See? I’ve learned since my last post: I’m not referring to Mozilla this time. :D
Some time ago, I wrote [a popular article] about Thunderbird version 78.x, and how built-in PGP was generally a good idea, but the implementation was subpar for advanced users.
I had stopped using Thunderbird after that, and it’s been a bit over a year now since I wrote that article. Thunderbird has since changed its major version to 91.x, and many updates were released addressing PGP.
So, what’s the state of PGP with Thunderbird now?
Well, “it works”, even with external GnuPG and smartcard, which is great, but it’s painful to set up if you don’t know the secret as to how.
I wrote [a guide on how to set it up on a Mac], and I’d like to share now what was painful about the process, and how it could be improved.
But I’d like to take the opportunity to address the fact that Thunderbird is free software, as in gratis and freedom, so, thank you to Thunderbird for providing a free email client. This article is not meant as hate, just some thoughts and suggestions based on my experience. (:
First Problem: “Secret key not available”
So, after setting up PGP with GnuPG, adding my public key to Thunderbird (as per the wiki) and specifying my key ID, I got the message that “the secret key that is required to decrypt this message is not available”.
Well, the secret key was very much available in my GnuPG keychain. So, I assumed this message meant “not available in the Thunderbird keychain”.
And I thought to myself, why do you care, silly Thunderbird? Just pass it to GnuPG, it’ll do the thing! You don’t need the key!
Turns out what was really going on is that the GPGME C library was either missing or not found by Thunderbird.
First suggestion: Better error messages
I’d suggest that this error message be changed to something more fitting, like “Could not talk to GPG” or “GPGME library not found” or a combination of these.
Had I known what the real problem was, this issue would have been resolved a lot quicker with a lot less frustration. (:
Second Problem: “Send Message Error”
The second problem was equally frustrating because again, no error details were provided.
I could receive emails, decrypt them, and send signed emails. But I was unable to send encrypted ones!
I had read on the Mozilla wiki that if one uses a detached PGP key (e.g. with a smartcard), one should specify the signing subkey ID in the GPG settings and it would find the encryption key, so I did that.
Turns out, it seems to have indeed found the encryption subkey on its own, but only for decryption, not for encryption!
Since I noticed the OpenPGP progress bar was still going when the error message popped up, and since the error only happened when trying to encrypt messages, I eventually remembered that I had specified the signing subkey ID as per the wiki, and thought I should try specifying the main key ID instead, and that solved it!
Second Suggestion: Error Details
I imagine that in this case, Thunderbird simply calls GPG, it fails (similar to an unclean exit code), so the sending is blocked, and a generic error is output. I can imagine that if it works the way I think, creating a nicer error message in this case could be a bit more involved. But I’d imagine creating a little “Details” button that just dumps a debug log would be easy to implement and still be a lot more helpful than no details at all. I could, of course, be entirely wrong, and maybe it’s a no-brainer to implement a meaningful message for this scenario.
The point is, I was again left in the dark and error details would have been helpful.
Third Suggestion: PGP Status Page
I think that, to troubleshoot the use of external GnuPG, a PGP (or GnuPG?) status page could be added.
Such a GnuPG status page would tell the user:
- Whether GPG was found (or in the case of a manually specified path, if it exists)
- The path of the GPG that is currently used
- What version of GPG is used and if it’s compatible (if that’s a concern)
- Whether GPGME was found
- The path of the used GPGME
- The version of GPGME used and if it’s compatible (if that’s a concern)
Having a status page with green checks and version numbers, or red crosses/yellow warning signs where something is wrong, would have been immensely helpful.
Fourth Suggestion: Easier Setup
To set up external GnuPG, I had to go through quite a few hoops, and even use the config editor (although a friend of mine claims he didn’t need that step, maybe Linux vs Mac?).
- Maybe Thunderbird could detect if GPG is installed, and ask the user if that should be used, or simply try to auto-use it as fallback. (But the option to specify a path for manual override should remain)
- Instead of specifying a key ID manually, perhaps Thunderbird could simply use the email address to get the PGP key from GPG? (But the option to specify an ID for manual override should remain)
- According to the Mozilla wiki, one has to import one’s own public key into Thunderbird’s internal PGP keyring. It would be nice if the GnuPG keyring could be used instead.
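The checks that such a status page (third suggestion) and the lookup of a key by email address (fourth suggestion) would perform, as an added shell example that is not code from this article or from Thunderbird. The parsers work on `gpg --with-colons` output; the embedded keyring is a constructed sample, and the GPGME search paths and the `gpgme-config` probe are assumptions about where the library usually lives.

```shell
#!/bin/sh
# Added example, not code from the article or from Thunderbird: the checks a
# GnuPG status page would perform. The two parsers read `gpg --with-colons`
# output from stdin, so they run on the constructed sample below without GnuPG;
# gnupg_status needs a real installation (run: sh status.sh --live you@example.org).
# Fingerprint of the primary key whose user ID contains "<email>". This is the
# ID the external-GnuPG setting wants, not the signing subkey's (second problem).
primary_fpr_for() {
  awk -F: -v want="<$1>" '
    $1 == "pub" { want_fpr = 1; next }              # next fpr record is the primary
    $1 == "fpr" && want_fpr { fpr = $10; want_fpr = 0; next }
    $1 == "uid" && index($10, want) { print fpr; exit }'
}
# "yes" if the key with this primary fingerprint has an encryption-capable ("e")
# subkey; a key with only signing subkeys can sign mail but never encrypt it.
has_encryption_subkey() {
  awk -F: -v fpr="$1" '
    $1 == "pub" { in_key = 0; want_fpr = 1; next }
    $1 == "fpr" && want_fpr { in_key = ($10 == fpr); want_fpr = 0; next }
    $1 == "sub" && in_key && index($12, "e") { found = 1 }
    END { print (found ? "yes" : "no") }'
}
# Constructed sample, not a real key: Ed25519 primary, one Cv25519 "e" subkey.
SAMPLE_KEYRING='pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC::::::ed25519::0:
fpr:::::::::0000111122223333444455550123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e::::::cv25519::
fpr:::::::::999988887777666655554444FEDCBA9876543210:'
# Live checks against the installed GnuPG: the green/red lines of the status page.
gnupg_status() {
  gpgbin=$(command -v gpg2 || command -v gpg) || { echo "GPG: NOT FOUND"; return 1; }
  echo "GPG: $gpgbin, $("$gpgbin" --version | head -n 1)"
  # GPGME is a separate library; a missing one is what produced the misleading
  # "secret key not available" message. The search paths below are assumptions.
  if command -v gpgme-config >/dev/null 2>&1; then
    echo "GPGME: version $(gpgme-config --version)"
  else
    lib=$(ls /opt/homebrew/lib/libgpgme* /usr/local/lib/libgpgme* /usr/lib/*/libgpgme* 2>/dev/null | head -n 1)
    echo "GPGME: ${lib:-NOT FOUND (install gpgme)}"
  fi
  "$gpgbin" --card-status >/dev/null 2>&1 && echo "Smartcard: present" || echo "Smartcard: none"
  [ -n "$1" ] || return 0
  keys=$("$gpgbin" --list-keys --with-colons "$1" 2>/dev/null)
  fpr=$(printf '%s\n' "$keys" | primary_fpr_for "$1")
  echo "Key for $1: ${fpr:-NOT FOUND}, encryption subkey: $(printf '%s\n' "$keys" | has_encryption_subkey "$fpr")"
}
if [ "${1:-}" = "--live" ]; then gnupg_status "${2:-}"; fi
```

A primary fingerprint with an `e` subkey is the combination that makes both decryption and encryption work; a signing-subkey ID in its place reproduces the “Send Message Error” described above.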
The biggest issue, to me, was the lack of proper error messages and details. Troubleshooting those issues while in the dark is frustrating. But I figured it out, and it works now! Yay! And there’s even [a guide I wrote] for you to follow to get it up and running, too! (:
Now that I know all the steps, it should be easy to set up (but still a tad tedious). But, I’m pleased that Thunderbird now properly works with external GnuPG! Thank you, Thunderbird!
Let me know in the comments what you think and if you use PGP with Thunderbird, and whether you use the built-in or external one and how your experience has been. (:
It takes quite some time to write articles, and I do it in my free time. Consider donating a coffee if you enjoyed what I wrote. (: