mail.identity.id1.pgpkeyId should be a full fingerprint
OpenPGP addon for Mozilla Thunderbird
Brought to you by: pbrunschwig
Enigmail's per-account configuration includes mail.identity.idX.pgpkeyId (en_US account preferences pane text: "Use specific OpenPGP key ID (0x1234ABCD)"), which is populated with a short (32-bit) key ID.
Forging a 32-bit keyId is trivial. If the account is configured in this way, and an attacker manages to inject a new subkey in the user's keyring, it's conceivable that the attacker's subkey could be used to encrypt the message instead of the user's subkey.
Changed on master for editing in Account selection. Key creation and setup wizard to follow.
Fixed on master. Existing settings are not touched though.
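Because existing settings are left as they were, a profile configured before the fix can still carry a short key ID. The following audit script is an added example, not Enigmail code and not part of the ticket: it scans prefs.js text for mail.identity.idX.pgpkeyId values that are not full fingerprints and shows how many keys in a keyring a short ID would select. It assumes v4 fingerprints (40 hex digits) and models key selection as a plain suffix match; the function names, sample prefs and sample fingerprints are constructed for illustration.

```python
import re

# prefs.js line format, e.g. user_pref("mail.identity.id1.pgpkeyId", "0x1234ABCD");
PREF_RE = re.compile(r'user_pref\("mail\.identity\.(id\d+)\.pgpkeyId",\s*"([^"]*)"\);')
KINDS = {8: "short-32bit", 16: "long-64bit", 40: "fingerprint"}  # hex digits -> kind

def normalize(value):
    """Strip whitespace and an optional 0x prefix; return upper-case hex or None."""
    h = re.sub(r"\s+", "", value)
    if h[:2].lower() == "0x":
        h = h[2:]
    return h.upper() if re.fullmatch(r"[0-9A-Fa-f]+", h) else None

def classify(value):
    """Classify a configured key ID by its number of hex digits."""
    h = normalize(value)
    return KINDS.get(len(h), "invalid") if h else "invalid"

def audit_prefs(text):
    """Return {identity: (value, kind)} for each pgpkeyId pref that is not a full fingerprint."""
    found = {m.group(1): (m.group(2), classify(m.group(2))) for m in PREF_RE.finditer(text)}
    return {k: v for k, v in found.items() if v[1] != "fingerprint"}

def candidates(value, fingerprints):
    """Keyring fingerprints selected by a suffix match on the configured ID (assumed model)."""
    h = normalize(value)
    return [f for f in fingerprints if h and normalize(f).endswith(h)]

# Constructed sample data (not taken from any real profile or keyring).
SAMPLE_PREFS = '''
user_pref("mail.identity.id1.pgpkeyId", "0x1234ABCD");
user_pref("mail.identity.id2.pgpkeyId", "0x0123456789ABCDEF0123456789ABCDEF01234567");
user_pref("mail.identity.id3.useremail", "user@example.org");
'''
SAMPLE_KEYRING = [
    "A" * 32 + "1234ABCD",                       # intended key
    "B" * 32 + "1234ABCD",                       # different key, same low 32 bits
    "0123456789ABCDEF0123456789ABCDEF01234567",  # referenced by full fingerprint
]

if __name__ == "__main__":
    for ident, (value, kind) in audit_prefs(SAMPLE_PREFS).items():
        n = len(candidates(value, SAMPLE_KEYRING))
        print(f"{ident}: {value} is {kind}; matches {n} key(s) in the keyring")
```

An identity reported here should be re-pointed at the full fingerprint of the intended key through the account settings.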