https://wiki.mozilla.org/api.php?action=feedcontributions&user=Arvidt&feedformat=atomMozillaWiki - User contributions [en]2024-03-28T14:45:59ZUser contributionsMediaWiki 1.27.4https://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Aliases&diff=1240580Thunderbird:OpenPGP:Aliases2022-02-14T20:45:34Z<p>Arvidt: configure and enable an alias file: Little Better text formatting and better text structure.</p>
<hr />
<div>This page documents the OpenPGP recipient alias feature, which has been available since Thunderbird release 78.9.1.<br />
<br />
In its default configuration, Thunderbird can send encrypted email using OpenPGP if you have the recipient's public key, you have accepted the public key for use, and a user ID in the public key matches the recipient's email address.<br />
<br />
The alias feature allows you to send email using any OpenPGP public key that is technically acceptable to Thunderbird's OpenPGP engine, regardless of the user IDs contained in the public key.<br />
<br />
Initially, no user interface is provided for managing the aliases; you must manually edit a text file in the JSON file format.<br />
<br />
An alias can be defined for a specific email address (higher priority), or for all email addresses of a domain (lower priority, used if no alias is defined that exactly matches a recipient's email address). If neither an email alias nor a domain alias is found for a recipient email address, then Thunderbird will perform the regular lookup by user ID for an accepted key.<br />
<br />
Alias keys can be specified by 16-character ID or by full fingerprint. All public keys defined by an alias must be available, not expired, not revoked, and support encryption. Public keys will be used even if they are still in the undecided state; the listing in the alias file is considered an override for the usual acceptance requirement. However, public keys that are marked as rejected cannot be used. If a problem is found with any key defined in an alias, using the alias and sending the message is prevented. Problems with aliases are logged to the Thunderbird error console.<br />
<br />
To enable the use of aliases, you must manually create a text file, and must configure Thunderbird to use the file.<br />
<br />
To configure and enable an alias file, open preferences, config editor. Set preference <tt>mail.openpgp.alias_rules_file</tt> to the name of a file that you have manually copied to the profile directory. Enter the filename without a path (e.g. <tt>openpgp_alias_to_keys.json</tt>, no <tt>/</tt> or <tt>\\</tt> characters are allowed). To use a file that is stored elsewhere on your system, you may enter a full <tt>file://</tt> URL. Set preference <tt>mail.openpgp.alias_rules_file</tt> to an empty string (default) to disable the use of aliases.<br />
<br />
Note that at this time the file will be read by Thunderbird, but not modified. If a future version of Thunderbird adds a user interface to edit alias rules, it will overwrite the file.<br />
<br />
The file that you manually edit must follow this structure:<br />
<br />
 {<br />
   "description": "Thunderbird OpenPGP Alias Rules",<br />
   "rules": [<br />
     {<br />
       "domain": "domain1.example.com",<br />
       "keys": [<br />
         {<br />
           "description": "Catch-all for domain1.example.com",<br />
           "fingerprint": "EB85BB5FA33A75E15E944E63F231550C4F47E38E"<br />
         }<br />
       ]<br />
     },<br />
     {<br />
       "domain": "domain2.example.com",<br />
       "keys": [<br />
         {<br />
           "description": "domain2.example.com folks",<br />
           "fingerprint": "D1A66E1A23B182C9980F788CFBFCC82A015E7330"<br />
         }<br />
       ]<br />
     },<br />
     {<br />
       "email": "list@domain1.example.com",<br />
       "keys": [<br />
         {<br />
           "description": "John",<br />
           "fingerprint": "D1A66E1A23B182C9980F788CFBFCC82A015E7330"<br />
         },<br />
         {<br />
           "description": "Eve",<br />
           "id": "F231550C4F47E38E"<br />
         }<br />
       ]<br />
     }<br />
   ]<br />
 }<br />
<br />
Note that descriptions are optional.<br />
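<br />
As an added example (not Thunderbird's own code), the following JavaScript checks an alias file against the structure above and resolves a recipient in the documented order: exact email rule first, then domain rule, otherwise no alias. It assumes that a full fingerprint is 40 hex digits (a v4 key, whose key ID is the last 16 digits), that matching is case-insensitive and on the exact domain, and that each rule carries exactly one of "email" or "domain"; the function names are hypothetical.<br />

```javascript
// Added example, not Thunderbird's code: check an alias rules file offline
// before setting mail.openpgp.alias_rules_file to it.

// Constructed sample input: the structure shown on this page.
const SAMPLE_RULES = JSON.stringify({
  description: "Thunderbird OpenPGP Alias Rules",
  rules: [
    { domain: "domain1.example.com",
      keys: [{ description: "Catch-all for domain1.example.com",
               fingerprint: "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }] },
    { domain: "domain2.example.com",
      keys: [{ fingerprint: "D1A66E1A23B182C9980F788CFBFCC82A015E7330" }] },
    { email: "list@domain1.example.com",
      keys: [{ description: "John",
               fingerprint: "D1A66E1A23B182C9980F788CFBFCC82A015E7330" },
             { description: "Eve", id: "F231550C4F47E38E" }] },
  ],
});

const KEY_ID = /^[0-9A-F]{16}$/i;      // 16-character key ID
const FINGERPRINT = /^[0-9A-F]{40}$/i; // assumption: v4 fingerprint, 40 hex digits
const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Return a list of problems found in the rules text; an empty list means
// the file is well-formed. Key state (expired, revoked, rejected) is only
// known to Thunderbird's key store and is not checked here.
function validateAliasRules(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    return ["not valid JSON: " + e.message];
  }
  if (!isObject(doc) || !Array.isArray(doc.rules)) {
    return ['top level must be an object with a "rules" array'];
  }
  const problems = [];
  doc.rules.forEach((rule, i) => {
    const where = "rules[" + i + "]";
    if (!isObject(rule)) {
      problems.push(where + ": not an object");
      return;
    }
    const hasEmail = typeof rule.email === "string";
    const hasDomain = typeof rule.domain === "string";
    if (hasEmail === hasDomain) {
      problems.push(where + ': needs exactly one of "email" or "domain"');
    }
    if (hasEmail && !rule.email.includes("@")) {
      problems.push(where + ': "email" is not an address');
    }
    if (hasDomain && rule.domain.includes("@")) {
      problems.push(where + ': "domain" must not contain "@"');
    }
    if (!Array.isArray(rule.keys) || rule.keys.length === 0) {
      problems.push(where + ': "keys" must be a non-empty array');
      return;
    }
    rule.keys.forEach((key, j) => {
      const k = where + ".keys[" + j + "]";
      if (!isObject(key)) {
        problems.push(k + ": not an object");
      } else if (typeof key.fingerprint === "string") {
        if (!FINGERPRINT.test(key.fingerprint)) {
          problems.push(k + ': "fingerprint" is not 40 hex digits');
        }
      } else if (typeof key.id === "string") {
        if (!KEY_ID.test(key.id)) {
          problems.push(k + ': "id" is not 16 hex digits');
        }
      } else {
        problems.push(k + ': needs "fingerprint" or "id"');
      }
    });
  });
  return problems;
}

// Normalise a key entry to its 16-digit key ID (last 16 hex digits of a
// v4 fingerprint), so both ways of naming a key can be compared.
function keyIdOf(key) {
  return (key.fingerprint || key.id).toUpperCase().slice(-16);
}

// Resolve a recipient against validated rules: exact email rule first,
// then domain rule; "none" means the regular user-ID lookup applies.
function resolveAlias(rules, recipient) {
  const addr = recipient.trim().toLowerCase();
  const at = addr.lastIndexOf("@");
  if (at < 0) {
    return { match: "none", keyIds: [] };
  }
  const domain = addr.slice(at + 1);
  const byEmail = rules.find(
    (r) => typeof r.email === "string" && r.email.toLowerCase() === addr);
  const byDomain = rules.find(
    (r) => typeof r.domain === "string" && r.domain.toLowerCase() === domain);
  const rule = byEmail || byDomain;
  if (!rule) {
    return { match: "none", keyIds: [] };
  }
  return { match: byEmail ? "email" : "domain", keyIds: rule.keys.map(keyIdOf) };
}
```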
<br />
After you have provided the alias configuration, you may test it in the following way:<br />
<br />
Start to compose a new message. Enter a recipient that should match one of your alias definitions. Ensure OpenPGP is selected as the technology for this message. Click the security button, to view the message security info.<br />
<br />
Look for a line that contains the recipient email address that you expect to match your alias rule. If a problem was found, the status should be shown as "Alias Problem". If the alias was found to work, you'll see status "a -> b" to indicate that the address will be mapped to something else.<br />
<br />
If it doesn't work as expected, open the error console (Menu Tools, Web Developer); it might contain additional information.<br />
<br />
If you would like to test that the correct keys are used, you may do so without actually sending the message. Use the menu command File / Send later. Then check your local folders, Outbox. Look for the message you have just prepared. Select it, click the OpenPGP icon, and look at the recipient encryption keys. This allows you to check which keys will be used for encryption.<br />
<br />
See also https://bugzilla.mozilla.org/show_bug.cgi?id=1644085<br />
<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1240247Thunderbird:OpenPGP2022-01-27T05:16:17Z<p>Arvidt: Revert adding category Thunderbird:Debugging as this category does not exist</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
<br />
This page lists resources, discussion venues, and plans related to [https://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP] messaging with Thunderbird.<br />
<br />
== Background ==<br />
Prior to Thunderbird version 78.x, the Enigmail Add-On provided OpenPGP encrypted messaging, which required the use of external GnuPG software.<br />
<br />
Thunderbird 78 includes OpenPGP functionality, and no longer requires the installation of external software.<br />
<br />
This improvement is necessary, because Enigmail cannot be used with Thunderbird 78, except to facilitate the migration of existing keys.<br />
<br />
If you are a previous user of Enigmail, please read [[Thunderbird:OpenPGP:Migration-From-Enigmail | How does Thunderbird's OpenPGP implementation differ from Enigmail?]]<br />
<br />
== HOWTO and FAQ ==<br />
<br />
See Mozilla's support [https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq OpenPGP in Thunderbird - HOWTO and FAQ] knowledge base article.<br />
<br />
== Development Status ==<br />
<br />
* Thunderbird 78.0 release - OpenPGP functionality is experimental, and disabled by default.<br />
* <strike>'''[https://mail.mozilla.org/pipermail/tb-planning/2020-May/007627.html It is hoped to be stable in 78.2] - until then Enigmail users should not attempt to update to 78 until an automatic update occurs.'''</strike> <br />
* Thunderbird 78.2.1 release, August 29, 2020 - OpenPGP is enabled by default (mail.openpgp.enable=true), and the enigmail add-on changed to migrate users to OpenPGP https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/<br />
** See also our [https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ initial announcement] and the [[Thunderbird:OpenPGP:2020 | detailed description from October 2019]].<br />
* Post Thunderbird 78.3 - fixes and improvements<br />
** Experimental support for [[Thunderbird:OpenPGP:Smartcards | smartcard secret key operations]] (no public key operations) is under development.<br />
<br />
See the tb-planning list archive for [https://mail.mozilla.org/pipermail/tb-planning/2019-December/thread.html answers to some commonly asked questions].<br />
<br />
A [https://www.youtube.com/watch?v=zwmPwcC2Ie4 presentation] was given about the development of integrated OpenPGP support as part of the [[Thunderbird/2020_Virtual_Summit | Thunderbird Virtual Summit 2020]].<br />
<br />
== Discussion ==<br />
<br />
'''To help with testing, or for help in using Thunderbird's OpenPGP, please post in [https://thunderbird.topicbox.com/groups/e2ee e2ee topicbox]. Or chat at Matrix: #openpgp:mozilla.org'''<br />
<br />
Please report bugs at [https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Security%3A%20OpenPGP Bugzilla, product MailNews Core, component Security: OpenPGP]. (You need to register an account to access that link.)<br />
<br />
To discuss policy aspects of Thunderbird's OpenPGP, please post to the [https://mail.mozilla.org/listinfo/tb-planning public tb-planning mailing list].<br />
<br />
== Open issues and TODO list ==<br />
<br />
The best way to see our progress and open issues is to [https://bugzilla.mozilla.org/buglist.cgi?list_id=15255496&component=Security%3A%20OpenPGP&query_format=advanced run a Bugzilla query].<br />
<br />
In addition, we have a high level [[Thunderbird:OpenPGP:Status | overview of items that have already been worked on, and which are still ToDo]] (might be outdated).<br />
<br />
== Debugging / Tracing ==<br />
<br />
If you run into a problem, the following mechanisms can provide additional information that may help you, or the Thunderbird developers when you report the problem, to analyze the cause.<br />
<br />
=== Error Console ===<br />
The simplest is to open the Thunderbird Error Console. You can open it from the menu Tools→Developer Tools→Error Console. Messages shown in red are of particular interest.<br />
<br />
=== OpenPGP log ===<br />
To view some details about the processing of messages, you may set a preference in Thunderbird:<br />
* Open menu Edit→Preferences→General, find the Config Editor.<br />
* Add a new preference of the name <code>temp.openpgp.logDirectory</code> and set it to a string value, which must be the full name of a temporary directory, for example on Linux or macOS you could use value <code>/tmp/</code>.<br />
* Restart Thunderbird.<br />
* Thunderbird will write messages to a file named <code>enigdbug.txt</code> in the set directory.<br />
The log will have a lot of information, most of which is harmless or not interesting. But it may contain clues about the cause of a problem.<br />
<br />
=== Enigmail 2.2.x Add-on log ===<br />
If you're trying to analyze a problem in the migration process that is performed by the Enigmail 2.2.x Add-on, please set the additional preference <code>extensions.enigmail.logDirectory</code> - it must also be set to a directory, but that must be a different directory than the one for OpenPGP log. For example, create a directory named <code>/tmp/enig22</code> and set <code>extensions.enigmail.logDirectory</code> to string value <code>/tmp/enig22</code>. If you set both variables, then two separate debug log files will be created, both named <code>enigdbug.txt</code>.<br />
<br />
=== RNP log ===<br />
Advanced users may attempt to view internal error messages produced by the OpenPGP cryptographic engine that Thunderbird uses (the RNP library). To do so:<br />
* Set the environment variable called <code>RNP_LOG_CONSOLE</code>, e.g. in a Linux terminal you could do that using the command <code>export RNP_LOG_CONSOLE=1</code>.<br />
* Then you must start Thunderbird from within that terminal window, to ensure that it will see the environment variable that you have set.<br />
<br />
== Testing ==<br />
<br />
If you are running 78.x and have the previous Enigmail Add-on installed, then Enigmail will update to version 2.2.x, which is a minimal release that helps you to migrate the keys and settings to Thunderbird 78.<br />
<br />
If you haven't used Enigmail previously, you can enable OpenPGP for an email account in account settings.<br />
<br />
If you want to help with testing, see the [[#Discussion|discussion area]] above.<br />
<br />
For advanced users: [[Thunderbird:OpenPGP:Test-Builds | testing experimental builds]].<br />
<br />
[[category:Thunderbird|*]]<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1240246Thunderbird:OpenPGP2022-01-27T05:13:51Z<p>Arvidt: Add category tag Thunderbird:Debugging</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
[[Category:Thunderbird_OpenPGP]]<br />
[[Category:Thunderbird:Debugging]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:Debugging&diff=1240245Thunderbird:Debugging2022-01-27T05:12:35Z<p>Arvidt: Add section OpenPGP Debugging / Tracing</p>
<hr />
<div><small>[[Thunderbird/Development|<< Back to Thunderbird Dev Page]]</small><br />
<br><small>[[Thunderbird:Bug_Triage|<< Back to Thunderbird Bug Triage Page]]</small><br />
<br />
= Basic Debugging =<br />
<br />
The basic debugging techniques only require a release build of Thunderbird. Developers often ask for logs and other items when they can't reproduce a bug. Adding such information to a bug report can greatly help the developers to find and fix a bug.<br />
<br />
== Protocol Errors ==<br />
<br />
If a bug looks like it's a problem in communicating with the appropriate server, then one of the following forms of logging can be used to generate logs of Thunderbird's attempted communications with the server:<br />
<br />
* [[MailNews:Logging]]<br />
* [http://wiki.mozilla.org/MailNews:LDAP_Address_Books#LDAP_Logging LDAP Logging]<br />
<br />
== OpenPGP ==<br />
[[Thunderbird:OpenPGP#Debugging_.2F_Tracing|OpenPGP Debugging / Tracing]]<br />
<br />
[[category:Thunderbird|*]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:Debugging&diff=1240244Thunderbird:Debugging2022-01-27T05:05:40Z<p>Arvidt: Remove section "Advanced Debugging" as it only contains three dead links</p>
<hr />
<div><small>[[Thunderbird/Development|<< Back to Thunderbird Dev Page]]</small><br />
<br><small>[[Thunderbird:Bug_Triage|<< Back to Thunderbird Bug Triage Page]]</small><br />
<br />
= Basic Debugging =<br />
<br />
The basic debugging techniques only require a release build of Thunderbird. Developers often ask for logs and other items when they can't reproduce a bug. Adding such information to a bug report can greatly help the developers to find and fix a bug.<br />
<br />
== Protocol Errors ==<br />
<br />
If a bug looks like it's a problem in communicating with the appropriate server, then one of the following forms of logging can be used to generate logs of Thunderbird's attempted communications with the server:<br />
<br />
* [[MailNews:Logging]]<br />
* [http://wiki.mozilla.org/MailNews:LDAP_Address_Books#LDAP_Logging LDAP Logging]<br />
<br />
[[category:Thunderbird|*]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1238336Thunderbird:OpenPGP2021-10-10T05:45:38Z<p>Arvidt: Remove obsolete information about how to manually activate OpenPGP support</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1233704Thunderbird:OpenPGP2021-02-11T20:57:50Z<p>Arvidt: /* HOWTO and FAQ */ slightly more verbose link</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
<br />
This page lists resources, discussion venues, and plans related to [https://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP] messaging with Thunderbird.<br />
<br />
== Background ==<br />
Previously, until Thunderbird version 68.x, the Enigmail Add-On provided OpenPGP encrypted messaging, which required the use of external GnuPG software.<br />
<br />
Soon, Thunderbird will include OpenPGP functionality, and will no longer require the installation of external software.<br />
<br />
This improvement is necessary, because Enigmail cannot be used with Thunderbird 78, except for key migration purposes.<br />
<br />
If you are a previous user of Enigmail, please read [[Thunderbird:OpenPGP:Migration-From-Enigmail | How does Thunderbird's OpenPGP implementation differ from Enigmail?]]<br />
<br />
== HOWTO and FAQ ==<br />
<br />
See Mozilla's support [https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq OpenPGP in Thunderbird - HOWTO and FAQ] knowledge base article.<br />
<br />
== Development Status ==<br />
<br />
As of the Thunderbird 78.0 release, the OpenPGP functionality is experimental, and disabled by default.<br />
<br />
'''[https://mail.mozilla.org/pipermail/tb-planning/2020-May/007627.html It is hoped to be stable in 78.2] - until then Enigmail users should not attempt to update to 78 until an automatic update occurs.''' <br />
<br />
See also our [https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ initial announcement] and the [[Thunderbird:OpenPGP:2020 | detailed description from October 2019]].<br />
<br />
See the tb-planning list archive for [https://mail.mozilla.org/pipermail/tb-planning/2019-December/thread.html answers to some commonly asked questions].<br />
<br />
A [https://www.youtube.com/watch?v=zwmPwcC2Ie4 presentation] was given about the development of integrated OpenPGP support as part of the [[Thunderbird/2020_Virtual_Summit | Thunderbird Virtual Summit 2020]].<br />
<br />
Experimental support for [[Thunderbird:OpenPGP:Smartcards | smartcard secret key operations]] (no public key operations) is under development.<br />
<br />
== Testing ==<br />
<br />
'''If you use OpenPGP for non-critical purposes''', then you are welcome to enable it manually and help with testing.<br />
<br />
To enable it in Thunderbird 78.0, use the config editor and change the value of preference '''mail.openpgp.enable''' to true, then restart Thunderbird.<br />
<br />
If you are running 78.x and have the previous Enigmail Add-on installed, then Enigmail will update to version 2.2.x, which is a minimal release that helps you to migrate the keys and settings to Thunderbird 78.<br />
<br />
If you haven't used Enigmail previously, you can enable OpenPGP for an email account in account settings.<br />
<br />
If you want to help with testing see the [[#Discussion|discussion area]] below.<br />
<br />
For advanced users: [[Thunderbird:OpenPGP:Test-Builds | testing experimental builds]].<br />
<br />
== Discussion ==<br />
<br />
'''To help with testing, or for help in using Thunderbird's OpenPGP, please post in [https://thunderbird.topicbox.com/groups/e2ee e2ee topicbox]. Or chat at Matrix: #openpgp:mozilla.org'''<br />
<br />
Please report bugs at [https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Security%3A%20OpenPGP Bugzilla, product MailNews Core, component Security: OpenPGP]. (You need to register an account to access that link.)<br />
<br />
To discuss policy aspects of Thunderbird's OpenPGP, please post to the [https://mail.mozilla.org/listinfo/tb-planning public tb-planning mailing list].<br />
<br />
== Open issues and TODO list ==<br />
<br />
The best way to see our progress and open issues is to [https://bugzilla.mozilla.org/buglist.cgi?list_id=15255496&component=Security%3A%20OpenPGP&query_format=advanced run a Bugzilla query].<br />
<br />
In addition, we have a high level [[Thunderbird:OpenPGP:Status | overview of items that have already been worked on, and which are still ToDo]] (might be outdated).<br />
<br />
== Debugging / Tracing ==<br />
<br />
If you run into a problem, the following mechanisms can provide additional information. It may help you, or the Thunderbird developers when you report the problem, to analyze the cause.<br />
<br />
=== Error Console ===<br />
The simplest is to open the Thunderbird Error Console. You can open it from the menu Tools→Developer Tools→Error Console. Messages shown in red are of particular interest.<br />
<br />
=== OpenPGP log ===<br />
To view some details about the processing of messages, you may set a preference in Thunderbird:<br />
* Open menu Edit→Preferences→General, find the Config Editor.<br />
* Add a new preference of the name <code>temp.openpgp.logDirectory</code> and set it to a string value, which must be the full name of a temporary directory, for example on Linux or macOS you could use value <code>/tmp/</code>.<br />
* Restart Thunderbird.<br />
* Thunderbird will write messages to a file named <code>enigdbug.txt</code> in the set directory.<br />
The log will have a lot of information, most of which is harmless or not interesting. But it may contain clues about the cause of a problem.<br />
<br />
=== Enigmail 2.2.x Add-on log ===<br />
If you're trying to analyze a problem in the migration process that is performed by the Enigmail 2.2.x Add-on, please set the additional preference <code>extensions.enigmail.logDirectory</code> - it must also be set to a directory, but that must be a different directory than the one for OpenPGP log. For example, create a directory named <code>/tmp/enig22</code> and set <code>extensions.enigmail.logDirectory</code> to string value <code>/tmp/enig22</code>. If you set both variables, then two separate debug log files will be created, both named <code>enigdbug.txt</code>.<br />
<br />
=== RNP log ===<br />
Advanced users may attempt to view internal error messages produced by the OpenPGP cryptographic engine that Thunderbird uses (the RNP library). To do so:<br />
* Set the environment variable called <code>RNP_LOG_CONSOLE</code>, e.g. in a Linux terminal you could do that using the command <code>export RNP_LOG_CONSOLE=1</code>.<br />
* Then you must start Thunderbird from within that terminal window, to ensure that it will see the environment variable that you have set.<br />
<br />
[[category:Thunderbird|*]]<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1233703Thunderbird:OpenPGP2021-02-11T20:51:26Z<p>Arvidt: Added chapter "HOWTO and FAQ" with link to the according Mozilla Support Knowledge Base website</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
<br />
This page lists resources, discussion venues, and plans related to [https://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP] messaging with Thunderbird.<br />
<br />
== Background ==<br />
Previously, until Thunderbird version 68.x, the Enigmail Add-On provided OpenPGP encrypted messaging, which required the use of external GnuPG software.<br />
<br />
Soon, Thunderbird will include OpenPGP functionality, and will no longer require the installation of external software.<br />
<br />
This improvement is necessary, because Enigmail cannot be used with Thunderbird 78, except for key migration purposes.<br />
<br />
If you are a previous user of Enigmail, please read [[Thunderbird:OpenPGP:Migration-From-Enigmail | How does Thunderbird's OpenPGP implementation differ from Enigmail?]]<br />
<br />
== HOWTO and FAQ ==<br />
<br />
See [https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq OpenPGP in Thunderbird - HOWTO and FAQ]<br />
<br />
== Development Status ==<br />
<br />
As of the Thunderbird 78.0 release, the OpenPGP functionality is experimental, and disabled by default.<br />
<br />
'''[https://mail.mozilla.org/pipermail/tb-planning/2020-May/007627.html It is hoped to be stable in 78.2]. Until then, Enigmail users should not attempt to update to 78, and should wait until an automatic update occurs.''' <br />
<br />
See also our [https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ initial announcement] and the [[Thunderbird:OpenPGP:2020 | detailed description from October 2019]].<br />
<br />
See the tb-planning list archive for [https://mail.mozilla.org/pipermail/tb-planning/2019-December/thread.html answers to some commonly asked questions].<br />
<br />
A [https://www.youtube.com/watch?v=zwmPwcC2Ie4 presentation] was given about the development of integrated OpenPGP support as part of the [[Thunderbird/2020_Virtual_Summit | Thunderbird Virtual Summit 2020]].<br />
<br />
Experimental support for [[Thunderbird:OpenPGP:Smartcards | smartcard secret key operations]] (no public key operations) is under development.<br />
<br />
== Testing ==<br />
<br />
'''If you use OpenPGP for non-critical purposes''', then you are welcome to enable it manually and help with testing.<br />
<br />
To enable it in Thunderbird 78.0, use the config editor and change the value of preference '''mail.openpgp.enable''' to true, then restart Thunderbird.<br />
<br />
If you are running 78.x and have the previous Enigmail Add-on installed, then Enigmail will update to version 2.2.x, which is a minimal release that helps you to migrate the keys and settings to Thunderbird 78.<br />
<br />
If you haven't used Enigmail previously, you can enable OpenPGP for an email account in account settings.<br />
<br />
If you want to help with testing see the [[#Discussion|discussion area]] below.<br />
<br />
For advanced users: [[Thunderbird:OpenPGP:Test-Builds | testing experimental builds]].<br />
<br />
== Discussion ==<br />
<br />
'''To help with testing, or for help in using Thunderbird's OpenPGP, please post in [https://thunderbird.topicbox.com/groups/e2ee e2ee topicbox]. Or chat at Matrix: #openpgp:mozilla.org'''<br />
<br />
Please report bugs at [https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Security%3A%20OpenPGP Bugzilla, product MailNews Core, component Security: OpenPGP]. (You need to register an account to access that link.)<br />
<br />
To discuss policy aspects of Thunderbird's OpenPGP, please post to the [https://mail.mozilla.org/listinfo/tb-planning public tb-planning mailing list].<br />
<br />
== Open issues and TODO list ==<br />
<br />
The best way to see our progress and open issues is to [https://bugzilla.mozilla.org/buglist.cgi?list_id=15255496&component=Security%3A%20OpenPGP&query_format=advanced run a Bugzilla query].<br />
<br />
In addition, we have a high level [[Thunderbird:OpenPGP:Status | overview of items that have already been worked on, and which are still ToDo]] (might be outdated).<br />
<br />
== Debugging / Tracing ==<br />
<br />
If you run into a problem, the following mechanisms can provide additional information. It may help you, or the Thunderbird developers when you report the problem, to analyze the cause.<br />
<br />
=== Error Console ===<br />
The simplest is to open the Thunderbird Error Console. You can open it from the menu Tools→Developer Tools→Error Console. Messages shown in red are of particular interest.<br />
<br />
=== OpenPGP log ===<br />
To view some details about the processing of messages, you may set a preference in Thunderbird:<br />
* Open menu Edit→Preferences→General, find the Config Editor.<br />
* Add a new preference of the name <code>temp.openpgp.logDirectory</code> and set it to a string value, which must be the full name of a temporary directory, for example on Linux or macOS you could use value <code>/tmp/</code>.<br />
* Restart Thunderbird.<br />
* Thunderbird will write messages to a file named <code>enigdbug.txt</code> in the set directory.<br />
The log will have a lot of information, most of which is harmless or not interesting. But it may contain clues about the cause of a problem.<br />
<br />
=== Enigmail 2.2.x Add-on log ===<br />
If you're trying to analyze a problem in the migration process that is performed by the Enigmail 2.2.x Add-on, please set the additional preference <code>extensions.enigmail.logDirectory</code> - it must also be set to a directory, but that must be a different directory than the one for OpenPGP log. For example, create a directory named <code>/tmp/enig22</code> and set <code>extensions.enigmail.logDirectory</code> to string value <code>/tmp/enig22</code>. If you set both variables, then two separate debug log files will be created, both named <code>enigdbug.txt</code>.<br />
<br />
=== RNP log ===<br />
Advanced users may attempt to view internal error messages produced by the OpenPGP cryptographic engine that Thunderbird uses (the RNP library). To do so:<br />
* Set the environment variable called <code>RNP_LOG_CONSOLE</code>, e.g. in a Linux terminal you could do that using the command <code>export RNP_LOG_CONSOLE=1</code>.<br />
* Then you must start Thunderbird from within that terminal window, to ensure that it will see the environment variable that you have set.<br />
<br />
[[category:Thunderbird|*]]<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Test-Builds&diff=1233702Thunderbird:OpenPGP:Test-Builds2021-02-11T20:07:14Z<p>Arvidt: Added category Thunderbird_OpenPGP as agreed with Kai in Mozilla chat</p>
<hr />
<div>This page explains how to use experimental builds for testing the OpenPGP feature in Thunderbird.<br />
<br />
Please also refer to the [[Thunderbird:OpenPGP | primary OpenPGP in Thunderbird information page]].<br />
<br />
== Background / Precautions / Consequences ==<br />
<br />
Users who are looking for a stable experience with no surprises should only use the official Thunderbird releases. If an issue is not yet fixed in the releases, you'll have to wait for the fix to become available.<br />
<br />
If you are willing to experiment, there are several ways to do so, based on your experience and willingness to adopt.<br />
<br />
If any of the descriptions below seem complicated, then it's best to wait for the next official 78.x software update.<br />
<br />
While we're currently working towards the 78.2 release, the Thunderbird developers might offer experimental 78.x builds every few days, which include unreleased changes. The intention of these builds is to allow reporters of problems to verify if an issue has been correctly fixed.<br />
<br />
However, using these builds requires some skills.<br />
<br />
The way you obtain and use experimental builds differs from the usual way you obtain Thunderbird. You will not use an installation program. Instead, you'll download an archive, you'll have to extract the archive yourself, you'll have to know where the extracted folder is, and you'll have to know how to run the experimental Thunderbird from that folder.<br />
<br />
Thunderbird supports having multiple sets of configuration settings in parallel. This is called Profiles. If you're using an experimental build, the software might decide to automatically use a separate storage for the Thunderbird settings (a separate Profile). If you want to control which Profile is used when starting Thunderbird, you need to pass the command line parameter -P to Thunderbird. Additional information can be found in this support article: [https://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Test-Builds&action=edit Using Multiple Profiles].<br />
<br />
It is important to be aware of which Profile you are running and which software version you are using.<br />
<br />
If your primary Thunderbird version is still the stable 68.x version, and if you'd like to continue using 68.x, then you should NOT run an experimental 78.x build with the same profile.<br />
<br />
Similarly, if you are already using version 78 as your stable software version, and you'd like to continue to use the same profile with the stable 78.x versions, then you should NOT run any newer build like 79 Beta or 80 Nightly with the same profile.<br />
<br />
The reason for this recommendation is that, as soon as you have used a Profile once with a newer version, this Profile will remember that it has been upgraded to a newer version. Later attempts to use the same Profile again with an older software version will result in an error message at startup, and the refusal to start the old version.<br />
<br />
However, if you have already upgraded your primary Thunderbird to a 78.x version, and an experimental build is described as being a 78.x experimental, then it is safe to use it with the same Profile. However, it might still be necessary to use parameter -P to tell Thunderbird which Profile it should use.<br />
<br />
If you are an advanced user, and if you are willing to maintain separate Profiles for the stable and experimental versions, then you could use regular nightly builds or Beta builds. However, as a consequence, you'll have to perform all configuration steps in the experimental profile, and both profiles will have separate lists of keys and settings.<br />
<br />
== Builds ==<br />
<br />
After having said all of the above, below you can find the latest '''unofficial experimental 78.x build''':<br />
<br />
=== Experimental 78.x build from 2020-07-18 ===<br />
<br />
Ensure you're aware of the warnings above.<br />
<br />
Linux 64 bit: [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/KEkDACOWSuCUfc-Lvq9Aog/runs/0/artifacts/public/build/target.tar.bz2]<br />
macOS: [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/YPgxRUEBSsOQAOgF-O7hUA/runs/0/artifacts/public/build/target.dmg]<br />
Windows 64 bit: [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WhltrnUOSPmg029NSoraBA/runs/0/artifacts/public/build/target.zip]<br />
Info: [https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=66cb8d1364be3f6211d22ee75c052034db5f3e79]<br />
<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Status&diff=1233701Thunderbird:OpenPGP:Status2021-02-11T20:06:16Z<p>Arvidt: Added category Thunderbird_OpenPGP as agreed with Kai in Mozilla chat</p>
<hr />
<div>This page lists high level completion status for various work items related to Thunderbird's OpenPGP integration.<br />
<br />
This page might be out of date! Even if a feature is marked as done, it might only be an initial implementation that needs further improvement. The ToDo list is incomplete; it simply attempts to give an overview of what's on our current radar. More items will be added as development continues. See also the [https://bugzilla.mozilla.org/buglist.cgi?list_id=15252937&query_format=advanced&component=Security%3A%20OpenPGP&resolution=--- Bugzilla Query for open bugs].<br />
<br />
Last updated: 2020-07-13 for TB 78.0<br />
<br />
{| class="wikitable"<br />
|-<br />
! ToDo !! Done<br />
|-<br />
| <br />
<br />
'''-- planned for 78.x --'''<br />
<br />
* automatic scanning of received emails for potential correspondent keys<br />
<br />
* automated unit tests for the Thunderbird integration<br />
<br />
* test if we're vulnerable to known security attacks <br />
<br />
'''-- unknown schedule --'''<br />
<br />
* keyserver uploading<br />
<br />
* notify the user if their key will expire in the next months<br />
<br />
* sending an INLINE cleartext signed message without attachments (we don't intend to support sending other kinds of inline OpenPGP messages)<br />
<br />
* sign (certify) someone else's key if a key is marked as verified<br />
<br />
* Should strip keys (to minimize their size) when sending the user's own public key as an attachment<br />
<br />
* an option to disable subject encryption<br />
<br />
* performing secret key generation in a nicer way (currently the UI will block while the key generation is working)<br />
<br />
* an optional mode to automatically encrypt "if possible" without requiring the user to manually enable it for the individual message (if the user has accepted and valid keys for all recipients of a message)<br />
<br />
* actions for message filtering<br />
<br />
* automatic detection if a correspondent’s key has already been signed (certified) by one of the user’s secret keys (in this case, we should automatically give it acceptance status “verified”)<br />
<br />
* potentially consume and send autocrypt gossip information<br />
<br />
||<br />
<br />
'''-- done between 78.0.1 and 78.2.0 --'''<br />
<br />
* use better defaults for new key generation<br />
<br />
* shouldn't notify the user about attached key if the same key has already been imported<br />
<br />
* account preferences allow importing an existing key<br />
<br />
* modifying the expiration date of a key<br />
<br />
* importing revocations<br />
<br />
* ambiguity warning when more than one recipient key is available (e.g. unexpected / changed key)<br />
<br />
* automatic scanning of received emails for expiration changes and revocations<br />
<br />
* backup of secret keys<br />
<br />
* saving encrypted drafts<br />
<br />
* remembering encryption/signature configuration in a draft message<br />
<br />
* partially done: allow distributing sender's key with the autocrypt header mechanism (if sender key has a simple structure)<br />
<br />
* optional for advanced users: use a secret key that's stored on a gnupg smartcard (GPGME API) or managed by the Qubes OS Split GPG System, and use it for decrypting and signing a message<br />
<br />
'''-- done in 78.0 --'''<br />
<br />
* account preferences allow creating and configuring a key with a better UI, and viewing details of personal keys<br />
<br />
* migration of Enigmail settings -> NOT in Thunderbird, but provided by an updated Enigmail Add-on that performs migration only<br />
<br />
* reject messages with missing MDC<br />
<br />
* key import (only by manually exporting from gnupg, then importing the file in Thunderbird)<br />
<br />
* give feedback if key discovery got no result<br />
<br />
* better handling of importing keys, give feedback on failure<br />
<br />
* fix linux dependencies, support older distributions<br />
<br />
'''-- done in 77 or earlier --'''<br />
<br />
* integrated RNP library<br />
<br />
* internal key store in TB profile directory (not to be shared)<br />
<br />
* secret keys protected with an automatic passphrase, optionally protected using TB's master password<br />
<br />
* manually generating a new secret key (which automatically saves a revocation certificate and stores it in the user's profile directory)<br />
<br />
* manually importing secret keys from a backup file (e.g. one created by gnupg and exported using gpg --armor --export-secret-keys). The key needs to be unlocked at import time, and will be protected with a random password as described above<br />
<br />
* manually importing a public key from a file, or from an URL, or from an email attachment<br />
<br />
* end-to-end encryption preferences for an email account that covers both OpenPGP and S/MIME<br />
<br />
* sending of OpenPGP messages is configured by selecting the user's preferred OpenPGP key in account preferences (an appropriate key, with a matching email address, must have been manually imported already, or already have been generated inside TB)<br />
<br />
* message composition: selection of the encryption technology to be used (either S/MIME or OpenPGP) while composing a message<br />
<br />
* manually enabling encryption or digital signature while composing a message, and attaching your own public key<br />
<br />
* decryption and verification of received messages, including status icons for the encryption status and/or digital signature status<br />
<br />
* detailed message security info for received messages, open by clicking on status icon<br />
<br />
* a mechanism that allows the user to manually define the validity of a public key. We're (at least temporarily) using the term "Acceptance" for that, to indicate that it's a user decision, whether a key is accepted or not. Before TB will accept a correspondent's public key, it's necessary to use the "OpenPGP Key Manager", find the appropriate key and open the key details (either double-click, or select menu View / Key Properties, or press CTRL-I). In order to allow that a key is used for sending encrypted messages, one of the "Yes" choices needs to be selected. The choice is remembered inside TB's storage.<br />
<br />
* The signature status shown for a received message depends on the validity setting the user has made.<br />
<br />
* The key details view shows the full list of all certifications on the key, even those from keys which are unavailable (Enigmail filtered the list to only show certifications from available keys).<br />
<br />
* The key details view shows the structure of the key<br />
<br />
* send encrypted subject (on by default)<br />
<br />
* we automatically enable signing, if the user manually enables the encryption flag for an email (this automatism could be made configurable later)<br />
<br />
* we automatically attach the user's own public key, if signing is enabled<br />
<br />
* discoverable sender key that's attached using the autocrypt header mechanism, support to manual import of email <br />
<br />
* if unavailable, allow the user to start an Internet search (WKD and keys.openpgp.org) for the key a correspondent used to sign their message (necessary for verifying a signature)<br />
<br />
* allow the user to start an Internet search for a correspondent's key (WKD and keys.openpgp.org), using a popup menu command on from/to/cc entries when reading any email.<br />
<br />
* keyserver / WKD retrieval from within email composer<br />
<br />
* assistance to resolve missing recipient keys when composing an email<br />
<br />
* initial preparation for supporting GnuPG smartcards for secret key operations (decryption works, need to enable pref mail.openpgp.allow_external_gnupg)<br />
<br />
<br />
<br />
|-<br />
! end of ToDo !! end of Done<br />
|}<br />
<br />
{| class="wikitable"<br />
|-<br />
! Not Planned<br />
|-<br />
|<br />
* we don't intend to enable the encryption feature automatically, user needs to discover the feature and enable it on their own (by configuring their personal key)<br />
* we don't plan to automatically accept keys that we receive, regardless of mechanism. Users must accept keys of other people before they are used, to encourage them to verify their correctness.<br />
|-<br />
! end of Not Planned<br />
|}<br />
<br />
See also<br />
* [[Thunderbird:OpenPGP:2020 | initial vision for Thunderbird's OpenPGP integration]]<br />
* [[Thunderbird:OpenPGP | Main page for Thunderbird's OpenPGP integration]]<br />
<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Smartcards&diff=1233700Thunderbird:OpenPGP:Smartcards2021-02-11T20:05:09Z<p>Arvidt: Added category Thunderbird_OpenPGP as agreed with Kai in Mozilla chat</p>
<hr />
<div>[[Thunderbird:OpenPGP | Thunderbird's OpenPGP]] feature contains experimental support for using the secret key on a smartcard using GnuPG. Decryption and signing work with the 78.1 release, when enabled and configured according to these instructions.<br />
<br />
== How to use Thunderbird 78 with smartcards ==<br />
Thunderbird 78 does NOT use GnuPG by default. Instead, it uses the RNP library. The RNP library does NOT yet support the use of smartcards for secret keys.<br />
<br />
This means that, in the default configuration, Thunderbird does not support smartcards.<br />
However, using smartcards is possible using an optional, advanced configuration mechanism.<br />
<br />
If you'd like to use a smartcard with Thunderbird 78, you must perform several manual configuration steps.<br />
<br />
== Install GnuPG and GPGME ==<br />
You need to download and install GnuPG yourself. In addition, you must ensure the GPGME C library is installed in a corresponding version. You must ensure that Thunderbird 78 can find GPGME in the system library search path.<br />
<br />
== Install your smartcard ==<br />
You're responsible for installing all software that is required to use your Smartcard. You must use the appropriate tools to prepare your smartcard for use, for example, the card must contain an appropriate key pair. You must make note of the primary key ID of the smartcard's key that you'd like to use. It has 16 characters. It is the same as the last 16 characters of your primary key's fingerprint.<br />
<br />
== Allow the use of external GnuPG ==<br />
Use the Thunderbird config editor (found at the bottom of preferences/options), and search for '''mail.openpgp.allow_external_gnupg'''. Switch the value to true.<br />
<br />
Enabling this preference will cause Thunderbird to attempt to decrypt a message using GnuPG, whenever RNP fails to decrypt a message with the secret keys that are available inside Thunderbird's key storage.<br />
<br />
Enabling this preference is also required for the remaining settings described on this page.<br />
<br />
== Qubes split GPG configuration ==<br />
The Qubes OS offers a mechanism to store your GPG keys in a separate VM. This is similar to using a smartcard, and Thunderbird 78 supports it.<br />
<br />
In addition to the explanations above, you must set a preference that tells Thunderbird that you want to use the GnuPG wrapper tool provided by Qubes OS.<br />
<br />
Open the config editor, search for '''mail.openpgp.alternative_gpg_path'''. Set its value to '''/usr/bin/qubes-gpg-client-wrapper''' . Restart Thunderbird after this change.<br />
<br />
== Configure an email account to use an external GnuPG key ==<br />
Open the Account Settings and open the End-to-End Encryption tab of the respective email account. Click the "Add Key" button. You'll be offered the choice "Use your external key through GnuPG". Select it and click Continue.<br />
<br />
Now paste or type the ID of the secret key that you would like to use. Be careful to enter it correctly, because your input isn't verified. It should be exactly 16 characters, as explained further above. Confirm to save this key ID.<br />
<br />
This key ID will be used to digitally sign messages with your account. It will also be used when you send an encrypted message, which will be encrypted for you, in addition to encrypting for the message recipients. For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn't fetch the key from GnuPG, you must manually import it.<br />
<br />
Use GnuPG to export a copy of your public key. Use Thunderbird's Tools menu to open OpenPGP Key Management. In that window, use the File menu to access the Import Public Key command. Open the file with your public key. After the import was successful, you must open the key details, and you must mark your own key as "accepted".<br />
<br />
Once this is done, you should be able to send an encrypted and signed email. You can try it by sending an email to yourself.<br />
<br />
(For configurations that use an offline primary key: It may also work to configure the ID of a sub key that can be used for signing. Based on feedback, Thunderbird seems to be able to automatically find the related encryption sub key.)<br />
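<br />
The key ID rule from the sections above (the last 16 characters of the primary key's fingerprint, which Thunderbird stores without verifying it) can be checked before the value is pasted into Account Settings. The shell functions below are an added example, not part of Thunderbird or GnuPG; the function names and the sample key data are constructed, and a 40-character (version 4) fingerprint is assumed.<br />

```shell
#!/bin/sh
# Added example: derive and check the 16-character key ID that Thunderbird
# asks for under "Use your external key through GnuPG".
# Assumption: version 4 keys, whose fingerprint is 40 hex characters.

# Constructed sample in the format of `gpg --with-colons --fingerprint`
# (not a real key). With a real keyring, pipe gpg's output into
# primary_fingerprint instead of this sample.
SAMPLE_COLONS='tru::1:1612000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1612000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1612000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1612000000::::::e:::::cv25519::
fpr:::::::::111122223333444455556666FEDCBA9876543210:
'

# Read colon-format output on stdin and print the fingerprint of the first
# primary key. "fpr" records that follow a subkey record are skipped, so a
# subkey fingerprint is never returned by mistake.
primary_fingerprint() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { want = 1; next }
        $1 == "sub" || $1 == "ssb" { want = 0; next }
        $1 == "fpr" && want        { print $10; exit }
    '
}

# Print the key ID (last 16 hex characters) of a fingerprint.
# Accepts the spaced, lower-case form shown by some tools.
# Returns 1 if the input is not exactly 40 hex characters.
keyid_from_fingerprint() {
    _fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$_fpr" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#_fpr}" -eq 40 ] || return 1
    printf '%s\n' "$_fpr" | cut -c25-40
}

# Check the value you are about to type into Thunderbird ($1) against the
# key ID derived from the primary fingerprint ($2, upper case).
# Returns 0 = matches, 1 = not exactly 16 hex characters (for example a
# short 8-character ID or a full fingerprint), 2 = well-formed but a
# different key (for example the ID of a subkey).
check_keyid_entry() {
    _entry=$1
    _expected=$2
    case "$_entry" in
        *[!0-9A-Fa-f]*|'') return 1 ;;
    esac
    [ "${#_entry}" -eq 16 ] || return 1
    _entry_uc=$(printf '%s' "$_entry" | tr 'a-f' 'A-F')
    [ "$_entry_uc" = "$_expected" ] || return 2
    return 0
}

# Demonstration on the constructed sample.
demo_fpr=$(printf '%s' "$SAMPLE_COLONS" | primary_fingerprint)
demo_keyid=$(keyid_from_fingerprint "$demo_fpr")
echo "primary fingerprint: $demo_fpr"
echo "key ID to enter:     $demo_keyid"
```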
<br />
== Trying decryption ==<br />
Try to open a message that can only be decrypted using the key from your external setup (e.g. from the smartcard or from the Qubes OS setup). You might be prompted by gpg-agent for your key's password, and then decryption should work, and the decrypted message contents should be shown.<br />
<br />
== Limitations of using GnuPG ==<br />
<br />
This page describes the use of GnuPG to use a smartcard. However, please be aware that the optional use of GnuPG is strictly limited to secret key operations. Only decryption and digital signing are supported.<br />
<br />
For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. GnuPG will not be used for encryption, and GnuPG will not be used for signature verification.<br />
<br />
Although the intention is to support secret keys on smartcard, there's currently no strict limitation to this scenario. If a secret key is contained in a GnuPG keyring that's stored on the computer's disk, this setup should work, too.<br />
<br />
== Thunderbird 64 bit on Windows ==<br />
<br />
You must perform a manual configuration to allow the 64-bit version of Thunderbird for Windows to find the 64-bit GPGME library. It's located in Gpg4Win's installation directory, in a bin_64 subdirectory.<br />
<br />
Open the system control panel. Search for the system environment variable settings and open them. In the list of existing system variables, you'll find an existing variable named "Path". Select and edit it. Add a new entry that points to the bin_64 subdirectory.<br />
<br />
For example, the standard installation directory for Gpg4Win is c:\Program Files (x86)\Gpg4Win<br />
<br />
If this directory was used on your system, then add a new entry c:\Program Files (x86)\Gpg4Win\bin_64<br />
<br />
If necessary, move the entry up, to a position before the existing Gpg4Win entry.<br />
<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Migration-From-Enigmail&diff=1233699Thunderbird:OpenPGP:Migration-From-Enigmail2021-02-11T20:04:36Z<p>Arvidt: Added category Thunderbird_OpenPGP as agreed with Kai in Mozilla chat</p>
<hr />
<div>== Changes from Enigmail to Thunderbird 78 ==<br />
<br />
This document is intended specifically for existing users of Enigmail, who want to start using Thunderbird 78 and its integrated OpenPGP functionality.<br />
<br />
'''If you have never used the Enigmail Add-on, then you can skip this document.'''<br />
<br />
Due to required technology changes, you'll experience a lot of changes. We have tried to make the new OpenPGP functionality easier to understand and use, but on the other hand, some features will work differently than before, or might be missing.<br />
<br />
'''Before you update to Thunderbird 78, you should read this whole document, to understand the changes that you will see.'''<br />
<br />
== Experimental in 78.0, but stable in the near future ==<br />
If you're reading this before OpenPGP has been declared as a stable feature in Thunderbird 78.x (expected for the 78.2 release end of August 2020), then please consider staying with Thunderbird 68 and Enigmail for another while, especially if you depend on the security of OpenPGP and are worried about correct behavior.<br />
<br />
If you're using an early release version of Thunderbird 78, the OpenPGP functionality is still disabled by default.<br />
<br />
If you would like to test while OpenPGP support is still experimental, you may open Thunderbird preferences, and use the config editor to change the preference with the name "mail.openpgp.enable" to the value "true". Then restart Thunderbird. This will enable the user interface for OpenPGP.<br />
<br />
== GnuPG vs. RNP and key storage ==<br />
Thunderbird no longer uses the external GnuPG software. Previously, all your own keys and the keys of other people were managed by GnuPG, and Enigmail offered you to view, use and manage them. Now that Thunderbird uses a different technology, it's necessary to perform a migration of your existing keys from GnuPG into Thunderbird's own storage (inside the Thunderbird profile directory). Thunderbird will use its own copy of the keys; sharing your keys between Thunderbird 78 and GnuPG currently isn't supported. (Exception: There is an [[Thunderbird:OpenPGP:Smartcards | optional mechanism to use GnuPG with smartcards]]. It's disabled by default and needs more testing.)<br />
<br />
The migration functionality isn't provided by Thunderbird. Rather, an update for the Enigmail Add-on and Thunderbird 78 will be available, which no longer provides the usual functionality, but rather will help you to perform a migration of your existing keys.<br />
<br />
Once you are using Thunderbird 78, Enigmail will update and will offer you to migrate your keys. Note that this will work, even if OpenPGP is not yet stable. The migration process will attempt to configure your email accounts to use the same keys that you had used previously. After the migration has completed, you should open Account Settings and the End-To-End Encryption tab, to verify the configuration.<br />
<br />
Thunderbird doesn't use on-demand unlocking (key passwords) of your secret keys. Rather, the only way to password protect the use of your OpenPGP secret keys is to set up the global Master Password feature of Thunderbird, which you can find in Thunderbird's security preferences.<br />
<br />
To enable Thunderbird to use your existing secret keys, you must unlock them to import them. This may require you to enter your password twice. First, to confirm that GnuPG is allowed to export the password. Second, to allow Thunderbird to access the raw key and copy it into Thunderbird's configuration storage. This is handled as part of the migration process, offered by the updated Enigmail Add-on, that acts as a migration tool.<br />
<br />
If you were using the ownertrust configuration for keys with GnuPG, this is handled differently in TB. The equivalent of marking a secret key as ownertrust ultimate is to use Thunderbird's OpenPGP key manager, open its details, and confirm that you accept it as a personal key. This flag will be automatically set by the migration. You might have to manually set it when importing a key using Thunderbird's key manager. The stable Thunderbird release is expected to ask you to set that flag at import time.<br />
<br />
== Classic Mode vs. Junior Mode ==<br />
Enigmail had offered multiple modes of operation. If you had started to use Enigmail in recent years, you might have been using Enigmail's Junior Mode, which was operated behind the scenes by pEp software. If you have frequently seen red squares, yellow triangles and green shields with Enigmail, then you were likely using that mode.<br />
<br />
'''Thunderbird 78 does not support the Junior Mode.''' (However, the aforementioned Enigmail migration Add-on is said to offer you the option to install newer pEp Software for Thunderbird. Note that Mozilla and Thunderbird are not affiliated with pEp.)<br />
<br />
Thunderbird's new OpenPGP implementation is more similar to Enigmail's classic mode of operation, which was configured in recent Enigmail releases with the setting "Force using S/MIME and Enigmail". If you have already been using Enigmail for many years, and you already had OpenPGP keys in Enigmail at the time the junior mode was offered for the first time, you have probably been using Enigmail's classic mode, and might have never seen Enigmail's alternative junior mode.<br />
<br />
'''The remainder of this document will not talk about junior mode, but rather will only discuss differences between Enigmail's classic mode and Thunderbird 78.'''<br />
<br />
== The workflow of sending encrypted email ==<br />
Enigmail had a lot of configuration choices to control the email encryption workflow.<br />
<br />
Enigmail's "general preferences for sending" allowed a choice of "default" and "manual". The default settings allowed the opportunistic use of encryption, which could also manually be enabled using the "Automatically send encrypted" choice. Thunderbird 78 does not use an opportunistic mode. Rather, it uses a strict mode, where correspondent keys must be manually accepted before they are used. This is also related to the Enigmail preference that controls which keys are accepted for sending encrypted messages. Enigmail's default was "all usable keys". Thunderbird's new behavior is closer to Enigmail's alternative choice "only trusted keys".<br />
<br />
In order to send an encrypted message, Thunderbird requires that you accept each correspondent's key once. However, it attempts to make that process straightforward. When trying to send an encrypted message, and you haven't yet used a correspondent's key, you will be guided to review the keys that you already have available, and review, accept, and optionally verify them. If keys are missing, you'll be given the choice to discover them online on a WKD server, or on the keys.openpgp.org keyserver.<br />
<br />
The Enigmail migration will help you by marking the keys of your correspondents as accepted, which you have previously certified (signed).<br />
<br />
At this time Thunderbird does not support automatically accepting keys if they carry your signature. This functionality might be added at a later time. Also, the Web of Trust functionality is not supported. In other words, with Enigmail and OpenPGP some keys of your correspondents might have been automatically accepted for use, if there was a path of trust from your keys, along a path of keys that you had signed, eventually pointing to the key you'd like to use. This indirect trust isn't offered in Thunderbird. Instead, you are currently required to manually accept each recipient key that you'd like to use.<br />
<br />
Enigmail offered to show you a prompt at the time you request to send the message, telling you whether the message will be encrypted, signed or not, and offering you to confirm or cancel the sending of the message. At this time, Thunderbird does not provide this prompt. You should look at the message settings prior to sending the message, which is shown in the status bar of the composer window. Or you can open the dropdown menu next to the security button. The shown options will tell you if encryption and signing are enabled. Currently, if encryption is enabled for a message, you cannot send the message, unless you have valid keys available for each recipient (not revoked, not expired), and you have accepted at least one valid key for each recipient email address. The key availability for a message you are sending can be seen by clicking the security button, or by using the classic menu command "view message security info".<br />
<br />
With Enigmail, if you attempted to send an encrypted message, but Enigmail couldn't automatically identify which key should be used to encrypt for a particular recipient, Enigmail would open a rather complex dialog, in which you could manually select the keys to use. Thunderbird will not. Rather, you need to have keys for each recipient, that contain the recipient's email address in one of the key's user IDs. Thunderbird does not support using alternative keys that contain no email address, nor the use of keys that don't contain a matching email address.<br />
<br />
Also, because Enigmail used GnuPG to encrypt, it was possible to use advanced configuration in a GnuPG configuration file, that controlled which keys would be automatically used based on recipient email addresses. At this time, Thunderbird does not offer an equivalent feature.<br />
<br />
Enigmail offered a configuration mechanism named per-recipient-rules. Thunderbird does not support that feature at this time, and will ignore the previous configuration.<br />
<br />
Today, if you enable encryption for a message, then digital signing will be automatically enabled, too. And if digital signing is used, the option to attach your own public key to the message is automatically enabled, too. You may manually disable these options for an individual message, if desired.<br />
<br />
== Other changes ==<br />
Previously, instead of sending your public key as an attachment, Enigmail had the functionality to include your public key in a hidden email header according to the Autocrypt standard. This functionality currently isn't offered, but might be added in the future.<br />
<br />
Because Thunderbird continues to support the S/MIME email security technology, you'll find a new choice in the security or options menu, which allows you to control the encryption technology that you would like to use.<br />
<br />
When receiving an email, to display the OpenPGP security status of a message, Enigmail used a line of text above the message sender information. This has been changed to work similarly to showing the status of S/MIME messages. Instead of a line of text, icons will be shown to visualize the state of the message.<br />
<br />
A padlock in varying appearances is used to show the encryption status of a message you have received.<br />
A stamped envelope icon in varying appearances is used to show the digital signature status of a message you have received.<br />
You may click the icons to view a more detailed explanation.<br />
<br />
The signature status of a message depends on the status you have granted to the signer's key, whether you have accepted it or not. A signature is treated as valid, if it is technically correct, if you have already imported the key, and if you have accepted to use the sender's key. You have the choice to simply accept a correspondent's key without further verification, which will not confirm that you are using the correct key, but at least you will be able to distinguish the use of known keys from the use of keys that you haven't yet accepted. If you prefer, you may perform the more secure fingerprint verification, and mark a key as verified. The digital signature status icon will be different after marking a sender's key as verified.<br />
<br />
When telling Thunderbird that you have verified a correspondent's key, Thunderbird will remember this information separately from the key. The classic way of remembering it is by adding a key certification to your correspondent's key (signing their key). This is not yet supported, but will likely be added in a future version.<br />
<br />
Enigmail offered a feature to define automatic message filters, that performed automatic actions based on the properties of an email, and could automatically decrypt a message, and store a decrypted message locally. Thunderbird does not support this functionality at this time, the messages are kept encrypted, and will need to be decrypted each time you are reading them. As a consequence, encrypted messages are not included in global searches and the message search index.<br />
<br />
When receiving an email, Thunderbird will scan the message for attached keys. Currently, attachments of type application/pgp-keys and the autocrypt header are automatically processed. Key updates, for keys that you have previously imported, such as expiration extensions or revocations for keys, will be automatically imported at the time of opening a message, without the requirement for manual confirmation. (Feature expected for 78.1.)<br />
<br />
Other keys, which haven't been imported previously, will be offered for import. If a new key for the sender's email address is seen, although you have previously accepted a different key, Thunderbird will show an extra warning (new feature expected for 78.1).<br />
<br />
Thunderbird will not automatically import keys transferred with the Autocrypt email header mechanism. Thunderbird will not automatically enable encryption with correspondents based on Autocrypt email headers. The user needs to confirm the offer to import the attached key in an email, and then manually accept the use of the key, and also manually enable encryption in messages that are sent.<br />
<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:2020&diff=1233698Thunderbird:OpenPGP:20202021-02-11T20:03:48Z<p>Arvidt: Added category Thunderbird_OpenPGP as agreed with Kai in Mozilla chat</p>
<hr />
<div>Note: This page describes our initial vision from October 2019. '''For changes since 2019, updated plans, resources and discussion venues please refer to the [[Thunderbird:OpenPGP | primary OpenPGP wiki page]].'''<br />
<br />
= OpenPGP support in Thunderbird 78 (summer 2020 release) =<br />
<br />
== Background ==<br />
Two popular technologies exist that add support for end-to-end encryption and digital signatures to email. Thunderbird has been offering built-in support for S/MIME, and will continue to do so.<br />
<br />
The Enigmail Add-on for Thunderbird has made it possible to use the external GnuPG software for OpenPGP messaging.<br />
<br />
Thunderbird extends the Mozilla software platform that is primarily used for the Firefox browser. Enigmail requires the use of extension mechanisms, which will no longer be available in future versions of the Mozilla platform. The Thunderbird 68.x branch, which will be actively maintained until autumn 2020, will be the last version that supports Enigmail.<br />
<br />
As a replacement for Enigmail, the Thunderbird team intends to develop new, integrated support for OpenPGP messaging, and plans to make it available in the Thunderbird 78 release that is planned for summer 2020.<br />
<br />
We are happy that Patrick Brunschwig, who has been developing and maintaining the Enigmail Add-on for many years, has offered to assist the Thunderbird development team.<br />
<br />
== Primary Objective ==<br />
The primary objective is to be able to send encrypted email, digitally sign email, decrypt received email, verify the correctness of digitally signed email, and to provide this functionality in a secure, compatible, interoperable and user friendly way. We consider encryption and digital signatures as features that can be used either in combination or independently. When sending email, users should be able to decide on their own, which of the features they want to use, and when receiving emails, it should be possible to discover which of those protection mechanisms were used.<br />
<br />
== OpenPGP engine ==<br />
Thunderbird is unable to bundle GnuPG software, because of incompatible licenses (MPL version 2.0 vs. GPL version 3+). Instead of relying on users to obtain and install external software like GnuPG or GPG4Win, we intend to identify and use an alternative, compatible library and distribute it as part of Thunderbird on all supported platforms.<br />
<br />
As a consequence of not using GnuPG, several aspects related to OpenPGP messaging will likely work differently than in today’s Enigmail solution. We intend to identify and use another existing library that provides support for creating and processing OpenPGP messages, and we will try to reuse parts of Enigmail that aren’t specific to GnuPG. However, we’ll need to rethink several aspects, from user interface to trust models, to key management and key exchange. This text will try to outline the most relevant aspects, and offer suggestions on how Thunderbird 78 could implement them.<br />
<br />
== Key storage ==<br />
To process OpenPGP messages, GnuPG stores secret keys, public keys of correspondents, and trust information for public keys in its own file format. Thunderbird 78 will not reuse the GnuPG file format, but will rather implement its own storage for keys and trust.<br />
<br />
Users who already own secret keys from their previous use of Enigmail and GnuPG, and who wish to reuse their existing secret keys, will be required to transfer their keys to Thunderbird 78. On systems that have GnuPG installed, we might be able to offer assisted importing.<br />
<br />
Secret keys managed by GnuPG are commonly protected with a passphrase. By using Thunderbird’s internal key storage, the Master Password feature could be reused to protect OpenPGP keys in the same way it already can be used to protect login credentials and keys used for S/MIME. This could remove the need to remember separate passwords for individual OpenPGP keys.<br />
<br />
== Key ownership verification ==<br />
End-to-end encrypted messaging must protect against Monster-In-The-Middle (MITM) attacks. Behind the scenes, a key used for OpenPGP messaging consists of numbers and meta information, including information about the alleged owner. Since anyone can easily create a new random key with false meta information, it’s necessary to obtain confirmation about key ownership from the alleged owner in order to use OpenPGP securely.<br />
<br />
Directly confirming that a key indeed belongs to the alleged owner requires an out of band communication. For example, it’s possible to calculate a short checksum for the numbers contained in an OpenPGP key. The term fingerprint is often used to describe that checksum. When meeting in person, people may exchange the fingerprints of their OpenPGP keys on paper. If the voice of the other person is known, a phone call might alternatively be used to exchange the fingerprint. Verifying that the fingerprint displayed on the computer is identical with the fingerprint obtained from the communication partner confirms the key ownership.<br />
<br />
Once Alice has confirmed Bob’s public key is genuine, Alice should create a permanent record of having done so. The common approach is that Alice uses her own key to digitally sign Bob’s public key (including its meta information). When using Bob’s key later on, the software used by Alice will notice the signature, and can treat Bob’s key as confirmed.<br />
<br />
Thunderbird 78 should continue to offer this mechanism. The OpenPGP library to be used by Thunderbird 78 should support digitally signing public keys.<br />
(Alternatively, Thunderbird 78 would have to remember information about successful confirmations separately.)<br />
<br />
== Key sharing ==<br />
Often users of OpenPGP share their key confirmations with others, by publishing signed keys on key directories (key servers). GnuPG and Enigmail allow both uploading to, and also downloading from key servers, to obtain other people’s keys, and to learn about key confirmations that others have done.<br />
<br />
Unfortunately, concerns about the classic OpenPGP keyserver model have recently increased, because of the ways in which keyservers can be abused, which has already caused stability and availability issues. New mechanisms for sharing keys are currently being developed by the OpenPGP community, such as Autocrypt, WKD, and a new generation of keyservers such as Hagrid. Although it’s currently unclear which mechanisms will be preferred in the future, Thunderbird 78 will likely continue to support key server interactions, in addition to the trivial mechanism to send and receive OpenPGP keys as email attachments.<br />
<br />
On systems that have GnuPG installed, it may be possible to offer assisted importing for public keys of correspondents, which were previously obtained and stored using GnuPG. As part of this import, key ownership confirmations should be imported, too.<br />
<br />
Often, key ownership confirmation through direct human interaction is considered impractical. An alternative is indirect verification. Bob might have signed David’s key. But does Alice trust Bob to confirm key ownership of other people? GnuPG software allows Alice to decide and configure if she considers Bob trustworthy for confirming the key ownership of other people. GnuPG software implements rules, which can allow a number of uncertain, indirect confirmations to be considered equivalent to a direct key confirmation. By combining Alice’s own confirmations with the information found in other keys, usually retrieved from keyservers, GnuPG could automatically treat David’s key as confirmed. This mechanism and the set of all confirmations found on keys is commonly described as the Web of Trust.<br />
<br />
It’s currently undecided if Thunderbird 78 will be able to reuse the trust configurations made using Enigmail and GnuPG software. It’s also still unclear if Thunderbird 78 will implement the Web of Trust model for indirect confirmations.<br />
<br />
To summarize the previous paragraphs, Thunderbird 78 will likely require a direct ownership verification in order to treat an OpenPGP message using that key as fully secure. It’s undecided if an equivalent for indirect confirmation, such as by using the Web Of Trust, will also allow keys to be treated as fully secure.<br />
<br />
== No opportunistic encryption ==<br />
Thunderbird 78 will allow the use of either confirmed or unconfirmed keys for OpenPGP messaging. However, the user interface will clearly distinguish the more secure use of confirmed keys from the less secure use of unconfirmed keys. For users who prefer to avoid unencrypted email completely, we might offer an advanced configuration that could require all outgoing email to be encrypted, either using any available key, or by requiring the use of confirmed keys only.<br />
<br />
It’s a controversial question whether email software should automatically use opportunistic encryption, or whether the user should be required to actively opt in, prior to using end-to-end email encryption. Should emails be automatically encrypted, whenever possible, without asking the user? Should email software automatically create OpenPGP private keys, distribute them, thereby enabling the automatic use of encryption?<br />
<br />
It’s unrealistic to hope to implement an automatic solution that works for all emails, given the wide variety of different email client software. Although Thunderbird is a popular email client, it seems realistic to assume that a large portion of the emails that Thunderbird users send and receive are with correspondents that don’t use Thunderbird. Consequently, even if Thunderbird supported an automatic solution, a large portion of email would not be covered by it.<br />
<br />
With a fully automatic solution, there’s the potential risk that a Monster-in-the-Middle could trick Alice into using the Monster’s OpenPGP key when intending to encrypt email to Bob, without Alice noticing.<br />
<br />
The Trust On First Use (TOFU) concept attempts to minimize the risk, but there’s still the risk that the first use already involves a false key. And TOFU cannot completely avoid all interactions with the user. It’s a common scenario that users lose their keys, start to use a different computer, or they might use more than one computer with different keys. TOFU cannot automatically handle these scenarios in a secure way. It’s necessary to assist the user in resolving key conflict situations interactively, for example by recommending an out of band communication to confirm the correspondent’s correct key.<br />
<br />
Furthermore, starting to use OpenPGP comes with some responsibility for the future. Once a user distributes their own key to others, they’ve opened Pandora’s box. Others might discover the keys later and send encrypted email at any time in the future. If the key has been lost, either because the computer broke and no backups of the key are available, or because the user forgot the passphrase that was used to protect the key, the incoming encrypted email cannot be read. Also, if the key has been lost, the archive of encrypted email that’s still available on your mail server can no longer be read either.<br />
<br />
For the initial version of Thunderbird with OpenPGP support, Thunderbird 78, we’ll not yet enable OpenPGP encryption for emails automatically. Instead, we’ll require that users opt in, prior to using it. However, it should be easy to opt in, and we might implement a smart user interface that allows the user to discover the availability of the OpenPGP messaging features, and offer interactive assistance that makes it easy to get started. How exactly this will be done needs to be worked out during the next year, while we develop Thunderbird 78.<br />
<br />
For users of Thunderbird 78 who had previously installed Enigmail and had opted in to use OpenPGP, we will attempt to migrate their preferences related to the use of OpenPGP.<br />
<br />
= Frequently Asked Questions (FAQ) =<br />
<br />
== Will OpenPGP cards be supported for private key storage ? ==<br />
<br />
Update: How to [[Thunderbird:OpenPGP:Smartcards | use OpenPGP smartcards]] with Thunderbird 78.<br />
<br />
<s>Probably not, because we don't use the GnuPG software that's usually required to access OpenPGP smartcards.<br />
However, we'll investigate potential options.</s><br />
<br />
<br />
------<br />
<br />
[[Thunderbird:OpenPGP]]<br />
<br />
[[category:Thunderbird|*]]<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1233697Thunderbird:OpenPGP2021-02-11T20:01:53Z<p>Arvidt: Added category Thunderbird_OpenPGP as agreed with Kai in Mozilla chat</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
<br />
This page lists resources, discussion venues, and plans related to [https://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP] messaging with Thunderbird.<br />
<br />
== Background ==<br />
Previously, until Thunderbird version 68.x, the Enigmail Add-On provided OpenPGP encrypted messaging, which required the use of external GnuPG software.<br />
<br />
Soon, Thunderbird will include OpenPGP functionality, and will no longer require the installation of external software.<br />
<br />
This improvement is necessary, because Enigmail cannot be used with Thunderbird 78, except for key migration purposes.<br />
<br />
If you are a previous user of Enigmail, please read [[Thunderbird:OpenPGP:Migration-From-Enigmail | How does Thunderbird's OpenPGP implementation differ from Enigmail?]]<br />
<br />
== Development Status ==<br />
<br />
As of the Thunderbird 78.0 release, the OpenPGP functionality is experimental, and disabled by default.<br />
<br />
'''[https://mail.mozilla.org/pipermail/tb-planning/2020-May/007627.html It is hoped to be stable in 78.2] - until then Enigmail users should not attempt to update to 78 until an automatic update occurs.''' <br />
<br />
See also our [https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ initial announcement] and the [[Thunderbird:OpenPGP:2020 | detailed description from October 2019]].<br />
<br />
See the tb-planning list archive for [https://mail.mozilla.org/pipermail/tb-planning/2019-December/thread.html answers to some commonly asked questions].<br />
<br />
A [https://www.youtube.com/watch?v=zwmPwcC2Ie4 presentation] was given about the development of integrated OpenPGP support as part of the [[Thunderbird/2020_Virtual_Summit | Thunderbird Virtual Summit 2020]].<br />
<br />
Experimental support for [[Thunderbird:OpenPGP:Smartcards | smartcard secret key operations]] (no public key operations) is under development.<br />
<br />
== Testing ==<br />
<br />
'''If you use OpenPGP for non-critical purposes''', then you are welcome to enable it manually and help with testing.<br />
<br />
To enable it in Thunderbird 78.0, use the config editor and change the value of preference '''mail.openpgp.enable''' to true, then restart Thunderbird.<br />
<br />
If you are running 78.x and have the previous Enigmail Add-on installed, then Enigmail will update to version 2.2.x, which is a minimal release that helps you to migrate the keys and settings to Thunderbird 78.<br />
<br />
If you haven't used Enigmail previously, you can enable OpenPGP for an email account in account settings.<br />
<br />
If you want to help with testing see the [[#Discussion|discussion area]] below.<br />
<br />
For advanced users: [[Thunderbird:OpenPGP:Test-Builds | testing experimental builds]].<br />
<br />
== Discussion ==<br />
<br />
'''To help with testing, or for help in using Thunderbird's OpenPGP, please post in [https://thunderbird.topicbox.com/groups/e2ee e2ee topicbox]. Or chat at Matrix: #openpgp:mozilla.org'''<br />
<br />
Please report bugs at [https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Security%3A%20OpenPGP Bugzilla, product MailNews Core, component Security: OpenPGP]. (You need to register an account to access that link.)<br />
<br />
To discuss policy aspects of Thunderbird's OpenPGP, please post to the [https://mail.mozilla.org/listinfo/tb-planning public tb-planning mailing list].<br />
<br />
== Open issues and TODO list ==<br />
<br />
The best way to see our progress and open issues is to [https://bugzilla.mozilla.org/buglist.cgi?list_id=15255496&component=Security%3A%20OpenPGP&query_format=advanced run a bugzilla query].<br />
<br />
In addition, we have a high level [[Thunderbird:OpenPGP:Status | overview of items that have already been worked on, and which are still ToDo]] (might be outdated).<br />
<br />
== Debugging / Tracing ==<br />
<br />
If you run into a problem, you may try the following mechanisms to obtain additional information, which may be useful for you, or for the Thunderbird developers when reporting a problem, to analyze the cause.<br />
<br />
=== Error Console ===<br />
The simplest is to open the Thunderbird Error Console. You can open it from the menu Tools→Developer Tools→Error Console. Messages shown in red are of particular interest.<br />
<br />
=== OpenPGP log ===<br />
To view some details about the processing of messages, you may set a preference in Thunderbird:<br />
* Open menu Edit→Preferences→General, find the Config Editor.<br />
* Add a new preference of the name <code>temp.openpgp.logDirectory</code> and set it to a string value, which must be the full name of a temporary directory, for example on Linux or macOS you could use value <code>/tmp/</code>.<br />
* Restart Thunderbird.<br />
* Thunderbird will write messages to a file named <code>enigdbug.txt</code> in the set directory.<br />
The log will have a lot of information, most of which is harmless or not interesting. But it may contain clues about the cause of a problem.<br />
<br />
=== Enigmail 2.2.x Add-on log ===<br />
If you're trying to analyze a problem in the migration process that is performed by the Enigmail 2.2.x Add-on, please set the additional preference <code>extensions.enigmail.logDirectory</code> - it must also be set to a directory, but that must be a different directory than the one for OpenPGP log. For example, create a directory named <code>/tmp/enig22</code> and set <code>extensions.enigmail.logDirectory</code> to string value <code>/tmp/enig22</code>. If you set both variables, then two separate debug log files will be created, both named <code>enigdbug.txt</code>.<br />
<br />
=== RNP log ===<br />
Advanced users may attempt to view internal error messages produced by the OpenPGP cryptographic engine that Thunderbird uses (the RNP library). To do so:<br />
* Set the environment variable called <code>RNP_LOG_CONSOLE</code>, e.g. in a Linux terminal you could do that using the command <code>export RNP_LOG_CONSOLE=1</code>.<br />
* Then you must start Thunderbird from within that terminal window, to ensure that it will see the environment variable that you have set.<br />
<br />
[[category:Thunderbird|*]]<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Category:Thunderbird_OpenPGP&diff=1233696Category:Thunderbird OpenPGP2021-02-11T19:59:34Z<p>Arvidt: Initial page</p>
<hr />
<div>Category for [[Thunderbird]] OpenPGP articles.<br />
<br />
[[category:Thunderbird]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Aliases&diff=1233692Thunderbird:OpenPGP:Aliases2021-02-11T19:42:35Z<p>Arvidt: Added category Thunderbird_OpenPGP as agreed with Kai in Mozilla chat</p>
<hr />
<div>= = = = = = = = = = = = = = = = = = = = = = =<br />
EXPERIMENTAL FEATURE STILL UNDER DEVELOPMENT<br />
= = = = = = = = = = = = = = = = = = = = = = =<br />
<br />
As of Thunderbird 78.6.0, Thunderbird can send encrypted email using OpenPGP, if you have the recipient's public key, you have accepted to use the public key, and a user ID in the public key matches the recipient's email address.<br />
<br />
To send encrypted email to an address that isn't defined in a key's user ID, we need to develop a new recipient alias feature for Thunderbird.<br />
<br />
While we intend to implement a user interface to define recipient aliases in a future Thunderbird release, for the stable 78.x we will only offer a manual configuration mechanism. This enhancement is currently being developed. This page documents how to use it.<br />
<br />
At this time only an experimental build is available. Download instructions are below. The instructions below only work with the experimental build.<br />
<br />
A preliminary documentation for using the feature is also provided on this page, but it might change until the feature is declared stable.<br />
Nevertheless, you are invited to test the feature and give feedback in https://bugzilla.mozilla.org/show_bug.cgi?id=1644085 or at https://thunderbird.topicbox.com/groups/e2ee<br />
<br />
Create a new text file, as described here:<br />
https://bug1644085.bmoattachments.org/attachment.cgi?id=9193371<br />
<br />
Save the file, for example use filename openpgp_alias_to_keys.json .<br />
<br />
In Thunderbird, use preferences, config editor. Find preference mail.openpgp.alias_rules_file and set it to the filename you have chosen above. If you have saved the file into your Thunderbird profile directory, then it is sufficient to set the filename, only. If you have saved the file elsewhere on your disk, you must set the preference to the full path where the file can be found, e.g. /home/myself/openpgp_alias_to_keys.json or c:\users\myself\openpgp_alias_to_keys.json . (It hasn't yet been tested on Windows, maybe you need to use c:\\users\\myself\\openpgp_alias_to_keys.json .)<br />
<br />
Restart Thunderbird. Start to compose a new message. Enter a recipient that should match one of your alias definitions. Ensure OpenPGP is selected as the technology for this message. Click the security button, to view the message security info.<br />
<br />
Look for a line that contains the recipient email address that you expect to match your alias rule. If a problem was found, the status should be shown as "Alias Problem". If the alias was found to work, you'll see status "a -> b" to indicate that the address will be mapped to something else.<br />
<br />
If it doesn't work as expected, open the error console (Menu Tools, Web Developer); it might contain additional information.<br />
<br />
Note that it isn't necessary that a key has been marked as accepted. By defining the alias rule, you have declared that you accept the key for this use.<br />
<br />
Note that currently the file is read only once at the time Thunderbird is started. If you make a change to the file, it's currently necessary to restart Thunderbird.<br />
<br />
If you would like to test that the correct keys are used, you may do so without actually sending the message. Use the menu command File / Send later. Then check your local folders, Outbox. Look for the message you have just prepared. Select it, and click the OpenPGP icon, and look at the recipient encryption keys. This allows you to check which keys will be used for encryption.<br />
<br />
The build is available for download from Mozilla's "try server".<br />
The build is here:<br />
https://treeherder.mozilla.org/jobs?repo=try-comm-central&revision=08f16db74457760be0a28572a21cf05890f0c290<br />
<br />
You can see the list of patches included in the build, it is based on 78.6.0 plus the changes that are listed.<br />
<br />
Downloading a build works by clicking the green "B" of the platform you need, then clicking "Artifacts" in the lower area that appears, and then downloading the respective archive for your platform. For Linux you need target.tar.bz2 , for Windows you need target.zip , and for macOS you need target.dmg .<br />
<br />
For convenience, here are direct links:<br />
<br />
Linux 64 bit:<br />
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/eK7HevGjRIerrlBbECNgHQ/runs/0/artifacts/public/build/target.tar.bz2<br />
<br />
Linux 32 bit:<br />
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Vl9AKCQuT12fuHx_GuXAgA/runs/0/artifacts/public/build/target.tar.bz2<br />
<br />
macOS:<br />
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Vl9AKCQuT12fuHx_GuXAgA/runs/0/artifacts/public/build/target.tar.bz2<br />
<br />
Windows 64 bit:<br />
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/RGM1smI2TySKHUZM7fqxfg/runs/0/artifacts/public/build/target.zip<br />
<br />
Windows 32 bit:<br />
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/aiQ1BMLiQcmANAWKPjrCtA/runs/0/artifacts/public/build/target.zip<br />
<br />
[[Category:Thunderbird_OpenPGP]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1233578Thunderbird:OpenPGP2021-02-07T21:51:32Z<p>Arvidt: /* RNP log */ Better readability through list</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
<br />
This page lists resources, discussion venues, and plans related to [https://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP] messaging with Thunderbird.<br />
<br />
== Background ==<br />
Previously, until Thunderbird version 68.x, the Enigmail Add-On provided OpenPGP encrypted messaging, which required the use of external GnuPG software.<br />
<br />
Soon, Thunderbird will include OpenPGP functionality, and will no longer require the installation of external software.<br />
<br />
This improvement is necessary, because Enigmail cannot be used with Thunderbird 78, except for key migration purposes.<br />
<br />
If you are a previous user of Enigmail, please read [[Thunderbird:OpenPGP:Migration-From-Enigmail | How does Thunderbird's OpenPGP implementation differ from Enigmail?]]<br />
<br />
== Development Status ==<br />
<br />
As of the Thunderbird 78.0 release, the OpenPGP functionality is experimental, and disabled by default.<br />
<br />
'''[https://mail.mozilla.org/pipermail/tb-planning/2020-May/007627.html It is hoped to be stable in 78.2] - until then Enigmail users should not attempt to update to 78 until an automatic update occurs.''' <br />
<br />
See also our [https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ initial announcement] and the [[Thunderbird:OpenPGP:2020 | detailed description from October 2019]].<br />
<br />
See the tb-planning list archive for [https://mail.mozilla.org/pipermail/tb-planning/2019-December/thread.html answers to some commonly asked questions].<br />
<br />
A [https://www.youtube.com/watch?v=zwmPwcC2Ie4 presentation] was given about the development of integrated OpenPGP support as part of the [[Thunderbird/2020_Virtual_Summit | Thunderbird Virtual Summit 2020]].<br />
<br />
Experimental support for [[Thunderbird:OpenPGP:Smartcards | smartcard secret key operations]] (no public key operations) is under development.<br />
<br />
== Testing ==<br />
<br />
'''If you use OpenPGP for non-critical purposes''', then you are welcome to enable it manually and help with testing.<br />
<br />
To enable it in Thunderbird 78.0, use the config editor and change the value of preference '''mail.openpgp.enable''' to true, then restart Thunderbird.<br />
<br />
If you are running 78.x and have the previous Enigmail Add-on installed, then Enigmail will update to version 2.2.x, which is a minimal release that helps you to migrate the keys and settings to Thunderbird 78.<br />
<br />
If you haven't used Enigmail previously, you can enable OpenPGP for an email account in account settings.<br />
<br />
If you want to help with testing see the [[#Discussion|discussion area]] below.<br />
<br />
For advanced users: [[Thunderbird:OpenPGP:Test-Builds | testing experimental builds]].<br />
<br />
== Discussion ==<br />
<br />
'''To help with testing, or for help in using Thunderbird's OpenPGP, please post in [https://thunderbird.topicbox.com/groups/e2ee e2ee topicbox]. Or chat at Matrix: #openpgp:mozilla.org'''<br />
<br />
Please report bugs at [https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Security%3A%20OpenPGP Bugzilla, product MailNews Core, component Security: OpenPGP]. (You need to register an account to access that link.)<br />
<br />
To discuss policy aspects of Thunderbird's OpenPGP, please post to the [https://mail.mozilla.org/listinfo/tb-planning public tb-planning mailing list].<br />
<br />
== Open issues and TODO list ==<br />
<br />
The best way to see our progress and open issues is to [https://bugzilla.mozilla.org/buglist.cgi?list_id=15255496&component=Security%3A%20OpenPGP&query_format=advanced run a Bugzilla query].<br />
<br />
In addition, we have a high level [[Thunderbird:OpenPGP:Status | overview of items that have already been worked on, and which are still ToDo]] (might be outdated).<br />
<br />
== Debugging / Tracing ==<br />
<br />
If you run into a problem, you may try the following mechanisms to obtain additional information, which may be useful for you, or for the Thunderbird developers when reporting a problem, to analyze the cause.<br />
<br />
=== Error Console ===<br />
The simplest is to open the Thunderbird Error Console. You can open it from the menu Tools→Developer Tools→Error Console. Messages shown in red are of particular interest.<br />
<br />
=== OpenPGP log ===<br />
To view some details about the processing of messages, you may set a preference in Thunderbird:<br />
* Open menu Edit→Preferences→General, find the Config Editor.<br />
* Add a new preference of the name <code>temp.openpgp.logDirectory</code> and set it to a string value, which must be the full name of a temporary directory, for example on Linux or macOS you could use value <code>/tmp/</code>.<br />
* Restart Thunderbird.<br />
* Thunderbird will write messages to a file named <code>enigdbug.txt</code> in the set directory.<br />
The log will have a lot of information, most of which is harmless or not interesting. But it may contain clues about the cause of a problem.<br />
<br />
=== Enigmail 2.2.x Add-on log ===<br />
If you're trying to analyze a problem in the migration process that is performed by the Enigmail 2.2.x Add-on, please set the additional preference <code>extensions.enigmail.logDirectory</code> - it must also be set to a directory, but that must be a different directory than the one for OpenPGP log. For example, create a directory named <code>/tmp/enig22</code> and set <code>extensions.enigmail.logDirectory</code> to string value <code>/tmp/enig22</code>. If you set both variables, then two separate debug log files will be created, both named <code>enigdbug.txt</code>.<br />
<br />
=== RNP log ===<br />
Advanced users may attempt to view internal error messages produced by the OpenPGP cryptographic engine that Thunderbird uses (the RNP library). To do so:<br />
* Set the environment variable called <code>RNP_LOG_CONSOLE</code>, e.g. in a Linux terminal you could do that using the command <code>export RNP_LOG_CONSOLE=1</code>.<br />
* Then you must start Thunderbird from within that terminal window, to ensure that it will see the environment variable that you have set.<br />
<br />
[[category:Thunderbird|*]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1233577Thunderbird:OpenPGP2021-02-07T21:47:07Z<p>Arvidt: /* OpenPGP log */ Add need to restart TB, better readability through list</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
<br />
This page lists resources, discussion venues, and plans related to [https://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP] messaging with Thunderbird.<br />
<br />
== Background ==<br />
Previously, until Thunderbird version 68.x, the Enigmail Add-On provided OpenPGP encrypted messaging, which required the use of external GnuPG software.<br />
<br />
Soon, Thunderbird will include OpenPGP functionality, and will no longer require the installation of external software.<br />
<br />
This improvement is necessary, because Enigmail cannot be used with Thunderbird 78, except for key migration purposes.<br />
<br />
If you are a previous user of Enigmail, please read [[Thunderbird:OpenPGP:Migration-From-Enigmail | How does Thunderbird's OpenPGP implementation differ from Enigmail?]]<br />
<br />
== Development Status ==<br />
<br />
As of the Thunderbird 78.0 release, the OpenPGP functionality is experimental, and disabled by default.<br />
<br />
'''[https://mail.mozilla.org/pipermail/tb-planning/2020-May/007627.html It is hoped to be stable in 78.2] - until then Enigmail users should not attempt to update to 78 until an automatic update occurs.''' <br />
<br />
See also our [https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ initial announcement] and the [[Thunderbird:OpenPGP:2020 | detailed description from October 2019]].<br />
<br />
See the tb-planning list archive for [https://mail.mozilla.org/pipermail/tb-planning/2019-December/thread.html answers to some commonly asked questions].<br />
<br />
A [https://www.youtube.com/watch?v=zwmPwcC2Ie4 presentation] was given about the development of integrated OpenPGP support as part of the [[Thunderbird/2020_Virtual_Summit | Thunderbird Virtual Summit 2020]].<br />
<br />
Experimental support for [[Thunderbird:OpenPGP:Smartcards | smartcard secret key operations]] (no public key operations) is under development.<br />
<br />
== Testing ==<br />
<br />
'''If you use OpenPGP for non-critical purposes''', then you are welcome to enable it manually and help with testing.<br />
<br />
To enable it in Thunderbird 78.0, use the config editor and change the value of preference '''mail.openpgp.enable''' to true, then restart Thunderbird.<br />
<br />
If you are running 78.x and have the previous Enigmail Add-on installed, then Enigmail will update to version 2.2.x, which is a minimal release that helps you to migrate the keys and settings to Thunderbird 78.<br />
<br />
If you haven't used Enigmail previously, you can enable OpenPGP for an email account in account settings.<br />
<br />
If you want to help with testing see the [[#Discussion|discussion area]] below.<br />
<br />
For advanced users: [[Thunderbird:OpenPGP:Test-Builds | testing experimental builds]].<br />
<br />
== Discussion ==<br />
<br />
'''To help with testing, or for help in using Thunderbird's OpenPGP, please post in [https://thunderbird.topicbox.com/groups/e2ee e2ee topicbox]. Or chat at Matrix: #openpgp:mozilla.org'''<br />
<br />
Please report bugs at [https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Security%3A%20OpenPGP Bugzilla, product MailNews Core, component Security: OpenPGP]. (You need to register an account to access that link.)<br />
<br />
To discuss policy aspects of Thunderbird's OpenPGP, please post to the [https://mail.mozilla.org/listinfo/tb-planning public tb-planning mailing list].<br />
<br />
== Open issues and TODO list ==<br />
<br />
The best way to see our progress and open issues is to [https://bugzilla.mozilla.org/buglist.cgi?list_id=15255496&component=Security%3A%20OpenPGP&query_format=advanced run a Bugzilla query].<br />
<br />
In addition, we have a high level [[Thunderbird:OpenPGP:Status | overview of items that have already been worked on, and which are still ToDo]] (might be outdated).<br />
<br />
== Debugging / Tracing ==<br />
<br />
If you run into a problem, you may try the following mechanisms to obtain additional information, which may be useful for you, or for the Thunderbird developers when reporting a problem, to analyze the cause.<br />
<br />
=== Error Console ===<br />
The simplest is to open the Thunderbird Error Console. You can open it from the menu Tools→Developer Tools→Error Console. Messages shown in red are of particular interest.<br />
<br />
=== OpenPGP log ===<br />
To view some details about the processing of messages, you may set a preference in Thunderbird:<br />
* Open menu Edit→Preferences→General, find the Config Editor.<br />
* Add a new preference of the name <code>temp.openpgp.logDirectory</code> and set it to a string value, which must be the full name of a temporary directory, for example on Linux or macOS you could use value <code>/tmp/</code>.<br />
* Restart Thunderbird.<br />
* Thunderbird will write messages to a file named <code>enigdbug.txt</code> in the set directory.<br />
The log will have a lot of information, most of which is harmless or not interesting. But it may contain clues about the cause of a problem.<br />
<br />
=== Enigmail 2.2.x Add-on log ===<br />
If you're trying to analyze a problem in the migration process that is performed by the Enigmail 2.2.x Add-on, please set the additional preference <code>extensions.enigmail.logDirectory</code> - it must also be set to a directory, but that must be a different directory than the one for OpenPGP log. For example, create a directory named <code>/tmp/enig22</code> and set <code>extensions.enigmail.logDirectory</code> to string value <code>/tmp/enig22</code>. If you set both variables, then two separate debug log files will be created, both named <code>enigdbug.txt</code>.<br />
<br />
=== RNP log ===<br />
Advanced users may attempt to view internal error messages produced by the OpenPGP cryptographic engine that Thunderbird uses (the RNP library). To do so, you need to set the environment variable called <code>RNP_LOG_CONSOLE</code>, e.g. in a Linux terminal you could do that using the command <code>export RNP_LOG_CONSOLE=1</code>. Then you must start Thunderbird from within that terminal window, to ensure that it will see the environment variable that you have set.<br />
<br />
[[category:Thunderbird|*]]</div>Arvidthttps://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP&diff=1233567Thunderbird:OpenPGP2021-02-06T12:29:56Z<p>Arvidt: /* Debugging / Tracing */ Improve readability through code formatting and dividing into chapters with heading</p>
<hr />
<div>= Thunderbird and OpenPGP =<br />
<br />
This page lists resources, discussion venues, and plans related to [https://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP] messaging with Thunderbird.<br />
<br />
== Background ==<br />
Previously, until Thunderbird version 68.x, the Enigmail Add-On provided OpenPGP encrypted messaging, which required the use of external GnuPG software.<br />
<br />
Soon, Thunderbird will include OpenPGP functionality, and will no longer require the installation of external software.<br />
<br />
This improvement is necessary, because Enigmail cannot be used with Thunderbird 78, except for key migration purposes.<br />
<br />
If you are a previous user of Enigmail, please read [[Thunderbird:OpenPGP:Migration-From-Enigmail | How does Thunderbird's OpenPGP implementation differ from Enigmail?]]<br />
<br />
== Development Status ==<br />
<br />
As of the Thunderbird 78.0 release, the OpenPGP functionality is experimental, and disabled by default.<br />
<br />
'''[https://mail.mozilla.org/pipermail/tb-planning/2020-May/007627.html It is hoped to be stable in 78.2] - until then Enigmail users should not attempt to update to 78 until an automatic update occurs.''' <br />
<br />
See also our [https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ initial announcement] and the [[Thunderbird:OpenPGP:2020 | detailed description from October 2019]].<br />
<br />
See the tb-planning list archive for [https://mail.mozilla.org/pipermail/tb-planning/2019-December/thread.html answers to some commonly asked questions].<br />
<br />
A [https://www.youtube.com/watch?v=zwmPwcC2Ie4 presentation] was given about the development of integrated OpenPGP support as part of the [[Thunderbird/2020_Virtual_Summit | Thunderbird Virtual Summit 2020]].<br />
<br />
Experimental support for [[Thunderbird:OpenPGP:Smartcards | smartcard secret key operations]] (no public key operations) is under development.<br />
<br />
== Testing ==<br />
<br />
'''If you use OpenPGP for non-critical purposes''', then you are welcome to enable it manually and help with testing.<br />
<br />
To enable it in Thunderbird 78.0, use the config editor and change the value of preference '''mail.openpgp.enable''' to true, then restart Thunderbird.<br />
<br />
If you are running 78.x and have the previous Enigmail Add-on installed, then Enigmail will update to version 2.2.x, which is a minimal release that helps you to migrate the keys and settings to Thunderbird 78.<br />
<br />
If you haven't used Enigmail previously, you can enable OpenPGP for an email account in account settings.<br />
<br />
If you want to help with testing see the [[#Discussion|discussion area]] below.<br />
<br />
For advanced users: [[Thunderbird:OpenPGP:Test-Builds | testing experimental builds]].<br />
<br />
== Discussion ==<br />
<br />
'''To help with testing, or for help in using Thunderbird's OpenPGP, please post in [https://thunderbird.topicbox.com/groups/e2ee e2ee topicbox]. Or chat at Matrix: #openpgp:mozilla.org'''<br />
<br />
Please report bugs at [https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Security%3A%20OpenPGP Bugzilla, product MailNews Core, component Security: OpenPGP]. (You need to register an account to access that link.)<br />
<br />
To discuss policy aspects of Thunderbird's OpenPGP, please post to the [https://mail.mozilla.org/listinfo/tb-planning public tb-planning mailing list].<br />
<br />
== Open issues and TODO list ==<br />
<br />
The best way to see our progress and open issues is to [https://bugzilla.mozilla.org/buglist.cgi?list_id=15255496&component=Security%3A%20OpenPGP&query_format=advanced run a Bugzilla query].<br />
<br />
In addition, we have a high level [[Thunderbird:OpenPGP:Status | overview of items that have already been worked on, and which are still ToDo]] (might be outdated).<br />
<br />
== Debugging / Tracing ==<br />
<br />
If you run into a problem, you may try the following mechanisms to obtain additional information, which may be useful for you, or for the Thunderbird developers when reporting a problem, to analyze the cause.<br />
<br />
=== Error Console ===<br />
The simplest is to open the Thunderbird Error Console. You can open it from the menu Tools→Developer Tools→Error Console. Messages shown in red are of particular interest.<br />
<br />
=== OpenPGP log ===<br />
To view some details about the processing of messages, you may set a preference in Thunderbird. Open menu Edit→Preferences→General, find the Config Editor. Add a new preference of the name <code>temp.openpgp.logDirectory</code> and set it to a string value, which must be the full name of a temporary directory, for example on Linux or macOS you could use value <code>/tmp/</code> . Once set, Thunderbird will write messages to a file named <code>enigdbug.txt</code> in that directory. The log will have a lot of information, most of which is harmless or not interesting. But it may contain clues about the cause of a problem.<br />
<br />
=== Enigmail 2.2.x Add-on log ===<br />
If you're trying to analyze a problem in the migration process that is performed by the Enigmail 2.2.x Add-on, please set the additional preference <code>extensions.enigmail.logDirectory</code> - it must also be set to a directory, but that must be a different directory than the one for OpenPGP log. For example, create a directory named <code>/tmp/enig22</code> and set <code>extensions.enigmail.logDirectory</code> to string value <code>/tmp/enig22</code>. If you set both variables, then two separate debug log files will be created, both named <code>enigdbug.txt</code>.<br />
<br />
=== RNP log ===<br />
Advanced users may attempt to view internal error messages produced by the OpenPGP cryptographic engine that Thunderbird uses (the RNP library). To do so, you need to set the environment variable called <code>RNP_LOG_CONSOLE</code>, e.g. in a Linux terminal you could do that using the command <code>export RNP_LOG_CONSOLE=1</code>. Then you must start Thunderbird from within that terminal window, to ensure that it will see the environment variable that you have set.<br />
<br />
[[category:Thunderbird|*]]</div>Arvidt