Unsafe properties of OpenPGP keys might be ignored

Revision Information
  • Revision id: 242676
  • Creator: Kai Engert
  • Comment: initial version of an important support article
  • Reviewed: Yes
  • Reviewed by: firefox877
  • Is approved? No
  • Is current revision? No
  • Ready for localization: No
Revision Content

When processing OpenPGP keys, Thunderbird ignores properties that were created using unsafe mechanisms.

Starting with version 91.8.0, Thunderbird no longer accepts OpenPGP signatures that involve the SHA-1 hash algorithm and that were created after 2019-01-15. The SHA-1 algorithm is considered unsafe.

Besides signatures on OpenPGP messages, this also affects signatures on modified OpenPGP keys. For example, if an OpenPGP key defined an expiration date, and the key owner updated the key with a different expiration date, the modification involves a signature that is added to the OpenPGP key.

If a modification was made with outdated OpenPGP software, the signature may have used the unsafe SHA-1 algorithm. If Thunderbird ignores an unsafe signature, it may report the OpenPGP key as expired, or it may ignore and not show some properties of the key.
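The rule above and its effect on a key's expiration, modelled as an added example (this is not Thunderbird's code). It reads the hash algorithm, creation time and key lifetime from RFC 4880 version 4 signature packet bodies. Assumptions: the cutoff is taken as midnight UTC, the newest accepted self-signature decides the lifetime, and `sample_sig` builds constructed input without real signature data.

```python
import struct
from datetime import datetime, timezone

SHA1 = 2                           # RFC 4880 hash algorithm ID for SHA-1
SIG_CREATED, KEY_LIFETIME = 2, 9   # RFC 4880 signature subpacket types
# Assumption: the cutoff date from the article is read as midnight UTC.
CUTOFF = int(datetime(2019, 1, 15, tzinfo=timezone.utc).timestamp())

def subpackets(area):
    """Yield (type, data) for every subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                        # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                            # five-octet length
            n, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]   # mask off the critical bit
        i += n

def parse_v4_signature(body):
    """Return (hash_algo, created, key_lifetime) from a v4 signature body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 signature")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    if 6 + hashed_len > len(body):
        raise ValueError("truncated hashed subpacket area")
    fields = dict(subpackets(body[6:6 + hashed_len]))
    if SIG_CREATED not in fields:
        raise ValueError("signature has no creation time")
    created = struct.unpack(">I", fields[SIG_CREATED])[0]
    lifetime = fields.get(KEY_LIFETIME)
    return body[3], created, struct.unpack(">I", lifetime)[0] if lifetime else None

def is_ignored(hash_algo, created):
    """The rule from the article: SHA-1 and created after the cutoff."""
    return hash_algo == SHA1 and created > CUTOFF

def effective_lifetime(self_sigs):
    """Key lifetime (seconds) from the newest self-signature that is not ignored."""
    usable = [s for s in map(parse_v4_signature, self_sigs) if not is_ignored(*s[:2])]
    return max(usable, key=lambda s: s[1])[2] if usable else None

def sample_sig(hash_algo, created, lifetime):
    """Constructed input: header and hashed area only, no real signature data."""
    hashed = b"\x05\x02" + struct.pack(">I", created) + b"\x05\x09" + struct.pack(">I", lifetime)
    return bytes([4, 0x13, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed + b"\x00\x00"
```

With a SHA-256 self-signature from 2017 and a SHA-1 update from 2021 that extends the lifetime, `effective_lifetime` returns the 2017 value, which is how a key whose owner extended it can still be reported as expired.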

The key owner should update to the latest version of their OpenPGP software, repeat the key modifications to produce an updated key, and then share the updated public key with you.

Some software may require an updated configuration to ensure that modern algorithms are used when modifying keys.