Bug 2133263
Summary: | [RHEL 9] Thunderbird OpenGPG integration fails | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | David <gigabot> | ||||
Component: | thunderbird | Assignee: | Jan Horak <jhorak> | ||||
Status: | CLOSED NEXTRELEASE | QA Contact: | Desktop QE <desktop-qa-list> | ||||
Severity: | urgent | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 9.0 | CC: | dwojewod, jhorak, kai-engert-fedora, mkielian, o.nickolay, ssorce, tpopela, tse, vseerror | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2022-12-15 11:09:05 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
David
2022-10-09 09:45:14 UTC
This is basically a duplicate of a RHEL 7 bug https://bugzilla.redhat.com/show_bug.cgi?id=1886962 and a RHEL 8 bug https://bugzilla.redhat.com/show_bug.cgi?id=1886958. I am not sure it is a duplicate, as the last version of Thunderbird I used on RHEL 8.6 worked perfectly. It is possible it was a flatpak, I really can't remember, sorry. Reading those bug reports, this seems like a dire situation for RHEL Thunderbird, should I expect it to be broken, or is a fix coming soon? How come this is not in known issues, for example in 9.1: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9-beta/html/9.1_release_notes/known-issues (In reply to David from comment #2) > Reading those bug reports, this seems like a dire situation for RHEL > Thunderbird, should I expect it to be broken, or is a fix coming soon? There is some work in progress, but nothing to be shared about it (or any outcomes) at the moment. Cheers, I really hope this is fixed for 9.1, or at least added to the know issues as it is a serious problem that people need to know about. (In reply to David from comment #4) > Cheers, I really hope this is fixed for 9.1. We can't share anything about the timeline, but I will just add that Thunderbird (and Firefox) releases in RHEL are not tight to a specific RHEL release, so when the issue will be resolved it will get to all supported RHEL releases (if no low level changes will be needed). Hi @david @ Gosh, sorry for the premature message... @david @tpopela I write on behalf of the RNP team. The latest Thunderbird version supports the RNP v16.1, which can be built with OpenSSL instead of Botan for cryptographic operations. Switching to using OpenSSL is now a package build configuration option. Could we know the responsible RHEL packaging engineer(s) here so we could work with them in resolving this issue? Thanks! (In reply to rhtse from comment #7) > Gosh, sorry for the premature message... @david > @tpopela > > I write on behalf of the RNP team. The latest Thunderbird version supports > the RNP v16.1, which can be built with OpenSSL instead of Botan for > cryptographic operations. Switching to using OpenSSL is now a package build > configuration option. Could we know the responsible RHEL packaging > engineer(s) here so we could work with them in resolving this issue? Thanks! That will be Jan Horak from the Desktop team (working on Thunderbird itself) and we should also include Simo Sorce from the Crypto team. (In reply to rhtse from comment #7) > Gosh, sorry for the premature message... @david > @tpopela > > I write on behalf of the RNP team. The latest Thunderbird version supports > the RNP v16.1, which can be built with OpenSSL instead of Botan for > cryptographic operations. Switching to using OpenSSL is now a package build > configuration option. Could we know the responsible RHEL packaging > engineer(s) here so we could work with them in resolving this issue? Thanks! That's a great news! Looks like the 102 has the 16.0 and 16.1 is in beta code. Any chance there will be an uplift to 102? Here are test builds for the Thunderbird with bundled sequoia librnp for rhel9 and 8.6: https://xhorak.fedorapeople.org/thunderbird-102.4.0-2.el9_0.x86_64.rpm https://xhorak.fedorapeople.org/thunderbird-102.4.0-2.el8_6.x86_64.rpm RHEL 9 ships with OpenSSL 3.0 which is supported by RNP 16.1. RHEL 8 ships with OpenSSL 1.1.1 which is supported by RNP 16.2. @kai-engert-fedora would you have any answer for @jhorak regarding uplift to 102? Thanks! Jan, I tested the thunderbird-102.4.0-2 el9 build and it works great, thanks! Hope it can be released officially soon, great work getting this sorted. Hello Jan, we have not yet officially backported RNP v0.16.2 to esr102. Currently, esr102 still uses RNP v0.16.0. However, the nightly versions of Thunderbird (and Beta) already got the upgrade to v0.16.2 In addition, I am currently testing v0.16.2 with a local esr102 build, and it seems to work. Ideally I would like to take a little more time to wait for regression reports with Thunderbird nightly/beta, prior to officially uplifting to esr102. However, given that OpenPGP does not yet work at all in RHEL, I think there's no need for RHEL to wait. We had added several patches to Thunderbird to allow building with RNP v0.16.2. Most of them were patches for the Thunderbird build system, but in addition, we also have two patches that are required application code changes. (a) https://bugzilla.mozilla.org/show_bug.cgi?id=1753683 (b) https://bugzilla.mozilla.org/show_bug.cgi?id=1790446 (c) https://bugzilla.mozilla.org/show_bug.cgi?id=1790116 (d) https://bugzilla.mozilla.org/show_bug.cgi?id=1790662 (e) https://bugzilla.mozilla.org/show_bug.cgi?id=1791195 Would you distribute RNP as part of the Thunderbird package? If yes, you would need all the patches (a)-(e). Patches (a)-(d) are build system and libraries. Patch (e) is for Thunderbird itself, to make its logic compatible with RNP v0.16.2 I can offer the series of patches that I have applied to esr102 and that builds for me (local build, not rpm build). Created attachment 1920830 [details]
Series of patches to backport RNP v0.16.2 to Thunderbird ESR 102 (tar.gz)
The patches in the attached archive were taken from the above list of bugzilla.mozilla.org bugs, with minor merging. Jan, the 102.4.0 build you uploaded has some super annoying visual regressions which I am sure are not related to this encryption issue, but I hope whoever builds the official el9 version can use the latest which is currently https://www.thunderbird.net/en-US/thunderbird/102.4.1/releasenotes/ which will hopefully fix them. Cheers. Kai thanks a lot, you've did a really nice work. Looking at the: https://searchfox.org/comm-central/source/third_party/rnp/moz.build#42 can I expect that BOTAN is still the used as crypto backend and to change that to openssl I need to patch the moz.build file to use CRYPTO_BACKEND_OPENSSL? Yes, the patch I've provided is limited to porting esr102 to RNP v0.16.2 I have not made any changes to make it use OpenSSL, that's still a TODO for you. Yes, that file seems like the right place to patch. We've rather decided to use openssl implementation of crypto ops in librnp than using sequioa, here are builds for the testing: https://xhorak.fedorapeople.org/thunderbird-102.4.0-1.el8_6.x86_64.rpm https://xhorak.fedorapeople.org/thunderbird-102.4.0-1.el9_0.x86_64.rpm Is it just me, or is the download site from comment 20 very slow for everyone? I get 6 KB/s download speed, estimated more than 4 hours to download. Never mind, I was able to download from a different network, which was faster. I have installed the el9 package from comment 20 on CentOS 9 stream, and I was able to use OpenPGP key generation, encrypting, decrypting and signing OpenPGP email. This is the first time I've actually tried Thunderbird with RNP and OpenSSL. I'm glad to see it working. Looks like RHEL 7.9 has too old openssl version: 0:03.67 Determining librnp version from version.h. 0:03.68 checking for openssl > 1.1.1... no 0:03.68 WARNING: Requested 'openssl > 1.1.1' but version of OpenSSL is 1.0.2k 0:03.68 Checking for OpenSSL >= 1.1.1 0:03.68 ERROR: OpenSSL not found. Must be locatable with pkg-config or use --with-openssl. dbelyavs: can we do something about it? Is the newer openssl available in rhel 7.9 in some different way? I just updated to RHEL 9.1, the current Thunderbird version is 102.5.0 and is still broken. Is there a link for a new working 102.5.0 el9_1 build for testing? Cheers! The support for OpenGPG in Thunderbird on RHEL 9 was implemented by enabling the OpenSSL backend for the RNP. It will be available in Thunderbird 102.6 builds that should be available in following days. |