Package: thunderbird
Version: 1:60.3.0-1~deb9u1

Two coworkers experienced the following problem on Debian Stretch after
upgrading from 1:60.2.1-2~deb9u1 to 1:60.3.0-1~deb9u1:

After upgrading they no longer had their X509 certificate for signing
and encryption listed in the "Your certificates" tab.

Running sqlite on their profiles' key4.db made it apparent that the
nssPrivate table contained no entries whatsoever. Also key3.db contained
no entries wrt certificates and/or private keys.

I then restored a backup of their profiles from last week (before the
upgrade) and I saw that this snapshot didn't contain the new sqlite
versions of cert9.db and key4.db but only the Berkeley DB variants
cert8.db and key3.db. Running strings on the restored key3.db I was able
to see the CA that issued the certificate and the DN.

After starting thunderbird 1:60.3.0-1~deb9u1 with the restored profile
key4.db was created again - and again empty - and the entry in key3.db
vanished.

After restoring the profile once more and starting it with thunderbird
1:60.2.1-2~deb9u1 the certificate was listed in the "Your certificates"
tab and after unlocking it with the master password they could send
signed e-mails again.

Another upgrade to 1:60.3.0-1 wiped the private key again. I suppose
something goes horribly wrong when thunderbird tries to convert from
Berkeley DB to sqlite.

For other users (including myself) who already had a key4.db in place
this issue does not occur.

Even though the original thunderbird profiles were created probably on a
Debian Wheezy icedove back in the day, I think this is a serious bug
since it wipes private keys.

If you need any further information please let me know.

Kind regards,

Bastian
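
The check described in the report (is there a key4.db, and does its nssPrivate table hold any rows?) can be scripted to find profiles that still have only the Berkeley DB stores and to copy the key stores aside before an upgrade. This is an added example, not part of the original report or of Thunderbird; the function names, status labels and sample profiles are constructed for illustration, and only the file names and the nssPrivate table name come from the report.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

LEGACY = ("cert8.db", "key3.db")      # Berkeley DB stores named in the report
SQLITE = ("cert9.db", "key4.db")      # SQLite stores named in the report

def private_rows(key4: Path) -> int:
    """Rows in key4.db's nssPrivate table; -1 if it cannot be read."""
    try:
        con = sqlite3.connect(key4.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            return con.execute("SELECT COUNT(*) FROM nssPrivate").fetchone()[0]
        finally:
            con.close()
    except sqlite3.Error:
        return -1

def classify(profile: Path) -> str:
    """Hypothetical status labels: legacy-only profiles have not been migrated yet."""
    key4 = profile / "key4.db"
    if not key4.exists():
        legacy = any((profile / n).exists() for n in LEGACY)
        return "legacy-only" if legacy else "no-key-store"
    rows = private_rows(key4)
    if rows < 0:
        return "key4-unreadable"
    return "ok" if rows else "key4-empty"

def backup_key_stores(profile: Path, dest: Path) -> list:
    """Copy whichever key/cert stores exist, so a failed migration can be undone."""
    dest.mkdir(parents=True, exist_ok=True)
    names = [n for n in LEGACY + SQLITE if (profile / n).exists()]
    for n in names:
        shutil.copy2(profile / n, dest / n)
    return names

def make_sample(profile: Path, rows=None) -> Path:
    """Constructed test profile: key3.db stub, plus key4.db if rows is given."""
    profile.mkdir(parents=True)
    (profile / "key3.db").write_bytes(b"constructed stub, not a real Berkeley DB")
    if rows is not None:
        con = sqlite3.connect(profile / "key4.db")
        con.execute("CREATE TABLE nssPrivate (id INTEGER PRIMARY KEY)")
        con.executemany("INSERT INTO nssPrivate VALUES (?)", [(i,) for i in range(rows)])
        con.commit()
        con.close()
    return profile

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    for name, rows in (("old", None), ("wiped", 0), ("good", 1)):
        p = make_sample(root / name, rows)
        print(name, classify(p), backup_key_stores(p, root / "bak" / name))
```

Run it with Thunderbird closed; the database is opened read-only, so the check itself does not modify the profile.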