2133263 – [RHEL 9] Thunderbird OpenGPG integration fails

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2133263 - [RHEL 9] Thunderbird OpenGPG integration fails

Summary: [RHEL 9] Thunderbird OpenGPG integration fails

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	thunderbird
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Horak
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-10-09 09:45 UTC by David
Modified:	2023-01-07 11:51 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-12-15 11:09:05 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Series of patches to backport RNP v0.16.2 to Thunderbird ESR 102 (tar.gz) (375.93 KB, application/gzip) 2022-10-28 10:47 UTC, Kai Engert	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-135995	0	None	None	None	2022-10-09 10:07:26 UTC
Red Hat Knowledge Base (Solution)	6980050	0	None	None	None	2022-10-19 20:17:55 UTC

Description David 2022-10-09 09:45:14 UTC

The bug was reported to mozilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=1794157

but it was found to be specific to the RHEL 9 build. I am copy pasting it across for attention here, please see the original linked thread for all the details.

# Problem
"
Steps to reproduce:

Created a keypair using gnupg, and exported both the secret and public key using gpg --export-secret --armor and gpg --export --armor to two separate ASC files. Attempted to add the keys to the key manager via the dropdown menu, as well as using the online key lookup. Attempted to create keypair using all variations of options in the key manager's key generator. Currently using RHEL 9.0 and Thunderbird 102.3.0.

Actual results:

Online key lookup continually "seeks" when a key is present for the desired email, but will act normally if the email is not found on keys.openpgp.org. When importing both private and public keys via the key manager, I get an error stating "Importing the keys failed TypeError:RNPLib is Undefined." I was able to add an external key, but it does not work, instead providing an error saying the key is not found on the keyring, even with mail.openpgp.allow_external_gnupg flag set to true. Generating a key pair via the key manager throws an error saying "OpenPGP Key generation unexpectedly failed.

Expected results:

Key manager should allow public and private keys to be imported, should recognize externally added keys, sand hould be able to import public keys from the online lookup without issue.
"

# Conclusion
"
Downloaded 102.3.2 from the Thunderbird webpage, and OpenPGP works perfect with no issues. Thanks for the suggestion! Very strange that the version through RHEL has this issue; botan2 and botan2-devel were installed by default, but when i try to install librnp it says it cant find the botan2 or libcrypto libraries, even though they are both present.
"

Comment 1 Tomas Popela 2022-10-10 07:00:29 UTC

This is basically a duplicate of a RHEL 7 bug https://bugzilla.redhat.com/show_bug.cgi?id=1886962 and a RHEL 8 bug https://bugzilla.redhat.com/show_bug.cgi?id=1886958.

Comment 2 David 2022-10-10 14:27:04 UTC

I am not sure it is a duplicate, as the last version of Thunderbird I used on RHEL 8.6 worked perfectly. It is possible it was a flatpak, I really can't remember, sorry.

Reading those bug reports, this seems like a dire situation for RHEL Thunderbird, should I expect it to be broken, or is a fix coming soon? How come this is not in known issues, for example in 9.1: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9-beta/html/9.1_release_notes/known-issues

Comment 3 Tomas Popela 2022-10-10 14:31:30 UTC

(In reply to David from comment #2)
> Reading those bug reports, this seems like a dire situation for RHEL
> Thunderbird, should I expect it to be broken, or is a fix coming soon?

There is some work in progress, but nothing to be shared about it (or any outcomes) at the moment.

Comment 4 David 2022-10-10 15:35:21 UTC

Cheers, I really hope this is fixed for 9.1, or at least added to the know issues as it is a serious problem that people need to know about.

Comment 5 Tomas Popela 2022-10-11 07:22:37 UTC

(In reply to David from comment #4)
> Cheers, I really hope this is fixed for 9.1.

We can't share anything about the timeline, but I will just add that Thunderbird (and Firefox) releases in RHEL are not tight to a specific RHEL release, so when the issue will be resolved it will get to all supported RHEL releases (if no low level changes will be needed).

Comment 6 rhtse 2022-10-24 05:06:24 UTC

Hi @david @

Comment 7 rhtse 2022-10-24 05:11:45 UTC

Gosh, sorry for the premature message... @david @tpopela

I write on behalf of the RNP team. The latest Thunderbird version supports the RNP v16.1, which can be built with OpenSSL instead of Botan for cryptographic operations. Switching to using OpenSSL is now a package build configuration option. Could we know the responsible RHEL packaging engineer(s) here so we could work with them in resolving this issue? Thanks!

Comment 8 Tomas Popela 2022-10-24 08:08:13 UTC

(In reply to rhtse from comment #7)
> Gosh, sorry for the premature message... @david
> @tpopela
> 
> I write on behalf of the RNP team. The latest Thunderbird version supports
> the RNP v16.1, which can be built with OpenSSL instead of Botan for
> cryptographic operations. Switching to using OpenSSL is now a package build
> configuration option. Could we know the responsible RHEL packaging
> engineer(s) here so we could work with them in resolving this issue? Thanks!

That will be Jan Horak from the Desktop team (working on Thunderbird itself) and we should also include Simo Sorce from the Crypto team.

Comment 9 Jan Horak 2022-10-24 08:21:04 UTC

(In reply to rhtse from comment #7)
> Gosh, sorry for the premature message... @david
> @tpopela
> 
> I write on behalf of the RNP team. The latest Thunderbird version supports
> the RNP v16.1, which can be built with OpenSSL instead of Botan for
> cryptographic operations. Switching to using OpenSSL is now a package build
> configuration option. Could we know the responsible RHEL packaging
> engineer(s) here so we could work with them in resolving this issue? Thanks!

That's a great news! Looks like the 102 has the 16.0 and 16.1 is in beta code. Any chance there will be an uplift to 102?

Comment 10 Jan Horak 2022-10-26 12:38:35 UTC

Here are test builds for the Thunderbird with bundled sequoia librnp for rhel9 and 8.6:
https://xhorak.fedorapeople.org/thunderbird-102.4.0-2.el9_0.x86_64.rpm
https://xhorak.fedorapeople.org/thunderbird-102.4.0-2.el8_6.x86_64.rpm

Comment 11 rhtse 2022-10-26 13:00:34 UTC

RHEL 9 ships with OpenSSL 3.0 which is supported by RNP 16.1. RHEL 8 ships with OpenSSL 1.1.1 which is supported by RNP 16.2.

@kai-engert-fedora would you have any answer for @jhorak regarding uplift to 102? Thanks!

Comment 12 David 2022-10-28 09:41:44 UTC

Jan, I tested the thunderbird-102.4.0-2 el9 build and it works great, thanks! Hope it can be released officially soon, great work getting this sorted.

Comment 13 Kai Engert 2022-10-28 10:38:42 UTC

Hello Jan,

we have not yet officially backported RNP v0.16.2 to esr102.

Currently, esr102 still uses RNP v0.16.0.
However, the nightly versions of Thunderbird (and Beta) already got the upgrade to v0.16.2

In addition, I am currently testing v0.16.2 with a local esr102 build, and it seems to work.

Ideally I would like to take a little more time to wait for regression reports with Thunderbird nightly/beta, prior to officially uplifting to esr102.

However, given that OpenPGP does not yet work at all in RHEL, I think there's no need for RHEL to wait.

We had added several patches to Thunderbird to allow building with RNP v0.16.2.
Most of them were patches for the Thunderbird build system, but in addition, we also have two patches that are required application code changes.

(a) https://bugzilla.mozilla.org/show_bug.cgi?id=1753683
(b) https://bugzilla.mozilla.org/show_bug.cgi?id=1790446
(c) https://bugzilla.mozilla.org/show_bug.cgi?id=1790116
(d) https://bugzilla.mozilla.org/show_bug.cgi?id=1790662
(e) https://bugzilla.mozilla.org/show_bug.cgi?id=1791195

Would you distribute RNP as part of the Thunderbird package?
If yes, you would need all the patches (a)-(e).

Patches (a)-(d) are build system and libraries.
Patch (e) is for Thunderbird itself, to make its logic compatible with RNP v0.16.2

I can offer the series of patches that I have applied to esr102 and that builds for me (local build, not rpm build).

Comment 14 Kai Engert 2022-10-28 10:47:23 UTC

Created attachment 1920830 [details]
Series of patches to backport RNP v0.16.2 to Thunderbird ESR 102 (tar.gz)

Comment 15 Kai Engert 2022-10-28 10:48:25 UTC

The patches in the attached archive were taken from the above list of bugzilla.mozilla.org bugs, with minor merging.

Comment 16 David 2022-10-29 11:45:09 UTC

Jan, the 102.4.0 build you uploaded has some super annoying visual regressions which I am sure are not related to this encryption issue, but I hope whoever builds the official el9 version can use the latest which is currently https://www.thunderbird.net/en-US/thunderbird/102.4.1/releasenotes/ which will hopefully fix them. Cheers.

Comment 17 Jan Horak 2022-10-31 10:44:32 UTC

Kai thanks a lot, you've did a really nice work. Looking at the: https://searchfox.org/comm-central/source/third_party/rnp/moz.build#42 can I expect that BOTAN is still the used as crypto backend and to change that to openssl I need to patch the moz.build file to use CRYPTO_BACKEND_OPENSSL?

Comment 18 Kai Engert 2022-11-01 09:59:45 UTC

Yes, the patch I've provided is limited to porting esr102 to RNP v0.16.2

I have not made any changes to make it use OpenSSL, that's still a TODO for you.

Comment 19 Kai Engert 2022-11-01 10:00:44 UTC

Yes, that file seems like the right place to patch.

Comment 20 Jan Horak 2022-11-16 14:36:56 UTC

We've rather decided to use openssl implementation of crypto ops in librnp than using sequioa, here are builds for the testing:
https://xhorak.fedorapeople.org/thunderbird-102.4.0-1.el8_6.x86_64.rpm
https://xhorak.fedorapeople.org/thunderbird-102.4.0-1.el9_0.x86_64.rpm

Comment 21 Kai Engert 2022-11-16 17:37:20 UTC

Is it just me, or is the download site from comment 20 very slow for everyone? I get 6 KB/s download speed, estimated more than 4 hours to download.

Comment 22 Kai Engert 2022-11-16 17:56:35 UTC

Never mind, I was able to download from a different network, which was faster.
I have installed the el9 package from comment 20 on CentOS 9 stream, and I was able to use OpenPGP key generation, encrypting, decrypting and signing OpenPGP email.
This is the first time I've actually tried Thunderbird with RNP and OpenSSL. I'm glad to see it working.

Comment 23 Jan Horak 2022-11-21 13:11:55 UTC

Looks like RHEL 7.9 has too old openssl version:
0:03.67 Determining librnp version from version.h.
0:03.68 checking for openssl > 1.1.1... no
0:03.68 WARNING: Requested 'openssl > 1.1.1' but version of OpenSSL is 1.0.2k
0:03.68 Checking for OpenSSL >= 1.1.1
0:03.68 ERROR: OpenSSL not found. Must be locatable with pkg-config or use --with-openssl.

dbelyavs: can we do something about it? Is the newer openssl available in rhel 7.9 in some different way?

Comment 24 David 2022-11-22 16:12:03 UTC

I just updated to RHEL 9.1, the current Thunderbird version is 102.5.0 and is still broken. Is there a link for a new working 102.5.0 el9_1 build for testing? Cheers!

Comment 25 Tomas Popela 2022-12-15 11:09:05 UTC

The support for OpenGPG in Thunderbird on RHEL 9 was implemented by enabling the OpenSSL backend for the RNP. It will be available in Thunderbird 102.6 builds that should be available in following days.

Note You need to log in before you can comment on or make changes to this bug.