This repository has been archived by the owner on Jun 5, 2024. It is now read-only.

Smartcard must be unlocked after thunderbird is open #220

Open
dngray opened this issue Jan 11, 2022 · 3 comments
Comments


dngray commented Jan 11, 2022

So I found a weird bug where I can't decrypt emails if I don't set filesystems=home and create a profile.

  1. If you don't set this override the profile will go in ~/.var/app/org.mozilla.Thunderbird/.thunderbird as expected.

  2. Email won't seem to decrypt.

  3. If you then set filesystems=home, i.e.:

    flatpak override --user \
                     --env=MOZ_ENABLE_WAYLAND=1 \
                     --socket=wayland \
                     --filesystem=home \
                     org.mozilla.Thunderbird
    
  4. The profile will be created in ~/.thunderbird

  5. It seems then you can move it to ~/.var/app/org.mozilla.Thunderbird/.thunderbird and revoke the above --filesystem=home permission.

Additionally I noticed that it seems Thunderbird can't ask you to unlock your Yubikey. I had to do this manually in a terminal, i.e.:

gpg-connect-agent 'scd serialno' /bye
gpg-connect-agent 'scd checkpin <serial>' /bye
@Erick555 (Collaborator)

Weird indeed. In the sandbox, ~/.var/app/org.mozilla.Thunderbird/.thunderbird and ~/.thunderbird are exactly the same location. I guess it wants to access something else from your home initially?

Erick555 (Collaborator) commented Jan 11, 2022

You may try to test it by pre-creating an empty profile path in your home (mkdir ~/.thunderbird), then allow access only to it instead of all of home (--filesystem=~/.thunderbird).

dngray (Author) commented Jan 12, 2022

Okay, so I've tried to reproduce this again, I think the confusion was that I needed to run the above gpg-connect-agent command again despite not unplugging my Yubikey.

  1. Fresh profile with just: ~/.local/share/flatpak/overrides/org.mozilla.Thunderbird
    [Context]
    sockets=wayland;
    
    [Environment]
    MOZ_ENABLE_WAYLAND=1
    
  2. Add account
  3. Enable mail.openpgp.allow_external_gnupg
  4. Add key id: "Use your external key through GnuPG (e.g. from a smart card)"
  5. Unlocking the yubikey at this point still won't let you decrypt email
  6. Close Thunderbird
  7. Open Thunderbird
  8. Unlock Yubikey again, even if you unlocked it earlier and didn't disconnect/reconnect it, you'll have to do it again.

It does seem that from then on you can:

  1. Close Thunderbird
  2. Remove Yubikey
  3. Open Thunderbird
  4. Unlock Yubikey
  5. Decrypt email

If you do it in this order:

  1. Close Thunderbird
  2. Remove Yubikey
  3. Unlock Yubikey
  4. Open Thunderbird
  5. You'll need to unlock your Yubikey again
  6. Decrypt email.

So TLDR you must unlock Yubikey after Thunderbird is open.

Of course this would all be solved if the Thunderbird Flatpak could run gpg-connect-agent without having to do it externally in a terminal.
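The two gpg-connect-agent commands the reporter ran by hand, wrapped so the card serial is read from scdaemon's reply instead of being retyped. This is an added example, not code from the issue or from the Flatpak project; it assumes gpg-connect-agent is on PATH and that scdaemon answers `scd serialno` with a status line of the form `S SERIALNO <serial>` followed by `OK` (or an `ERR ...` line when no card is present).

```sh
#!/bin/sh
# Added example (not from the issue): automate "scd serialno" + "scd checkpin".

# Extract the card serial from the reply of 'gpg-connect-agent "scd serialno" /bye'.
# Succeeds only if a "S SERIALNO <serial>" status line is present and no "ERR"
# line was emitted; prints the serial on stdout.
parse_scd_serial() {
    awk '
        $1 == "S" && $2 == "SERIALNO" { serial = $3 }
        $1 == "ERR"                   { err = 1 }
        END { if (err || serial == "") exit 1; print serial }
    '
}

# Ask scdaemon to verify the card PIN for the card it currently reports.
# pinentry prompts for the PIN; returns non-zero when no card is present
# or the agent does not answer "OK".
unlock_card() {
    serial=$(gpg-connect-agent 'scd serialno' /bye | parse_scd_serial) || {
        echo "no smartcard reported by scdaemon" >&2
        return 1
    }
    gpg-connect-agent "scd checkpin $serial" /bye | grep -q '^OK'
}
```

Run `unlock_card` from a terminal after Thunderbird is open, matching the ordering the reporter found necessary.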

dngray changed the title from "filesystem=home needed for initial creation of profile?" to "Smartcard must be unlocked after thunderbird is open" on Jan 12, 2022