Bug 1886958 - [RHEL8] Thunderbird 78 OpenGPG integration fails
Summary: [RHEL8] Thunderbird 78 OpenGPG integration fails
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: thunderbird
Version: 8.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: 8.0
Assignee: Jan Horak
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 1886962
TreeView+ depends on / blocked
 
Reported: 2020-10-09 19:59 UTC by Andrew Mike
Modified: 2021-06-22 14:39 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1886962 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)

Description Andrew Mike 2020-10-09 19:59:17 UTC
Description of problem: Thunderbird OpenGPG integration fails to function.

Version-Release number of selected component (if applicable):
78.3.1-1.el8_2

How reproducible: Consistently.

Steps to Reproduce:
1. Make a GPG keypair with "gpg --gen-key".
2. Make a new IMAP account with the email address of the GPG key.
3. Open the account settings page for that account by right-clicking on the account in the left pane of the main window and selecting "Settings".
4. Click the "Manage Identities..." button, select the single identity in the list, then select "Edit".
5. Go to the "End-To-End Encryption" tab and select the "Add Key..." button.

Actual results: Button has no effect, and no dialog button pops up.

Expected results: Button opens up the a dialog for importing an OpenPGP keypair.

Additional info: When running thunderbird with the --jsconsole command line option, this error appears:

==============================================================
Error: Cannot load required RNP library
    loadExternalRNPLib chrome://openpgp/content/modules/RNPLib.jsm:81
    init chrome://openpgp/content/modules/RNPLib.jsm:87
    once chrome://openpgp/content/modules/RNP.jsm:48
    init chrome://openpgp/content/modules/RNP.jsm:65
    init chrome://openpgp/content/BondOpenPGP.jsm:90
    <anonymous> chrome://openpgp/content/BondOpenPGP.jsm:217
    <anonymous> chrome://messenger/content/msgMail3PaneWindow.js:67
RNP.jsm:57:15

==============================================================

Comment 1 Andrew Mike 2020-10-09 20:00:41 UTC
Setting regression flag since this marks a change since the Enigmail extension was obsoleted in favor of built-in encryption.

Comment 10 Fabian Arrotin 2020-11-15 18:37:18 UTC
I confirm the issue, and as Enigmail isn't allowed to load (due to Thunderbird version check) and that embedded openpgp support doesn't work (also tested with new profile, but feature is completely missing), I tested with a binary download straight from thunderbird.net : it works !
But then I also confirmed that this archive has librnp.so, which is completely missing from rpm pkg thunderbird-78.3.1-1.el8_2.x86_64

So it could be that it wasn't built (missing --enable statement or else) *or* removed from the rpm pkg itself and it's the case : Just have a look at the .spec that was pushed to git.centos.org and clearly removed from the built sources : https://git.centos.org/rpms/thunderbird/blob/c8/f/SPECS/thunderbird.spec#_1316

So now the question : as Fedora ships thunderbird with that librnp.so file, why is that removed/stripped from RHEL builds ? The line " we cannot deliver that in RHELs" doesn't mention the reason why it was removed.

Is there a way to consider enabling it back ? 

Only workaround for people using gpg with thunderbird at this stage are : 
 * downgrade to previous rpm pkg (after having restored ~/.thunderbird from backup, due to automatic profile upgrade)
 * use pre-built binariares from thunderbird.net as they shipped with librnp.so libraries
 * rebuild (in copr ?) thunderbird src.rpm but by *not* removing it (and so add it in %files section)

Comment 11 Andreas Rogge 2020-11-17 16:36:12 UTC
So we now have the choice to either run an out-of-date (unsupported and potentially insecure version) of Thunderbird or not being able to read encrypted e-mail anymore. This is really, really bad.
Either the maintainer knew what he was doing and broke PGP intentionally (on behalf on whomever), or the maintainer had no idea what he was doing, which is probably even worse.

Could somebody please explain why this happened and if there is any chance for a fix at all?

Comment 12 Tomas Popela 2020-11-18 06:44:03 UTC
(In reply to Fabian Arrotin from comment #10)
> So now the question : as Fedora ships thunderbird with that librnp.so file,
> why is that removed/stripped from RHEL builds ? The line " we cannot deliver
> that in RHELs" doesn't mention the reason why it was removed.

It was removed based on the request from Red Hat's Security Response Team (SRT) - please see https://bugzilla.redhat.com/show_bug.cgi?id=1837512

> Is there a way to consider enabling it back ?

No, there is no way, unless SRT reconsiders its decision.

> Only workaround for people using gpg with thunderbird at this stage are : 
>  * downgrade to previous rpm pkg (after having restored ~/.thunderbird from
> backup, due to automatic profile upgrade)
>  * use pre-built binariares from thunderbird.net as they shipped with
> librnp.so libraries
>  * rebuild (in copr ?) thunderbird src.rpm but by *not* removing it (and so
> add it in %files section)

Use Thunderbird as a Flatpak from Flathub or Fedora Registry.

or

Migrate to Evolution.

Comment 13 Tomas Popela 2020-11-18 06:44:48 UTC
(In reply to Andreas Rogge from comment #11)
> Could somebody please explain why this happened and if there is any chance
> for a fix at all?

Please see the comment above and the linked bug from there.

Comment 14 Fabian Arrotin 2020-11-18 06:58:51 UTC
(In reply to Tomas Popela from comment #12)
> (In reply to Fabian Arrotin from comment #10)
> > So now the question : as Fedora ships thunderbird with that librnp.so file,
> > why is that removed/stripped from RHEL builds ? The line " we cannot deliver
> > that in RHELs" doesn't mention the reason why it was removed.
> 
> It was removed based on the request from Red Hat's Security Response Team
> (SRT) - please see https://bugzilla.redhat.com/show_bug.cgi?id=1837512
> 

Hi Tomas .. thanks a lot for the explanation and pointer

Comment 15 Fabian Arrotin 2021-01-16 08:54:17 UTC
For people still willing to use openpgp through librnp.so, Johnny (from CentOS) built and released it in centosplus repository : 
http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.6.1-1.el7.centos.plus.x86_64.rpm

It was also modified for c8 (and so should land in centosplus through next compose I heard) : https://koji.mbox.centos.org/koji/buildinfo?buildID=15507

relevant git change for the centosplus branch:

https://git.centos.org/rpms/thunderbird/commits/c8-plus
https://git.centos.org/rpms/thunderbird/commits/c7-plus

I switched myself to that version and openpgp works fine, as librnp.so is there (use at your own risk, but it's centosplus repository, so opt-in repo)

Comment 16 Thomas Huth 2021-01-26 09:58:04 UTC
I'm also affected by this problem - OpenPGP does not work. Isn't there an easier solution than installing a third party build of Thunderbird (which also does not sound very appealing with regards to security for me)?

Comment 17 Fabian Arrotin 2021-01-26 10:40:07 UTC
(In reply to Thomas Huth from comment #16)
> I'm also affected by this problem - OpenPGP does not work. Isn't there an
> easier solution than installing a third party build of Thunderbird (which
> also does not sound very appealing with regards to security for me)?

Well, thunderbird from CentOS centosplus repository is built from same RHEL8 sources, just with the patch mentioned in git, to build and ship librnp.so (and it works, as that's the pkg I'm using on my RH laptop)
As it seems clear that it's a RH decision to not ship it, I think that using that pkg (or tarball from upstream thunderbird.net or flatpak) is the only way to go ?

Comment 18 Rik Theys 2021-01-28 11:47:34 UTC
Hi,

(In reply to Fabian Arrotin from comment #15)
> For people still willing to use openpgp through librnp.so, Johnny (from
> CentOS) built and released it in centosplus repository : 
> http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.
> 6.1-1.el7.centos.plus.x86_64.rpm
> 
> I switched myself to that version and openpgp works fine, as librnp.so is
> there (use at your own risk, but it's centosplus repository, so opt-in repo)

If I enable the plus repo on my system (with the other thunderbird package currently installed) and check if it would upgrade thunderbird:


# dnf --enablerepo plus check-update
Last metadata expiration check: 0:05:57 ago on Thu 28 Jan 2021 12:34:27 PM CET.

perf.x86_64                                4.18.0-240.10.1.el8_3.centos.plus                  plus   
python3-perf.x86_64                        4.18.0-240.10.1.el8_3.centos.plus                  plus   
Obsoleting Packages
kernel-plus-headers.x86_64                 4.18.0-240.10.1.el8_3.centos.plus                  plus   
    kernel-headers.x86_64                  4.18.0-240.10.1.el8_3                              @baseos

Enabling the plus repo would in my case upgrade some packages that don't need to be upgraded, but would not automatically use thunderbird from this repository.

For each thunderbird update, I would have to make sure it's using the package from the plus repo. Since there can be a delay in thunderbird updates in the plus repo compared to the appstream repo, systems would have pulled it from the appstream repo and not upgrade to the plus version once it arrives there as the NVR is the same?

It it an option to ship the librnp.so library in another package (for example thunderbird-gpg) instead? Or is there a nice way to only pull thunderbird from the plus repo?

Regards,
Rik

Comment 19 Fabian Arrotin 2021-01-28 11:53:51 UTC
Hi Rik,

Unsure if discussion can still happen on bugzilla, as I don't think that it will be fixed in RHEL (but it's allowed in Fedora)

Back to centosplus, you can use exclude/includepkgs in your .repo config and so it would pick only the one from CentOS plus :

From /etc/yum.repos.d/CentOS-Linux-AppStream.repo
[appstream]
name=CentOS Linux $releasever - AppStream
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=AppStream&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
exclude=thunderbird

And from /etc/yum.repos.d/CentOS-Linux-Plus.repo
[plus]
name=CentOS Linux $releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$releasever/centosplus/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
includepkgs=thunderbird

That way it would only get it from centosplus all the time (and of course if you want other pkgs from Plus repository, you can extend the list, or just exclude from AppStream, up to you :-)

Comment 20 neal 2021-02-03 16:29:09 UTC
(In reply to Tomas Popela from comment #12)
> (In reply to Fabian Arrotin from comment #10)
> > So now the question : as Fedora ships thunderbird with that librnp.so file,
> > why is that removed/stripped from RHEL builds ? The line " we cannot deliver
> > that in RHELs" doesn't mention the reason why it was removed.
> 
> It was removed based on the request from Red Hat's Security Response Team
> (SRT) - please see https://bugzilla.redhat.com/show_bug.cgi?id=1837512
> 
> > Is there a way to consider enabling it back ?
> 
> No, there is no way, unless SRT reconsiders its decision.
> 
> > Only workaround for people using gpg with thunderbird at this stage are : 
> >  * downgrade to previous rpm pkg (after having restored ~/.thunderbird from
> > backup, due to automatic profile upgrade)
> >  * use pre-built binariares from thunderbird.net as they shipped with
> > librnp.so libraries
> >  * rebuild (in copr ?) thunderbird src.rpm but by *not* removing it (and so
> > add it in %files section)
> 
> Use Thunderbird as a Flatpak from Flathub or Fedora Registry.
> 
> or
> 
> Migrate to Evolution.

There is now another alternative.

We (Sequoia PGP, https://sequoia-pgp.org) have created an ABI compatible shim that implements the semantics that rnp implements.  You can find the code here: https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp .  The basic idea is: build it, replace TB's librnp with sequoia-octopus-librnp's RNP, restart TB.  No migration is required (the shim uses the same key stores as RNP and uses the same format), and it is possible to switch back at any time.

The nice thing about this shim is that Sequoia uses Nettle, which is already part of RHEL.  So, AIUI, it is possible for RHEL to ship it.

Note: there is still one function missing: we haven't yet implemented importing keys (existing keys are used), because it has a bit of a funky JSON API.

Several people on the Sequoia team are already using it, as it supports a greater variety of keys than rnp, for instance.

We'd like to hear from users impacted by this issue whether they are interested in this solution.

Comment 21 Thomas Huth 2021-02-04 08:11:35 UTC
(In reply to neal from comment #20)
> Note: there is still one function missing: we haven't yet implemented
> importing keys (existing keys are used), because it has a bit of a funky
> JSON API.

But I assume there is a way to manually import keys on the command line? ... that would be fine for me, at least.

> Several people on the Sequoia team are already using it, as it supports a
> greater variety of keys than rnp, for instance.
> 
> We'd like to hear from users impacted by this issue whether they are
> interested in this solution.

I'm certainly interested! I'd really prefer such a solution than having to take care of installing a 3rd party TB build...

Comment 22 neal 2021-02-04 08:46:41 UTC
(In reply to Thomas Huth from comment #21)
> (In reply to neal from comment #20)
> > Note: there is still one function missing: we haven't yet implemented
> > importing keys (existing keys are used), because it has a bit of a funky
> > JSON API.
> 
> But I assume there is a way to manually import keys on the command line? ...
> that would be fine for me, at least.
> 
> > Several people on the Sequoia team are already using it, as it supports a
> > greater variety of keys than rnp, for instance.
> > 
> > We'd like to hear from users impacted by this issue whether they are
> > interested in this solution.
> 
> I'm certainly interested! I'd really prefer such a solution than having to
> take care of installing a 3rd party TB build...

Rereading my original note, I realize you may have gotten the impression that
the shim is nearly production ready.  I didn't mean to imply that.  It is a two week
hack, and one important function is still missing.  Consider it a tech demo,
even if it works surprisingly well.

I mentioned it here, because we'd like some
feedback to better gauge the degree to which people (in particular, Redhat
and Fedora) are interested.

Now to your specific question: you can't right now import keys using the
command line.  If you want to try it out, use an existing public keyring.
It could be from TB, or you could just do: 'gpg --export > .thunderbird/$MY-PROFILE.default-release/pubring.gpg'.
from TB.

Comment 24 rhtse 2021-03-09 04:54:45 UTC
Joining in this party, the RNP team has been working on a version that should address SRT concerns and can hopefully satisfy the needs of the RHEL Thunderbird package. This version dynamically links to one of the native cryptographic libraries on RHEL; Simo and Kai are well aware of the effort.

The remaining concern on our side is to address immediate algorithm availability (not all OpenPGP algorithms are supported by those cryptographic libraries), but we will work with that particular library (in time) to attempt parity with our usage of Botan.

Last but not least, please feel free to post any RNP unmet needs at our issue tracker: https://github.com/rnpgp/rnp/issues

Thank you to all those who have been patient!

Comment 25 rhtse 2021-03-09 05:05:42 UTC
One more note: technically this issue will be fully resolved once the new RNP version is released and incorporated into Thunderbird (i.e. the RHEL version would not depend on Botan). Hope this helps. Thanks!

Comment 26 neal 2021-04-08 20:18:59 UTC
I'd like to provide an update on the Sequoia option, for those who are interested.  We've just release v1.0.  This implements all of the functionality that Thunderbird uses, and a bit more.  In the end, the project grew to also reintroduce many of the features that we and others miss from Enigmail, in particular, close gpg integration, web of trust support, and background updates.  Along the way, we also discovered some security flaws, which we found workarounds for (see below).  And Sequoia has several non-functional advantages.  More details are available in the release announcement https://sequoia-pgp.org/blog/2021/04/08/202103-a-new-backend-for-thunderbird/ and in the project's README https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp .

Comment 27 Tomas Popela 2021-05-24 10:50:46 UTC
With https://src.fedoraproject.org/rpms/thunderbird/pull-request/11 and https://src.fedoraproject.org/rpms/rust-sequoia-octopus-librnp/pull-request/1 in place it would be possible to see how things are working together at least in Fedora for now.

Comment 33 Thomas Huth 2021-06-22 14:17:12 UTC
(In reply to Fabian Arrotin from comment #15)
> For people still willing to use openpgp through librnp.so, Johnny (from
> CentOS) built and released it in centosplus repository : 
> http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.
> 6.1-1.el7.centos.plus.x86_64.rpm

Looks like the latest build (thunderbird-78.11.0-1.el8.x86_64.rpm) disabled openpgp again? It was still working fine in thunderbird-78.10.0-1.el8.x86_64.rpm ...thunderbird-78.10.0-1.el8.x86_64.rpm

Comment 34 Fabian Arrotin 2021-06-22 14:39:02 UTC
(In reply to Thomas Huth from comment #33)
> (In reply to Fabian Arrotin from comment #15)
> > For people still willing to use openpgp through librnp.so, Johnny (from
> > CentOS) built and released it in centosplus repository : 
> > http://mirror.centos.org/centos/7/centosplus/x86_64/Packages/thunderbird-78.
> > 6.1-1.el7.centos.plus.x86_64.rpm
> 
> Looks like the latest build (thunderbird-78.11.0-1.el8.x86_64.rpm) disabled
> openpgp again? It was still working fine in
> thunderbird-78.10.0-1.el8.x86_64.rpm ...thunderbird-78.10.0-1.el8.x86_64.rpm

Yes, I already reported that myself to Johnny as he built it in koji with the correct git hash/branch and then was pushed out (so in fact the one from AppStream landed into centosplus)
The following build is the one pointing to correct git hash/commit/branch and hopefully should land on mirrors soon (don't know when they'll push it out but soon I hope)
https://koji.mbox.centos.org/koji/buildinfo?buildID=18123

Normally you can now already download/dnf localinstall it if needed (and not wait)


Note You need to log in before you can comment on or make changes to this bug.