[snap] thunderbird cannot sign messages with external gnupg

Bug #2009825 reported by elodg
This bug affects 7 people
Affects: thunderbird (Ubuntu)
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Thunderbird supports smartcards through the external GnuPG option: https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards. However, the snap package cannot sign outgoing messages this way and errors out.
Works (apt list): thunderbird/jammy-updates,jammy-security,now 1:102.7.1+build2-0ubuntu0.22.04.1 amd64 [installed]
Does not work (snap list): thunderbird 102.8.0-2 297 latest/stable canonical✓ -

I don't know if this is an expected consequence of the sandboxed environment, but I could not find the error reported anywhere else.

To reproduce:
Set mail.openpgp.allow_external_gnupg to true.
Add external key in account settings. Key is found and set.
Compose empty e-mail message to self, tick Digitally Sign option.

Result:
Message fails to send.

Error console output:
Found 6 public keys and 0 secret keys (0 protected, 0 unprotected) RNPLib.jsm:541:15
Successfully loaded optional OpenPGP library libgpgme.so.11 from system's standard library locations GPGMELib.jsm:69:13
gpgme version: 1.13.1-unknown GPGMELib.jsm:241:15
services.settings: Failed to load last_modified.json: TypeError: NetworkError when attempting to fetch resource. Utils.jsm:330
Trying to load /snap/thunderbird/297/libotr.so OTRLib.jsm:64:11
Successfully loaded OTR library /snap/thunderbird/297/libotr.so OTRLib.jsm:72:13
Loading failed for the <script> with source “https://start.thunderbird.net/media/js/common-bundle.js”. release:9:1
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. MsgComposeCommands.js:10587:14
NS_ERROR_NOT_AVAILABLE: PreferDisplayName: undefined - not a boolean 2 AddrBookCard.jsm:364
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. INBOX>9395
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. blank
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. MsgComposeCommands.js:10587:14
in getEncryptionFlags, gSendEncrypted=true, gSendSigned=true enigmailMsgComposeOverlay.js:1542:13
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. MimeMessageUtils.jsm:148:23
getCryptParams parameters: from=0xA96471A292DD7449, to=<email address>, bcc=, hash=SHA256, flags=53441, ascii=0, errorObj=
Object { value: "" }
 , logObj=
Object { }
encryption.jsm:73:13
getCryptParams, got: to=<email address>, bcc= encryption.jsm:113:13
getCryptParams returning: encryption.jsm:190:13
Object { sender: "0xA96471A292DD7449", sign: true, signatureHash: "SHA256", sigTypeClear: false, sigTypeDetached: true, encrypt: false, encryptToSender: false, armor: true, senderKeyIsExternal: true, to: (1) […], … }
encryption.jsm:191:13
sendFlags=0000d0c1 encryption.jsm:456:13
Error: failure in finishCryptoEncapsulation, exitCode: -1
    finishCryptoEncapsulation chrome://openpgp/content/modules/mimeEncrypt.jsm:580
    createMessageFile resource:///modules/MimeMessage.jsm:86
mimeEncrypt.jsm:597:15
mailnews.send:
Exception { name: "NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS", message: "[JavaScript Error: \"failure in finishCryptoEncapsulation, exitCode: -1\" {file: \"chrome://openpgp/content/modules/mimeEncrypt.jsm\" line: 580}]'[JavaScript Error: \"failure in finishCryptoEncapsulation, exitCode: -1\" {file: \"chrome://openpgp/content/modules/mimeEncrypt.jsm\" line: 580}]' when calling method: [nsIMsgComposeSecure::finishCryptoEncapsulation]", result: 2153185313, filename: "resource:///modules/MimeMessage.jsm", lineNumber: 86, columnNumber: 0, data: XPCWrappedNative_NoHelper, stack: "createMessageFile@resource:///modules/MimeMessage.jsm:86:27\n", location: XPCWrappedNative_NoHelper }
MessageSend.jsm:130:27
mailnews.send: Sending failed; , exitCode=2153185313, originalMsgURI= MessageSend.jsm:335:27
mimeEncrypt.js: caught exception: Error
Message: 'failure in finishCryptoEncapsulation, exitCode: -1'
File: chrome://openpgp/content/modules/mimeEncrypt.jsm
Line: 580
Stack: finishCryptoEncapsulation@chrome://openpgp/content/modules/mimeEncrypt.jsm:580:15
createMessageFile@resource:///modules/MimeMessage.jsm:86:27

Error: failure in finishCryptoEncapsulation, exitCode: -1 mimeEncrypt.jsm:580:15
1678360923822 Toolkit.Telemetry WARN TelemetryStorage::_enforceArchiveQuota - Unable to find the size of ping 77548c81-37cf-41ee-9fb9-ac2aa911df11

Tags: jammy snap
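A triage helper for the error console output in the description above, added here as an example (it is not part of the bug report or of Thunderbird's code). It reads only log lines of the kind quoted in the report and tells whether a signing failure happened on the external GnuPG (GPGME) path or on the internal RNP keyring; the category strings are made up for this example, and it does not identify the root cause inside the snap.

```python
import re

# Excerpt of the console output quoted in the report; the "Object { ... }"
# line is shortened to the fields this example reads.
SAMPLE_LOG = """\
Found 6 public keys and 0 secret keys (0 protected, 0 unprotected) RNPLib.jsm:541:15
Successfully loaded optional OpenPGP library libgpgme.so.11 from system's standard library locations GPGMELib.jsm:69:13
gpgme version: 1.13.1-unknown GPGMELib.jsm:241:15
Object { sender: "0xA96471A292DD7449", sign: true, signatureHash: "SHA256", senderKeyIsExternal: true }
Error: failure in finishCryptoEncapsulation, exitCode: -1 mimeEncrypt.jsm:580:15
"""

PATTERNS = {
    "rnp_secret_keys": re.compile(r"Found \d+ public keys and (\d+) secret keys"),
    "gpgme_loaded": re.compile(r"Successfully loaded optional OpenPGP library (\S+)"),
    "gpgme_version": re.compile(r"gpgme version: (\S+)"),
    "sender_external": re.compile(r"senderKeyIsExternal: (true|false)"),
    "crypto_exit": re.compile(r"failure in finishCryptoEncapsulation, exitCode: (-?\d+)"),
}


def extract(log):
    """Return the first captured value for each pattern found in the log."""
    facts = {}
    for line in log.splitlines():
        for name, rx in PATTERNS.items():
            match = rx.search(line)
            if match and name not in facts:
                facts[name] = match.group(1)
    return facts


def triage(log):
    """Classify a send failure by which OpenPGP backend the sender key uses."""
    facts = extract(log)
    if "crypto_exit" not in facts:
        return "no-signing-failure"
    if facts.get("sender_external") == "true":
        # Key is held by external GnuPG, so 0 secret keys in RNP is expected.
        if "gpgme_loaded" not in facts:
            return "external-key: GPGME library not loaded"
        return "external-key: GPGME loaded, signing via external GnuPG failed"
    if facts.get("rnp_secret_keys") == "0":
        return "internal-key: no secret key in RNP keyring"
    return "internal-key: signing failed"


if __name__ == "__main__":
    print(extract(SAMPLE_LOG))
    print(triage(SAMPLE_LOG))
```
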
Revision history for this message
elodg (generic-r) wrote :
Paul White (paulw2u)
tags: added: jammy snap
elodg (generic-r)
description: updated
Luci Stanescu (lucistanescu) wrote :

If this is of any help, I've documented the issues that preclude this from working in the snapcraft forum, at https://forum.snapcraft.io/t/thunderbird-snap-and-external-gnupg-for-smart-cards/39553. Unfortunately, the enigmail logging is not terribly useful and nor is the debug log from GPGme.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in thunderbird (Ubuntu):
status: New → Confirmed
Giovanni Rito Russo (tigernero79) wrote :

Ubuntu 24.04 LTS now manages Thunderbird with only the snap package. This makes it impossible to use OpenPGP private keys stored on tokens like YubiKey, because even activating the "mail.openpgp.allow_external_gnupg" option in the snap package has no effect, whereas it works with the Thunderbird deb package. In practice it does not recall the GnuPG keys stored in Ubuntu. Is there any way to fix this bug?

summary: - snap thunderbird cannot sign messages with external gnupg
+ [snap] thunderbird cannot sign messages with external gnupg
Giovanni Rito Russo (tigernero79) wrote :

Sorry, are you telling me that setting the option "mail.openpgp.allow_external_gnupg" to true in the Thunderbird snap is useless? And that therefore YubiKey 5, YubiKey 5C and similar tokens that have OpenPGP functions can no longer be used with Thunderbird, since Ubuntu 24.04 does not allow installation of deb packages but only snap? How can we do it? I would like to point out that Thunderbird deb packages work with external GnuPG and therefore managed to correctly recall the private key on the token.
Is it possible that when there is something that works you delete it?

Sebastien Bacher (seb128) wrote :

Thanks for the details, it does sound like an issue with the snap confinement that we should work on resolving indeed.

Changed in thunderbird (Ubuntu):
importance: Undecided → High
alt (jj1lfc) wrote :

I'm also stuck with Ubuntu 24.04 Thunderbird from snap.
I hope it's solved soon.

I tried other installation methods (binary and flatpak) but neither succeeded.
Should I go to bugzilla.mozilla.org? Or has anyone experienced the same? I can't find one.

GRR (tigernero) wrote :

Same situation as "L"

Is it possible that in the snap package we can't interface with GnuPG?

Those who professionally use the OpenPGP/GPG standard use physical tokens (see Yubico), which unfortunately your system does not recognize. The tokens worked by interfacing with gpg; this worked with the deb package, but with snap things are broken.

Given that you have put high priority but still nothing, is there any hope of resolution?

eviljoel (eviljoel-t) wrote :

A workaround for some of you might be to use Thunderbird's official Linux binary from: https://www.thunderbird.net/en-US/download/. It doesn't use Apt or Snap, but it does self-update to avoid security issues. That said, you don't get the security sandboxing of Snap.

Douglas E Engert (dengert) wrote :

Also see https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632 as Firefox and Thunderbird with smartcards use PCSC and have the same snap issue.
