[opensuse-factory] Thunderbird 78 and encryption status
Hi,

since there have been multiple threads on different lists about the availability of Thunderbird 78 for openSUSE, please let me share the latest news.

Upstream released Thunderbird 78.2.2 last week. Upstream did not enable automatic updates from 68 to 78 and also recommended that distros not upgrade until now. It's likely that this changes with 78.2.2 being released now.

The main reason is that there was no finished PGP support in TB 78. Previously it was provided by enigmail, but as TB 78 only allows WebExtensions, enigmail cannot work anymore to provide PGP support. Therefore upstream implemented their own OpenPGP support natively in Thunderbird 78, which has finally been enabled by default in recent versions. You can find the upstream FAQ here, and if you are using Thunderbird with enigmail today you really should read it carefully: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq

So what about the current status for openSUSE:

The "mozilla" OBS repository (which has for ages been the official project from which you get current versions as backports for supported openSUSE distros) currently contains
- Thunderbird 78.2.2
- enigmail 2.2.2 (which requires 78.2.2) (please find its purpose in the FAQ above)
Those will soon be submitted to Tumbleweed.

When this "soon" will be depends a bit on your feedback, if there are still major issues found during the next days. So please feel free to provide feedback on the list, in bugzilla, or directly to me.

After Tumbleweed I'm quite sure that the SUSE guys will also move along putting the version into supported Leap versions.

Wolfgang

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 14.09.20 at 10:30, Wolfgang Rosenauer wrote:
Hi,
since there have been multiple threads on different lists about availability of Thunderbird 78 for openSUSE please let me share the latest news.
Upstream released Thunderbird 78.2.2 last week. Upstream did not enable automatic updates to 78 from 68 and also recommended to distros to not upgrade until now. It's likely that this changes with 78.2.2 being released now.
The main reason is that there was no finished PGP support in TB 78. Previously it was provided by enigmail, but as TB 78 only allows WebExtensions, enigmail cannot work anymore to provide PGP support. Therefore upstream implemented their own OpenPGP support natively in Thunderbird 78, which has finally been enabled by default in recent versions. You can find the upstream FAQ here, and if you are using Thunderbird with enigmail today you really should read it carefully: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
So what about the current status for openSUSE:
The "mozilla" OBS repository (which has for ages been the official project from which you get current versions as backports for supported openSUSE distros) currently contains
- Thunderbird 78.2.2
- enigmail 2.2.2 (which requires 78.2.2) (please find its purpose in the FAQ above)
Those will soon be submitted to Tumbleweed.
When this "soon" will be depends a bit on your feedback if there are still major issues found during the next days. So please feel free to provide feedback on the list, in bugzilla, or directly to me.
After Tumbleweed I'm quite sure that the SUSE guys will also move along putting the version into supported Leap versions.
Wolfgang

Thank you for the "warning". Thunderbird 78.2.2 from the mozilla repo works fine for me (TW & Leap 15.2), including OpenPGP. Thanks a lot for all your efforts, in particular for maintaining the mozilla OBS repo now for ages!

Regards,
Frank
On Mon, 2020-09-14 at 10:30 +0200, Wolfgang Rosenauer wrote:
You can find the upstream FAQ here, and if you are using Thunderbird with enigmail today you really should read it carefully: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
Q: "I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys?"
A: "No."

Q: "How is my personal key protected?"
A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."

These two answers prove to me that this feature isn't production-ready. Protecting one of the most important items for personal privacy (the GPG secret key) with just the Thunderbird master password sounds like a joke. In general, not relying on gpg strikes me as a bad idea, as that's what allows sharing the same set of keys between different applications. And being unable to share or even synchronize keys with the de-facto-standard PGP encryption software seems - dumb, sorry.

It's not your fault. But perhaps let it sit in the mozilla repo for some more time.

Anyway, thanks for the warning,
Martin

--
Dr. Martin Wilck <mwilck@suse.com>, Tel. +49 (0)911 74053 2107
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
GF: Felix Imendörffer
Hi,

On 14.09.20 at 20:53, Martin Wilck wrote:
Q: "I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys?" A: "No."
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
These two answers prove to me that this feature isn't production-ready. Protecting one of the most important items for personal privacy (the GPG secret key) with just the thunderbird master password sounds like a joke. In general, not relying on gpg strikes me as a bad idea, as that's what allows sharing the same set of keys between different applications. And being unable to share or even synchronize keys with the de-facto-standard PGP encryption software seems - dumb, sorry.
It's not your fault. But perhaps let it sit in the mozilla repo for some more time.
From what I understood, it was not a light decision to implement it like this. There was basically not much choice from what I know. The Mozilla platform does not allow that deep integration with the system anymore (with the move from legacy extensions to WebExtensions only). Integrating or linking to GPG components then again would have been platform specific and apparently also not really an option license-wise. Just waiting most likely won't change the situation because of that.

For certain use cases a bit of GPG support is still available: https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards

Wolfgang
Hi,

On 14.09.20 at 20:53, Martin Wilck wrote:
On Mon, 2020-09-14 at 10:30 +0200, Wolfgang Rosenauer wrote:
You can find the upstream FAQ here, and if you are using Thunderbird with enigmail today you really should read it carefully: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq ...
These two answers prove to me that this feature isn't production-ready. Protecting one of the most important items for personal privacy (the GPG secret key) with just the thunderbird master password sounds like a joke. In general, not relying on gpg strikes me as a bad idea, as that's what allows sharing the same set of keys between different applications. And being unable to share or even synchronize keys with the de-facto-standard PGP encryption software seems - dumb, sorry.
It's not your fault. But perhaps let it sit in the mozilla repo for some more time.
Anyway, thanks for the warning, Martin
You have a strong argument. I am also not happy with the decision not to support any key signatures (Web of Trust). It will break my company setup with an "in-house" CA. It was hard enough to convince the Windows users to start encrypting and signing their mails. The update will create new challenges for their workflow. :(

But all of this is beyond the scope of the Factory or mozilla devel repo. Let upstream know about your feelings. The best we can hope for is that they will adjust their approach while this is still fresh. We don't need another bug open for 21 years [1]!

Ben

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=22687
On 9/14/20 1:53 PM, Martin Wilck wrote:
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
Holy 5hi4! That is indeed a showstopper. I wonder how many folks that will catch by surprise? But thank you Martin for bringing that forward.

Why is Tbird bringing your GPG keys in and then storing them in a directory outside of .gnupg and duplicating what GPG does, instead of using a gpg agent or some sort of known way to just access your GPG keys for use? This seems like 2 steps backwards in security. Steal laptop -- look in thunderbird profile, if no Master Password, scrape keys to the kingdom...

--
David C. Rankin, J.D.,P.E.
On 16/09/2020 10.30, David C. Rankin wrote:
On 9/14/20 1:53 PM, Martin Wilck wrote:
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
Holy 5hi4!
That is indeed a showstopper. I wonder how many folks that will catch by surprise? But thank you Martin for bringing that forward. Why is Tbird bringing your GPG keys in and then storing them in a directory outside of .gnupg and duplicating what GPG does, instead of using a gpg agent or some sort of known way to just access your GPG keys for use?
They seem to have rewritten the entire thing :-(
This seems like 2 steps backwards in security. Steal laptop -- look in thunderbird profile, if no Master Password, scrape keys to the kingdom...
It is backwards in several senses. Of course I use a master password with both Firefox and Thunderbird (to keep the connection passwords to servers), but I'm used to having a different password to sign an email, which is something serious.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On 14.09.20 at 20:53, Martin Wilck wrote:
You can find the upstream FAQ here, and if you are using Thunderbird with enigmail today you really should read it carefully: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
Q: "I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys?" A: "No."
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
From what I've gathered, if you set

mail.openpgp.allow_external_gnupg = true

you should be able to continue using GnuPG to access your secret key (not only for smartcard based setups). Haven't tried it though.

- https://gitlab.tails.boum.org/tails/tails/-/issues/17147#upgrade-notes
- https://www.privacy-handbuch.de/handbuch_32l.htm

HTH -- Till

--
Dipl.-Inform. Till Dörges doerges@pre-sense.de
PRESENSE Technologies GmbH Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Directors AG Hamburg, HRB 107844 Till Dörges, Jürgen Sander USt-IdNr.: DE263765024
On 27.10.20 at 09:43, Till Dörges wrote:
On 14.09.20 at 20:53, Martin Wilck wrote:
You can find the upstream FAQ here, and if you are using Thunderbird with enigmail today you really should read it carefully: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
Q: "I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys?" A: "No."
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
From what I've gathered, if you set
mail.openpgp.allow_external_gnupg = true
I doubt that this will work (in the future), see, e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=1663149, which has status "resolved wontfix".

Regards,
Frank
On 27.10.2020 22:53, Frank Krüger wrote:
On 27.10.20 at 09:43, Till Dörges wrote:
On 14.09.20 at 20:53, Martin Wilck wrote:
You can find the upstream FAQ here, and if you are using Thunderbird with enigmail today you really should read it carefully: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
Q: "I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys?" A: "No."
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
From what I've gathered, if you set
mail.openpgp.allow_external_gnupg = true
I doubt that this will work (in the future), see, e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=1663149, which has status "resolved wontfix".
This bug is about public keys, not private.
On Tue, 2020-10-27 at 20:53 +0100, Frank Krüger wrote:
On 27.10.20 at 09:43, Till Dörges wrote:
From what I've gathered, if you set
mail.openpgp.allow_external_gnupg = true
I doubt that this will work (in the future), see, e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=1663149, which has status "resolved wontfix".
I got the TB update on my Leap 15.2 system now. You can't use gnupg for public key management, but you can use it for secret keys, and that's what matters to me (and despite the UI labels suggesting otherwise, it has nothing to do with the use of smart cards).

Importing the public keys with the enigmail pseudo-plugin worked, the list of keys I obtained from the import procedure looked sane, although I refused to import the secret keys (didn't provide the pass phrase). Importing keys in both TB and gnupg will be more cumbersome in the future, one extra step required every time. But I can deal with that.

So, all in all, it's less bad than I expected, even though I still think the upstream developers' choice was ill-advised. I still strongly recommend against importing private keys in TB.

Martin

--
Dr. Martin Wilck <mwilck@suse.com>, Tel. +49 (0)911 74053 2107
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
GF: Felix Imendörffer
On 02/11/2020 11.29, Martin Wilck wrote: ...
I got the TB update on my Leap 15.2 system now. You can't use gnupg for public key management, but you can use it for secret keys, and that's what matters to me (and despite the UI labels suggesting otherwise, it has nothing to do with the use of smart cards).
Importing the public keys with the enigmail pseudo-plugin worked, the list of keys I obtained from the import procedure looked sane, although I refused to import the secret keys (didn't provide the pass phrase). Importing keys in both TB and gnupg will be more cumbersome in the future, one extra step required every time. But I can deal with that.
So, all in all, it's less bad than I expected, even though I still think the upstream developers' choice was ill-advised. I still strongly recommend against importing private keys in TB.
Then how can you sign email? -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
Hi Martin! On 11/2/20 11:29 AM, Martin Wilck wrote:
So, all in all, it's less bad than I expected, even though I still think the upstream developers' choice was ill-advised. I still strongly recommend against importing private keys in TB.
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally? I would like to do the same as I don't trust Thunderbird in this regard, although my home partition is encrypted anyway. Might be an idea to put this information somewhere on the wiki.

Thanks in advance,
Adrian
On Mon, 2020-11-02 at 11:49 +0100, John Paul Adrian Glaubitz wrote:
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally?
I don't know how to do that. All I did was

a) setting mail.openpgp.allow_external_gnupg = true first thing after I started TB 78 for the first time,
b) not entering my passphrase at the GnuPG prompt during the enigmail import procedure.

That way I made sure that the private key was never stored in TB. The import completed nonetheless, without the private keys, which is what I wanted.

If you'd used and unlocked your gpg private keys before, you should make sure the gpg agent didn't cache any credentials related to your private keys (pkill -HUP gpg-agent).
I would like to do the same as I don't trust Thunderbird in this regard
Same here ;-)

Martin

--
Dr. Martin Wilck <mwilck@suse.com>, Tel. +49 (0)911 74053 2107
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
GF: Felix Imendörffer
On 02. 11. 20, 11:49, John Paul Adrian Glaubitz wrote:
Hi Martin!
On 11/2/20 11:29 AM, Martin Wilck wrote:
So, all in all, it's less bad than I expected, even though I still think the upstream developers' choice was ill-advised. I still strongly recommend against importing private keys in TB.
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally?
I made the same mistake. Moving secring.gpg away from my TB profile seems to do the job. Then I need to allow external gnupg and select the proper key in account settings again. Now it wants a passwd when I sign this message.

I think encryption is not possible in this setup :(...

thanks,
--
js
suse labs
On Tue, Nov 3, 2020 at 10:07 AM Jiri Slaby <jslaby@suse.cz> wrote:
On 02. 11. 20, 11:49, John Paul Adrian Glaubitz wrote:
Hi Martin!
On 11/2/20 11:29 AM, Martin Wilck wrote:
So, all in all, it's less bad than I expected, even though I still think the upstream developers' choice was ill-advised. I still strongly recommend against importing private keys in TB.
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally?
I made the same mistake. Moving secring.gpg away from my TB profile seems to do the job. Then I need to allow external gnupg and select the proper key in account settings again. Now it wants a passwd when I sign this message.
I think encryption is not possible in this setup :(...
According to the FAQ it should be:

This key ID will be used to digitally sign messages with your account. It will also be used when you send an encrypted message, which will be encrypted for you, in addition to encrypting for the message recipients.

https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Configure_an_email_a...
On Tue, Nov 3, 2020 at 10:29 AM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Tue, Nov 3, 2020 at 10:07 AM Jiri Slaby <jslaby@suse.cz> wrote:
On 02. 11. 20, 11:49, John Paul Adrian Glaubitz wrote:
Hi Martin!
On 11/2/20 11:29 AM, Martin Wilck wrote:
So, all in all, it's less bad than I expected, even though I still think the upstream developers' choice was ill-advised. I still strongly recommend against importing private keys in TB.
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally?
I made the same mistake. Moving secring.gpg away from my TB profile seems to do the job. Then I need to allow external gnupg and select the proper key in account settings again. Now it wants a passwd when I sign this message.
I think encryption is not possible in this setup :(...
According to the FAQ it should be:
This key ID will be used to digitally sign messages with your account. It will also be used when you send an encrypted message, which will be encrypted for you, in addition to encrypting for the message recipients.
https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Configure_an_email_a...
Or do you mean "encryption to you as recipient"? Should work too:

Enabling this preference will cause Thunderbird to attempt to decrypt a message using GnuPG, whenever RNP fails to decrypt a message with the secret keys that are available inside Thunderbird's key storage.
On 03. 11. 20, 8:29, Andrei Borzenkov wrote:
On Tue, Nov 3, 2020 at 10:07 AM Jiri Slaby <jslaby@suse.cz> wrote:
On 02. 11. 20, 11:49, John Paul Adrian Glaubitz wrote:
Hi Martin!
On 11/2/20 11:29 AM, Martin Wilck wrote:
So, all in all, it's less bad than I expected, even though I still think the upstream developers' choice was ill-advised. I still strongly recommend against importing private keys in TB.
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally?
I made the same mistake. Moving secring.gpg away from my TB profile seems to do the job. Then I need to allow external gnupg and select the proper key in account settings again. Now it wants a passwd when I sign this message.
I think encryption is not possible in this setup :(...
According to the FAQ it should be:
This key ID will be used to digitally sign messages with your account. It will also be used when you send an encrypted message, which will be encrypted for you, in addition to encrypting for the message recipients.
https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Configure_an_email_a...
The page states later in "Limitations of using GnuPG":

For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. _GnuPG will not be used for encryption_, and GnuPG will not be used for signature verification.

So I only misunderstood?

--
js
suse labs
On Tue, Nov 3, 2020 at 10:33 AM Jiri Slaby <jslaby@suse.cz> wrote:
On 03. 11. 20, 8:29, Andrei Borzenkov wrote:
On Tue, Nov 3, 2020 at 10:07 AM Jiri Slaby <jslaby@suse.cz> wrote:
On 02. 11. 20, 11:49, John Paul Adrian Glaubitz wrote:
Hi Martin!
On 11/2/20 11:29 AM, Martin Wilck wrote:
So, all in all, it's less bad than I expected, even though I still think the upstream developers' choice was ill-advised. I still strongly recommend against importing private keys in TB.
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally?
I made the same mistake. Moving secring.gpg away from my TB profile seems to do the job. Then I need to allow external gnupg and select the proper key in account settings again. Now it wants a passwd when I sign this message.
I think encryption is not possible in this setup :(...
According to the FAQ it should be:
This key ID will be used to digitally sign messages with your account. It will also be used when you send an encrypted message, which will be encrypted for you, in addition to encrypting for the message recipients.
https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Configure_an_email_a...
The page states later in "Limitations of using GnuPG": For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. _GnuPG will not be used for encryption_, and GnuPG will not be used for signature verification.
So I only misunderstood?
Encryption does not use secret keys at all - it is using the public keys of the recipients (you included, so you can later read it). All public key operations are performed internally, so public keys must be imported into and managed by TB. It means you may need to import every public key twice, as Martin already mentioned. Neither are secret keys used for signature verification - again, you are using the public key of the sender.
On 03. 11. 20, 8:33, Jiri Slaby wrote:
The page states later in "Limitations of using GnuPG": For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. _GnuPG will not be used for encryption_, and GnuPG will not be used for signature verification.
So I only misunderstood?
It appears to work. I had to add a trust to the keys of the recipients first. I saw no reason why it shouldn't work (it needs only pub keys from TB storage).

--
js
suse labs
On 03/11/2020 08.38, Jiri Slaby wrote:
On 03. 11. 20, 8:33, Jiri Slaby wrote:
The page states later in "Limitations of using GnuPG": For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. _GnuPG will not be used for encryption_, and GnuPG will not be used for signature verification.
So I only misunderstood?
It appears to work. I had to add a trust to the keys of the recipients first. I saw no reason why it shouldn't work (it needs only pub keys from TB storage).
Someone tried receiving an encrypted email, while using gnupg for secret keys? If you allow Thunderbird to do it all, how are the keys protected? The master password of Thunderbird perhaps? (What a mess...)

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On Tue, 2020-11-03 at 08:33 +0100, Jiri Slaby wrote:
On 03. 11. 20, 8:29, Andrei Borzenkov wrote:
On Tue, Nov 3, 2020 at 10:07 AM Jiri Slaby <jslaby@suse.cz> wrote:
On 02. 11. 20, 11:49, John Paul Adrian Glaubitz wrote:
Can you elaborate how to remove the secret keys from Thunderbird again and how to enforce the keys to be stored externally?
I made the same mistake. Moving secring.gpg away from my TB profile seems to do the job. Then I need to allow external gnupg and select the proper key in account settings again. Now it wants a passwd when I sign this message.
I think encryption is not possible in this setup :(...
According to the FAQ it should be:
This key ID will be used to digitally sign messages with your account. It will also be used when you send an encrypted message, which will be encrypted for you, in addition to encrypting for the message recipients.
https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Configure_an_email_a...
The page states later in "Limitations of using GnuPG": For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. _GnuPG will not be used for encryption_, and GnuPG will not be used for signature verification.
So I only misunderstood?
Public keys are handled in TB using RNP. Populating the initial list of public keys and associated addresses is done with the enigmail tool. Secret key operations are delegated to gnupg. This worked for me, also for sending signed and encrypted mail to myself. I didn't need to set up any keys or account associations manually.

As I said, I enabled delegation to gnupg immediately, and never imported any secret key into TB. The result of the procedure was a zero-byte "secring.gpg" in the thunderbird profile dir, besides "pubring.gpg" and "openpgp.sqlite". Thus, perhaps simply truncating "secring.gpg" to 0 bytes might do the trick.

There's also a file "encrypted-openpgp-passphrase.txt"; I suppose it's my encrypted TB master password. But I'm not sure. Perhaps it's just an invitation to attempt a brute force attack. I definitely didn't enter any passwords in the openpgp setup procedure.

One more reason not to use "user friendly" stuff like this for critical operations. With gnupg, at least you know exactly what it stores on disk, and where.

Best,
Martin

--
Dr. Martin Wilck <mwilck@suse.com>, Tel. +49 (0)911 74053 2107
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
GF: Felix Imendörffer
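The profile-directory state that Martin, Jiri and Till describe in this thread (the mail.openpgp.allow_external_gnupg preference, and a secring.gpg that is either empty or moved out of the profile) can be checked from a shell before trusting a migrated setup. The script below is an added example written for this page; it is not code from the thread, from Mozilla, or from Thunderbird. It assumes that prefs.js uses the usual `user_pref("name", value);` line format and that the file names secring.gpg, pubring.gpg, openpgp.sqlite and encrypted-openpgp-passphrase.txt are the ones Martin lists; the profile it audits in the demo is a constructed temporary directory with no real key material.

```shell
#!/bin/sh
# Added example (not from the thread, Mozilla or Thunderbird): audit a
# Thunderbird profile directory for the OpenPGP state discussed above.
# Assumptions: prefs.js uses the user_pref("name", value); syntax, and the
# file names below are those named in the thread.

# Exit 0 if prefs.js sets mail.openpgp.allow_external_gnupg to true,
# i.e. secret-key operations are delegated to GnuPG instead of RNP.
tb_external_gnupg_enabled() {
    prefs="$1/prefs.js"
    [ -r "$prefs" ] || return 1
    grep -q 'user_pref("mail\.openpgp\.allow_external_gnupg", *true);' "$prefs"
}

# Size in bytes of secring.gpg in the profile, 0 if the file is absent.
# A zero-byte secring.gpg is what Martin observed after refusing the
# passphrase at import; a non-empty one means secret key material lives
# in the profile, protected at most by the master password.
tb_secring_size() {
    f="$1/secring.gpg"
    if [ -f "$f" ]; then
        wc -c < "$f" | tr -d ' '
    else
        echo 0
    fi
}

# One-word classification of the profile:
#   external-gnupg-no-secrets    delegation on, no secret keys in profile
#   external-gnupg-with-secrets  delegation on, but secring.gpg is not empty
#   internal-with-secrets        delegation off: keys protected only by the
#                                master password (the case the FAQ warns about)
#   internal-no-secrets          delegation off and nothing imported yet
tb_openpgp_state() {
    dir="$1"
    if tb_external_gnupg_enabled "$dir"; then mode=external-gnupg; else mode=internal; fi
    if [ "$(tb_secring_size "$dir")" -gt 0 ]; then keys=with-secrets; else keys=no-secrets; fi
    echo "$mode-$keys"
}

# Print which of the OpenPGP-related files named in the thread exist in $1.
tb_openpgp_files() {
    for f in secring.gpg pubring.gpg openpgp.sqlite encrypted-openpgp-passphrase.txt; do
        [ -e "$1/$f" ] && echo "$f"
    done
    return 0
}

# Demonstration on a constructed profile directory (no real keys involved).
tb_demo() {
    d=$(mktemp -d)
    printf 'user_pref("mail.openpgp.allow_external_gnupg", true);\n' > "$d/prefs.js"
    : > "$d/secring.gpg"                    # zero bytes, as in Martin's profile
    printf 'constructed-sample' > "$d/pubring.gpg"
    echo "state: $(tb_openpgp_state "$d")"  # external-gnupg-no-secrets
    echo "files: $(tb_openpgp_files "$d" | tr '\n' ' ')"
    rm -rf "$d"
}

tb_demo
```

Run it against a real profile by calling `tb_openpgp_state ~/.thunderbird/<profile>` after sourcing the file; "internal-with-secrets" is the state the FAQ answer quoted above warns about, and "external-gnupg-no-secrets" is the state Martin ended up with. The check only looks at file presence and size, so it says nothing about whether the gpg-agent still caches a passphrase (Martin's `pkill -HUP gpg-agent` note) or about what encrypted-openpgp-passphrase.txt actually contains.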
participants (12): Andrei Borzenkov, Ben Greiner, Carlos E. R., Carlos E.R., David C. Rankin, Frank Krüger, Jiri Slaby, John Paul Adrian Glaubitz, Martin Wilck, Martin Wilck, Till Dörges, Wolfgang Rosenauer