The officially official Devuan Forum!

#1 2017-07-31 18:38:30

afuerst
Member
Registered: 2017-05-14
Posts: 15  

enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

During the last upgrades, I received the security-upgrade for Thunderbird for version 52.2.1-4~dev8u1.
But this version of Thunderbird is incompatible with enigmail 1.8.2. In Debian-Security, enigmail 1.9.8.1-1~deb8u1 is available, but I don't get this as an update. After downloading this from Debian and installing it, it was working again.
Additional info: This brought up a new issue (incompatibility between gnome-keyring and gnupg), but this is (at the moment) just an annoying and optical issue (Details: https://enigmail.net/index.php/en/faq?view=topic&id=14 / "How to Fix it" / 4.).
Does anyone know why enigmail is not updated automatically? Might a configuration issue on my machines be a reason?

Armin

Offline

#2 2017-07-31 19:22:52

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

Hi, Armin. All my machines receive automatic security upgrades and I was surprised by this same issue: Havoc in proper functioning of Thunderbird's Enigmail plugin after Thunderbird upgrade to version 1:52.2.1-4~deb8u1.

I found that a newer version of Enigmail restored my ability to send encrypted email. However, if I want to both encrypt and sign, sending fails. Error messages appear in two successive windows:

GnuPG reported an error in the communication with gpg-agent (a component of GnuPG)

then

Sending of the message failed.

The "How to fix" tidbit from the Enigmail website (adding "use-standard-socket" to $HOME/.gnupg/gpg-agent.conf and rebooting) made no difference--signing a message still prevents it from being sent.

Enigmail can be obtained as a .deb package and installed by the package manager, or obtained as a .xpi package and installed from within Thunderbird (Thunderbird > Tools > Add-ons > click on down-arrow next to the little gear > "Install Add-on From File").

My workaround for the time being is to stick with the pre-upgrade versions of Thunderbird (45.8.0-3~deb8u1) and Enigmail (1.8.2 xpi package).

To prevent Thunderbird & Enigmail from being upgraded, I created /etc/apt/preferences.d/thunderbird-keep-v45 with these contents...

Package: thunderbird
Pin: version 1:45.8.0-3~deb8u1
Pin-Priority: 1001

...and in Thunderbird > Tools > Add-ons > click the down-arrow next to the little gear > make sure there's no checkmark by "Update Add-ons Automatically".

Last edited by GNUser (2017-07-31 19:48:15)

Offline

#3 2017-07-31 19:49:50

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

PS: Armin, I just realized that my previous post did not answer your questions.

In my case, Enigmail was not upgraded automatically because it was installed from within Thunderbird. I'm not a Devuan developer, so if you had Enigmail 1.8.2 installed as a .deb package then I do not know why it wasn't upgraded along with Thunderbird. Even if they both had been upgraded together, however, I am finding that Thunderbird 52.2.1-4 + Enigmail 1.9.8 break the ability to send signed messages.

Last edited by GNUser (2017-07-31 19:52:13)

Offline

#4 2017-08-01 08:49:23

afuerst
Member
Registered: 2017-05-14
Posts: 15  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

Thanks for your answers. I do have everything installed using .deb packages (I try to install nearly everything from packages because my hope is that upgrades are as smooth as possible :) )
Before I made an upgrade on an additional machine, I had a quick look and realized enigmail 1.8.2 was installed as "amd64" and the amd64 package is still on 1.8.2 in Debian. Enigmail 1.9.8 is only available as an "all" package and this might explain why it was not upgraded - though in my opinion, there should be at least a transitional package enigmail-amd64 to automate the process. But this seems like a Debian issue to me.
Thank you for your hint about the problem of encrypting messages. Until now, I just tried to decrypt messages and as soon as I got this running, I thought I had solved the issue. I can't verify right now, but I will as soon as possible.
I'm not sure staying at TB 45.8 is a good solution, since the upgrade is marked as a security-upgrade.
Did you have a look at https://enigmail.net/index.php/en/faq?view=topic&id=14 - it did not work for me, but perhaps it helps you :)

Offline

#5 2017-08-01 13:39:48

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

afuerst wrote:

I try to install nearly everything from packages because my hope is that upgrades are as smooth as possible :)
I'm not sure staying at TB 45.8 is a good solution, since the upgrade is marked as a security-upgrade.

I completely agree. It was pure laziness that was holding me back.

At any rate, since my laziness was called out :) I went ahead and upgraded thunderbird and installed enigmail (version 1.9.8) from Devuan repository using package manager--then took a deep breath to deal with the fallout.

From reading Enigmail's FAQ, it seems the Enigmail developers are most familiar with gpg-agent/pinentry and not gnome-keyring and the like. I'm on MATE with gnome-keyring and decided to see if my problems would go away if I configured Enigmail to use gpg-agent/pinentry instead of gnome-keyring.

Here is how I configured Enigmail to use gpg-agent and pinentry instead of gnome-keyring:

1. Add "use-agent" (without quotes) to ~/.gnupg/gpg.conf

2. Add "use-standard-socket" (without quotes) to ~/.gnupg/gpg-agent.conf (if the file does not already exist, create it)

3. Reboot

Launch Thunderbird and try using Enigmail. If the window that pops up asking for your password is not called "pinentry", then gnome-keyring is forcing itself on Enigmail and you need a few more steps (I needed steps 4-6 as well, so don't feel bad):

4. Create /usr/bin/thunderbird-wrapper with your favorite text editor, put this in it:

#!/bin/bash
unset GPG_AGENT_INFO
exec /usr/bin/thunderbird "$@"

5. In a terminal, make the wrapper script executable:

sudo chmod a+x /usr/bin/thunderbird-wrapper

6. Make sure that the Thunderbird icons in your menu +/- panel point to /usr/bin/thunderbird-wrapper and not /usr/bin/thunderbird

Reboot, launch Thunderbird, and try using Enigmail again. The window asking for your password when you use Enigmail should now be called "pinentry" and everything should work (encryption, signing, decryption, remembering pin for desired time period).

Last edited by GNUser (2017-08-01 18:35:41)

Offline
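
One way to check from a terminal which agent a session advertises, before and after the steps in post #5 (an added example, not part of GNUser's post). It assumes that gnome-keyring's emulated agent advertises a socket under a directory named keyring or keyring-*, and that a real gpg-agent socket is named S.gpg-agent; the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread.
# GPG_AGENT_INFO has the form <socket path>:<pid>:<protocol version>.
# Assumption: gnome-keyring's socket lives under .../keyring/ or
# .../keyring-XXXX/, while gpg-agent's socket file is named S.gpg-agent.

# Print one of: unset, malformed, gnome-keyring, gpg-agent, unknown
classify_agent_info() {
    ai_info=$1
    case "$ai_info" in
        '')    echo "unset"; return 0 ;;      # what the wrapper's "unset" produces
        *:*:*) ;;                             # at least three colon-separated fields
        *)     echo "malformed"; return 0 ;;
    esac

    # Split from the right so the socket path keeps any earlier colons.
    ai_proto=${ai_info##*:}
    ai_rest=${ai_info%:*}
    ai_pid=${ai_rest##*:}
    ai_sock=${ai_rest%:*}

    # pid and protocol version must both be plain decimal numbers.
    for ai_field in "$ai_pid" "$ai_proto"; do
        case "$ai_field" in
            ''|*[!0-9]*) echo "malformed"; return 0 ;;
        esac
    done

    case "$ai_sock" in
        */keyring/*|*/keyring-*/*) echo "gnome-keyring" ;;
        */S.gpg-agent)             echo "gpg-agent" ;;
        *)                         echo "unknown" ;;
    esac
}

# Report on the environment this script was started from.
echo "GPG_AGENT_INFO in this session: $(classify_agent_info "${GPG_AGENT_INFO:-}")"
```

Run it from a terminal in the desktop session to see what a plainly launched Thunderbird would inherit; a process started through the wrapper sees the "unset" case.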

#6 2017-08-01 14:26:01

afuerst
Member
Registered: 2017-05-14
Posts: 15  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

Cool, thanks a lot for your detailed instructions. I will try those asap on my machines. BTW: I have the same setup, I'm also using MATE since it is available as packages - and was using Gnome2 before :)

Offline

#7 2017-08-01 14:28:07

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

BTW, I tried uninstalling gnome-keyring to see what would happen (i.e., to see if I could get away with not having a wrapper script). Unfortunately, it seems that network-manager requires gnome-keyring (or the like) to prompt for wifi passwords.

If I understood the discussion here correctly (see Hans' post at the very bottom of page 1), it seems that currently there are two options for getting full Enigmail functionality without interfering with packages that need a keyring:

(1) Leave gnome-keyring installed, requiring a wrapper script for Thunderbird (as I outlined in #5 above)
or
(2) Uninstall gnome-keyring, install the better-behaved mate-keyring, dump the wrapper script. The fly in the ointment is that mate-keyring is deprecated and no longer in Debian/Devuan repositories--it would require finding it somewhere and downloading it.

Between using a wrapper script or using a deprecated package not in the repository, the wrapper script option seems to better follow the KISS principle.

If anyone can think of a way to get gnome-keyring to stay out of Enigmail's way without resorting to a TB wrapper script, please do tell.

Last edited by GNUser (2017-08-01 18:36:58)

Offline

#8 2017-08-01 14:36:15

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

You're welcome, Armin. Ha ha--we're both refugees from Gnome3/systemd :)

Thanks for inspiring me to do things the right way, and for the link to the Enigmail FAQs. That was huge.

Given how similar our setups are, it's a safe bet that the steps in #5 above will work for you. Please let me know how it goes.

Offline

#9 2017-08-01 20:28:06

afuerst
Member
Registered: 2017-05-14
Posts: 15  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

Seems like we are similar refugees :)
I just tried your solution and - as expected - it is working.
But to simplify stuff, I didn't create a wrapper-script, /usr/bin/thunderbird is already a wrapper script. I just added the

unset GPG_AGENT_INFO

after line 38.
I also had a look at the Debian issue (https://bugs.debian.org/cgi-bin/bugrepo … bug=784289). The reporter closed the issue because after the upgrade to GnuPG 2.1.4 it is working again. In ascii, there is GnuPG 2.1.18 available, perhaps this solved the issue?

Offline

#10 2017-08-01 20:44:26

afuerst
Member
Registered: 2017-05-14
Posts: 15  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

I just made a quick test. I have a VM with ascii just to evaluate stuff - not for real use. I just installed TB and enigmail from scratch and it was working, the passphrase pop-up was provided by gnome-pinentry3.

Offline

#11 2017-08-01 21:06:02

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

I'm happy to hear that you're in good shape, and that these issues are not present in ascii :)

Adding the "unset" line to /usr/bin/thunderbird is a good idea with one caveat: An upgrade to TB will overwrite the file. A wrapper script is ugly but upgrades will leave it alone.

Last edited by GNUser (2017-08-01 21:06:18)

Offline

#12 2017-08-01 21:18:52

afuerst
Member
Registered: 2017-05-14
Posts: 15  

Re: enigmail broken since upgrade of Thunderbird to 52.2.1-4~dev8u1

I was thinking about the problem of having this change overwritten during the next upgrade, but I seem to remember that the upgrade process would at least inform me.
My problem with the wrapper is to find all references of all users to /usr/bin/thunderbird, so I gave this way a try. And re-adding this "patch" is a quick job :)
Let's see how soon I will change to the wrapper-script...

Offline
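
For step 6 in post #5 and the concern in post #12 about finding every reference to /usr/bin/thunderbird, an added example that is not part of either post: it lists .desktop launchers whose Exec= line starts Thunderbird directly instead of /usr/bin/thunderbird-wrapper. The function name is hypothetical and the directories in the usage comment are assumed typical locations.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage (directories are assumed typical locations, adjust as needed):
#   sh audit-launchers.sh /usr/share/applications /usr/local/share/applications \
#       /home/*/.local/share/applications /home/*/Desktop \
#       /home/*/.config/mate/panel2.d/default/launchers
# Limitation: only the first word of Exec= is inspected, so a launcher
# written as "Exec=env VAR=x thunderbird" is not detected.

# For each directory given, print "<file>: <Exec line>" for every .desktop
# file that runs "thunderbird" or "/usr/bin/thunderbird" directly.
# Launchers that already call /usr/bin/thunderbird-wrapper are not listed.
find_unwrapped_launchers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue             # skip locations that do not exist
        find "$dir" -type f -name '*.desktop' | sort | while IFS= read -r f; do
            grep '^Exec=' "$f" | while IFS= read -r line; do
                cmd=${line#Exec=}             # drop the key
                cmd=${cmd%% *}                # keep the program, drop arguments
                case "$cmd" in
                    thunderbird|/usr/bin/thunderbird)
                        printf '%s: %s\n' "$f" "$line" ;;
                esac
            done
        done
    done
}

# Scan whatever directories were passed on the command line.
if [ "$#" -gt 0 ]; then
    find_unwrapped_launchers "$@"
fi
```

Empty output means every launcher found in the scanned directories either goes through the wrapper or does not start Thunderbird at all.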