Re: request a replacement for Thunderbird + Enigmail
On 2023-01-03 at 14:12 -0700, Charles Curley wrote: > On Tue, 3 Jan 2023 09:04:12 -0500 > Jeffrey Walton wrote: > > > Claws email with the GPG plugin is popular. It may be a good fit > > for > > you, too. > > > > https://www.claws-mail.org/plugin.php?plugin=gpg > > Concur. You didn't indicate whether you use mbox or maildir format (or > something else). Claws-mail will likely be able to read your existing > emails with no issues. evolution also has good support for OpenPGP mail. Both Claws and evolution use GnuPG as backend (as did the old Enigmail), so you should see no difference wrt. keeping keys in memory without requiring the password (handled by gpg-agent), or trusting the keys of the recipients. I see that evolution filters support playing a sound as an action. I don't know what the Virtual Identity plugin does. Apparently, it's no longer on AMO.
Re: request a replacement for Thunderbird + Enigmail
On Tuesday, 3 Jan 2023 at 21:27, Michel Verdier wrote: > I use Gnus (on emacs). I fetch mails with pop3s from different providers, > send mails to corresponding smtp servers based on sending address (could > be different criteria). I use nnml backend which store 1 mail per file, > so no big database, best perf, easy backup and no mail losses. Gnus use > standard gpg for encryption. I use swish for indexing and searching mails. Pretty much the same for me except for notmuch instead of swish for indexing/searching. Works very well in all respects including gpg. -- Eric S Fraga via gnus (Emacs 30.0.50 2023-01-02) on Debian 11.5
Re: request a replacement for Thunderbird + Enigmail
Am 03.01.2023 um 15:04 schrieb Jeffrey Walton:> Claws email with the GPG plugin is popular. It may be a good fit for you, too. > > https://www.claws-mail.org/plugin.php?plugin=gpg > > Jeff Thank you so much. I am going to check it out, test it and possibly prepare the transition if all goes well. (Not a short term adventure, but i do have the time ...) Have a happy year 2023! DdB
Re: request a replacement for Thunderbird + Enigmail
On Tue, 3 Jan 2023 09:04:12 -0500 Jeffrey Walton wrote: > Claws email with the GPG plugin is popular. It may be a good fit for > you, too. > > https://www.claws-mail.org/plugin.php?plugin=gpg Concur. You didn't indicate whether you use mbox or maildir format (or something else). Claws-mail will likely be able to read your existing emails with no issues. -- Does anybody read signatures any more? https://charlescurley.com https://charlescurley.com/blog/
Re: request a replacement for Thunderbird + Enigmail
Le 3 janvier 2023 DdB a écrit : > How are YOU dealing with encryption, with multiple providers, with > addresses created on-the-fly, with a huge email history, and so on? I use Gnus (on emacs). I fetch mails with pop3s from different providers, send mails to corresponding smtp servers based on sending address (could be different criteria). I use nnml backend which store 1 mail per file, so no big database, best perf, easy backup and no mail losses. Gnus use standard gpg for encryption. I use swish for indexing and searching mails.
Re: request a replacement for Thunderbird + Enigmail
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 --- Original Message --- On Tuesday, January 3rd, 2023 at 12:46 AM, DdB wrote: > How are YOU dealing with encryption, with multiple providers, with > addresses created on-the-fly, with a huge email history, and so on? Protonmail with its bridge (to TB or equivalent) might do for you. -- Glenn English -BEGIN PGP SIGNATURE- Version: ProtonMail wsBzBAEBCAAnBQJjtFQ/CRCf14YxgqyMMhYhBCyicw9CUnAlY0ANl5/XhjGC rIwyAAB2nggAynqMSsq7KMtDFj0dlWAQNMJ0eMnbHpK9kQUWw45nwxW53vU5 KZp/pimz3UEnqSUFaGENWqZPC/sT/Nx1c6kcjCqMAzP7/BsARZnsYlARuAr4 IY9Np6kcjremhSkvNZHVBVxFFm65z95Fq5juW8DDw2wXWC+2q0BhCrQgg2E+ E1NqB6b06dAscv0ItRo7iidcX4VTc1otICnlGU7T/TajIU7Kk5tFofX8uzPU uLemHWdmcnF8f3G6Q20DUrTcSFuq7JJg+p13FFaIFW/VbgVN9tGz6b0UMEzF +hnmgYHNTezMo1FBm4XNYl/pJPJnNpPDanRMleAAw6XER5L5ub9QaA== =Vzpv -END PGP SIGNATURE-
Re: request a replacement for Thunderbird + Enigmail
On Tue, Jan 3, 2023 at 2:47 AM DdB wrote: > > i feel the time has come to find a more up-to-date replacement for my > email-solution, but ... > > Up til now, i am using Thunderbird (52.9.1 (64-Bit) + Enigmail + > ToneQuilla + Virtual Identity and more ...) on stretch from inside a > Virtualbox-VM. > > That allowed to correspond seamlessly with GPG users on more than 20 > addresses (from 6 different providers), while i was acoustically > notified about the different levels of relevance of those mails, since > 20+ years. (makes a huge database) > > While keeping this stuff alive for an extended period of time, i have > been able to prevent the necessity to enter any passphrase manually, to > decrypt/encrypt automatically, and many more convenient solutions to > ease my life. > > Of course, i knew, that this could come to an end, but i have not found > a valid replacement yet. The current Thunderbird fails big time at > solving the GPG part, even worse: They (Mozilla/NSA/???) want to have > control over private keys in their own keystore, built by people > obviously not skilled enough to create a(ny) secure piece of software. > That is why i refused to embark on the path of replacing the isolated, > but integrated solution Enigmail with something less trustworthy, less > flexible, and less stable. > > But i feel, i will have to start building up an alternative, could not > yet make up my mind. > > That is why i am asking for your communities experience and recommendations. > > How are YOU dealing with encryption, with multiple providers, with > addresses created on-the-fly, with a huge email history, and so on? > > Really interested to find a solution, that can last for many years to come. Claws email with the GPG plugin is popular. It may be a good fit for you, too. https://www.claws-mail.org/plugin.php?plugin=gpg Jeff
request a replacement for Thunderbird + Enigmail
Hello List, i feel the time has come to find a more up-to-date replacement for my email-solution, but ... Up til now, i am using Thunderbird (52.9.1 (64-Bit) + Enigmail + ToneQuilla + Virtual Identity and more ...) on stretch from inside a Virtualbox-VM. That allowed to correspond seamlessly with GPG users on more than 20 addresses (from 6 different providers), while i was acoustically notified about the different levels of relevance of those mails, since 20+ years. (makes a huge database) While keeping this stuff alive for an extended period of time, i have been able to prevent the necessity to enter any passphrase manually, to decrypt/encrypt automatically, and many more convenient solutions to ease my life. Of course, i knew, that this could come to an end, but i have not found a valid replacement yet. The current Thunderbird fails big time at solving the GPG part, even worse: They (Mozilla/NSA/???) want to have control over private keys in their own keystore, built by people obviously not skilled enough to create a(ny) secure piece of software. That is why i refused to embark on the path of replacing the isolated, but integrated solution Enigmail with something less trustworthy, less flexible, and less stable. But i feel, i will have to start building up an alternative, could not yet make up my mind. That is why i am asking for your communities experience and recommendations. How are YOU dealing with encryption, with multiple providers, with addresses created on-the-fly, with a huge email history, and so on? Really interested to find a solution, that can last for many years to come. regards, DdB
Re: Thunderbird / enigmail
Greg Marks wrote on 10/21/20 5:23 PM: I had no problems transitioning from Enigmail to Thunderbird 78.3.1, which has removed Enigmail. With an existing GPG installation, it was necessary to run the command "gpg --export-secret-keys --armor > private_key.asc" for importation into Thunderbird. Then in Thunderbird, clicking the main account header in the side panel brings up a link "End-to-end encryption." This brings up "Account Settings," toward the bottom of which is an "End-To-End Encryption" header. From here one can enable OpenPGP by importing the "private_key.asc" file created earlier. OK, but how do I create a sticky setting that tells TB to use encryption? If I go to "Account Settings | End-to-End Encryption" I can select and add a key to an account. But there doesn't seem to be a "save" function, and as soon as I leave the settings page, the setting reverts to "None - do not use OpenPGP for this identity". The first step is not exactly adding a key to an account. The first step is importing a private GPG key stored on your computer for use in Thunderbird; this key can then be used (or not) with any e-mail account you are accessing via Thunderbird. (For example, you might access both a work e-mail account and a personal e-mail account in Thunderbird.) I'll try to elaborate on my previous message with more details. I'm assuming you have an existing GPG key stored in the subdirectory ~/.gnupg of your home directory and have run the command "gpg --export-secret-keys --armor > private_key.asc" already. 1. In Thunderbird, under Account Settings --> End-to-End Encryption," under the "OpenPGP" section, initially it will say, "Thunderbird doesn't have a personal OpenPGP key for [your e-mail address]." Next to that message is a button "Add Key." Yep; that's what I did. 2. Clicking on that button opens a new window with the message, "If you have an existing personal key for this email address, you should import it. Otherwise you will not have access to your archives of encrypted emails, nor be able to read incoming encrypted emails from people who are still using your existing key." You will be able to select either "Create a new OpenPGP Key" or "Import an existing OpenPGP Key." Select "Import an existing OpenPGP Key" and click "Continue." Yep; that's what I did. 3. In the next window that opens, click "Select File to Import" and select the file "private_key.asc" created earlier. Yep; that's what I did. 4. A new window will open that should have a message at the top saying (in my case) "Thunderbird found 2 keys that can be imported"; each will be listed with its ID, e-mail address, and a box you can check saying "Treat this key as a Personal Key." (In my case, I selected my most recent key, the earlier one having been revoked.) Click "Continue." You'll be asked to enter the passphrase used to decrypt access to your private key on your machine. Then a window should open with a green highlighted message saying "OpenPGP Keys successfully imported!" Each key will be listed with a button "Key Properties." Yep; that's what I did. 5. At the bottom of the window there will be a message, "To start using your imported OpenPGP key for email encryption, close this dialog and access your Account Settings to select it." Click Continue. Then, on the Account Settings --> End-to-End Encryption screen, deselect "None" and select the ID of the OpenPGP key. Yep; that's what I did. That's the thing that I don't know how to make sticky. Merely selecting the ID doesn't seem to do anything except that the marked radio button switches from "None" to the key ID. If I leave that screen and return to it, the "None" radio button is marked again. 6. At the bottom of the page you can select default settings for sending messages: whether to encrypt by default, whether to digitally sign be default. If you are using Thunderbird to access multiple accounts, you will set these options on the "Account Settings --> End-to-End Encryption" page for each account. Nope; they remain greyed out, even after step 5. 7. Quit Thunderbird and restart it. (This step is probably unnecessary but couldn't hurt.) I'm afraid that that doesn't help. I still can't use encryption, and when I go back to the e2ee screen under the account settings, "None" is selected, not the key I previously selected. So far as I can tell, account settings in Thunderbird are sticky by default. If I go to Account Settings (accessible under the "Edit" drop-down menu of Thunderbird), change an option, and then simply close the "Account Settings" tab, the option stays as I set it until
Re: Thunderbird / enigmail
> > I had no problems transitioning from Enigmail to Thunderbird 78.3.1, > > which has removed Enigmail. With an existing GPG installation, it > > was necessary to run the command "gpg --export-secret-keys --armor > > > private_key.asc" for importation into Thunderbird. Then in Thunderbird, > > clicking the main account header in the side panel brings up a link > > "End-to-end encryption." This brings up "Account Settings," toward the > > bottom of which is an "End-To-End Encryption" header. From here one can > > enable OpenPGP by importing the "private_key.asc" file created earlier. > > OK, but how do I create a sticky setting that tells TB to use encryption? > > If I go to "Account Settings | End-to-End Encryption" I can select and add a > key to an account. But there doesn't seem to be a "save" function, and as > soon as I leave the settings page, the setting reverts to "None - do not use > OpenPGP for this identity". The first step is not exactly adding a key to an account. The first step is importing a private GPG key stored on your computer for use in Thunderbird; this key can then be used (or not) with any e-mail account you are accessing via Thunderbird. (For example, you might access both a work e-mail account and a personal e-mail account in Thunderbird.) I'll try to elaborate on my previous message with more details. I'm assuming you have an existing GPG key stored in the subdirectory ~/.gnupg of your home directory and have run the command "gpg --export-secret-keys --armor > private_key.asc" already. 1. In Thunderbird, under Account Settings --> End-to-End Encryption," under the "OpenPGP" section, initially it will say, "Thunderbird doesn't have a personal OpenPGP key for [your e-mail address]." Next to that message is a button "Add Key." 2. Clicking on that button opens a new window with the message, "If you have an existing personal key for this email address, you should import it. Otherwise you will not have access to your archives of encrypted emails, nor be able to read incoming encrypted emails from people who are still using your existing key." You will be able to select either "Create a new OpenPGP Key" or "Import an existing OpenPGP Key." Select "Import an existing OpenPGP Key" and click "Continue." 3. In the next window that opens, click "Select File to Import" and select the file "private_key.asc" created earlier. 4. A new window will open that should have a message at the top saying (in my case) "Thunderbird found 2 keys that can be imported"; each will be listed with its ID, e-mail address, and a box you can check saying "Treat this key as a Personal Key." (In my case, I selected my most recent key, the earlier one having been revoked.) Click "Continue." You'll be asked to enter the passphrase used to decrypt access to your private key on your machine. Then a window should open with a green highlighted message saying "OpenPGP Keys successfully imported!" Each key will be listed with a button "Key Properties." 5. At the bottom of the window there will be a message, "To start using your imported OpenPGP key for email encryption, close this dialog and access your Account Settings to select it." Click Continue. Then, on the Account Settings --> End-to-End Encryption screen, deselect "None" and select the ID of the OpenPGP key. 6. At the bottom of the page you can select default settings for sending messages: whether to encrypt by default, whether to digitally sign be default. If you are using Thunderbird to access multiple accounts, you will set these options on the "Account Settings --> End-to-End Encryption" page for each account. 7. Quit Thunderbird and restart it. (This step is probably unnecessary but couldn't hurt.) 8. When you compose or reply to a message, in the Composition Toolbar of the composition window (which will appear at the top, right underneath "File," "Edit," "View," etc.), you should see "Send," "Spelling," "Security," and "Save." 9. "Security" provides a drop-down menu for "Encryption Technology" (choose OpenPGP), "Do Not Encrypt," "Require Encryption," "Digitally Sign This Message," "Attach My Public Key," and "View Security Info." Here you can alter the default settings you chose in "Account Settings --> End-to-End Encryption." So far as I can tell, account settings in Thunderbird are sticky by default. If I go to Account Settings (accessible under the "Edit" drop-down menu of Thunderbird), change an option, and the
Re: Thunderbird / enigmail
Greg Marks wrote on 10/13/20 9:37 AM: I had no problems transitioning from Enigmail to Thunderbird 78.3.1, which has removed Enigmail. With an existing GPG installation, it was necessary to run the command "gpg --export-secret-keys --armor > private_key.asc" for importation into Thunderbird. Then in Thunderbird, clicking the main account header in the side panel brings up a link "End-to-end encryption." This brings up "Account Settings," toward the bottom of which is an "End-To-End Encryption" header. From here one can enable OpenPGP by importing the "private_key.asc" file created earlier. OK, but how do I create a sticky setting that tells TB to use encryption? If I go to "Account Settings | End-to-End Encryption" I can select and add a key to an account. But there doesn't seem to be a "save" function, and as soon as I leave the settings page, the setting reverts to "None - do not use OpenPGP for this identity". Doc PS BTW Thanks very much for the instructions; I would have been completely lost without them. This sure isn't easy/obvious. -- Web: http://enginehousebooks.com/drevans
Re: Thunderbird / enigmail
On 10/13/20 9:14 AM, D. R. Evans wrote: [snip] I'm wondering if any enigmail user here has installed the update, and if they have had any problems with the transition to the new enigmail-less encrypted e-mail system. On Buster, I have installed the thunderbird update and removed enigmail without any issues. The install notes walk you through the simple process. Regards, Ralph OpenPGP_signature Description: OpenPGP digital signature
Re: Thunderbird / enigmail
On 13-10-2020 23:26, D. R. Evans wrote: > I see that the latest official updates to debian stable want to remove > enigmail and install a new version of Thunderbird. > > I recall a couple of years ago the same thing happened, and encrypted e-mail > was effectively broken for a couple of months until a version of enigmail > compatible with the updated Thunderbird became available from the official > repository. But I seem to recall reading somewhere a while back that the > enigmail functionality was going to be incorporated into Thunderbird upstream. > So I am wondering if perhaps this has happened and that that is what the > intended removal of enigmail signifies: i.e., that encrypted e-mail is part of > the newer Thunderbird that is now in the official repository. > > So I'd like to know if anyone who uses encrypted e-mail has taken the plunge > and installed the newer version of Thunderbird that the official buster > repository is offering (and also, therefore, removed enigmail); and, if so, > have there been any issues with using encrypted e-mail following the update. None. There's a transfer agent in the new Thunderbird which transfers the while scenario. But, I took the opportunity to transfer over to Claws-mail, as it broke Lightning, anyway. No negative aspects that I can discern, with the right plug-ins. Cheers! Harry -- `Religion is regarded by the common people as true, by the wise as false, and by the rulers as useful'. — Lucius Annæus Seneca. Terrorism, the new religion. Registered Linux User: 554515
Re: Thunderbird / enigmail
Greg Marks wrote on 10/13/20 9:37 AM: >> So I'd like to know if anyone who uses encrypted e-mail has taken >> the plunge and installed the newer version of Thunderbird that the >> official buster repository is offering (and also, therefore, removed >> enigmail); and, if so, have there been any issues with using encrypted >> e-mail following the update. > > I had no problems transitioning from Enigmail to Thunderbird 78.3.1, > which has removed Enigmail. With an existing GPG installation, it > was necessary to run the command "gpg --export-secret-keys --armor > > private_key.asc" for importation into Thunderbird. Then in Thunderbird, > clicking the main account header in the side panel brings up a link > "End-to-end encryption." This brings up "Account Settings," toward the > bottom of which is an "End-To-End Encryption" header. From here one can > enable OpenPGP by importing the "private_key.asc" file created earlier. > (Afterwards "private_key.asc" should be securely deleted, e.g. with srm.) > Once this is complete, when composing an e-mail in the new Thunderbird, > there is a "Security" tab near the top permitting one to encrypt or > digitally sign the message. It all seems to work fine. > Thank you for that encouraging information. I'll give it a day or two to see if anyone says that they had problems with the transition, and, if not, will give it a shot, hoping and expecting that it will be as smooth as your experience. [The experience a couple of years ago when debian stable for a while wouldn't permit encrypted e-mail from Thunderbird has probably made me over-cautious on this subject.] Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: Thunderbird / enigmail
> So I'd like to know if anyone who uses encrypted e-mail has taken > the plunge and installed the newer version of Thunderbird that the > official buster repository is offering (and also, therefore, removed > enigmail); and, if so, have there been any issues with using encrypted > e-mail following the update. I had no problems transitioning from Enigmail to Thunderbird 78.3.1, which has removed Enigmail. With an existing GPG installation, it was necessary to run the command "gpg --export-secret-keys --armor > private_key.asc" for importation into Thunderbird. Then in Thunderbird, clicking the main account header in the side panel brings up a link "End-to-end encryption." This brings up "Account Settings," toward the bottom of which is an "End-To-End Encryption" header. From here one can enable OpenPGP by importing the "private_key.asc" file created earlier. (Afterwards "private_key.asc" should be securely deleted, e.g. with srm.) Once this is complete, when composing an e-mail in the new Thunderbird, there is a "Security" tab near the top permitting one to encrypt or digitally sign the message. It all seems to work fine. Best regards, Greg Marks signature.asc Description: PGP signature
Re: Thunderbird / enigmail
On 10/13/2020 5:14 PM, D. R. Evans wrote: to...@tuxteam.de wrote on 10/13/20 8:25 AM: On Tue, Oct 13, 2020 at 07:26:28AM -0600, D. R. Evans wrote: repository. But I seem to recall reading somewhere a while back that the enigmail functionality was going to be incorporated into Thunderbird upstream. This is true, AFAIK, from Thunderbird 78 on. See [1]. Cheers [1] https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ - t Yes, that's the post I think I saw. Still, preferring not to be a guinea pig on this occasion, I'm wondering if any enigmail user here has installed the update, and if they have had any problems with the transition to the new enigmail-less encrypted e-mail system. I would go and ask on the enigmail mailing list! :) -- John Doe
Re: Thunderbird / enigmail
to...@tuxteam.de wrote on 10/13/20 8:25 AM: > On Tue, Oct 13, 2020 at 07:26:28AM -0600, D. R. Evans wrote: >> repository. But I seem to recall reading somewhere a while back that the >> enigmail functionality was going to be incorporated into Thunderbird >> upstream. > > This is true, AFAIK, from Thunderbird 78 on. See [1]. > > Cheers > > [1] https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ > - t Yes, that's the post I think I saw. Still, preferring not to be a guinea pig on this occasion, I'm wondering if any enigmail user here has installed the update, and if they have had any problems with the transition to the new enigmail-less encrypted e-mail system. Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: Thunderbird / enigmail
On Tue, Oct 13, 2020 at 07:26:28AM -0600, D. R. Evans wrote: > I see that the latest official updates to debian stable want to remove > enigmail and install a new version of Thunderbird. > > I recall a couple of years ago the same thing happened, and encrypted e-mail > was effectively broken for a couple of months until a version of enigmail > compatible with the updated Thunderbird became available from the official > repository. But I seem to recall reading somewhere a while back that the > enigmail functionality was going to be incorporated into Thunderbird upstream. This is true, AFAIK, from Thunderbird 78 on. See [1]. Cheers [1] https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/ - t signature.asc Description: Digital signature
Thunderbird / enigmail
I see that the latest official updates to debian stable want to remove enigmail and install a new version of Thunderbird. I recall a couple of years ago the same thing happened, and encrypted e-mail was effectively broken for a couple of months until a version of enigmail compatible with the updated Thunderbird became available from the official repository. But I seem to recall reading somewhere a while back that the enigmail functionality was going to be incorporated into Thunderbird upstream. So I am wondering if perhaps this has happened and that that is what the intended removal of enigmail signifies: i.e., that encrypted e-mail is part of the newer Thunderbird that is now in the official repository. So I'd like to know if anyone who uses encrypted e-mail has taken the plunge and installed the newer version of Thunderbird that the official buster repository is offering (and also, therefore, removed enigmail); and, if so, have there been any issues with using encrypted e-mail following the update. Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: Thunderbird 78.3 avec Enigmail ?
Merci de cette explication claire :)) Il se trouve que je ne confie jamais mes mots de passe à un navigateur quel qu'il soit, mais à KeepassXC seulement, et qu'en gros je n'ouvre Thunderbird que pour envoyer et recevoir des mails cryptés, j'utilise habituellement un webmail et Thunderbird est fermé. Dans ces conditions et au vu de tes explications, ça me semble raisonnablement sûr, l'absolu n'existant pas dans ce domaine. Ça n'empêche pas de pousser Thunderbird à être plus exigeant en la matière. Cordialement - Mail original - > De: "Sébastien Dinot" > À: debian-user-french@lists.debian.org > Envoyé: Lundi 12 Octobre 2020 21:57:02 > Objet: Re: Thunderbird 78.3 avec Enigmail ? > Jean Bernon a écrit : > > L'ensemble me semble sûr ? > Plusieurs points me chagrinent dans la démarche de Thunderbird. > Le premier et le plus important est de principe. La cryptographie est > un > savoir-faire à part entière et des plus pointus. Les outils > fournissant > ce service sont critiques. Ils doivent être robustes, fiables et > sûrs, > car ils sont la clé de voûte de trois fonctions essentielles : > * L'authentification > * La signature (et le contrôle d'intégrité) > * Le chiffrement > Or, Thunderbird est notoirement en manque de contributeurs et se > lancer > dans un tel chantier quand on manque de ressources est déraisonnable, > d'autant plus que nous disposons déjà de briques cryptographiques > éprouvées. > En outre, Thunderbird offre un large éventail de fonctions. Il expose > donc une surface d'attaque bien plus grande qu'un outil se limitant à > la > cryptographie. Si j'ai choisi de confier mes identifiants d'accès à > mes > comptes en ligne à KeePassXC plutôt qu'à Firefox, c'est parce que > j'ai > plus confiance en un outil dédié qu'en un outil se livrant à une > surenchère fonctionnelle tout azimut avec ses concurrents. > Mon dernier grief concerne le choix de protéger l'acès aux clés > privées > par le mot de passe maître de Thunderbird. Une fois celui-ci saisi, > les > secrets stockés par Thunderbird sont utilisables sans entrave tant > que > Thunderbird est ouvert. Si l'utilisateur oublie de verrouiller sa > session avant de s'éloigner de son poste, un tiers peut envoyer des > messages signés à son insu ou lire ses messages chiffrés. À > contrario, > GnuPG me demande de saisir le mot de passe verrouillant ma clé à > chaque > fois que je veux signer ou déchiffrer un message et Enigmail oublie > le > mot de passe au bout de 5 minutes. C'est bien plus sûr. > Sébastien > -- > Sébastien Dinot, sebastien.di...@free.fr > http://www.palabritudes.net/ > Ne goûtez pas au logiciel libre, vous ne pourriez plus vous en passer > !
Re: Thunderbird 78.3 avec Enigmail ?
Jean Bernon a écrit : > L'ensemble me semble sûr ? Plusieurs points me chagrinent dans la démarche de Thunderbird. Le premier et le plus important est de principe. La cryptographie est un savoir-faire à part entière et des plus pointus. Les outils fournissant ce service sont critiques. Ils doivent être robustes, fiables et sûrs, car ils sont la clé de voûte de trois fonctions essentielles : * L'authentification * La signature (et le contrôle d'intégrité) * Le chiffrement Or, Thunderbird est notoirement en manque de contributeurs et se lancer dans un tel chantier quand on manque de ressources est déraisonnable, d'autant plus que nous disposons déjà de briques cryptographiques éprouvées. En outre, Thunderbird offre un large éventail de fonctions. Il expose donc une surface d'attaque bien plus grande qu'un outil se limitant à la cryptographie. Si j'ai choisi de confier mes identifiants d'accès à mes comptes en ligne à KeePassXC plutôt qu'à Firefox, c'est parce que j'ai plus confiance en un outil dédié qu'en un outil se livrant à une surenchère fonctionnelle tout azimut avec ses concurrents. Mon dernier grief concerne le choix de protéger l'acès aux clés privées par le mot de passe maître de Thunderbird. Une fois celui-ci saisi, les secrets stockés par Thunderbird sont utilisables sans entrave tant que Thunderbird est ouvert. Si l'utilisateur oublie de verrouiller sa session avant de s'éloigner de son poste, un tiers peut envoyer des messages signés à son insu ou lire ses messages chiffrés. À contrario, GnuPG me demande de saisir le mot de passe verrouillant ma clé à chaque fois que je veux signer ou déchiffrer un message et Enigmail oublie le mot de passe au bout de 5 minutes. C'est bien plus sûr. Sébastien -- Sébastien Dinot, sebastien.di...@free.fr http://www.palabritudes.net/ Ne goûtez pas au logiciel libre, vous ne pourriez plus vous en passer !
Re: Thunderbird 78.3 avec Enigmail ?
Je ne comprends pas toutes les subtilités d'openpgp. J'ai utilisé l'outil de migration d'Enigmail pour importer les clés dans Thunderbird et ensuite j'ai paramétré mon compte de messagerie. Le chiffrement fonctionne comme avec Enigmail. Je vois dans le dossier .thunderbird un fichier openpgp.sqlite et un autre fichier encrypted-openpgp-passphrase.txt. Mais ma clé personnelle ne s'affiche pas en clair dans openpgp.sqlite et le deuxième fichier est effectivement crypté. L'ensemble me semble sûr ?
Re: Thunderbird 78.3 avec Enigmail ?
Sébastien Dinot a écrit : > Du coup, je suis preneur d'un pointeur consistant sur le sujet. Vérification faite, les clés sont « protégées » (reste à savoir ce que signifie exactement ce terme) par un mot de passe, mais : * ce mot de passe est généré à la volée lors de l'import initial (le même étant utilisé pour toute clé ajoutée ultérieurement) ; * ce mot de passe généré à la volée n'est lui-même protégé que si l'utilisateur protège l'ensemble des secrets stockés par Thunderbird par un « mot de passe maître ». cf. https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_how-is-my-personal-key-protected Le mot de passe maître déverrouillant les secrets pour toute la durée de la session Thunderbird, ce choix me chagrine car nos clés cryptographiques sont parmi nos secrets les plus précieux. À cette aune, devoir saisir un mot de passe à chaque fois que nous voulons en utiliser une me semble être une nuisance tout à fait supportable. Et renoncer à utiliser la nouvelle version ESR de Thunderbird n'est qu'une solution à court-terme. Tôt ou tard, la précédente ESR (68) ne sera plus supportée ni par Mozilla, ni par les distributions. Je vais sans doute finir par utiliser Mutt au boulot aussi ou me féliciter de la lente agonie du mail... Sébastien -- Sébastien Dinot, sebastien.di...@free.fr http://www.palabritudes.net/ Ne goûtez pas au logiciel libre, vous ne pourriez plus vous en passer !
Re: Thunderbird 78.3 avec Enigmail ?
Martin Vézina a écrit : > les clés privés sont conservées sans encryptions dans il me semble un > base de donnée SQLite dans le dossier ".thunderbird". C'est dangereux! J'ai du mal à croire qu'un développeur de Thunderbird ait pu faire une telle bêtise sans que personne ne s'en émeuve et ne remette en cause son implantation de la gestion des clés cryptographiques. Je serais en effet fort surpris qu'un tel projet ne compte pas parmi ses contributeurs réguliers quelques personnes tâtillonnes sur la sécurité et la cryptographie. Du coup, je suis preneur d'un pointeur consistant sur le sujet. Sébastien -- Sébastien Dinot, sebastien.di...@free.fr http://www.palabritudes.net/ Ne goûtez pas au logiciel libre, vous ne pourriez plus vous en passer !
Thunderbird 78.3 avec Enigmail ?
J'ai vue que l'intégration d'enigmail de Thunderbird 78.3 n'utilise plus "pgpg" et les clés privés sont conservées sans encryptions dans il me semble un base de donnée SQLite dans le dossier ".thunderbird". C'est dangereux! Puisque la clé n'est plus crypté, il ne demande plus le mot de passe pour une durée limité. Le retour en arrière n'est pas possible... Je suis revenu à la version précédente avec un backup et j'ai figée la version. Il y as il un projet d'amélioration de prévus?
Re: enigmail
Hi. On Fri, Nov 22, 2019 at 10:49:29AM -0800, didier.gau...@gmail.com wrote: > Le vendredi 22 novembre 2019 19:00:05 UTC+1, Alessandro Vesely a écrit : > > On Mon 18/Nov/2019 21:15:41 +0100 Reco wrote: > > > On Mon, Nov 18, 2019 at 12:57:16PM -0700, D. R. Evans wrote: > > >> I see that the update to debian stable that I was going to do today > > >> wants to update thunderbird but remove enigmail. > > > > > > That seems to affect oldstable too, but kept back. I have: > > ~# apt list --upgradable > > Listing... Done > > icedove/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable from: > > 1:60.9.0-1~deb9u1] > > iceowl-extension/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable > > from: 1:60.9.0-1~deb9u1] > > lightning/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable from: > > 1:60.9.0-1~deb9u1] > > thunderbird/oldstable 1:68.2.2-1~deb9u1 amd64 [upgradable from: > > 1:60.9.0-1~deb9u1] > > thunderbird-dbg/oldstable 1:68.2.2-1~deb9u1 amd64 [upgradable from: > > 1:60.9.0-1~deb9u1] > > > > > > If I understand, I should keep TB back until next summer. Correct? > > Debian packages of Firefox/Thunderbird modules are often outdated: You > could simply uninstall the enigmail Debian package and install > enigmail as a Thunderbird module from within Thunderbird. A "security update" just came in today: Package: enigmail DSA 4571-1 updated Thunderbird to the 68.x series, which is incompatible with the Enigmail release shipped in Debian Buster. For the stable distribution (buster), this problem has been fixed in version 2:2.1.3+ds1-4~deb10u2. We recommend that you upgrade your enigmail packages. Reco
Re: enigmail
Le vendredi 22 novembre 2019 19:00:05 UTC+1, Alessandro Vesely a écrit : > On Mon 18/Nov/2019 21:15:41 +0100 Reco wrote: > > On Mon, Nov 18, 2019 at 12:57:16PM -0700, D. R. Evans wrote: > >> I see that the update to debian stable that I was going to do today > >> wants to update thunderbird but remove enigmail. > > > That seems to affect oldstable too, but kept back. I have: > ~# apt list --upgradable > Listing... Done > icedove/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable from: > 1:60.9.0-1~deb9u1] > iceowl-extension/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable from: > 1:60.9.0-1~deb9u1] > lightning/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable from: > 1:60.9.0-1~deb9u1] > thunderbird/oldstable 1:68.2.2-1~deb9u1 amd64 [upgradable from: > 1:60.9.0-1~deb9u1] > thunderbird-dbg/oldstable 1:68.2.2-1~deb9u1 amd64 [upgradable from: > 1:60.9.0-1~deb9u1] > > > If I understand, I should keep TB back until next summer. Correct? > > > Best > Ale Debian packages of Firefox/Thunderbird modules are often outdated: You could simply uninstall the enigmail Debian package and install enigmail as a Thunderbird module from within Thunderbird.
Re: enigmail
On Mon 18/Nov/2019 21:15:41 +0100 Reco wrote: > On Mon, Nov 18, 2019 at 12:57:16PM -0700, D. R. Evans wrote: >> I see that the update to debian stable that I was going to do today >> wants to update thunderbird but remove enigmail. That seems to affect oldstable too, but kept back. I have: ~# apt list --upgradable Listing... Done icedove/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable from: 1:60.9.0-1~deb9u1] iceowl-extension/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable from: 1:60.9.0-1~deb9u1] lightning/oldstable,oldstable 1:68.2.2-1~deb9u1 all [upgradable from: 1:60.9.0-1~deb9u1] thunderbird/oldstable 1:68.2.2-1~deb9u1 amd64 [upgradable from: 1:60.9.0-1~deb9u1] thunderbird-dbg/oldstable 1:68.2.2-1~deb9u1 amd64 [upgradable from: 1:60.9.0-1~deb9u1] If I understand, I should keep TB back until next summer. Correct? Best Ale
Re: enigmail
D. R. Evans wrote on 11/18/19 12:57 PM: > I see that the update to debian stable that I was going to do today wants to > update thunderbird but remove enigmail. Does anyone have any insight into how > long it is likely to take before enigmail will be made compatible with the > thunderbird that debian stable wants to install? > For those who care, these are probably the best threads to follow regarding resolution of this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945014 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945066 Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: enigmail
Hi. On Mon, Nov 18, 2019 at 12:57:16PM -0700, D. R. Evans wrote: > I see that the update to debian stable that I was going to do today > wants to update thunderbird but remove enigmail. Does anyone have any > insight into how long it is likely to take before enigmail will be > made compatible with the thunderbird that debian stable wants to > install? Currently only unstable provides engimail that's compatible with thunderbird 68. Assuming that things will go as they usually are, the answer to your question is "then they release Debian 11". Maybe some kind soul will do a backport, but given [1] - enigmail has no future anyway, so I'd start looking for alternatives if I were you. Reco [1] https://blog.thunderbird.net/2019/10/thunderbird-enigmail-and-openpgp/
enigmail
I see that the update to debian stable that I was going to do today wants to update thunderbird but remove enigmail. Does anyone have any insight into how long it is likely to take before enigmail will be made compatible with the thunderbird that debian stable wants to install? I remember that this happened once before, and it seemed like a very long (weeks rather than days, if I'm remembering correctly) before I could run the update. I hope it won't be as long this time. Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: gnupg / enigmail excessive processing times
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, > On 24/6/19 12:14 am, The Wanderer wrote: >> The short version of this is that I think I need to clear out a >> lot of irrelevant keys / signatures, et cetera, from my gnupg >> configuration - but I don't want to do anything which risks losing >> my private key(s), or any related information. > > Your problem is most likely polluted keys due to a major design flaw > with SKS serverv. This looks interesting too, but unfortunately there are major problems, performance is, but one, of the major problems. https://daniel-lange.com/archives/159-Cleaning-a-broken-GNUpg-gpg-key.ht ml Kind Regards AndrewM -BEGIN PGP SIGNATURE- iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXRuMkQAKCRCoFmvLt+/i +02QAQCnB0lAGSsUqjqiFDYhG4RKnng+5xmz5/Hrhm3frVOsWwEAhohuitUo88gI MayoIpBEB0G+4faq+Ehw3QtcOhy5GWY= =YZbA -END PGP SIGNATURE-
Re: gnupg / enigmail excessive processing times
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, On 24/6/19 12:14 am, The Wanderer wrote: > The short version of this is that I think I need to clear out a > lot of irrelevant keys / signatures, et cetera, from my gnupg > configuration - but I don't want to do anything which risks losing > my private key(s), or any related information. Your problem is most likely polluted keys due to a major design flaw with SKS serverv. I've seen two keys become extremely large due to junk being added and the behaviour of anything using my public keyring was horribly slow and with the CPU pinning by one process. The following has been sent to a couple of local LUGs that I'm in: For those of us whom use OpenPGP/GPG keys with GNUPG implementation (perhaps everyone whom interacts with SKS servers)... there has been a very long standing technical problem that is currently causing issues. The problem, in a nutshell causes keys to significantly increase in size due to bad data being easily uploaded to the SKS servers without proper validation and consequently severely effecting performance of anything using the public keyring database. If you experience the problem, it will be due to a significant increase of the size of your public keyring file. When processing the public keyring data, the CPU gets pinned at 100% for at least one thread. What I have done is a full export of keys to ASCII armoured files and look at the larger files -- in my case the two largest were for Micah Lee and the Tor Project keys. Delete problematic keys and import fresh sane data for them. Having older backups of the Tor Project's key, I've replaced the key with one that doesn't have the extra bad payload. The former key /may/ not be easily found as the Tor website directs you to an SKS server to collect the data and it doesn't appear to be easily available directly from Tor project's own website. For Micah Lee's key, I got it from keybase.io (micahflee). https://keybase.io/micahflee There are different solutions, keybase.io is but one. In any case the SKS servers are in big trouble as they stand today. A reason for the problem popping up might be related to a simple key refresh; so that is a major problem. It's been said that even just using the keys can cause problems when you don't have any keys with bad data, but I'm not so sure about that. And a follow up: Without any specific refresh, my Tor Project key grew again. I've change my gpg.conf now, let's see if that stops the problem. Using an alternate server: keyserver hkp://keys.openpgp.org More details here: https://sequoia-pgp.org/blog/2019/06/14/20190614-hagrid/ Cheers A. -BEGIN PGP SIGNATURE- iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXRuDNwAKCRCoFmvLt+/i +zbSAP0Zh8WrQMJaEQRegRl+rBoNCucSSwySGAa4Iy/CbRr+GAD9G4FOYnJMs363 98asLeJ3TGuBWgjEqLVUItNH9HIOblE= =uA5x -END PGP SIGNATURE-
Re: gnupg / enigmail excessive processing times
On 2019-06-23 at 13:32, Teemu Likonen wrote: > The Wanderer [2019-06-23 11:46:34-04:00] wrote: > >> On 2019-06-23 at 11:23, Teemu Likonen wrote: >>> If you add line "auto-key-retrieve" to your ~/.gnupg/gpg.conf >>> then GnuPG will automatically try to retrieve keys from >>> keyservers when you verify a signature made by an unknown key. > >> An interesting suggestion. I'm not sure how it'd interact with >> Enigmail (which is what is actually initiating the verification), >> but it's worth investigating. > > I have never used Enigmail but if it executes "gpg --verify" then > gpg will try to fetch (using dirmngr) a missing key from keyserver > before verifying the signature. I haven't tried this yet, but it's still on my consideration list. The reason I'm replying is to report that 'no-check-trustdb' does seem to have done the trick! Without it, occasionally I would have a random fetch attempt succeed in seconds with no issues; now that seems to be happening every time. I've also added a nightly cron job (in my user-specific crontab) with "gpg --batch --check-trustdb --quiet 2>&1 | grep -v '^gpg: no need for a trustdb check$'", to make sure that the check does get run periodically when it's needed, but also not send me mail every day just to report that nothing was done. (Running that command when a check *is* needed seems to actually print the exact, full text I was seeing in the Enigmail results dialog, as a prefix to the actual fetch results, on every fetch attempt. I suspect that some of it may represent useless or problematic keys, but I don't know how to parse it well enough to figure out what to do about the information.) >>> GnuPG key operations slow down when the keyring is large, >>> especially if the trust model is "pgp" and the program needs to >>> check the web of trust every time a new key arrives. >> >> I'm fairly sure that I'm using the default, which appears to be >> the one specified by '--gnupg', so it's '--openpgp' plus >> compatibility workarounds. I doubt it's any of the '--pgp[678]' >> modes. > > The default --trust-model is "auto" which is means that it uses the > trust model that is saved to trust database (I guess trustdb.gpg). Ah. I was looking at the wrong part of the man page; thanks for clarifying what this was referring to. >>> It also helps if you delete certificates (key signatures) made >>> by unknown keys. >> >> What is an "unknown key" in this context? (And see note below.) > > Unknown to your keyring. See "gpg --list-signatures" and you'll > probably see that there are key many key signatures that can't be > shown because your keyring doesn't have the signer's key. > > Command "--edit-key + clean" removes those unknown key signatures as > well as older key signatures if there are many from same signer. > This "clean" thing can very much reduce the size of your keyring, if > you want that. From gpg(1) man page: I saw that in the man page, but I wasn't sure what it would mean in practice, especially since none of my keys (except my personal key) are signed for web-of-trust purposes. I was afraid that the lack of a web-of-trust signature chain would mean *all* of these keys would be deleted by the clean process. Am I correct in thinking that if I kill any running background gpg-related process (gpg-agent, dirmngr, etc.), make a backup copy of ~/.gnupg/ (or possibly even just ~/.gnupg/pubring.gpg), and run this command, I should be able to just revert to that backup copy in the event that it turns out to have made changes I don't want? >> In case it's relevant, please note that I have done basically >> nothing as far as keysigning or other web-of-trust activity; > > Then perhaps "--trust-model tofu" (or tofu+pgp) is better choice? Of > course you decide all that but web of trust (--trust-model pgp) is > useless unless user has signed (at least locally) some keys and > usually also trusts some others as signers (ownertrust). This is a good suggestion, and I'm considering it, but since things are now working fine without having needed to make that change - and I'm not sure I'll never want to use the web of trust, and I'm not sure how safely reversible (without non-meaningless loss) changing trust models in this direction is - I'm leaving this alone for the time being. Thanks for the advice! -- The Wanderer The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw signature.asc Description: OpenPGP digital signature
Re: gnupg / enigmail excessive processing times
The Wanderer [2019-06-23 11:46:34-04:00] wrote: > On 2019-06-23 at 11:23, Teemu Likonen wrote: >> If you add line "auto-key-retrieve" to your ~/.gnupg/gpg.conf then >> GnuPG will automatically try to retrieve keys from keyservers when >> you verify a signature made by an unknown key. > An interesting suggestion. I'm not sure how it'd interact with > Enigmail (which is what is actually initiating the verification), but > it's worth investigating. I have never used Enigmail but if it executes "gpg --verify" then gpg will try to fetch (using dirmngr) a missing key from keyserver before verifying the signature. >> GnuPG key operations slow down when the keyring is large, especially >> if the trust model is "pgp" and the program needs to check the web of >> trust every time a new key arrives. > > I'm fairly sure that I'm using the default, which appears to be the > one specified by '--gnupg', so it's '--openpgp' plus compatibility > workarounds. I doubt it's any of the '--pgp[678]' modes. The default --trust-model is "auto" which is means that it uses the trust model that is saved to trust database (I guess trustdb.gpg). That, in turn, means normally trust model "pgp" (i.e., web of trust based on key signatures). And that trust model needs some calculations which take time on large keyrings. >> It also helps if you delete certificates (key signatures) made by >> unknown keys. > > What is an "unknown key" in this context? (And see note below.) Unknown to your keyring. See "gpg --list-signatures" and you'll probably see that there are key many key signatures that can't be shown because your keyring doesn't have the signer's key. Command "--edit-key + clean" removes those unknown key signatures as well as older key signatures if there are many from same signer. This "clean" thing can very much reduce the size of your keyring, if you want that. From gpg(1) man page: --edit-key [...] clean Compact (by removing all signatures except the selfsig) any user ID that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any sig‐ nature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring. > In case it's relevant, please note that I have done basically nothing as > far as keysigning or other web-of-trust activity; Then perhaps "--trust-model tofu" (or tofu+pgp) is better choice? Of course you decide all that but web of trust (--trust-model pgp) is useless unless user has signed (at least locally) some keys and usually also trusts some others as signers (ownertrust). -- /// Teemu Likonen <https://github.com/tlikonen> // // PGP: 4E1055DC84E9DFF613D78557719D69D324539450 /// signature.asc Description: PGP signature
Re: gnupg / enigmail excessive processing times
On 2019-06-23 at 11:23, Teemu Likonen wrote:
> The Wanderer [2019-06-23 10:14:19-04:00] wrote:
>
>> Some years ago, I got tired of manually importing the key every
>> time I saw a signed message through the Debian mailing lists for
>> which I didn't already have the necessary public key.
>
> If you add line "auto-key-retrieve" to your ~/.gnupg/gpg.conf then
> GnuPG will automatically try to retrieve keys from keyservers when
> you verify a signature made by an unknown key. This may solve the
> problem of importing too much keys and thus making your keyring large
> and slow.
An interesting suggestion. I'm not sure how it'd interact with Enigmail
(which is what is actually initiating the verification), but it's worth
investigating.
>> For reference, the file which I suspect contains those public keys
>> - ~/.gnupg/pubring.gpg - is 131MB in size.
>
> GnuPG key operations slow down when the keyring is large, especially
> if the trust model is "pgp" and the program needs to check the web of
> trust every time a new key arrives.
I'm fairly sure that I'm using the default, which appears to be the one
specified by '--gnupg', so it's '--openpgp' plus compatibility
workarounds. I doubt it's any of the '--pgp[678]' modes.
> One solution is to add "no-auto-check-trustdb" in gpg.conf and only
> run manually "gpg --check-trustdb" from time to time.
I'll try that first; I'm reading through the man page with an eye out
for this right now.
It seems entirely possible that this may be enough to get times back
into a reasonable range, just by itself. Thanks for suggesting it!
> It also helps if you delete certificates (key signatures) made by
> unknown keys.
What is an "unknown key" in this context? (And see note below.)
> You can manually clean such certificates with "--edit-key + clean" or
> automatically for future operations with the following lines in
> gpg.conf:
>
> import-options import-clean
> keyserver-options import-clean
>
> See gpg manual page for more information about --import-options and
> perhaps also --export-options.
I saw the 'clean' options (and 'minimal', relatedly), but wasn't sure
enough about what the impact of reducing the keys that way would be
willing to try it out without either asking for input or taking
backup-related precautions.
> There is no command for cleaning your current keyring but it can be
> automated with a simple script:
>
>
> #!/bin/sh
> gpg --batch --with-colons --list-keys | awk -F: '
> $1 == "pub" {pub = 1}
> pub == 1 && $1 == "fpr" {printf "%s clean save\n", $10; pub = 0}' | \
> xargs -n3 -- gpg --batch --no-auto-check-trustdb --edit-key
>
>
> The above script runs
>
> gpg --batch --no-auto-check-trustdb --edit-key FPR clean save
>
> for every key (FPR is key's fingerprint).
How sure can I/we/etc. be that this will not have any negative side
effects, in terms of eliminating key-related functionality that I
actually want to keep?
In case it's relevant, please note that I have done basically nothing as
far as keysigning or other web-of-trust activity; I'm using signature
verification as primarily a means of confirming A: that "yes, this mail
was signed by the key it says it was signed by", and B: "yes, this mail
was signed by the same key as that mail, so both mails were sent by the
same person". I don't have any web-of-trust confirmation about the
identity of the signer beyond that, and in practice for my purposes I'm
not entirely sure I care about getting it.
Before doing this, I'd probably want to back up ~/.gnupg/ in any case.
I suspect that I'd want to make sure gpg-agent, dirmngr, etc., are
stopped before doing that, or restoring the backup, in order to ensure
consistency.
--
The Wanderer
The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw
signature.asc
Description: OpenPGP digital signature
Re: gnupg / enigmail excessive processing times
The Wanderer [2019-06-23 10:14:19-04:00] wrote:
> Some years ago, I got tired of manually importing the key every time I
> saw a signed message through the Debian mailing lists for which I didn't
> already have the necessary public key.
If you add line "auto-key-retrieve" to your ~/.gnupg/gpg.conf then GnuPG
will automatically try to retrieve keys from keyservers when you verify
a signature made by an unknown key. This may solve the problem of
importing too much keys and thus making your keyring large and slow.
> For reference, the file which I suspect contains those public keys -
> ~/.gnupg/pubring.gpg - is 131MB in size.
GnuPG key operations slow down when the keyring is large, especially if
the trust model is "pgp" and the program needs to check the web of trust
every time a new key arrives. One solution is to add
"no-auto-check-trustdb" in gpg.conf and only run manually "gpg
--check-trustdb" from time to time.
It also helps if you delete certificates (key signatures) made by
unknown keys. You can manually clean such certificates with "--edit-key
+ clean" or automatically for future operations with the following lines
in gpg.conf:
import-options import-clean
keyserver-options import-clean
See gpg manual page for more information about --import-options and
perhaps also --export-options.
There is no command for cleaning your current keyring but it can be
automated with a simple script:
#!/bin/sh
gpg --batch --with-colons --list-keys | awk -F: '
$1 == "pub" {pub = 1}
pub == 1 && $1 == "fpr" {printf "%s clean save\n", $10; pub = 0}' | \
xargs -n3 -- gpg --batch --no-auto-check-trustdb --edit-key
The above script runs
gpg --batch --no-auto-check-trustdb --edit-key FPR clean save
for every key (FPR is key's fingerprint).
--
/// Teemu Likonen //
// PGP: 4E1055DC84E9DFF613D78557719D69D324539450 ///
signature.asc
Description: PGP signature
gnupg / enigmail excessive processing times
The short version of this is that I think I need to clear out a lot of irrelevant keys / signatures, et cetera, from my gnupg configuration - but I don't want to do anything which risks losing my private key(s), or any related information. Just in case I'm wrong about that solution, however, I want to lay out the entire situation. The primary way in which I make use of gnupg is via Thunderbird and the Enigmail extension. In addition to permitting me to sign and/or encrypt messages I send, this serves to validate E-mails received from others, by checking the signature against its associated public key. It includes functionality to reach out to a designated keyserver and download the matching public key for the signature in the currently open E-mail, on demand. Doing this, however, takes at least a few moments - and potentially considerably longer - for each such key request, and blocks the Thunderbird UI until the request either completes or is cancelled. Some years ago, I got tired of manually importing the key every time I saw a signed message through the Debian mailing lists for which I didn't already have the necessary public key. As a handy shortcut, I simply imported all keys from the debian-keyring package, which theoretically should include all Debian developer/etc. public keys. This mostly worked, in terms of reducing how many Debian-mailing-list messages I saw with unrecognized public keys, but not entirely; there were, and are, still a fair number of people whose messages were signed with keys that apparently hadn't been included. That's fine, I can just fetch those keys using the UI method, as before. (I later repeated this import process, using a newer version of the debian-keyring package. I don't know whether that would have had any meaningful effect on the behaviors I observed later.) Unfortunately, over time - and even more after the failed-RAID-array recovery on which I've spent the past 6+ months, and which is the reason I haven't posted here during that time - the time necessary to fetch a new key has gone up to unreasonable levels; by now, processing a typical new-key request seems to take something definitely in excess of 30 minutes, and possibly multiple hours, during which I can't otherwise make use of my mail client. (I don't have any convenient way of timing the process more exactly.) During this time, gnupg is pegging one CPU core at maximum, and doing a not entirely negligible amount of disk I/O. I'm guessing that it's iterating through every single public key I've got in the local keyring, although exactly what it's doing with each one I'm not sure enough to state. For reference, the file which I suspect contains those public keys - ~/.gnupg/pubring.gpg - is 131MB in size. I suspect that importing the entire debian-keyring set was my original mistake, and that I shouldn't have done that. At this point, I'd be willing to un-do that step, and go back to manually importing just the keys needed for the messages I actually receive. Unfortunately, I suspect there's no practical way of un-scrambling that egg; the keys imported that way are mixed in with the ones received by other means, and it would not be trivial to try to separate them out. I'd also be willing to just discard my entire collection of imported public keys, and start from scratch, if I knew of a way to do so which I could be completely certain wouldn't have undesirable side effects on other parts of my cryptographic situation - most particularly and especially, my private key(s). In between those, if there's a way of mass-discarding public keys which fit (or don't fit) some particular criteria, while retaining others, that might be preferable to either extreme. However, so far I've been unable to find any way of removing keys from the local key repository except 'gnupg --delete-keys [name]', which appears to require specifying each key for removal one at a time. This does not really scale to the point where I'm currently at. Any suggestions for how to recover from this situation? -- The Wanderer The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw signature.asc Description: OpenPGP digital signature
Re: Failed to sign email. Thunderbird or enigmail bug?
Georgios [2019-03-03 10:02:01+02] wrote: > After i send my email to the list I found a forum discussion that led > nowhere. I solved my problem by changing enigmail settings. I changed > "prefer s/mime" to "prefer enigmail(openpgp)" S/MIME format is for X.509 certificates signed by certificate authorities. For OpenPGP keys you need format called PGP/MIME. Some people use PGP/INLINE which is "gpg --clearsign" output in messages' body. "E-Mail Format Preferences" https://wiki.gnupg.org/E-Mail%20Format%20Preferences -- /// Teemu Likonen - .-.. <https://keybase.io/tlikonen> // // PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 /// signature.asc Description: PGP signature
Re: Failed to sign email. Thunderbird or enigmail bug?
Thanks for your reply. After i send my email to the list I found a forum discussion that led nowhere. I solved my problem by changing enigmail settings. I changed "prefer s/mime" to "prefer enigmail(openpgp)" On 3/2/19 11:27 PM, riveravaldez wrote: >> I want to report it as a bug. How should i report it as a thunderbird or >> enigmail bug? > > Have you checked upstream on Thunderbird [1,2,3] and Enigmail [4,5] > sites/communities? > > [1] https://www.thunderbird.net/en-US/ > [2] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird > [3] https://support.mozilla.org/en-US/products/thunderbird > [4] https://enigmail.net/index.php/en/ > [5] https://enigmail.net/index.php/en/support/reporting-defects >
Re: Failed to sign email. Thunderbird or enigmail bug?
I found a discussion in a forum that led nowhere. I "solve" the problem by changing my settings by choosing "prefer enigmail(openpgp)" vs "prefer s/mime". On 3/2/19 11:27 PM, riveravaldez wrote: >> I want to report it as a bug. How should i report it as a thunderbird or >> enigmail bug? > > Have you checked upstream on Thunderbird [1,2,3] and Enigmail [4,5] > sites/communities? > > [1] https://www.thunderbird.net/en-US/ > [2] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird > [3] https://support.mozilla.org/en-US/products/thunderbird > [4] https://enigmail.net/index.php/en/ > [5] https://enigmail.net/index.php/en/support/reporting-defects >
Re: Failed to sign email. Thunderbird or enigmail bug?
> I want to report it as a bug. How should i report it as a thunderbird or > enigmail bug? Have you checked upstream on Thunderbird [1,2,3] and Enigmail [4,5] sites/communities? [1] https://www.thunderbird.net/en-US/ [2] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird [3] https://support.mozilla.org/en-US/products/thunderbird [4] https://enigmail.net/index.php/en/ [5] https://enigmail.net/index.php/en/support/reporting-defects
Failed to sign email. Thunderbird or enigmail bug?
Hi. Im running buster (testing) and im trying to send signed email. My keys are on my yubikey. I get the following error message "Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired." If i press encryption button twice (encryption on encryption off) the problem is solved. Any ideas how to solve it? I want to report it as a bug. How should i report it as a thunderbird or enigmail bug? Thanks for your help.
Re: Thunderbird + Enigmail + saving draft with encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 03/02/2019 12:26, Étienne Mollier wrote: > Dider Gaumet, on 2019-02-03 : >> In my previous test I did not close > Thunderbird before reopening the >> signed and encrypted draft message. >> this time I did it and nothing changed: The right title of the draft was >> still there. > > Good Day, > > It could have been temporary, I've seen these symptoms some time > last week perhaps, but haven't reproduced the phenomenon since > then, on my side. My Thunderbird version is now 60.5 for few > days, on Sid channel. Might have been related... > > My drafts are usually written down with vi, so not much use of > the Draft/ IMAP folder here, actually. :^) > > Kind Regards, That sounds reasonable then, I am guessing that TB 60.5 will find it's way in to Debian9 (Stretch) at some point, or at least Debian 10 (Buster). Thanks for all the help on this. Paul > - -- Paul Sutton http://www.zleap.net https://www.linkedin.com/in/zleap/ gnupg : 7D6D B682 F351 8D08 1893 1E16 F086 5537 D066 302D -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEfW22gvNRjQgYkx4W8IZVN9BmMC0FAlxW6SwACgkQ8IZVN9Bm MC3cwQ/+IXBsuZMdnYlepDhcQ84dFDmz8Qo+9kXGDpsth1uWKIZAlav79Efs5roW udaTTPTLfE1Tx0mbFNae+MTRSctsPDcZxFB1u+flOQsxhQVKtqB/+5inUfA6Xk5p A2LnrXJ/4PeiyoRz1PI6zejqlMVpXfCpGYTsDpEF3zNMl/Q76iJ9wfPG26tNnn1E /ZjMqVi4oY6izngMp9yBoWwUgwK415YAWMDCkQ41aCSpMbdgpMHf4qcRlgfvM7Z9 yS5x0NWWuHS0+3gmON6iwL0rsGiXs6Nn7LMpUWeuuQRVnGjmTUcSHWGQoWK0ngm5 p2WfSXrWqdKuh27BZDscN+MYCee0AbEm23c1M6ba8PjuZORlazE/tHMFh41CKjV4 RQeQ2WENh5dedCI3rETVK4EqlrtV0A7T1amjFnLs3bLNuXNOePcoxPax2F/wCUPJ M7a+Yro22jM8c9VUQO1BLBYhh1rG4ck22RQcVBg3Pfdg9pTS2wUG5ysp9nU5WBjx +AbNgzalGWX5YBJ3jd2Kw+fqVo0HGs3QN9Pxg8rIJr2D003ctrsbnnjg98Vud5JV 21rWZiw6yvftCvA2GWLCFRQ0aDHnPNnEaIpnNFAZi0NWrPbXqsA8m4RAdLBDVb6z x+F/WvEQkKk50g7SVZdYOHOouOVsxGf3h3xIOwFajYaeEquownQ= =XZde -END PGP SIGNATURE-
Re: Thunderbird + Enigmail + saving draft with encryption
Dider Gaumet, on 2019-02-03 : > In my previous test I did not close Thunderbird before reopening the > signed and encrypted draft message. > this time I did it and nothing changed: The right title of the draft was > still there. Good Day, It could have been temporary, I've seen these symptoms some time last week perhaps, but haven't reproduced the phenomenon since then, on my side. My Thunderbird version is now 60.5 for few days, on Sid channel. Might have been related... My drafts are usually written down with vi, so not much use of the Draft/ IMAP folder here, actually. :^) Kind Regards, -- Étienne Mollier
Re: Thunderbird + Enigmail + saving draft with encryption
In my previous test I did not close Thunderbird before reopening the signed and encrypted draft message. this time I did it and nothing changed: The right title of the draft was still there. I prefer to stick to Stable but my main laptop is fairly new, that is why Buster is installed on it. So on a previous laptop, french Debian Stable with all updates installed, with contrib, non-free; proposed-updates, updates, security-updates, backports enable (but no backport package installed) Same test and same result as with Buster on my new laptop: the title is correctly saved and correctly sent after reopening Thunderbird. In case it could be significant: - I use Gnome desktop environment (if you use a lighter DE or a WM it would be possible that a library that improves Thunderbird/Enigmail (but is neither considered recommand or suggest) is not installed. - I used my gmail address, so it's an IMAP remote storage of the draft. Sorry, I have no other clue...
Re: Thunderbird + Enigmail + saving draft with encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 02/02/2019 20:08, Cindy-Sue Causey wrote: > On 2/2/19, Thomas D Dial wrote: >> I noticed this a few weeks > or a month ago and took it to be a somewhat >> inelegant, maybe incompletely implemented, feature intended to improve >> metadata security. I believe "Encrypted message" also becomes the >> subject of the transmitted message. >> >> Exposure of the metadata showing who is in contact with whom, and when, >> is pretty much inescapable, but the subject line, which is not >> encrypted, also can provide useful information to an eavesdropper, even >> if she cannot decrypt the message body. This is noted in some PGP or GPG >> documentation I have seen, accompanied by recommendations to obscure the >> Subject: line and put the true subject within the body. > > > That's what I was thinking as I read this thread. That's a perfect > spot for it... right at the top of the email's main content/body where > it then sits ready for a quick copy-cut-paste when the time's > appropriate. > > It would be like how at least some of us temporarily save intended > recipient email addresses in that same spot while saving draft email > copies. That's an old netiquette type trick so that things fail in the > event we accidentally click "Send" instead of "Save Draft" or their > equivalents across email clients. :) > > That part I read about how subject lines all look the same once > encrypted > GACK! It sounds like there's room for a wishlist bug > report about an option to somehow save a tickler of a reminder instead > of the real subject. A key as to the meaning of that tickler could > then be saved elsewhere, e.g. as a handwritten note, in the same way > passwords are occasionally saved on scraps of paper scattered > everywhere. :) > > Cindy :) Having the subject header copied to the top of the message body sounds like a good idea. I can do that manually but having software do that could be helpful to people too. A wish list seems a good idea too, anything to help improve software is a good thing. regards Paul :) Paul - -- Paul Sutton http://www.zleap.net https://www.linkedin.com/in/zleap/ gnupg : 7D6D B682 F351 8D08 1893 1E16 F086 5537 D066 302D -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEfW22gvNRjQgYkx4W8IZVN9BmMC0FAlxV+9sACgkQ8IZVN9Bm MC1wsBAArdZx4WupdW4/PbkYXqTv72dsugINC4Mc0E6nlOUKX7mXghh27oVvEZNa HnhH9L0kuOs9NmguQEYEIfoUNo3HJp0l5jkkJB9YB30sJdpycWHBbYBw3zsHrI/K dBYUlo9vIOPTXaFeWbBbUDsTBQfouiuDGzkbbj7UHtZEGr5x1L962O1G6bULNaIH figP391kBV6Zkz1q78g38N8eJTTkDaG075BWbwdvnRghgRIXAP1bRz0MSpaO7ogS Qz4gcUKt17LF5Q1p18iJc93gyIexNaBddTtE7yOlAEfTfKaeY0wGPjHnxzGOanlZ 9gun4rtCMGhbnsdeBp/OUSuTEAaP7BmAZni8eQMdUvuXsdgEJvaltBB2j/uZFDjN +1wkLPt2Szh+Z4vTzGkSa1PfEiqnKVDoIQIdEKjEGrUt81BwJELpKD61RNMViL9U +2+92sv84lQ1awn1nEOgRibsSlN7NgCgqYdfAa24ixHcswHo+e74k69eOUYc3LXd JYGqmobD2DaoVbtSJhuc1huhsrpZAyfxbDBbJPcNOJOAoDHCkH7EzJqhGwhYj9rd 72D5odF/dnHA07E9KUWqpOZa7ww1cbJKEFr0qTS/0OHSDIePx1D/kXmczWq3KAcR 8/zGvb8N1bejGcdMFGCFZmm4dfEheAg3QEvnQBZ0TnfjTk9PhzU= =3WWm -END PGP SIGNATURE-
Re: Thunderbird + Enigmail + saving draft with encryption
On 2/2/19, Thomas D Dial wrote: > I noticed this a few weeks or a month ago and took it to be a somewhat > inelegant, maybe incompletely implemented, feature intended to improve > metadata security. I believe "Encrypted message" also becomes the > subject of the transmitted message. > > Exposure of the metadata showing who is in contact with whom, and when, > is pretty much inescapable, but the subject line, which is not > encrypted, also can provide useful information to an eavesdropper, even > if she cannot decrypt the message body. This is noted in some PGP or GPG > documentation I have seen, accompanied by recommendations to obscure the > Subject: line and put the true subject within the body. That's what I was thinking as I read this thread. That's a perfect spot for it... right at the top of the email's main content/body where it then sits ready for a quick copy-cut-paste when the time's appropriate. It would be like how at least some of us temporarily save intended recipient email addresses in that same spot while saving draft email copies. That's an old netiquette type trick so that things fail in the event we accidentally click "Send" instead of "Save Draft" or their equivalents across email clients. :) That part I read about how subject lines all look the same once encrypted > GACK! It sounds like there's room for a wishlist bug report about an option to somehow save a tickler of a reminder instead of the real subject. A key as to the meaning of that tickler could then be saved elsewhere, e.g. as a handwritten note, in the same way passwords are occasionally saved on scraps of paper scattered everywhere. :) Cindy :) -- Cindy-Sue Causey Talking Rock, Pickens County, Georgia, USA * runs with birdseed *
Re: Thunderbird + Enigmail + saving draft with encryption
On Fri, 2019-02-01 at 18:26 +, Paul Sutton wrote: > Hi > > Thunderbird + Enigmail has an option in "account settings" OpenPGP > Security to save a draft of a message with encryption, as expected > this > saves the draft but with a new subject as "Encrypted message" and it > appears in drafts as this. > > If you save the message, close the compose window, then go to > Drafts, > then reopen the message for more editing before sending the subject > remains as "Encrypted message" and you lose the original subject > header. > > I just wondered if this is what is meant to happen ? or is the > original > subject header supposed to be restored. Has anyone else noticed this. I noticed this a few weeks or a month ago and took it to be a somewhat inelegant, maybe incompletely implemented, feature intended to improve metadata security. I believe "Encrypted message" also becomes the subject of the transmitted message. Exposure of the metadata showing who is in contact with whom, and when, is pretty much inescapable, but the subject line, which is not encrypted, also can provide useful information to an eavesdropper, even if she cannot decrypt the message body. This is noted in some PGP or GPG documentation I have seen, accompanied by recommendations to obscure the Subject: line and put the true subject within the body. Tom Dial > > System information > > Thunderbird 60.4.0 (64-bit) > > Enigmail 2.0.9 > > Distributor ID:Debian > Description:Debian GNU/Linux 9.7 (stretch) > Release:9.7 > Codename:stretch > psutton@zleap:~$ > > Linux zleap 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 > GNU/Linux > > > Paul Sutton > > > >
Re: Thunderbird + Enigmail + saving draft with encryption
On 02/02/2019 13:12, Paul Sutton wrote: > On 02/02/2019 09:14, didier gaumet wrote: >> Hello Paul, >> >> Same versions of thunderbird and Enigmail here but Debian Buster. >> >> I do not observe the same thing as you do: the draft is saved with the >> intended title >> >> It is probably of no importance but my Debian (and Thunderbird) is in french > Hi didier > > That perhaps suggests the issue is with my set up somewhere, or it is > fixed in either the French version or Buster. It may be due to another > package which is causing the issue. > > A copy of this e-mail is now in my drafts as "Encrypted Message", but > appears in the compose as it should be. > > Lets keep an eye on it via the list. > > Thanks > > Paul > So yes, steps i take are as follows: With that option enabled, (encrypt message in drafts folder) Create new e-mail Enter subject header Save (so that the message is stored in to drafts) Check drafts folder to see what the message is named close tb and message compose window(s) Re open TB, click Drafts, edit message, (it will be in there as Encrypted Message) Rather than the message reverting to back the original subject header you entered earlier it is now Encrypted Message, so Manually edit This happens on two computers, netbook and Desktop both running Debian 9.7 (non free) with updates applied. Paul 1-- Paul Sutton http://www.zleap.net https://www.linkedin.com/in/zleap/ gnupg : 7D6D B682 F351 8D08 1893 1E16 F086 5537 D066 302D signature.asc Description: OpenPGP digital signature
Re: Thunderbird + Enigmail + saving draft with encryption
On 02/02/2019 09:14, didier gaumet wrote: > Hello Paul, > > Same versions of thunderbird and Enigmail here but Debian Buster. > > I do not observe the same thing as you do: the draft is saved with the > intended title > > It is probably of no importance but my Debian (and Thunderbird) is in french Hi didier That perhaps suggests the issue is with my set up somewhere, or it is fixed in either the French version or Buster. It may be due to another package which is causing the issue. A copy of this e-mail is now in my drafts as "Encrypted Message", but appears in the compose as it should be. Lets keep an eye on it via the list. Thanks Paul -- Paul Sutton http://www.zleap.net https://www.linkedin.com/in/zleap/ gnupg : 7D6D B682 F351 8D08 1893 1E16 F086 5537 D066 302D signature.asc Description: OpenPGP digital signature
Re: Thunderbird + Enigmail + saving draft with encryption
Hello Paul, Same versions of thunderbird and Enigmail here but Debian Buster. I do not observe the same thing as you do: the draft is saved with the intended title It is probably of no importance but my Debian (and Thunderbird) is in french
Re: Thunderbird + Enigmail + saving draft with encryption
On 01/02/2019 21:24, Étienne Mollier wrote: > On 2/1/19 7:26 PM, Paul Sutton wrote: >> If you save the message, close the compose window, then go to Drafts, >> then reopen the message for more editing before sending the subject >> remains as "Encrypted message" and you lose the original subject header. >> >> I just wondered if this is what is meant to happen ? or is the original >> subject header supposed to be restored. Has anyone else noticed this. > Good Day Paul, > > Yep, sounds to me that it is a feature to avoid leaking your email's > metadata. Whom discusses with who and on which topic is an > interesting information indeed, even without being able to decipher > what's inside the fold. > > Not sure if it's worth the pain though, since mail servers use these > metadata to properly route your email anyway; but I may have missed > interesting novelties on autocrypt side. > > Cheers, I will disable it for now, if anyone else notices this, then perhaps it is something that needs to be reported as a bug, I would expect the original subject to be restored, or failing that TB could simply append the subject in some way. It is interesting when you're drafts folder is full of e-mails with the header "Encrypted message" unless you can remember what time you saved the message finding a specific message is impossible. I think the idea is that as messages on say an IMAP server are stored on that remote mail server any messages in draft are also stored there, so saving a message would leave the e-mail in plain text, while the messages in sent and inbox would be encrypted. So encrypting drafts make sense.l Useful feature in a way but not that useful in the current implementation. so as you said not worth it. If we can confirm this it may be worth looking at sending in a bug report. Paul -- Paul Sutton http://www.zleap.net https://www.linkedin.com/in/zleap/ gnupg : 7D6D B682 F351 8D08 1893 1E16 F086 5537 D066 302D signature.asc Description: OpenPGP digital signature
Re: Thunderbird + Enigmail + saving draft with encryption
On 2/1/19 7:26 PM, Paul Sutton wrote: > If you save the message, close the compose window, then go to Drafts, > then reopen the message for more editing before sending the subject > remains as "Encrypted message" and you lose the original subject header. > > I just wondered if this is what is meant to happen ? or is the original > subject header supposed to be restored. Has anyone else noticed this. Good Day Paul, Yep, sounds to me that it is a feature to avoid leaking your email's metadata. Whom discusses with who and on which topic is an interesting information indeed, even without being able to decipher what's inside the fold. Not sure if it's worth the pain though, since mail servers use these metadata to properly route your email anyway; but I may have missed interesting novelties on autocrypt side. Cheers, -- Étienne Mollier
Thunderbird + Enigmail + saving draft with encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi Thunderbird + Enigmail has an option in "account settings" OpenPGP Security to save a draft of a message with encryption, as expected this saves the draft but with a new subject as "Encrypted message" and it appears in drafts as this. If you save the message, close the compose window, then go to Drafts, then reopen the message for more editing before sending the subject remains as "Encrypted message" and you lose the original subject header. I just wondered if this is what is meant to happen ? or is the original subject header supposed to be restored. Has anyone else noticed this. System information Thunderbird 60.4.0 (64-bit) Enigmail 2.0.9 Distributor ID: Debian Description: Debian GNU/Linux 9.7 (stretch) Release: 9.7 Codename: stretch psutton@zleap:~$ Linux zleap 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux Paul Sutton - -- Paul Sutton http://www.zleap.net https://www.linkedin.com/in/zleap/ gnupg : 7D6D B682 F351 8D08 1893 1E16 F086 5537 D066 302D -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEfW22gvNRjQgYkx4W8IZVN9BmMC0FAlxUj0AACgkQ8IZVN9Bm MC1rjw//aRxAixKK8Q0XFWa5kHu8qUVrRihHaT0SrBj9uJGH8W8Ht00XdnQwjYk+ EyeeJFMHX6rOONx+xIPEPsyRPKqUumvjF1L1As9dFUn4yPCA1Nb/6MwfxGPLpQeB r3QjoOWD6mg1gE44PljzlIcdkjMsDFONLxRPPJcCpYGh9XJBO194cGEpcehc3+An g13W0LMUuLcoISKdEuCoFi7iyny6rdpwxd7YvtSbfsana7Moz5fMU/UGXkWeCQHC 4W+5NG5g1+gjrSFhmJkDa8PezO0f8s96zfeVxUnSeN1Jn4HiZ9j4G7hqsh0I29RH Bzy50PCfKbXM8zd2+WdKLTBl0iCWDV/4zEBkxImLgrEMfXNnAJG9CfqE3UStMYe/ 3vwmGn6cahqNFYlQvBxd9U4zYeJD3qhs3N8GJKTNZ/hQTbno0Wq5VauEO6TgKLzD X+jcNHYep5gMnTFmKoeTTH8iUKap2ZF2BrFBBwwl9CEOzK0Cn8nA5Mg1BLo9eS5u O7sAfbiIai6S2GKuBWA51y6oDIYoqfgSPKBVDE0jOY9L/90o3F08CGFq3RGrOisF hN+5Styo+n3VckW9m1uDz8u8zhNe+YE4g26LWxx+YlgHe+Ff9Mwvkz40o9PVgxSI enpWk+NmOplAZ+urPhPPs3Ba9rAMHfM+C5O9y/ETQtZrYYKm71Y= =tqpc -END PGP SIGNATURE-
Re: stretch update of thunderbird wants to remove enigmail
On Tuesday, September 18, 2018 8:55:00 PM EDT you wrote: > Le 18-09-17 à 17 h 10, ernst doubt a écrit : > > Greetings, > > > > I run debian stretch: > > > > ni@quark:/etc$ cat debian_version > > 9.5 > > > > and I use a number of email clients. I see there is currently an update > > (presumably security related?) for thunderbird. But as this upgrade would > > remove enigmail I chose (at least for the moment) to not implement it. > > > > Does anyone know if there are plans in the works for an associated upgrade > > of enigmail so that it might be possible in the near future to upgrade > > thunderbird without losing embedded support for gnupg? > > > > I'm not subscribed to this list (but will check the archives on-line for a > > while to make sure I don't miss a reply), so CCs to me are fine (and even > > appreciated if you are willing). > > > > thanks so very much in advance, > > > > ~e > > I let apt remove enigmail, and then manually reinstalled the addon from > Thunderbird's Tools>Addon menu. All my user settings were retrieved > correctly as far as I can see. Bouncing back to the list, since you replied to me only privately. Interesting data point; thanks so much. Though I think I would feel better (security-wise) about installing the debian version of enigmail. Of course running with the currently unupgraded version of thunderbird as I am is also suboptimal. ~e
Re: stretch update of thunderbird wants to remove enigmail
Le 18-09-17 à 17 h 10, ernst doubt a écrit : > Greetings, > > I run debian stretch: > > ni@quark:/etc$ cat debian_version > 9.5 > > and I use a number of email clients. I see there is currently an update > (presumably security related?) for thunderbird. But as this upgrade would > remove enigmail I chose (at least for the moment) to not implement it. > > Does anyone know if there are plans in the works for an associated upgrade of > enigmail so that it might be possible in the near future to upgrade > thunderbird without losing embedded support for gnupg? > > I'm not subscribed to this list (but will check the archives on-line for a > while to make sure I don't miss a reply), so CCs to me are fine (and even > appreciated if you are willing). > > thanks so very much in advance, > ~e > I let apt remove enigmail, and then manually reinstalled the addon from Thunderbird's Tools>Addon menu. All my user settings were retrieved correctly as far as I can see. -- Benjamin Rochefort http://benwen.info
Re: stretch update of thunderbird wants to remove enigmail
Hi, Sven. On 17/09/18 18:36, Sven Joachim wrote: >> I run debian stretch: >> >> ni@quark:/etc$ cat debian_version >> 9.5 >> >> and I use a number of email clients. I see there is currently an update >> (presumably security related?) for thunderbird. But as this upgrade would >> remove enigmail I chose (at least for the moment) to not implement it. >> >> Does anyone know if there are plans in the works for an associated upgrade >> of >> enigmail so that it might be possible in the near future to upgrade >> thunderbird without losing embedded support for gnupg? > This is discussed in bug #909000[1], you may want to subscribe to it. > > 1. https://bugs.debian.org/909000 Thanks for the reference in Debian BTS. The weekend I was looking for if there was an open issue but I didn't find it. I see the issue was opened today. Kind regards, Daniel signature.asc Description: OpenPGP digital signature
Re: stretch update of thunderbird wants to remove enigmail
On 2018-09-17 16:46 -0400, ernst doubt wrote: > I run debian stretch: > > ni@quark:/etc$ cat debian_version > 9.5 > > and I use a number of email clients. I see there is currently an update > (presumably security related?) for thunderbird. But as this upgrade would > remove enigmail I chose (at least for the moment) to not implement it. > > Does anyone know if there are plans in the works for an associated upgrade of > enigmail so that it might be possible in the near future to upgrade > thunderbird without losing embedded support for gnupg? This is discussed in bug #909000[1], you may want to subscribe to it. Cheers, Sven 1. https://bugs.debian.org/909000
Re: stretch update of thunderbird wants to remove enigmail
On 17/09/18 17:46, ernst doubt wrote: > Greetings, Hi, Ernst. > I run debian stretch: > > ni@quark:/etc$ cat debian_version > 9.5 > > and I use a number of email clients. I see there is currently an update > (presumably security related?) for thunderbird. But as this upgrade would > remove enigmail I chose (at least for the moment) to not implement it. > > Does anyone know if there are plans in the works for an associated upgrade of > enigmail so that it might be possible in the near future to upgrade > thunderbird without losing embedded support for gnupg? > > I'm not subscribed to this list (but will check the archives on-line for a > while to make sure I don't miss a reply), so CCs to me are fine (and even > appreciated if you are willing). > > thanks so very much in advance, I have also found this issue in my update yesterday. I'm not sure if it will be related but in later attempts to update I got this internal error: -- root@orion:~# aptitude upgrade -V Resolving dependencies... Internal error: found 2 (choice -> promotion) mappings for a single choice. No packages will be installed, upgraded, or removed. 0 packages upgraded, 0 newly installed, 0 to remove and 8 not upgraded. Need to get 0 B of archives. After unpacking 0 B will be used. -- Kind regards, Daniel signature.asc Description: OpenPGP digital signature
stretch update of thunderbird wants to remove enigmail
Greetings, I run debian stretch: ni@quark:/etc$ cat debian_version 9.5 and I use a number of email clients. I see there is currently an update (presumably security related?) for thunderbird. But as this upgrade would remove enigmail I chose (at least for the moment) to not implement it. Does anyone know if there are plans in the works for an associated upgrade of enigmail so that it might be possible in the near future to upgrade thunderbird without losing embedded support for gnupg? I'm not subscribed to this list (but will check the archives on-line for a while to make sure I don't miss a reply), so CCs to me are fine (and even appreciated if you are willing). thanks so very much in advance, ~e
Re: enigmail et gpg-agent
Le 24/12/2017 à 05:19, hamster a écrit : [...] > J'ai essayé de supprimer gnome-keyring. La ca fait quelque chose. La > variable GPG_AGENT_INFO reste vide, enigmail me demande ma clef dans une > fenetre différente de celle dont j'ai l'habitude et qui s'appelle > "pinentry", mais… ne reconnais plus ma phrase de passe. > > Si quelqu'un a une idée… de mémoire, j'avais il y a des années eu des problèmes avec claws-mail, et de ce que j'avais compris, quelque soit l'environnement utilisé (DE, console...) ça nécessitait pinentry à un stade ou un autre pour rentrer la clé gpg. Je te suggérerais bien de regarder si ton système est à jour avec les màj de sécurité, quelles versions de pinentry* sont installées, quelle alternative est utilisée (cf alternatives ou galternatives) et éventuellement de mettre à jour ceux de ces paquets (pinentry-gtk2? pinentry-gnome3?) qui te sont nécessaires depuis jessie-backports: comme ce ne sont pas des paquets offrant des fonctionnalités de nature à attirer les utilisateurs par un rétroportage, je soupçonne que si ils ont été rétroportés, c'est que les anciennes versions ne sont plus forcément toujours fonctionnelles. En plus il me semble qu'entre Jessie et Stretch, gpg2 est devenue obligatoire alors que gpg1 et ggp2 cohabitaient auparavant et que gpg pointait implicitement vers gpg1 mais pointe maintenant vers gpg2...
Re: enigmail et gpg-agent
Ha je me demande si ce n'était pas ce bug qui m'avait fait passé du coté XFCE de l'interface graphique... j'avais du laisser tomber :/ C'est pas tout jeune ca ! signature.asc Description: OpenPGP digital signature
Re: enigmail et gpg-agent
Le 24/12/2017 à 10:02, Fabien R a écrit : > Je ne sais pas si ça peut aider. Sur la page, il est indiqué d'utiliser > le package debian au lieu du add-on. Moi, j'ai dû faire l'inverse, sans > quoi, impossible de le configurer J'ai essayé les deux.
Re: enigmail et gpg-agent
On 24/12/2017 05:19, hamster wrote: > Hello. > > Je suis sous jessie / mate. > > Depuis plusieurs mois, enigmail me fait des misères. Mon problème est > très bien décrit la : > https://www.zenzla.com/astuces/1266-erreur-de-communication-avec-gpg-agent.html Je ne sais pas si ça peut aider. Sur la page, il est indiqué d'utiliser le package debian au lieu du add-on. Moi, j'ai dû faire l'inverse, sans quoi, impossible de le configurer.-- Fabien
enigmail et gpg-agent
Hello. Je suis sous jessie / mate. Depuis plusieurs mois, enigmail me fait des misères. Mon problème est très bien décrit la : https://www.zenzla.com/astuces/1266-erreur-de-communication-avec-gpg-agent.html J'ai essayé tout ce qui est sur cette page, et aussi ce qui est la : https://wiki.gnupg.org/GnomeKeyring https://blog.josefsson.org/2015/01/02/openpgp-smartcards-and-gnome/ http://www.gniibe.org/memo/notebook/gnome3-gpg-settings.html et aussi ce que j'ai trouvé dans /usr/share/doc/gnome-keyring/README.Debian J'ai essayé de reinstaller thunderbird, enigmail, gnupg et gpg-agent. Rien n'y fait. J'ai toujours le meme blocage dans enigmail, et toujours la meme réponse pour la variable : echo $GPG_AGENT_INFO /run/user/1000/keyring/gpg:0:1 J'ai essayé de supprimer gnome-keyring. La ca fait quelque chose. La variable GPG_AGENT_INFO reste vide, enigmail me demande ma clef dans une fenetre différente de celle dont j'ai l'habitude et qui s'appelle "pinentry", mais… ne reconnais plus ma phrase de passe. Si quelqu'un a une idée…
Re: Thunderbird 52.2.1 and Enigmail
D. R. Evans wrote on 08/07/2017 10:45 AM: > Daniel Bareiro wrote on 08/07/2017 09:36 AM: > >>> >>> BUT enigmail won't run because it seems that the current update requires a >>> version of gnupg that is more recent than the official version that is part >>> of >>> the repositories :-( >> >> I don't remember having this issue. I think I just did "aptitude install >> enigmail" and it installed only that package. So I assume that the >> dependencies would already be satisfied with the other packages I had >> installed. >> >> root@orion:~# aptitude show gnupg | grep Versión >> Versión: 1.4.18-7+deb8u3 >> > > Very strange. That's the same version I have installed, but after the official > update of thunderbird and enigmail this morning, enigmail immediately > complained on start-up that it needed a later version of gnupg. Idiotically, I > didn't write down the number, but I think it was 1.5.something. > OK, I just went through the process again. I brought jessie completely up to date, including the thunderbird and enigmail apps, then tried to run thunderbird. At that point, enigmail pops up a box that says that it requires gnupg 2.0.7 or newer (which is obviously later than the 1.4.18 offered by the official repository). See image at: https://www.dropbox.com/s/6s3z6jy5ns3z9qd/gnupg1.png?dl=0 I then downgraded using the same sequence as before, which is how I am able to send this e-mail. Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
Daniel Bareiro wrote on 08/07/2017 09:36 AM: >> >> BUT enigmail won't run because it seems that the current update requires a >> version of gnupg that is more recent than the official version that is part >> of >> the repositories :-( > > I don't remember having this issue. I think I just did "aptitude install > enigmail" and it installed only that package. So I assume that the > dependencies would already be satisfied with the other packages I had > installed. > > root@orion:~# aptitude show gnupg | grep Versión > Versión: 1.4.18-7+deb8u3 > Very strange. That's the same version I have installed, but after the official update of thunderbird and enigmail this morning, enigmail immediately complained on start-up that it needed a later version of gnupg. Idiotically, I didn't write down the number, but I think it was 1.5.something. I guess that I need to do it all again and write down the number next time, and then go immediately back to the current (working) installation. I won't have time for that today, but maybe tomorrow. Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
Hi, Doc. On 07/08/17 10:05, D. R. Evans wrote: > I have been away for a week, and this morning saw that enigmail had been > updated in my absence, so I updated all the jessie updates offered me by the > official repositories. > > This updated thunderbird and enigmail, as expected. > > BUT enigmail won't run because it seems that the current update requires a > version of gnupg that is more recent than the official version that is part of > the repositories :-( I don't remember having this issue. I think I just did "aptitude install enigmail" and it installed only that package. So I assume that the dependencies would already be satisfied with the other packages I had installed. root@orion:~# aptitude show gnupg | grep Versión Versión: 1.4.18-7+deb8u3 Kind regards, Daniel signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
I have been away for a week, and this morning saw that enigmail had been updated in my absence, so I updated all the jessie updates offered me by the official repositories. This updated thunderbird and enigmail, as expected. BUT enigmail won't run because it seems that the current update requires a version of gnupg that is more recent than the official version that is part of the repositories :-( So I downgraded using the suggested sequence: >>> apt remove thunderbird icedove >>> apt install thunderbird=1:45.8.0-3~deb8u1 >>> apt install thunderbird-l10n-nl=1:45.8.0-3~deb8u1 >>> apt install lightning=1:45.8.0-3~deb8u1 >>> apt install lightning-l10n-nl=1:45.8.0-3~deb8u1 >>> apt install icedove=1:45.8.0-3~deb8u1 >>> apt install enigmail=2:1.8.2-4~deb8u1 >>> apt -t jessie-backports install xul-ext-sogo-connector >>> Just wanted to mention this so that others won't be surprised if they hit the same problem. Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
Hi, Jason. On 25/07/17 21:54, Jason Wittlin-Cohen wrote: > Sorry for the oversight. No problem. > I am actually running on Stretch, so I'm using > Enigmail 1.9.7. Perhaps someone can backport the version from Stretch > to Jessie to resolve this issue. It seems that it is already solved. Thanks too, Frank, for your contribution. It seems that now it is possible to install it without making the change in sources.list that you had suggested. Kind regards, Daniel signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
Op 30-07-17 om 04:52 schreef Daniel Bareiro: Hi, Paul. On 27/07/17 08:41, Paul van der Vlis wrote: I just updated Thunderbird on Jessie. Support for the 45.x series has ended, so starting with this update Debian is now following the 52.x releases. I've tried much, but it did not work. So I downgraded, this worked for me: apt remove thunderbird icedove apt install thunderbird=1:45.8.0-3~deb8u1 apt install thunderbird-l10n-nl=1:45.8.0-3~deb8u1 apt install lightning=1:45.8.0-3~deb8u1 apt install lightning-l10n-nl=1:45.8.0-3~deb8u1 apt install icedove=1:45.8.0-3~deb8u1 apt install enigmail=2:1.8.2-4~deb8u1 apt -t jessie-backports install xul-ext-sogo-connector And you need some kind of pinning... Thanks for your contribution. I see that yesterday was published the DSA-3921-1 referring to the bug 869774 talking about Enigmail 1.9.8.1 to restore full compatibility. But I still don't see the update available. Do you see it? As I mentioned in another thread, this appears to be caused by the fact the new version of the package is no longer -amd64/-i386 but -all. Somehow, apt doesn't see it, unless you add another line to your sources.list. This seemed to do it here: deb [arch=all] http://security.debian.org/ jessie/updates main Regards, Frank
Re: Thunderbird 52.2.1 and Enigmail
Hi, Paul. On 27/07/17 08:41, Paul van der Vlis wrote: >> I just updated Thunderbird on Jessie. Support for the 45.x series has >> ended, so starting with this update Debian is now following the 52.x >> releases. > I've tried much, but it did not work. So I downgraded, this worked for me: > > apt remove thunderbird icedove > apt install thunderbird=1:45.8.0-3~deb8u1 > apt install thunderbird-l10n-nl=1:45.8.0-3~deb8u1 > apt install lightning=1:45.8.0-3~deb8u1 > apt install lightning-l10n-nl=1:45.8.0-3~deb8u1 > apt install icedove=1:45.8.0-3~deb8u1 > apt install enigmail=2:1.8.2-4~deb8u1 > apt -t jessie-backports install xul-ext-sogo-connector > > And you need some kind of pinning... Thanks for your contribution. I see that yesterday was published the DSA-3921-1 referring to the bug 869774 talking about Enigmail 1.9.8.1 to restore full compatibility. But I still don't see the update available. Do you see it? Kind regards, Daniel
Re: What mirrors serve upgraded package version? (enigmail 2:1.9.8.1-1~deb8u1)
Op 29-07-17 om 12:56 schreef Alessandro Vesely: On Sat 29/Jul/2017 12:31:03 +0200 Frank wrote: Op 29-07-17 om 12:20 schreef Alessandro Vesely: (I tried ``deb http://security.debian.org/ jessie-security main'' but got W: Failed to fetch http://security.debian.org/dists/jessie-security/main/binary-amd64/Packages 404 Not Found [IP: 217.196.149.233 80]) What do I miss? Try: deb http://security.debian.org/ jessie/updates main Yes, I have that already, but according to apt-cache it still has enigmail 2:1.8.2-4~deb8u1. Indeed. Looking at https://packages.debian.org/search?keywords=enigmail I would expect 2:1.9.8.1-1~deb8u1 to be available from security and it is, but it doesn't show up after apt-get update with that repository line. Curious. I think it's because this package is in binary-all instead of the separate binary-amd64, binary-i386, etc. channels. If I add another line with deb [arch=all] http://security.debian.org/ jessie/updates main apt-cache does show the correct version after another apt-get update. I'm not sure this is the correct way to handle this, though... Regards, Frank
Re: What mirrors serve upgraded package version? (enigmail 2:1.9.8.1-1~deb8u1)
On Sat 29/Jul/2017 12:31:03 +0200 Frank wrote: > Op 29-07-17 om 12:20 schreef Alessandro Vesely: >> (I tried ``deb http://security.debian.org/ jessie-security main'' but got W: >> Failed to fetch >> http://security.debian.org/dists/jessie-security/main/binary-amd64/Packages >> 404 Not Found [IP: 217.196.149.233 80]) >> >> What do I miss? > > Try: deb http://security.debian.org/ jessie/updates main Yes, I have that already, but according to apt-cache it still has enigmail 2:1.8.2-4~deb8u1. signature.asc Description: OpenPGP digital signature
Re: What mirrors serve upgraded package version? (enigmail 2:1.9.8.1-1~deb8u1)
Op 29-07-17 om 12:20 schreef Alessandro Vesely: (I tried ``deb http://security.debian.org/ jessie-security main'' but got W: Failed to fetch http://security.debian.org/dists/jessie-security/main/binary-amd64/Packages 404 Not Found [IP: 217.196.149.233 80]) What do I miss? Try: deb http://security.debian.org/ jessie/updates main Regards, Frank
Re: What mirrors serve upgraded package version? (enigmail 2:1.9.8.1-1~deb8u1)
On Tue 20/Jun/2017 14:14:56 +0200 Greg Wooledge wrote: > On Tue, Jun 20, 2017 at 10:38:05AM +0200, Alessandro Vesely wrote: >> root@pcale:~# apt-cache policy firefox-esr >> [... output snipped ...] > > You appear to be missing your security.debian.org source. Adding security.debian.org solved the problem for firefox-esr. However, enigmail seems to be somewhere else. root@pcale:/tmp# apt-cache policy enigmail enigmail: Installed: 2:1.8.2-4~deb8u1 Candidate: 2:1.8.2-4~deb8u1 Version table: *** 2:1.8.2-4~deb8u1 0 500 http://debian.fastweb.it/debian/ jessie/main amd64 Packages 500 http://ftp.it.debian.org/debian/ jessie/main amd64 Packages 500 http://mirror.iway.ch/debian/ jessie/main amd64 Packages 500 http://security.debian.org/ jessie/updates/main amd64 Packages 100 /var/lib/dpkg/status The [SECURITY] [DSA 3921-1] enigmail update of 28 July 2017 21:15 said: For the oldstable distribution (jessie), this problem has been fixed in version 2:1.9.8.1-1~deb8u1. And https://qa.debian.org/madison.php?package=enigmail says: enigmail | 2:1.9.8.1-1~deb8u1 | jessie-security | source, all (I tried ``deb http://security.debian.org/ jessie-security main'' but got W: Failed to fetch http://security.debian.org/dists/jessie-security/main/binary-amd64/Packages 404 Not Found [IP: 217.196.149.233 80]) What do I miss? TIA Ale signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
Op 25-07-17 om 23:18 schreef Daniel Bareiro: > Hi all! > > I just updated Thunderbird on Jessie. Support for the 45.x series has > ended, so starting with this update Debian is now following the 52.x > releases. I've tried much, but it did not work. So I downgraded, this worked for me: apt remove thunderbird icedove apt install thunderbird=1:45.8.0-3~deb8u1 apt install thunderbird-l10n-nl=1:45.8.0-3~deb8u1 apt install lightning=1:45.8.0-3~deb8u1 apt install lightning-l10n-nl=1:45.8.0-3~deb8u1 apt install icedove=1:45.8.0-3~deb8u1 apt install enigmail=2:1.8.2-4~deb8u1 apt -t jessie-backports install xul-ext-sogo-connector And you need some kind of pinning... With regards, Paul van der Vlis -- Paul van der Vlis Linux systeembeheer Groningen https://www.vandervlis.nl/
Re: Thunderbird 52.2.1 and Enigmail
Hi, Doc. On 26/07/17 11:05, D. R. Evans wrote: >> I just updated Thunderbird on Jessie. Support for the 45.x series has >> ended, so starting with this update Debian is now following the 52.x >> releases. >> >> But after the update, Enigmail stopped working. In fact, when I go to >> (my email account) -> Settings-> OpenGPG security, none of the buttons >> are working. Not even "OK" to accept the changes. >> >> Is someone going through this too? > Having seen your post before I was presented a few minutes ago with the > Thunderbird update, I've refrained from applying it. > > Has anyone other than Daniel applied the jessie Thunderbird update? and, if > so, did you also lose access to enigmail? (It seems strange that there hasn't > been a whole chorus of people chiming in to warn about the Thunderbird > update.) Yesterday I filled out a bug report for this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869745 There several others having confirmed this bug. For now I have uninstalled the Debian package and installed the addon from the official site, as rpr suggested. Everything worked again after that. Kind regards, Daniel signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
Hi, rpr. On 26/07/17 07:20, rpr // wrote: > According I see, the Debian Jessie package has the version 1.8.2 for > Enigmail: > > root@orion:~# aptitude show enigmail | grep Versión > Versión: 2:1.8.2-4~deb8u1 > > But this version does not seem to be compatible with Thunderbird 52 [1]. > Enigmail 1.8.2 is compatible with Thunderbird 29.0 to 46.0. That's why > it was running on the previous packaged version of Thunderbird 45.x. > Daniel, if I were you I would try to uninstall the enigmail package and > then add the newest version of Enigmail addon (v. 1.9.7) directly in > Thunderbird (Tools > Add-ons > Browse all add-ons > find Enigmail > Add > to Thunderbird). Yes, that's what I decided to do. Thanks for the recommendation. Now with Enigmail 1.9.7 I can see the signatures again and access the encrypted emails. Kind regards, Daniel signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
Daniel Bareiro wrote on 07/25/2017 03:18 PM: > Hi all! > > I just updated Thunderbird on Jessie. Support for the 45.x series has > ended, so starting with this update Debian is now following the 52.x > releases. > > But after the update, Enigmail stopped working. In fact, when I go to > (my email account) -> Settings-> OpenGPG security, none of the buttons > are working. Not even "OK" to accept the changes. > > Is someone going through this too? Having seen your post before I was presented a few minutes ago with the Thunderbird update, I've refrained from applying it. Has anyone other than Daniel applied the jessie Thunderbird update? and, if so, did you also lose access to enigmail? (It seems strange that there hasn't been a whole chorus of people chiming in to warn about the Thunderbird update.) Doc -- Web: http://enginehousebooks.com/drevans signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
On 26 July 2017 at 01:47, Daniel Bareiro <daniel-lis...@gmx.net> wrote: > > According I see, the Debian Jessie package has the version 1.8.2 for > Enigmail: > > root@orion:~# aptitude show enigmail | grep Versión > Versión: 2:1.8.2-4~deb8u1 > > But this version does not seem to be compatible with Thunderbird 52 [1]. > Enigmail 1.8.2 is compatible with Thunderbird 29.0 to 46.0. That's why > it was running on the previous packaged version of Thunderbird 45.x. > > Daniel, if I were you I would try to uninstall the enigmail package and then add the newest version of Enigmail addon (v. 1.9.7) directly in Thunderbird (Tools > Add-ons > Browse all add-ons > find Enigmail > Add to Thunderbird). -- rpr.
Re: Thunderbird 52.2.1 and Enigmail
Sorry for the oversight. I am actually running on Stretch, so I'm using Enigmail 1.9.7. Perhaps someone can backport the version from Stretch to Jessie to resolve this issue. On Tue, Jul 25, 2017 at 7:26 PM, Daniel Bareiro <daniel-lis...@gmx.net> wrote: > Hi, Jason. > > Thanks for your reply. But please respond to the list so that we can all > take advantage of the contribution. > > On 25/07/17 18:54, Jason Wittlin-Cohen wrote: > > > I'm not seeing the behavior you described with Thunderbird + Enigmail. > > Thats weird. Are you using Debian Jessie packages for both? > > > Thanks again for your reply. > > Kind regards, > Daniel > >
Re: Thunderbird 52.2.1 and Enigmail
Hi again, Georgi. On 25/07/17 20:21, Daniel Bareiro wrote: >>>> I'll try to sign this message because I have not used Enigmail for a >>>> long time. >>> Thanks for trying this. I appreciate it. Did you manage to sign it? >> Yes, I signed the message, you should be able to see my signature. > Thanks for trying. Unfortunately I am not able to see your signature. I > also don't see the signature from other emails sent by myself nor I'm > able to open encrypted messages that I have received. Before the upgrade According I see, the Debian Jessie package has the version 1.8.2 for Enigmail: root@orion:~# aptitude show enigmail | grep Versión Versión: 2:1.8.2-4~deb8u1 But this version does not seem to be compatible with Thunderbird 52 [1]. Enigmail 1.8.2 is compatible with Thunderbird 29.0 to 46.0. That's why it was running on the previous packaged version of Thunderbird 45.x. So it looks like we have a problem here. Kind regards, Daniel [1] https://addons.mozilla.org/es/thunderbird/addon/enigmail/versions/?page=1#version-1.8.2
Re: Thunderbird 52.2.1 and Enigmail
Hi, Jason. Thanks for your reply. But please respond to the list so that we can all take advantage of the contribution. On 25/07/17 18:54, Jason Wittlin-Cohen wrote: > I'm not seeing the behavior you described with Thunderbird + Enigmail. Thats weird. Are you using Debian Jessie packages for both? Thanks again for your reply. Kind regards, Daniel
Re: Thunderbird 52.2.1 and Enigmail
Hi, Georgi. On 25/07/17 19:26, Georgi Naplatanov wrote: >>> I'll try to sign this message because I have not used Enigmail for a >>> long time. >> Thanks for trying this. I appreciate it. Did you manage to sign it? > Yes, I signed the message, you should be able to see my signature. Thanks for trying. Unfortunately I am not able to see your signature. I also don't see the signature from other emails sent by myself nor I'm able to open encrypted messages that I have received. Before the upgrade it worked without problems. >> I'm not sure if this is some incompatibility between the Debian versions >> for Thunderbird and Enigmail. > I'm not sure either. I saw standard dialog box for crash report several > times on my computer but I didn't see anything odd and therefor I didn't > create bug report. Yes, I've also filled the Thunderbird report dialog box every time Thunderbird crashed. But I meant an incompatibility between Thunderbird and Enignail for the issue I mentioned in this thread, considering it as something independent of Thunderbird crashes. Thanks for your time. Kind regards, Daniel
Re: Thunderbird 52.2.1 and Enigmail
On 07/26/2017 01:05 AM, Daniel Bareiro wrote: > > On 25/07/17 18:23, Georgi Naplatanov wrote: > >>> I just updated Thunderbird on Jessie. Support for the 45.x series has >>> ended, so starting with this update Debian is now following the 52.x >>> releases. >>> >>> But after the update, Enigmail stopped working. In fact, when I go to >>> (my email account) -> Settings-> OpenGPG security, none of the buttons >>> are working. Not even "OK" to accept the changes. >>> >>> Is someone going through this too? >>> >>> >>> Thanks in advance. > >> Hi Daniel, > > Hi, Georgi. > >> I'm not sure what happens with Thunderbird in Debian but I had crashes >> almost daily with both - Jessie and Stretch and at the end I downloaded >> latest version from mozilla.org. > > Yes, I also experienced that behavior. Then the frequency of occurrence > diminished, but in any case I continued observing this crashes. > >> I'll try to sign this message because I have not used Enigmail for a >> long time. > > Thanks for trying this. I appreciate it. Did you manage to sign it? Yes, I signed the message, you should be able to see my signature. > I'm not sure if this is some incompatibility between the Debian versions > for Thunderbird and Enigmail. I'm not sure either. I saw standard dialog box for crash report several times on my computer but I didn't see anything odd and therefor I didn't create bug report. Kind regards Georgi signature.asc Description: OpenPGP digital signature
Re: Thunderbird 52.2.1 and Enigmail
On 25/07/17 18:23, Georgi Naplatanov wrote: >> I just updated Thunderbird on Jessie. Support for the 45.x series has >> ended, so starting with this update Debian is now following the 52.x >> releases. >> >> But after the update, Enigmail stopped working. In fact, when I go to >> (my email account) -> Settings-> OpenGPG security, none of the buttons >> are working. Not even "OK" to accept the changes. >> >> Is someone going through this too? >> >> >> Thanks in advance. > Hi Daniel, Hi, Georgi. > I'm not sure what happens with Thunderbird in Debian but I had crashes > almost daily with both - Jessie and Stretch and at the end I downloaded > latest version from mozilla.org. Yes, I also experienced that behavior. Then the frequency of occurrence diminished, but in any case I continued observing this crashes. > I'll try to sign this message because I have not used Enigmail for a > long time. Thanks for trying this. I appreciate it. Did you manage to sign it? I'm not sure if this is some incompatibility between the Debian versions for Thunderbird and Enigmail. Kind regards, Daniel
Re: Thunderbird 52.2.1 and Enigmail
On 07/26/2017 12:18 AM, Daniel Bareiro wrote: > Hi all! > > I just updated Thunderbird on Jessie. Support for the 45.x series has > ended, so starting with this update Debian is now following the 52.x > releases. > > But after the update, Enigmail stopped working. In fact, when I go to > (my email account) -> Settings-> OpenGPG security, none of the buttons > are working. Not even "OK" to accept the changes. > > Is someone going through this too? > > > Thanks in advance. > > Kind regards, > Daniel > Hi Daniel, I'm not sure what happens with Thunderbird in Debian but I had crashes almost daily with both - Jessie and Stretch and at the end I downloaded latest version from mozilla.org. I'll try to sign this message because I have not used Enigmail for a long time. Kind regards Georgi signature.asc Description: OpenPGP digital signature
Thunderbird 52.2.1 and Enigmail
Hi all! I just updated Thunderbird on Jessie. Support for the 45.x series has ended, so starting with this update Debian is now following the 52.x releases. But after the update, Enigmail stopped working. In fact, when I go to (my email account) -> Settings-> OpenGPG security, none of the buttons are working. Not even "OK" to accept the changes. Is someone going through this too? Thanks in advance. Kind regards, Daniel
Re: Issues with Enigmail @ Icedove and a huge keyring
Am 02.04.2015 um 14:37 schrieb Jonathan Dowland: Hi, On Thu, Apr 02, 2015 at 12:15:44PM +0200, Frank Lanitz wrote: I've got a quiet big keyring (2k keys inside it) and since last updates of enigmail I'm recognizing issues with it. Ehenever it's about verifying a signature Enigmail is starting a gpg2 process like that /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --with-fingerprint --fixed-list-mode --with-colons --list-keys which consumes 100% of one core for quiet some time and is blocking the signature thing. This is happening about sind update to 1.8.x of Enigmail. Before I report an issue upstream to Enigmail I'd like to ask you whether some of you is experincing some similar issue and/or is might having an idea for fixing/workaround. Try (if possible) adding --no-auto-check-trustdb to the GPG2 invocation of enigmail, and separately cron a 'gpg --check-trustdb' (with possibly some of --batch or --no-tty etc. added). I'm not sure what an appropriate frequency for the cron should be, but gpg will not check the trust db even when asked if it doesn't think it necessary. (unless you add --yes). I've tried it and it didn't irmpoe things much. I was able to put it doen to 2 cases: 1) Decrypting and verifing and encrypted + signed mail 2) Creating a mail (and most likely searching for a fitting key) and signing it -- most times only on first attempt. Cheers, Frank signature.asc Description: OpenPGP digital signature
Issues with Enigmail @ Icedove and a huge keyring
Hi folks, I've got a quiet big keyring (2k keys inside it) and since last updates of enigmail I'm recognizing issues with it. Ehenever it's about verifying a signature Enigmail is starting a gpg2 process like that /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --with-fingerprint --fixed-list-mode --with-colons --list-keys which consumes 100% of one core for quiet some time and is blocking the signature thing. This is happening about sind update to 1.8.x of Enigmail. Before I report an issue upstream to Enigmail I'd like to ask you whether some of you is experincing some similar issue and/or is might having an idea for fixing/workaround. Cheers, Frank signature.asc Description: OpenPGP digital signature
Re: Issues with Enigmail @ Icedove and a huge keyring
Hi, On Thu, Apr 02, 2015 at 12:15:44PM +0200, Frank Lanitz wrote: I've got a quiet big keyring (2k keys inside it) and since last updates of enigmail I'm recognizing issues with it. Ehenever it's about verifying a signature Enigmail is starting a gpg2 process like that /usr/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --with-fingerprint --fixed-list-mode --with-colons --list-keys which consumes 100% of one core for quiet some time and is blocking the signature thing. This is happening about sind update to 1.8.x of Enigmail. Before I report an issue upstream to Enigmail I'd like to ask you whether some of you is experincing some similar issue and/or is might having an idea for fixing/workaround. Try (if possible) adding --no-auto-check-trustdb to the GPG2 invocation of enigmail, and separately cron a 'gpg --check-trustdb' (with possibly some of --batch or --no-tty etc. added). I'm not sure what an appropriate frequency for the cron should be, but gpg will not check the trust db even when asked if it doesn't think it necessary. (unless you add --yes). -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150402123734.ga26...@chew.redmars.org
jessie: enigmail breaks (?) icedove
Dear fellows, I have recently noticed that it is no longer possible to install enigmail from Debian (Jessie) repositories without uninstalling icedove. Aptitude reports: enigmail breaks icedove This is puzzling because enigmail without icedove is not useful. My workaround is to install enigmail through that *.xpi provided by mozilla, but that is exactly what I do not normally want to do (use some random semi-package-managers people tend to invent) My question is, what happened with the enigmail package? Does it behave as expected (and is it somehow useful without icedove) or is it broken and a bugreport has to be filed? Thanks in advance for any good advice. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/5272b31f.8090...@gmail.com
Re: jessie: enigmail breaks (?) icedove
On 2013-10-31 20:44 +0100, Matej Kosik wrote: I have recently noticed that it is no longer possible to install enigmail from Debian (Jessie) repositories without uninstalling icedove. Aptitude reports: enigmail breaks icedove This is puzzling because enigmail without icedove is not useful. I tend to agree, but it is possible to use it with iceape instead. Not that I would recommend that, the iceape package is horribly outdated and ought to be removed, at least from testing. My workaround is to install enigmail through that *.xpi provided by mozilla, but that is exactly what I do not normally want to do (use some random semi-package-managers people tend to invent) My question is, what happened with the enigmail package? Does it behave as expected (and is it somehow useful without icedove) or is it broken and a bugreport has to be filed? It's broken, see http://bugs.debian.org/726517. Thanks in advance for any good advice. Install the enigmail version from unstable (I assume you do not use kfreebsd so are unaffected by the above bug). Cheers, Sven -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/874n7xw6jg@turtle.gmx.de
Re: Enigmail en SSH onder Gnome3
Op 07-09-13 18:00, Geert Stappers schreef: Op 2013-09-06 om 17:27 schreef Paul van der Vlis: Hallo, Sinds enige tijd hoef ik geen paswoord meer in te tikken als ik een PGP encrypted mailtje ontvang, het wordt vanzelf gedecrypt zo lang het mailprogramma aan staat. knip/ Ook SSH heeft soms de neiging om gebruik te maken van Gnome voor het opslaan van paswoorden. Ik vind dit onplezierig omdat ik niet goed weet hoe dit te controleren. Weet hier iemand meer? Daar is het `ssh-agent` die meehelpt om gesloten deuren te openen. In Gnome NL blijkt het GPG wachtwoord agent en SSH sleutelagent te heten. Zie ook het stukje van Winfried. Bedankt! Groet, Paul. -- Paul van der Vlis Linux systeembeheer, Groningen http://www.vandervlis.nl -- To UNSUBSCRIBE, email to debian-user-dutch-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/5231cf28.1070...@vandervlis.nl
Re: Enigmail en SSH onder Gnome3
On 06-09-13 17:27, Paul van der Vlis wrote: Hoi, Weet hier iemand meer? Gnome(3) heeft een vrij uitgebreide infrastructuur voor key management. (Al behoorlijk volwassen, alhoewel ik nog wel wat dingen mis). Onderdeel daarvan is een eigen ssh-agent en een eigen gpg-password agent. Voordeel: ze zijn mooi geïntegreerd in de gnome-keyring / seahorse. Nadeel: ze nemen de boel over en missen wat functionaliteiten die de 'standaard' agents wel hebben. Gelukkig zijn ze bij Gnome zo slim geweest om van die agents aparte programma's te maken, die je probleemloos uit kunt zetten: $ gnome-session-properties En dan GPG Password Agent (Gnome keyring: GPG Agent) en SSH key Agent (Gnome Keyring: SSH Agent) uitzetten. Mocht je apart de GPG agent of de SSH-agent geïnstalleerd hebben: als je ze naast de agents van Gnome draait, kan dat rare effecten hebben. Als die van Gnome uitzet: dan worden de agents die je hebt geïnstalleerd weer actief, en zal je in die settings alles moeten kneden naar jouw wens. groet, Winfried -- To UNSUBSCRIBE, email to debian-user-dutch-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/522d770a.7060...@tilanus.com
Enigmail en SSH onder Gnome3
Hallo, Sinds enige tijd hoef ik geen paswoord meer in te tikken als ik een PGP encrypted mailtje ontvang, het wordt vanzelf gedecrypt zo lang het mailprogramma aan staat. Op de een of andere manier wordt het paswoord onthouden, waarschijnlijk door Seahorse (paswoorden programma van Gnome). Ik vind dit welliswaar handig, maar niet secure genoeg. Weet iemand hier hoe ik dit kan instellen? In de instellingen van Enigmail staat dat het paswoord 5 minuten wordt onthouden als het niet gebruikt wordt, maar het is dus veel langer. In Seahorse vind ik geen instellingen. Ook SSH heeft soms de neiging om gebruik te maken van Gnome voor het opslaan van paswoorden. Ik vind dit onplezierig omdat ik niet goed weet hoe dit te controleren. Weet hier iemand meer? Groet, Paul. -- Paul van der Vlis Linux systeembeheer, Groningen http://www.vandervlis.nl -- To UNSUBSCRIBE, email to debian-user-dutch-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/5229f45b.70...@vandervlis.nl
Re: Enigmail stopped working
It's magically started working. Thank you, computer Gods. On Sat, Jun 22, 2013 at 11:55 AM, John Tate j...@johntate.org wrote: Enigmail is no longer automatically decrypting emails or allowing me to do it manually in Icedove. There is nothing out of the ordinary in the console output. -- www.johntate.org -- www.johntate.org -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/cahnfuav5n_cpwt9f2rmyf4_pwvdakognn55b6orlrxj5qh_...@mail.gmail.com
Enigmail stopped working
Enigmail is no longer automatically decrypting emails or allowing me to do it manually in Icedove. There is nothing out of the ordinary in the console output. -- www.johntate.org -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/cahnfuaudie_6xe4pmx5rjmr5qkeveuxvdzp6hvho36aner1...@mail.gmail.com
