After following this guide, you should be able to encrypt, decrypt and sign emails within Thunderbird, even with a smartcard.

This guide assumes you already have a GPG keyring or know how to set it up.

Install GPG Suite

Download and install GPG Suite from [here].

Install MacPorts and gpgme

Download and install MacPorts from [here].

Afterwards, open a Terminal and run:

sudo port install gpgme

Confirm with a yes, and let it do its thing.

Configure GPG in Thunderbird

Go to the preferences, scroll all the way down and open the config editor.

Search for mail.openpgp.allow_external_gnupg and set it to TRUE

Search for mail.openpgp.alternative_gpg_path and set it to /opt/local/bin/gpg

Configure GPG identity in Thunderbird

Go to the account settings, go to the end-to-end encryption tab, choose “Add key” and then “Use your external key through GnuPG”.

Tip: For email aliases, instead go to the alias settings, and go to the end-to-end encryption tab there.

Paste the key ID (the last 16 characters of your fingerprint, no spaces, no 0x or anything) into the field and hit save.

In the top menu, go to Tools > OpenPGP key manager.

Then, with that manager window active, File > Import public key.

Import your own public key. When asked, set it to “accepted”.

Important: Now restart Thunderbird for the changes to fully apply


If it still can’t find your key, and you’re using a detached key (for example for smartcards), try specifying the key ID of the signing key instead.

I had gotten this info from the Mozilla wiki, turns out this info is wrong (probably outdated). Use the main key ID.

Known issues

In my case, decrypting and signing works, but encrypting when sending fails. But this is a start.

Use the main key ID.

Final notes

Thunderbird is still not great for PGP, ever since they moved from supporting GPG+Enigmail to rolling their own PGP.

I run this blog in my free time, if this guide helped you out, consider leaving a tip for a coffee? (:

That’s all there is to it!