Bug 1886958
Summary: [RHEL 8] Thunderbird OpenGPG integration fails
Product: Red Hat Enterprise Linux 8
Component: thunderbird
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: 8.0
Keywords: Regression
Reporter: Andrew Mike <amike>
Assignee: Jan Horak <jhorak>
QA Contact: Desktop QE <desktop-qa-list>
Docs Contact:
CC: ahughes, ajb, andreas.rogge, aph, chref, cschalle, dwojewod, fabian.arrotin, farrotin, info, jeffrey.lau, jhorak, kaie, mkielian, neal, pasik, pasteur, phil, qguo, rik.theys, ssorce, thuth, tpopela, tse, vseerror, zidek
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
(unlabeled): 1886962
Environment:
Last Closed: 2022-12-15 11:09:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1886962
Description
Andrew Mike
2020-10-09 19:59:17 UTC
Setting regression flag since this marks a change since the Enigmail extension was obsoleted in favor of built-in encryption.

Comment 10
Fabian Arrotin

I confirm the issue, and as Enigmail isn't allowed to load (due to the Thunderbird version check) and the embedded OpenPGP support doesn't work (also tested with a new profile, but the feature is completely missing), I tested with a binary download straight from thunderbird.net: it works!

But then I also confirmed that this archive has librnp.so, which is completely missing from the rpm pkg thunderbird-78.3.1-1.el8_2.x86_64. So it could be that it wasn't built (missing --enable statement or else) *or* removed from the rpm pkg itself, and that is the case: just have a look at the .spec that was pushed to git.centos.org, it is clearly removed from the built sources:
https://git.centos.org/rpms/thunderbird/blob/c8/f/SPECS/thunderbird.spec#_1316

So now the question: as Fedora ships thunderbird with that librnp.so file, why is that removed/stripped from RHEL builds? The line "we cannot deliver that in RHELs" doesn't mention the reason why it was removed. Is there a way to consider enabling it back?

The only workarounds for people using gpg with thunderbird at this stage are:
* downgrade to the previous rpm pkg (after having restored ~/.thunderbird from backup, due to the automatic profile upgrade)
* use pre-built binaries from thunderbird.net, as they ship with the librnp.so libraries
* rebuild (in copr?) the thunderbird src.rpm but *not* removing it (and so add it in the %files section)

Comment 11
Andreas Rogge

So we now have the choice to either run an out-of-date (unsupported and potentially insecure) version of Thunderbird or not be able to read encrypted e-mail anymore. This is really, really bad. Either the maintainer knew what he was doing and broke PGP intentionally (on behalf of whomever), or the maintainer had no idea what he was doing, which is probably even worse. Could somebody please explain why this happened and if there is any chance for a fix at all?

Comment 12
Tomas Popela

(In reply to Fabian Arrotin from comment #10)
> So now the question : as Fedora ships thunderbird with that librnp.so file,
> why is that removed/stripped from RHEL builds ? The line " we cannot deliver
> that in RHELs" doesn't mention the reason why it was removed.

It was removed based on the request from Red Hat's Security Response Team (SRT) - please see https://bugzilla.redhat.com/show_bug.cgi?id=1837512

> Is there a way to consider enabling it back ?

No, there is no way, unless SRT reconsiders its decision.

> Only workaround for people using gpg with thunderbird at this stage are :
> * downgrade to previous rpm pkg (after having restored ~/.thunderbird from
> backup, due to automatic profile upgrade)
> * use pre-built binaries from thunderbird.net as they shipped with
> librnp.so libraries
> * rebuild (in copr ?) thunderbird src.rpm but by *not* removing it (and so
> add it in %files section)

Use Thunderbird as a Flatpak from Flathub or Fedora Registry.

or

Migrate to Evolution.

(In reply to Andreas Rogge from comment #11)
> Could somebody please explain why this happened and if there is any chance
> for a fix at all?

Please see the comment above and the linked bug from there.

Comment 15
Fabian Arrotin

(In reply to Tomas Popela from comment #12)
> (In reply to Fabian Arrotin from comment #10)
> > So now the question : as Fedora ships thunderbird with that librnp.so file,
> > why is that removed/stripped from RHEL builds ? The line " we cannot deliver
> > that in RHELs" doesn't mention the reason why it was removed.
>
> It was removed based on the request from Red Hat's Security Response Team
> (SRT) - please see https://bugzilla.redhat.com/show_bug.cgi?id=1837512
>

Hi Tomas .. thanks a lot for the explanation and pointer

For people still willing to use openpgp through librnp.so, Johnny (from CentOS) built and released it in the centosplus repository:
http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.6.1-1.el7.centos.plus.x86_64.rpm

It was also modified for c8 (and so should land in centosplus through the next compose, I heard):
https://koji.mbox.centos.org/koji/buildinfo?buildID=15507

Relevant git change for the centosplus branch:
https://git.centos.org/rpms/thunderbird/commits/c8-plus
https://git.centos.org/rpms/thunderbird/commits/c7-plus

I switched myself to that version and openpgp works fine, as librnp.so is there (use at your own risk, but it's the centosplus repository, so an opt-in repo).

Comment 16
Thomas Huth

I'm also affected by this problem - OpenPGP does not work. Isn't there an easier solution than installing a third party build of Thunderbird (which also does not sound very appealing with regards to security for me)?

Comment

(In reply to Thomas Huth from comment #16)
> I'm also affected by this problem - OpenPGP does not work. Isn't there an
> easier solution than installing a third party build of Thunderbird (which
> also does not sound very appealing with regards to security for me)?

Well, thunderbird from the CentOS centosplus repository is built from the same RHEL8 sources, just with the patch mentioned in git, to build and ship librnp.so (and it works, as that's the pkg I'm using on my RH laptop). As it seems clear that it's a RH decision to not ship it, I think that using that pkg (or the tarball from upstream thunderbird.net, or flatpak) is the only way to go?

Comment

Hi,

(In reply to Fabian Arrotin from comment #15)
> For people still willing to use openpgp through librnp.so, Johnny (from
> CentOS) built and released it in centosplus repository :
> http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.6.1-1.el7.centos.plus.x86_64.rpm
>
> I switched myself to that version and openpgp works fine, as librnp.so is
> there (use at your own risk, but it's centosplus repository, so opt-in repo)

If I enable the plus repo on my system (with the other thunderbird package currently installed) and check if it would upgrade thunderbird:

# dnf --enablerepo plus check-update
Last metadata expiration check: 0:05:57 ago on Thu 28 Jan 2021 12:34:27 PM CET.

perf.x86_64                    4.18.0-240.10.1.el8_3.centos.plus    plus
python3-perf.x86_64            4.18.0-240.10.1.el8_3.centos.plus    plus
Obsoleting Packages
kernel-plus-headers.x86_64     4.18.0-240.10.1.el8_3.centos.plus    plus
    kernel-headers.x86_64      4.18.0-240.10.1.el8_3                @baseos

Enabling the plus repo would in my case upgrade some packages that don't need to be upgraded, but would not automatically use thunderbird from this repository. For each thunderbird update, I would have to make sure it's using the package from the plus repo. Since there can be a delay in thunderbird updates in the plus repo compared to the appstream repo, systems would have pulled it from the appstream repo and not upgrade to the plus version once it arrives there, as the NVR is the same?

Is it an option to ship the librnp.so library in another package (for example thunderbird-gpg) instead? Or is there a nice way to only pull thunderbird from the plus repo?

Regards,

Rik

Comment

Hi Rik,

Unsure if discussion can still happen on bugzilla, as I don't think that it will be fixed in RHEL (but it's allowed in Fedora).

Back to centosplus: you can use exclude/includepkgs in your .repo config and so it would pick only the one from CentOS plus:

From /etc/yum.repos.d/CentOS-Linux-AppStream.repo

[appstream]
name=CentOS Linux $releasever - AppStream
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=AppStream&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
exclude=thunderbird

And from /etc/yum.repos.d/CentOS-Linux-Plus.repo

[plus]
name=CentOS Linux $releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$releasever/centosplus/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
includepkgs=thunderbird

That way it would only get it from centosplus all the time (and of course if you want other pkgs from the Plus repository, you can extend the list, or just exclude from AppStream, up to you :-)

Comment 20
neal

(In reply to Tomas Popela from comment #12)
> (In reply to Fabian Arrotin from comment #10)
> > So now the question : as Fedora ships thunderbird with that librnp.so file,
> > why is that removed/stripped from RHEL builds ? The line " we cannot deliver
> > that in RHELs" doesn't mention the reason why it was removed.
>
> It was removed based on the request from Red Hat's Security Response Team
> (SRT) - please see https://bugzilla.redhat.com/show_bug.cgi?id=1837512
>
> > Is there a way to consider enabling it back ?
>
> No, there is no way, unless SRT reconsiders its decision.
>
> > Only workaround for people using gpg with thunderbird at this stage are :
> > * downgrade to previous rpm pkg (after having restored ~/.thunderbird from
> > backup, due to automatic profile upgrade)
> > * use pre-built binaries from thunderbird.net as they shipped with
> > librnp.so libraries
> > * rebuild (in copr ?) thunderbird src.rpm but by *not* removing it (and so
> > add it in %files section)
>
> Use Thunderbird as a Flatpak from Flathub or Fedora Registry.
>
> or
>
> Migrate to Evolution.

There is now another alternative. We (Sequoia PGP, https://sequoia-pgp.org) have created an ABI compatible shim that implements the semantics that rnp implements. You can find the code here: https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp . The basic idea is: build it, replace TB's librnp with sequoia-octopus-librnp's RNP, restart TB. No migration is required (the shim uses the same key stores as RNP and uses the same format), and it is possible to switch back at any time.

The nice thing about this shim is that Sequoia uses Nettle, which is already part of RHEL. So, AIUI, it is possible for RHEL to ship it.

Note: there is still one function missing: we haven't yet implemented importing keys (existing keys are used), because it has a bit of a funky JSON API.

Several people on the Sequoia team are already using it, as it supports a greater variety of keys than rnp, for instance.

We'd like to hear from users impacted by this issue whether they are interested in this solution.

Comment 21
Thomas Huth

(In reply to neal from comment #20)
> Note: there is still one function missing: we haven't yet implemented
> importing keys (existing keys are used), because it has a bit of a funky
> JSON API.

But I assume there is a way to manually import keys on the command line? ... that would be fine for me, at least.

> Several people on the Sequoia team are already using it, as it supports a
> greater variety of keys than rnp, for instance.
>
> We'd like to hear from users impacted by this issue whether they are
> interested in this solution.

I'm certainly interested! I'd really prefer such a solution than having to take care of installing a 3rd party TB build...

Comment

(In reply to Thomas Huth from comment #21)
> (In reply to neal from comment #20)
> > Note: there is still one function missing: we haven't yet implemented
> > importing keys (existing keys are used), because it has a bit of a funky
> > JSON API.
>
> But I assume there is a way to manually import keys on the command line? ...
> that would be fine for me, at least.
>
> > Several people on the Sequoia team are already using it, as it supports a
> > greater variety of keys than rnp, for instance.
> >
> > We'd like to hear from users impacted by this issue whether they are
> > interested in this solution.
>
> I'm certainly interested! I'd really prefer such a solution than having to
> take care of installing a 3rd party TB build...

Rereading my original note, I realize you may have gotten the impression that the shim is nearly production ready. I didn't mean to imply that. It is a two week hack, and one important function is still missing. Consider it a tech demo, even if it works surprisingly well. I mentioned it here, because we'd like some feedback to better gauge the degree to which people (in particular, Redhat and Fedora) are interested.

Now to your specific question: you can't right now import keys using the command line. If you want to try it out, use an existing public keyring. It could be from TB, or you could just do: 'gpg --export > .thunderbird/$MY-PROFILE.default-release/pubring.gpg'.

Comment

Joining in this party, the RNP team has been working on a version that should address SRT concerns and can hopefully satisfy the needs of the RHEL Thunderbird package. This version dynamically links to one of the native cryptographic libraries on RHEL; Simo and Kai are well aware of the effort.

The remaining concern on our side is to address immediate algorithm availability (not all OpenPGP algorithms are supported by those cryptographic libraries), but we will work with that particular library (in time) to attempt parity with our usage of Botan.

Last but not least, please feel free to post any RNP unmet needs at our issue tracker: https://github.com/rnpgp/rnp/issues

Thank you to all those who have been patient!

One more note: technically this issue will be fully resolved once the new RNP version is released and incorporated into Thunderbird (i.e. the RHEL version would not depend on Botan). Hope this helps. Thanks!

Comment

I'd like to provide an update on the Sequoia option, for those who are interested. We've just released v1.0. This implements all of the functionality that Thunderbird uses, and a bit more. In the end, the project grew to also reintroduce many of the features that we and others miss from Enigmail, in particular, close gpg integration, web of trust support, and background updates. Along the way, we also discovered some security flaws, which we found workarounds for (see below). And Sequoia has several non-functional advantages. More details are available in the release announcement https://sequoia-pgp.org/blog/2021/04/08/202103-a-new-backend-for-thunderbird/ and in the project's README https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp .

Comment

With https://src.fedoraproject.org/rpms/thunderbird/pull-request/11 and https://src.fedoraproject.org/rpms/rust-sequoia-octopus-librnp/pull-request/1 in place it would be possible to see how things are working together, at least in Fedora for now.

Comment 33
Thomas Huth

(In reply to Fabian Arrotin from comment #15)
> For people still willing to use openpgp through librnp.so, Johnny (from
> CentOS) built and released it in centosplus repository :
> http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.6.1-1.el7.centos.plus.x86_64.rpm

Looks like the latest build (thunderbird-78.11.0-1.el8.x86_64.rpm) disabled openpgp again? It was still working fine in thunderbird-78.10.0-1.el8.x86_64.rpm ...thunderbird-78.10.0-1.el8.x86_64.rpm

Comment

(In reply to Thomas Huth from comment #33)
> (In reply to Fabian Arrotin from comment #15)
> > For people still willing to use openpgp through librnp.so, Johnny (from
> > CentOS) built and released it in centosplus repository :
> > http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.6.1-1.el7.centos.plus.x86_64.rpm
>
> Looks like the latest build (thunderbird-78.11.0-1.el8.x86_64.rpm) disabled
> openpgp again? It was still working fine in
> thunderbird-78.10.0-1.el8.x86_64.rpm ...thunderbird-78.10.0-1.el8.x86_64.rpm

Yes, I already reported that myself to Johnny, as he built it in koji with the correct git hash/branch and then it was pushed out (so in fact the one from AppStream landed into centosplus). The following build is the one pointing to the correct git hash/commit/branch and hopefully should land on mirrors soon (don't know when they'll push it out, but soon I hope):
https://koji.mbox.centos.org/koji/buildinfo?buildID=18123

Normally you can now already download/dnf localinstall it if needed (and not wait).

Comment

(In reply to Fabian Arrotin from comment #15)
> For people still willing to use openpgp through librnp.so, Johnny (from
> CentOS) built and released it in centosplus repository :
> http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.6.1-1.el7.centos.plus.x86_64.rpm

While the centosplus repository for CentOS 7 is still available, the one for CentOS 8 seems to be gone now (likely because 8 is EOL?)... is there still a place where current versions of a GPG-enabled Thunderbird can be found for RHEL8?

Comment 38
farrotin

Yes, it's just built for CentOS 8 Stream, still from the core SIG, and in the centos-plus repo:
http://mirror.centos.org/centos/8-stream/core/x86_64/centos-plus/

I think that Johnny should just build the last one that landed (but the one from the distro itself isn't built), and usually he does that in parallel.

Comment

(In reply to farrotin from comment #38)
> yes, it's just built for centos 8 stream and still from the core sig, and in
> centos-plus repo :
> http://mirror.centos.org/centos/8-stream/core/x86_64/centos-plus/

Great, that worked, thank you very much!

Comment

Hello everyone,

Just a hark back from the past: RNP now works with RHEL OpenSSL out of the box without needing Botan. Would PRs be welcome at https://src.fedoraproject.org/rpms/thunderbird ?

Comment

*** Bug 2136970 has been marked as a duplicate of this bug. ***

Comment

The support for OpenPGP in Thunderbird on RHEL 8 was implemented by enabling the OpenSSL backend for RNP. This is available on RHEL 8.4 and newer releases, but not on 8.2.0 and 8.1.0, where the OpenSSL is too old (1.1.1c is present and 1.1.1e is required). It will be available in the Thunderbird 102.6 builds that should be available in the following days.
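The checks below are an added example, not part of the bug thread and not CentOS or Red Hat tooling. They put the thread's three practical verifications into one sh preflight: does the installed Thunderbird actually carry librnp.so (the test from comment 10, and the only dependable signal after comments 33/34 showed an AppStream build landing in centosplus under a plain el8 NVR, so the release tag alone proves nothing); does the host's OpenSSL meet the 1.1.1e floor the final comment gives for the OpenSSL-backed RNP (the earlier Botan-based centosplus builds have no such floor); and do a pair of .repo sections carry the exclude=/includepkgs= pin from comment 19, without which dnf may silently take thunderbird from AppStream when both repos offer the same NVR. The install directory /usr/lib64/thunderbird, the file names and the sample .repo contents are assumptions; the fixtures the demo creates under mktemp are constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread: preflight checks for OpenPGP support in a
# RHEL/CentOS Thunderbird package.  The install dir /usr/lib64/thunderbird and the
# repo file layout are assumptions; the fixtures built below are constructed.

# has_librnp DIR: 0 if DIR carries the RNP backend that built-in OpenPGP needs.
# On a real host: has_librnp /usr/lib64/thunderbird  (or: rpm -ql thunderbird | grep librnp)
has_librnp() {
    [ -f "$1/librnp.so" ]
}

# openssl_ge A B: 0 if plain upstream OpenSSL version string A is at least B.
# Handles the 1.x patch letter (1.1.1c < 1.1.1e) and letterless 3.x versions (3.0.7).
openssl_ge() {
    a_num=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    b_num=$(printf '%s' "$2" | sed 's/[a-z]*$//')
    a_let=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    b_let=$(printf '%s' "$2" | sed 's/^[0-9.]*//')
    i=1
    while :; do
        # trailing "." guarantees a delimiter so cut yields "" past the last field
        fa=$(printf '%s.' "$a_num" | cut -d. -f"$i")
        fb=$(printf '%s.' "$b_num" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && break
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
    # numeric parts equal: the later patch letter wins ("" sorts before "a")
    hi=$(printf '%s\n%s\n' "$a_let" "$b_let" | LC_ALL=C sort | tail -n 1)
    [ "$hi" = "$a_let" ]
}

# repo_lists FILE SECTION OPTION PKG: 0 if "[SECTION]" in FILE has OPTION=... naming PKG.
# Confirms the exclude=/includepkgs= pin that keeps dnf from taking thunderbird from
# AppStream when AppStream and plus offer the same NVR.
repo_lists() {
    awk -v sec="[$2]" -v opt="$3" -v pkg="$4" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && index($0, opt "=") == 1 {
            n = split(substr($0, length(opt) + 2), v, /[ ,]+/)
            for (i = 1; i <= n; i++) if (v[i] == pkg) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Demo on constructed fixtures; a real run points at the live paths instead.
tmp=$(mktemp -d)
mkdir -p "$tmp/tb-appstream" "$tmp/tb-plus"
: > "$tmp/tb-plus/librnp.so"          # constructed stand-in for the shared object
cat > "$tmp/pin.repo" <<'EOF'
[appstream]
name=CentOS Linux $releasever - AppStream (constructed)
enabled=1
exclude=thunderbird

[plus]
name=CentOS Linux $releasever - Plus (constructed)
enabled=1
includepkgs=thunderbird
EOF

for d in tb-appstream tb-plus; do
    if has_librnp "$tmp/$d"; then echo "$d: librnp.so present, OpenPGP usable"
    else echo "$d: librnp.so missing, OpenPGP will be absent"; fi
done
for v in 1.1.1c 1.1.1k 3.0.7; do
    if openssl_ge "$v" 1.1.1e; then echo "OpenSSL $v: meets the 1.1.1e floor for OpenSSL-backed RNP"
    else echo "OpenSSL $v: too old for OpenSSL-backed RNP (1.1.1e required)"; fi
done
if repo_lists "$tmp/pin.repo" appstream exclude thunderbird &&
   repo_lists "$tmp/pin.repo" plus includepkgs thunderbird; then
    echo "pin.repo: thunderbird pinned to [plus]"
else
    echo "pin.repo: pin incomplete, dnf may take thunderbird from AppStream"
fi
rm -rf "$tmp"
```

Run it after every `dnf update` that touches thunderbird, with has_librnp pointed at the real install directory: a package whose release string says "centos.plus" but whose directory lacks librnp.so is exactly the situation comment 34 describes, and only the file check catches it. openssl_ge expects the plain version number as printed by `openssl version` (strip any distro suffix first).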