What to do if Enigmail suddenly doesn't start or doesn't respond for several minutes

2019-07-27
2021-08-07
  • Patrick Brunschwig

    If Enigmail worked correctly until recently and all of a sudden it looks like Enigmail doesn't initialize anymore, doesn't decrypt any messages anymore, or is otherwise extremely slow, then it's likely that you got a key on your keyring that is spoiled with 100.000s of useless signatures (also known as a DoS attack on SKS keyservers).

    Here is how to resolve this issue:

    Step 1

    Find any poisoned keys. The following script is for Linux/macOS/Unix:

    < ${GNUPGHOME:-~/.gnupg}/pubring.gpg gpg --list-packets | awk -F= -v oldoff=-1 -v keyid=unset '
    /^# off=/{ off = $2 + 0 }
    /^:public key/{
        if (oldoff>-1) { print (off - oldoff) " " keyid };
        oldoff = off; keyid = "unset";
    }
    /keyid:/ {if (keyid == "unset") { keyid = $1; } }
    END { print (off - oldoff) " " keyid ; };' | sort -n
    

    The biggest keys are probably the poisoned ones. There should be no lines with values greater than 10.000. Let's assume your list starts like this:

    1424542     keyid: D2BB0D0165D0FD58
    8203788     keyid: EE8192A6E443D6D8
    15874931     keyid: DB1187B9DD5F693B
    8762     keyid: 781617319CE311C4
    ...
    

    Then you should repair the top 3 keys.

    Step 2

    To clean a key from the unusable signatures, type the following command, replacing KEYID with the keyid of the poisoned key. Repeat this for all affected keys:

    gpg --edit-key KEYID clean save
    

    This can take up to 60 minutes on a reasonably fast notebook.

    Step 3

    After the clean-up of all keys, pick the top key and execute:

    gpg --edit-key KEYID check clean save
    

    This should now be pretty quick. Enigmail should be responsive again after this.

     
    • Olav Seyfarth

      Olav Seyfarth - 2019-07-27

      I just tried that script on my Arch Linux laptop. I only have GnuPG 2.2 installed, keys are converted to the new keyDB format. Thus I don't have a pubring.gpg so the script yields

      script: line 1: /home/olav/.gnupg/pubring.gpg: file not found
      1 unset

       

      Last edit: Olav Seyfarth 2019-07-27
  • Patrick Brunschwig

    Correct. But if you have a new keyDB database, you won't see the symptoms I described. In this case, you will only experience very slow performance if you directly access one of the keys affected. Loading the keylist etc. (which is the cause for the symptoms I described) will be OK.
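An added example, not part of the thread and not Enigmail or GnuPG code: the same per-key size listing as Step 1, computed by parsing the OpenPGP packet headers directly and also counting signature packets per key. It assumes the binary (unarmored) output of `gpg --export` on standard input, e.g. `gpg --export | python3 keysizes.py` (the file name and the function names are made up here), so it does not depend on a `pubring.gpg` file being present.

```python
import hashlib
import sys

def packets(data):
    """Yield (tag, body, total_size) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        start, hdr = i, data[i]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet at offset {i}")
        i += 1
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length], i + length - start
        i += length

def key_id(body):
    """Key ID of a version 4 key: low 64 bits of its SHA-1 fingerprint."""
    if body[:1] != b"\x04":
        return "unknown"
    fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
    return fpr[-8:].hex().upper()

def certificates(data):
    """Return [size_in_bytes, signature_count, key_id] per key, biggest first."""
    certs = []
    for tag, body, size in packets(data):
        if tag == 6 or not certs:           # public-key packet starts a new key
            certs.append([0, 0, key_id(body) if tag == 6 else "unknown"])
        certs[-1][0] += size
        certs[-1][1] += tag == 2            # count signature packets
    return sorted(certs, reverse=True)

if __name__ == "__main__":
    for size, sigs, kid in certificates(sys.stdin.buffer.read()):
        print(f"{size:>10} {sigs:>8} {kid}")
```

The output columns are size in bytes, number of signature packets, and key ID; the key IDs at the top of the list are the ones to pass to Step 2.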

     
