Closed Bug 1765740 Opened 3 years ago Closed 3 years ago

GPG Key disappears after update to 91.8.0 - key uses SHA-1, expiration date has not been changed.

Categories

(MailNews Core :: Security: OpenPGP, defect)

Thunderbird 91
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1763641

People

(Reporter: ralph.staudigl, Unassigned)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

Steps to reproduce:

Updating to Thunderbird 91.8.0 / 91.8.1

Actual results:

One of my GPG keys is no longer shown and cannot be imported again.
When trying to import it again I get the error:
OpenPGP Alert
Importing the keys failed.
Can be reproduced with:
https://keys.openpgp.org/vks/v1/by-fingerprint/07B9BD485A78EAF7B9DBE96C4C423EBF340BD0C2

Expected results:

All present GPG keys should be shown like in TB 91.7.0.
Also, the key should be able to be imported like in TB 91.7.0.

Is the key SHA-1? See bug 1763641

Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

Yes according to pgpdump

...
Old: Signature Packet(tag 2)(575 bytes)
Ver 4 - new
Sig type - Positive certification of a User ID and Public Key packet(0x13).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA1(hash 2)
...

It seems to be SHA-1.
But in contrast to bug 1763641 the expiration date has not been changed.

After switching the key's Hash alg to SHA-512 the import worked as expected.
Since SHA-1 is still supported by current GPG versions, it still would be nice if those keys would not disappear with new TB versions.
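
To check a key for this condition before upgrading, the following added example (not part of the bug thread and not Thunderbird or pgpdump code) walks the packets of a binary OpenPGP key and reports the hash algorithm of each v4 signature packet, the same field pgpdump prints as "Hash alg". The function names, the FLAGGED policy set and the sample bytes are assumptions made for illustration.

```python
# Hash algorithm IDs from RFC 4880, section 9.4
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
FLAGGED = {"MD5", "SHA1"}  # assumption: this example's policy, not Thunderbird's

def packets(data):
    """Yield (tag, body) for each packet in a binary (dearmored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header ("New:" in pgpdump)
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                size, length = 0, first
            elif first < 224:
                size, length = 1, ((first - 192) << 8) + data[i] + 192
            elif first == 255:
                size, length = 4, int.from_bytes(data[i:i + 4], "big")
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header ("Old:" in pgpdump)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = 1 << ltype  # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + size], "big")
        i += size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def signature_hashes(data):
    """Return (sig_type, hash_name, flagged) for every v4 signature packet."""
    out = []
    for tag, body in packets(data):
        if tag == 2 and len(body) >= 4 and body[0] == 4:
            name = HASH_NAMES.get(body[3], f"unknown({body[3]})")
            out.append((body[1], name, name in FLAGGED))
    return out

# Constructed sample, not a real key: a User ID packet, then two signature
# packets cut down to their fixed fields (no subpackets, no signature MPIs).
SAMPLE = bytes.fromhex("b40474657374" "880a04130102000000000000"
                       "c20a0418010a000000000000")
```

The input must be the binary form of the key; an ASCII-armored export has to be dearmored first (for example with `gpg --dearmor`).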

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Keywords: regression
Resolution: --- → DUPLICATE
Summary: GPG Key disappears after update to 91.8.0 → GPG Key disappears after update to 91.8.0 - key uses SHA-1, expiration date has not been changed.

Ralph, did you use GnuPG to create your key in 2019, or other software?

If it was GnuPG, do you know which version you had used?

I think all versions of GnuPG from 2.0.13 (2009) used something better than SHA-1.
Did you have a GnuPG configuration file that requests the use of SHA-1?

Hello Kai,
when I created the key in 2019, I was using Linux Solus, and I didn't have gpg.conf. Since 2020 I switched to Fedora (back then 33) and currently 35. In order to change the digest of the key and the subkeys now, I had to exclude SHA1 in the gpg.conf.
Best, Ralph
