
#1101 Encryption/signing broken, when using GnuPG engine

fixed
nobody
None
3.1.5
Support_Request
All
---
nobody
2023-11-22
2023-10-11
No

After the latest automatic update to Enigmail version 3.1.5 it is not possible to use the GnuPG engine anymore; sending encrypted email is broken. Only the OpenPGP.js engine is functional.

Platforms:
- Windows
- macOS

Observation when using GnuPG engine:
- sending encrypted email to own email-address works fine.
- sending encrypted email to other addresses (= you do not own the secret key) does not work.
- sending encrypted email to other addresses with ultimately trusted pubkeys does not work.
- decryption of incoming, encrypted mail is still working.
- deleting all caches and re-installation of all components did not fix the issue.

Workaround:
- Switch to OpenPGP.js and import the secret key from the GNUPGHOME secret keyring, import all public keys from GnuPG's pubkey ring. -> sending encrypted email works.

Remaining problem:
- Unfortunately, OpenPGP.js does not support OpenPGP keys stored on smartcards or secure tokens (e.g. Nitrokey). Thus, sending encrypted, unsigned email is possible; signing or decrypting email does not work.

  • Conclusion: Users with enhanced security won't be able to use enigmail-based MUA setups anymore.

Error Message: "Error in Enigmail: encryption/signing failed. Send the message unencrypted?"

The problem has existed since Monday, 2023 October 9th, after Enigmail automatically updated itself. Re-installation of MUA, GnuPG and Enigmail to most recent versions did not solve the problem.

Regards,

Thorsten

Discussion

  • Patrick Brunschwig

    In order to use GnuPG with Enigmail 3.1.x, you need to have gpgme-json, a component that is part of GnuPG, but not always distributed.

    On Windows, gpgme-json is installed by default with the latest version of gpg4win (4.2.0); make sure you install that version.
    On macOS it depends on which distribution of GnuPG you're using - I can't tell without further info.

     
    • Thorsten Schröder

      As I mentioned above, the components are installed with their latest version, including gpg4win and gnupg. gpgme-json.exe is available, and also included in PATH.

       
  • Patrick Brunschwig

    • Found in Version: 3.1.3 --> 3.1.5
    • Severity: Minor --> Support_Request
     
  • Patrick Brunschwig

    Can you attach a debug log file? (https://www.enigmail.net/index.php/en/faq-en/usage)

     
    • Thorsten Schröder

      Well, of course I would share parts of the log. However, it contains a lot of sensitive data that I don't want to share in public/on SourceForge. If you're willing to debug this issue together with me, I'd appreciate it if we could find a private channel and discuss debugging there, and get back to this tracker with results. lmk if this works for you and drop me a DM with preferred channels (e.g. matrix, signal, ...). Thanks!

       
  • Patrick Brunschwig

    You can send me an (encrypted) mail to patrick AT enigmail DOT net. My key is on keys.openpgp.org.

     
  • Patrick Brunschwig

    I don't know what you're using on macOS, but if you're using the GPG Suite then that would explain why Enigmail doesn't work. Unfortunately GPG Suite doesn't provide a component that Enigmail requires (gpgme-json). I'd recommend you install gpgOSX, which is compatible with Enigmail.

     
  • Ron OHara

    Ron OHara - 2023-11-21

    I just encountered the same problem. The debug log (and console) shows Enigmail looks up the email address from the keyring just fine BUT then says that no key with enough trust was found .. so the encryption/signing fails ...

    A workaround for urgent individual addresses is to use the Enigmail preferences. Choose the Key Selection tab, then 'Edit Rules'.

    This is where you can add a rule for the target email address to match a selected PGP public key.

    It looks like this creates a config (json) entry which gets used in preference to the normal lookup from the keyring (which is broken).

    EDIT
    Note that this public key is marked 'ultimate' for trust

    Example:
    rono@x360:~$ gpg --list-keys irifive
    pub rsa2048 2013-12-28 [SCA]
    A97B249F6EDB627742B50B2202435527389B616F
    uid [ultimate] Toby irifiveh@gmail.com
    sub rsa2048 2013-12-28 [E]

    LOG:

    2023-11-21 14:35:56.852 [DEBUG] errorHandling.jsm: parseErrorOutputWith: statusFlags = 00000000
    2023-11-21 14:35:56.852 [DEBUG] errorHandling.jsm: parseErrorOutputWith: return with c.errorMsg =
    2023-11-21 14:35:56.852 [DEBUG] execution.jsm: EnigmailExecution.fixExitCode: agentType: exitCode: 0 statusFlags undefined
    2023-11-21 14:35:56.852 [CONSOLE]
    2023-11-21 14:35:56.852 [DEBUG] keyRing.jsm: getValidKeyForRecipient(): emailAddr="irifiveh@gmail.com"
    2023-11-21 14:35:56.854 [DEBUG] keyRing.jsm: getValidKeyForRecipient(): no key with enough trust level for 'irifiveh@gmail.com' found
    2023-11-21 14:35:56.854 [DEBUG] keyRing.jsm: doValidKeysForAllRecipients(): return null (no single valid key found for="irifiveh@gmail.com" with minTrustLevel="?")
    2023-11-21 14:35:56.854 [DEBUG] enigmailMsgComposeHelper.js: doValidKeysForAllRecipients(): return null (key missing)
    2023-11-21 14:35:56.854 [DEBUG] enigmailMsgComposeHelper.js: validKeysForAllRecipients(): return 'null'
    2023-11-21 14:35:56.854 [DEBUG] <=== validKeysForAllRecipients()
    2023-11-21 14:35:56.854 [DEBUG] enigmailMsgComposeOverlay.js: Enigmail.msg.encryptTestMessage(): call encryptMessage() for fromAddr="0xF244BB1C319EA06E93928848095AD554F5FB1736" toAddrStr="irifiveh@gmail.com" bccAddrStr=""
    2023-11-21 14:35:56.854 [DEBUG] gpgme.js: encryptMessage(0xF244BB1C319EA06E93928848095AD554F5FB1736, irifiveh@gmail.com, 354, 12)
    2023-11-21 14:35:56.854 [DEBUG] gpgme.js: execJsonCmd({"op":"encrypt","keys":["0xF244BB1C319EA)
    2023-11-21 14:35:56.854 execution.jsm: execAsync: command = '/usr/bin/gpgme-json'
    2023-11-21 14:35:56.854 [CONSOLE]
    enigmail> /usr/bin/gpgme-json
    2023-11-21 14:35:56.866 [DEBUG] enigmail> DONE

     

    Last edit: Ron OHara 2023-11-21
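
A triage helper for the kind of debug log quoted in the post above, added here as an example and not part of the thread or of Enigmail: it lists the recipients that key selection rejected for insufficient trust, and replaces addresses and key IDs with stable placeholders so an excerpt can be posted on a public tracker. The log lines are constructed in the format shown above, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the Enigmail debug log quoted above;
# the addresses and the key ID are made up.
SAMPLE_LOG = """\
2023-11-21 14:35:56.852 [DEBUG] keyRing.jsm: getValidKeyForRecipient(): emailAddr="alice@example.org"
2023-11-21 14:35:56.854 [DEBUG] keyRing.jsm: getValidKeyForRecipient(): no key with enough trust level for 'alice@example.org' found
2023-11-21 14:35:56.854 [DEBUG] keyRing.jsm: doValidKeysForAllRecipients(): return null (no single valid key found for="alice@example.org" with minTrustLevel="?")
2023-11-21 14:35:56.854 [DEBUG] gpgme.js: encryptMessage(0x0123456789ABCDEF0123456789ABCDEF01234567, alice@example.org, 354, 12)
2023-11-21 14:35:57.100 [DEBUG] keyRing.jsm: getValidKeyForRecipient(): emailAddr="bob@example.org"
"""

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
KEYID = re.compile(r"\b(?:0x)?[0-9A-Fa-f]{16,40}\b")  # long key IDs and fingerprints
NO_TRUST = re.compile(r"no key with enough trust level for '([^']+)' found")
MIN_TRUST = re.compile(r'found for="([^"]+)" with minTrustLevel="([^"]*)"')


def redact(text):
    """Replace each distinct address or key ID with a stable placeholder,
    so lines about the same recipient can still be correlated."""
    seen = {}

    def repl_for(prefix):
        def repl(match):
            token = match.group(0).lower()
            if token not in seen:
                n = 1 + sum(v.startswith(f"<{prefix}") for v in seen.values())
                seen[token] = f"<{prefix}{n}>"
            return seen[token]
        return repl

    text = EMAIL.sub(repl_for("addr"), text)
    return KEYID.sub(repl_for("key"), text)


def trust_failures(text):
    """Map each recipient rejected at key selection to the logged
    minTrustLevel (None when the log does not state one)."""
    failures = {}
    for line in text.splitlines():
        if (m := NO_TRUST.search(line)):
            failures.setdefault(m.group(1), None)
        if (m := MIN_TRUST.search(line)):
            failures[m.group(1)] = m.group(2)
    return failures


if __name__ == "__main__":
    print(trust_failures(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```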
  • Ron OHara

    Ron OHara - 2023-11-21

    edited my previous post - a sample key and more information from the log

     
  • Patrick Brunschwig

    The (calculated) trust in Enigmail should not be confused with GnuPG's owner trust. Just setting ultimate trust won't help usually.

    From the log provided it's difficult to tell what could be wrong because it doesn't contain much relevant information. I'd need to know the exact version of Enigmail you're using, because I recently made some relevant changes. I'd also need to know your settings. It would help a lot if you could add the 1st part of the log file containing version info and settings.

     
  • Ron OHara

    Ron OHara - 2023-11-21

    Enigmail version 3.1.5
    OS/CPU=Linux x86_64
    Platform=X11
    Non-default preference values:
    keyCheckResult: {"expiredList":[],"lastCheck":1700548217638}
    configuredVersion: 3.1.5
    juniorMode: 0
    cryptoAPI: 1
    advancedUser: true
    displaySignWarn: false
    lastUpdateCheck: 1700548271
    agentPath: /usr/bin/gpg2
    protectedHeaders: 0
    dom.workers.maxPerDomain: 512

     
    • Patrick Brunschwig

      Please upgrade to Enigmail 3.1.7. As I said, I fixed quite a few things that are broken in 3.1.5

       
  • Ron OHara

    Ron OHara - 2023-11-22

    3.1.7 fixed it for me

     
  • Patrick Brunschwig

    • status: open --> fixed
     
