

There's also a file "encrypted-openpgp-passphrase.txt"; I suppose it's my encrypted TB master password. But I'm not sure. Perhaps it's just an invitation to attempt a brute force attack. I definitely didn't enter any passwords in the openpgp setup procedure.

One more reason not to use "user friendly" stuff like this for critical operations. With gnupg, at least you know exactly what it stores on disk, and where.

Best,
Martin

--
Dr. Martin Wilck <mwilck@suse.com>, Tel. +49 (0)911 74053 2107
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg GF: Felix Imendörffer
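Added example, not part of the original messages and not Thunderbird or GnuPG code: a shell check over the profile files this thread names. It assumes, as the thread reports, that an absent or zero-byte secring.gpg means no secret key is held in the profile; the default root `~/.thunderbird` and the function names are assumptions.

```shell
#!/bin/sh
# Audit Thunderbird profile directories for the OpenPGP files named in the thread.
# Assumption (taken from the thread, not from Thunderbird's source): a non-empty
# secring.gpg means secret key material is stored inside the profile.

# Report on one profile directory.
# Returns 0 = no secret keyring data, 1 = non-empty secring.gpg, 2 = not a directory.
check_profile() {
    profile=$1
    [ -d "$profile" ] || { echo "SKIP $profile (not a directory)"; return 2; }
    secring=$profile/secring.gpg
    status=0
    if [ -s "$secring" ]; then
        size=$(wc -c < "$secring" | tr -d ' ')
        echo "WARN $profile: secring.gpg holds $size bytes"
        status=1
    elif [ -e "$secring" ]; then
        echo "OK   $profile: secring.gpg is empty"
    else
        echo "OK   $profile: no secring.gpg"
    fi
    # The thread is unsure what this file protects, so it is only noted.
    if [ -e "$profile/encrypted-openpgp-passphrase.txt" ]; then
        echo "NOTE $profile: encrypted-openpgp-passphrase.txt present"
    fi
    return $status
}

# Check every directory below the root that contains one of the OpenPGP files.
# Returns 0 only if no profile has a non-empty secring.gpg.
audit_root() {
    root=${1:-$HOME/.thunderbird}   # default location is an assumption
    flagged=0
    for p in "$root"/*/; do
        [ -f "${p}pubring.gpg" ] || [ -f "${p}openpgp.sqlite" ] \
            || [ -f "${p}secring.gpg" ] || continue
        check_profile "${p%/}" || flagged=$((flagged + 1))
    done
    echo "$flagged profile(s) with data in secring.gpg"
    [ "$flagged" -eq 0 ]
}
```

Source the file and run `audit_root` (optionally with a different profile root) after switching an account to external GnuPG; a WARN line means the keyring file in the profile still has content.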