Error trying to import PGP public key
Hi,
I have my Thunderbird 91.8.0 (64-bit) (Fedora 35) set up to use PGP aliases. This worked well for quite some weeks. Since a short time ago (like one week or so) I have been encountering a problem:
First, when trying to use an alias, Thunderbird told me there was no key for encryption found. So I checked my settings and the profile directory for the .json file containing the alias rules. It was there as expected. Trying to fix the problem I copied the file, renamed it and changed the mail.openpgp.alias_rules_file value to the new name. Now it would find the file again but tell me the corresponding public PGP key is missing.
I checked using the Thunderbird integrated OpenPGP Key Manager and indeed the public key for the alias was missing. So I tried to import this key again after downloading and saving it (from https://keys.openpgp.org/), but this always throws an error which doesn't give a reason (see picture).
Btw: I also checked the pubring.gpg file with grep and it seems like the desired key is in there (I'm not very experienced in using grep, but the output was something like "found occurrence in binary file" for: grep XXXX (name of the owner of the key) ~/.thunderbird/NNNNxrez.default-release/pubring.gpg).
Does anyone know what the problem is or how to fix it? Maybe there is just a format problem when trying to import from https://keys.openpgp.org/ ? Because I tested it with another key from there with the same result...
Would appreciate any help or tip what to try!
Cheers!
Chosen solution
How can I check this?
You can use gpg to check, see https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/
If you do see 'digest algo 2' in any of your packets your key is using a SHA1 hash.
If this doesn't get you any further, I'd suggest you ask about your problem at the e2ee mailing list. https://thunderbird.topicbox.com/groups/e2ee
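As an added worked example (not part of the thread, and not Thunderbird's or GnuPG's own code), here is a small POSIX shell script that automates the check suggested above: it runs the key file through `gpg --list-packets`, pulls the `sigclass` and `digest algo` fields out of every signature packet, and flags MD5, SHA-1 and RIPEMD-160 (RFC 4880 hash ids 1 to 3). The function names, the key ids and the sample `--list-packets` text are constructed for illustration; the sample only mimics the shape of gpg's output and is not a real key, so the parser can be exercised without gpg installed.

```shell
#!/bin/sh
# Added example: report the hash algorithm used by each signature packet of an
# OpenPGP key, as printed by `gpg --list-packets`.  The "digest algo N" field of a
# signature packet is the RFC 4880 hash algorithm id; 2 is SHA-1.

# Map an RFC 4880 (section 9.4) hash algorithm id to its name.
hash_name() {
    case "$1" in
        1) echo MD5 ;;
        2) echo SHA1 ;;
        3) echo RIPEMD160 ;;
        8) echo SHA256 ;;
        9) echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *) echo "unknown($1)" ;;
    esac
}

# Read `gpg --list-packets` output on stdin; print "<sigclass> <id> <name>" per
# signature packet.  sigclass 0x13 is a self-signature on a user ID, 0x18 a subkey
# binding signature, 0x10-0x12 are third-party certifications.
sig_digests() {
    awk '
        /^:signature packet:/ { insig = 1; sigclass = "?"; next }
        /^:/                  { insig = 0 }
        insig && /sigclass 0x[0-9a-fA-F]+/ {
            match($0, /sigclass 0x[0-9a-fA-F]+/)
            sigclass = substr($0, RSTART + 9, RLENGTH - 9)
        }
        insig && /digest algo [0-9]+/ {
            match($0, /digest algo [0-9]+/)
            print sigclass, substr($0, RSTART + 12, RLENGTH - 12)
            insig = 0
        }
    ' | while read -r sigclass algo; do
        printf '%s %s %s\n' "$sigclass" "$algo" "$(hash_name "$algo")"
    done
}

# Exit 0 if any signature packet on stdin uses MD5, SHA-1 or RIPEMD-160 (ids 1-3),
# exit 1 otherwise.
has_weak_sig_digest() {
    sig_digests | awk '$2 == 1 || $2 == 2 || $2 == 3 { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample in the shape of `gpg --list-packets` output (not a real key):
# a user-ID self-signature still made with SHA-1 (digest algo 2) and a subkey
# binding signature made with SHA-256 (digest algo 8).
sample_packets() {
    cat <<'EOF'
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
    version 4, algo 1, created 1639000000, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 0123456789ABCDEF
# off=528 ctb=b4 tag=13 hlen=2 plen=35
:user ID packet: "Example Org <security@example.org>"
# off=565 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1639000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
    hashed subpkt 2 len 4 (sig created 2021-12-08)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
    data: [4095 bits]
# off=1131 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
    version 4, algo 1, created 1639000000, expires 0
    keyid: FEDCBA9876543210
# off=1659 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1639000000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 12 34
    hashed subpkt 2 len 4 (sig created 2021-12-08)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
    data: [4096 bits]
EOF
}

# Usage: sh sigdigests.sh path/to/key.asc
# Prints the per-signature summary and exits 1 when a weak digest is present, so the
# check can gate a scripted import.  With no argument the functions are only defined.
if [ "$#" -eq 1 ]; then
    packets=$(gpg --list-packets "$1") || exit 2
    printf '%s\n' "$packets" | sig_digests
    if printf '%s\n' "$packets" | has_weak_sig_digest; then
        echo "weak digest (MD5/SHA-1/RIPEMD-160) on a key signature" >&2
        exit 1
    fi
fi
```

On the constructed sample the script prints `0x13 2 SHA1` and `0x18 8 SHA256`, i.e. it is the user-ID self-signature that still uses SHA-1. Only the key owner can replace a self-signature, since it is made with the primary private key; certifying the key with your own key does not change the digest of the owner's self-signature.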
All replies (6)
I forgot to mention: when adding the same public key file which caused the error in Thunderbird to the gpg keyring instead (in my case via Seahorse) or with the "gpg --import" terminal command, there is no problem and everything worked. So it should not be a broken key/file, I guess...
I did try to import this key again after downloading and saving it (from https://keys.openpgp.org/) but this always throws an error which doesn't tell a reason (see picture).
Is there anything in the error console (CTRL-Shift-J)?
Note, OpenPGP keys with a SHA1 hash aren't supported anymore. https://thunderbird.topicbox.com/groups/e2ee/T11fc13015f1d7bf2/pgp-keys-singned-with-sha-1-broken
"found occurrence in binary file"
Use grep in connection with text files. You don't want to use grep with binary files.
Is there anything in the error console (CTRL-Shift-J)?
There is some stuff, but I'm not getting any clue from this (see attached picture)
Note, OpenPGP keys with a SHA1 hash aren't supported anymore. https://thunderbird.topicbox.com/groups/e2ee/T11fc13015f1d7bf2/pgp-keys-singned-with-sha-1-broken
Thanks for the info! How can I check this? Anyway, the key is pretty new (created in December '21 to upgrade from 2048 to 4096 bit), so I hope the organisation didn't use SHA1 lol... And the key worked fine for some weeks.
Thanks in advance for the help!
If you do see 'digest algo 2' in any of your packets your key is using a SHA1 hash.
Indeed it seems to be signed with SHA-1. I don't know why anyone would do this in 2021, but it seems to be the case. The only weird thing is that the older key was correctly imported into Thunderbird but also used SHA-1.
Is there any way to manually allow a specific SHA-1 signed PGP key, or do I have to download an older version of Thunderbird to fix my problem? I mean, end-to-end encryption using a SHA-1 signed PGP key is better than no encryption at all, so I would prefer this over not using any encryption. Probably I will not be able to get the company to generate a new PGP key using an algorithm that is considered safe...
Is there any way to manually allow a specific SHA-1 signed PGP key
There may be a way to fix the hashes using gpg but I'm not exactly sure. You may ask on the gnupg-users mailing list.
do I have to download an older version of Thunderbird to fix my problem?
Thunderbird versions prior to 91.8.0 are supposed to work with SHA1 hashes, however, it is not recommended to use outdated (and thus vulnerable) versions. You should also use a separate profile with an older version. Unless you know exactly what you're doing I'd not recommend going that route.
Probably I will not be able to get the company to generate a new PGP key using an algorithm that is considered safe...
If the company doesn't care, then why don't you simply generate a new key using Thunderbird and distribute your new public key to your correspondents? You can still decrypt existing messages using gpg or some GUI tool like Kleopatra if needed.