Using OpenPGP secret keys that advertise features that are not supported by Thunderbird

Thunderbird Thunderbird 建立于: 4 weeks ago

Summary

This page documents the reason for a warning that is shown in Thunderbird version 128 or later.

If clicking a Help button in Thunderbird sent you to this page, then you were trying to import an OpenPGP key. Using that key as is with Thunderbird might result in future interoperability issues.

To avoid such issues, please consider performing the steps described in this document.

Detailed explanation:

It is possible to use OpenPGP secret keys with Thunderbird that were originally created using other software, for example using GnuPG.

An OpenPGP key may contain metadata that lists certain software capabilities, also called feature flags. Software that creates or updates a key may add such flags, to advertise that the software supports certain new features.

When exchanging messages between OpenPGP users, software usually considers interoperability between correspondents as a high priority, and often avoids the use of new features, unless it is certain the new feature can safely be used. A feature flag listed inside a correspondent's key can be used to learn that it is safe to use a new feature with a correspondent.

At the time of writing this article, Thunderbird versions 115.x and the planned 128.x do not support certain features that have been implmented by the GnuPG software.

When importing an OpenPGP secret key into Thunderbird, with the intention to use it as a personal key, Thunderbird will keep the existing feature flags, and will include them when publishing the user's public key.

This may cause interoperability issues. If Thunderbird signals to correspondents that a certain feature is supported, the correspondents may reply with messages or keys that Thunderbird cannot read or process.

To avoid these interoperability issues, it is recommended that you remove these flags prior to importing a secret key into Thunderbird.

Thunderbird versions 128 and newer will warn the user when unsupported feature flags are discovered. This allows the user to manually delete the imported key, use external software to create a version of they key without those feature flags, and then import it into Thunderbird again.

Because previous versions of Thunderbird did not warn in this scenario, users may already be using such a key. Thunderbird will show warning messages on the error console when such keys are present.

There are various options to remedy this:

  • You could do nothing. This means that should you ever receive messages that TB cannot process, you could export your messages and manually process them using GnuPG. OR
  • You could remove the feature flags.

Ideally Thunderbird should remove those flags at the time of import. However, at this time Thunderbird doesn't have the ability to remove those flags. To eventually do that, a future update to the RNP library that Thunderbird uses will be required. That work is tracked in bug 1896885.

How to remove the feature flags

If you would like to avoid potential interoperability issues, you may use the GnuPG software to remove the flags. To do, ensure you use the --rfc4880 command line parameter when using GnuPG, or add the rfc4880 parameter to your GnuPG configuration file. You need to perform the following steps once:

  • First, edit your existing GnuPG secret key to remove the flag:
gpg --rfc4880 --edit-key identifier-of-your-key
> setpref
> save
# export the secret key from GNUPG
gpg --rfc4880 --export-secret-keys --armor --output my-secret-key.asc my-key-identifier
  • Second, import the secret key again into Thunderbird.

Use account settings or OpenPGP key manager to import file ```my-secret-key.asc```

The information in this article applies to Thunderbird versions 128 and earlier. It might also apply to later versions. Refer to bug 1896885 for more information on which Thunderbird version has a fix for this issue.

这篇文章对您有帮助吗?

请稍候...

此文章在这些用户的协助下写成:

Illustration of hands

志愿者

分享知识并培养专业技能。解答问题并改进我们的知识库。

详细了解