Hi,
> this is not differing between the Debian releases(, unfortunately).
> Debian hasn't touched any code here.
>
...
> First we/you need to check please if this behavior is also existing in
> the upstream binaries. To check this you can simply download the
> pre-compiled binary and start the thunderbird binary from that archive.
>
> amd64
> http://ftp.mozilla.org/pub/thunderbird/releases/60.3.0/linux-x86_64/
>
> i386
> http://ftp.mozilla.org/pub/thunderbird/releases/60.3.0/linux-i686/
>
> If the issue is also existing here then this needs to be reported to the
> Mozilla bugtracker and this report needs to be tagged to follow that
report.
>
> https://bugzilla.mozilla.org/
Indeed this seems to be an upstream bug, the upstream release is also
affected.
I also tested some more and found out, that there is a way to avoid
private key loss.
The scenario that hit us was trying to sign a message after upgrade and
when this failed thunderbird was restarted. The certificate was gone.
But when I view an encrypted message before restarting thunderbird will
prompt me for the master password and everything works fine. After
entering it also signing works. While watching the nssPrivate table in
key4.db I noticed that entering the master password will create a new
entry in that table.
After a restart, everything is still there and working.
This also works when e.g. changing a server password and saving it to
the password store, it seems the crucial factor is getting prompted for
the master password and entering it correctly.
I have however not yet tested what happens if you start thunderbird
aftter the upgrade and close it right away (i.e. not trying to sign
anything but also not entering the master password). I will try to test
this later but now I need a working mail client.
I am wondering why thunderbird will not prompt for the master password
when first trying to sign a message, but only for decryption.
I'll report back,
Bastian