
I actually enabled an external GPG key ID for my email account, so I can decrypt and sign without problems.

However, I found that I cannot use the public keys in my system keyring now. I discovered this today because I imported new keys. I cannot remember needing to do anything special before, but right now Thunderbird apparently cannot see the new keys in my ~/.gnupg.

Is there a way to import all the public keys?

Wang
Giacomo1968

1 Answer


In Theory, It Cannot Be Done

At present (or at least as of 2020-12-20), Thunderbird does not have plans to integrate with external/system GPG keyrings:

Public keys have to be imported into Thunderbird OpenPGP. There is no way around that. This is a design choice.

The official FAQ also indicates as much:

I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys?

No. At this time, Thunderbird uses its own copy of keys, and doesn't support synchronizing keys with GnuPG. The exception is the mechanism offered for smartcards, which could be used to use the personal keys managed by GnuPG.

You can import the newer version of your public key via the OpenPGP Key Manager in Tools > OpenPGP Key Manager. If you've uploaded the newer public key to a keyserver, you can try Keyserver > Discover Keys Online to see if Thunderbird can automatically import it. If you have the updated public key in a file, then you can import it with File > Import Public Key(s) From File.


However...

Now, I have found some indication more recently (2024-04-12) that there might be a way to have Thunderbird kinda-sorta automatically pull public keys from your external/system GPG keyring into its own key store as you compose emails to those recipients with the encryption option enabled:

In order to have Thunderbird use my GnuPG public key ring, I had to enable two options in the config editor (Settings -> General -> Config editor):

mail.openpgp.allow_external_gnupg

mail.openpgp.fetch_pubkeys_from_gnupg

Now Thunderbird will offer to import public keys from my gpg keyring when needed.

If these two options are set, then one of the ways that you can "Resolve" the missing public key is by pulling from the external/system GPG keyring, which appears to sometimes work, and sometimes not:

After all, I got the option to import from the gpg keyring under "Resolve…". Seems like it works for some keys, and doesn't for others. It does not offer to import expired keys, which is ok. But also misses some other keys that are not expired. Seems the common factor is non-ASCII characters in the name/email address, but I was unable to pinpoint it yet. Anyway, it imports all public keys into Thunderbird's own keyring before using them. We end up with a duplicated database that needs synchronization. What's a mess…

I tried this out on my own system, currently running Thunderbird Beta 131.0b5. It does appear to work at least. When I compose an email to an address with a public key that I have in my external/system GPG keyring, but not in Thunderbird's key store, I am prompted to "Resolve" this and get several further prompts to eventually import the public key (not the friendliest UI, but functional at least):

initial compose window with yellow bar at bottom with button labeled "Resolve..."

Pop-up modal indicating that a public key was found, but has not been imported yet, with another button labeled "Resolve..."

Same modal now displaying the fingerprint of the key with a hyperlink, as well as the source of the key as "GnuPG Keyring"

Another pop-up modal showing the public key details with several radio button options for setting the trust level of the key. Here, "" is selected.

Final pop-up modal confirming that the key has been successfully imported and is usable for signatures and encryption. "Close" button is visible.

At which point, I can then continue writing the email and send it, encrypted, to the recipient.


Important

If the email address is not in your external/system GPG keyring, there will be no option present in the dialog about searching for it there; only to check online or import via file:

Modal indicating that there is "No key available" with button options to "Discover Public Keys Online..." or "Import Public Keys From File..." and no indication that the external/system GPG keyring has already been checked for the email address

I think it would be nice, if the mail.openpgp.allow_external_gnupg and mail.openpgp.fetch_pubkeys_from_gnupg options are enabled, to say in the UI that "we already checked your external/system GPG keyring and didn't find anything."

This isn't a perfect sync solution, but there is at least some attempt in the source code to handle keeping your external/system GPG keyring, and Thunderbird's key store, in sync (/mail/extensions/openpgp/content/modules/keyRing.jsm):

if (
  Services.prefs.getBoolPref("mail.openpgp.allow_external_gnupg") &&
  Services.prefs.getBoolPref("mail.openpgp.fetch_pubkeys_from_gnupg") &&
  !this.alreadyCheckedGnuPG.has(email)
) {
  this.alreadyCheckedGnuPG.add(email);
  let keysFromGnuPGMap = lazy.GPGME.getPublicKeysForEmail(email);
  for (let aFpr of keysFromGnuPGMap.keys()) {
    let oldKey = this.getKeyById(aFpr);
    let gpgKeyData = keysFromGnuPGMap.get(aFpr);
    if (oldKey) {
      await this.importKeyDataSilent(null, gpgKeyData, false);
    } else {
      let k = await lazy.RNP.getKeyListFromKeyBlockImpl(gpgKeyData);
      if (!k) {
        continue;
      }
      if (k.length != 1) {
        continue;
      }
      let db = await lazy.CollectedKeysDB.getInstance();
      // If key is known in the db: merge + update.
      let key = await db.mergeExisting(k[0], gpgKeyData, {
        uri: "",
        type: "gnupg",
      });
      await db.storeKey(key);
    }
  }
}
Giacomo1968
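The per-recipient "Resolve…" route above only pulls keys one address at a time, and as far as the quoted keyRing.jsm snippet shows, each address is remembered in alreadyCheckedGnuPG for the session, so a key added to GnuPG after Thunderbird first looked for that address is not offered again until a restart. The bulk route the answer's first part mentions (File > Import Public Key(s) From File) has no such limitation. The script below is an added example, not code from the question, the answer, or the Thunderbird project: it lists the system GnuPG keyring in machine-readable --with-colons form, keeps only primary-key fingerprints whose validity is not expired, revoked, invalid or disabled (my own filter, modelled on the observation above that Thunderbird does not offer expired keys), and exports those keys armored into one file for a single import. It assumes GnuPG 2.x is on PATH with the default ~/.gnupg keyring; the sample colon records embedded in it are constructed with fake key IDs and fingerprints so the filter can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original question or answer: bulk-export the
# usable public keys from the system GnuPG keyring into one ASCII-armored file,
# which Thunderbird can then import in one go via
# Tools > OpenPGP Key Manager > File > Import Public Key(s) From File.
# Assumptions: GnuPG 2.x `gpg` is on PATH and uses the default ~/.gnupg keyring.

# select_usable_fprs: read `gpg --with-colons --with-fingerprint --list-keys`
# records on stdin and print the primary-key fingerprint of every key whose
# validity field is not expired (e), revoked (r), invalid (i) or disabled (d).
# Only the fpr record directly following a pub record is the primary key;
# later fpr records belong to subkeys and are ignored.
select_usable_fprs() {
  awk -F: '
    $1 == "pub" { skip = ($2 ~ /^[eird]$/); want = 1; next }
    $1 == "fpr" && want { if (!skip) print $10; want = 0; next }
  '
}

# export_usable_pubkeys FILE: write the selected keys, armored, to FILE.
export_usable_pubkeys() {
  out="${1:-thunderbird-pubkeys.asc}"
  fprs=$(gpg --batch --with-colons --with-fingerprint --list-keys | select_usable_fprs)
  if [ -z "$fprs" ]; then
    echo "no usable public keys found in the GnuPG keyring" >&2
    return 1
  fi
  # Word-splitting of $fprs is intended: one fingerprint per argument.
  # shellcheck disable=SC2086
  gpg --batch --armor --export $fprs > "$out" || return 1
  echo "wrote $(printf '%s\n' "$fprs" | wc -l | tr -d ' ') public keys to $out"
}

# Constructed sample of --with-colons output (fake key IDs and fingerprints),
# used to exercise the filter without touching a real keyring:
# Alice (ultimate), Bob (expired), Carol (revoked), Dave (unknown validity).
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:u:4096:1:1111111111111111:1600000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA111111111111111111111111111111111111:
uid:u::::1600000000::HASH1::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:2222222222222222:1600000000::::::e::::::23:
fpr:::::::::BBBB222222222222222222222222222222222222:
pub:e:2048:1:3333333333333333:1400000000:1500000000::-:::scESC::::::23::0:
fpr:::::::::CCCC333333333333333333333333333333333333:
uid:e::::1400000000::HASH2::Bob Expired <bob@example.org>::::::::::0:
pub:r:4096:1:4444444444444444:1600000000:::-:::scESC::::::23::0:
fpr:::::::::DDDD444444444444444444444444444444444444:
uid:r::::1600000000::HASH3::Carol Revoked <carol@example.org>::::::::::0:
pub:-:4096:1:5555555555555555:1650000000:::-:::scESC::::::23::0:
fpr:::::::::EEEE555555555555555555555555555555555555:
uid:-::::1650000000::HASH4::Dave Unknown <dave@example.org>::::::::::0:'

# filter_sample: run the filter over the constructed sample (offline check).
# Expected: Alice's and Dave's primary fingerprints; Bob, Carol and the
# subkey fingerprint are dropped.
filter_sample() {
  printf '%s\n' "$SAMPLE_COLONS" | select_usable_fprs
}

# Run the real export only when asked to, e.g.:
#   sh export-pubkeys.sh --export thunderbird-pubkeys.asc
if [ "${1:-}" = "--export" ]; then
  export_usable_pubkeys "${2:-}"
fi
```

After running it with --export, import the resulting .asc file once through the Key Manager; every key in it then exists in Thunderbird's own store, so composing to those addresses no longer depends on the two prefs at all. If you still want the on-demand GnuPG lookup as well, the same two prefs the answer names can also be set from the profile directory's user.js (user_pref("mail.openpgp.allow_external_gnupg", true); and user_pref("mail.openpgp.fetch_pubkeys_from_gnupg", true);) instead of the Config editor. Re-run the export whenever you add or refresh keys with gpg, since nothing in Thunderbird pushes later changes in the other direction.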