This thread is archived. Please ask a new question if you need help.

Thunderbird, S/MIME, X509 certificates and Smartcards

  • 1 reply
  • 0 have this problem
  • 3 views
  • Last reply by Matt

Sorry in advance for the long reading.

For my personal needs I'm currently using the general purpose desktop platform UBUNTU 22.04.04 LTS and GNOME/WAYLAND. Thunderbird is my personal e-mail and productivity client application, now in its stable version 115.8.1 (64 bits).

For many years I used to sign my personal emails using S/MIME and a high assurance (Qualified) X.509 digital certificate, protected by my personal ID card (i.e. a smartcard), which is provided by my government (Belgium). It used to work flawlessly under Xubuntu, my favorite OS flavor until about a year ago, with earlier versions of Thunderbird.

Since I migrated to UBUNTU's standard flavour (using WAYLAND), it doesn't work any longer.

I experienced the same behaviour with Firefox when Canonical started distributing only the SNAP version of the app for Ubuntu. This problem is well known and documented. I applied the recommended solution, which was - and still is - to install the Mozilla binary version along the snap version. I can since happily continue authenticating and connecting securely to any Belgian e-government web site using the Mozilla Firefox binary version with my certificates/ID card, while using the snap version for other purposes.

So I tried the same recipe with Thunderbird, ... to no avail. Both versions (Ubuntu-snap and Mozilla-binary version 115.8.1) display the same, consistent behaviour. I must specify here that I can load the BELPIC PKCS#11 subsystem and configure Thunderbird like I always did. After asking for my smartcard's PIN, TB can access the smartcard and lets me associate my certificate with my email account. Everything seems to work as usual until there, except that signing a message does not work. TB systematically displays the same error message "... the application does not find the certificate or the certificate has expired". Of course my certificate is not expired. It looks like the message composer (not Thunderbird itself) cannot access the smartcard. Disabling AppArmor leads to the same result with both the snap and Mozilla versions of TB.

Still, TB - both versions - works as expected when using low-assurance digital certificates, e.g. issued by CAcert.org. I also use those for receiving encrypted personal messages when needed. But those are stored locally together with their private keys.

There is no interest in signing messages with a digital certificate without any legal value, especially on a system that is meant to be more secure. I migrated to the standard Ubuntu desktop for the added security provided by snap, AppArmor, Wayland, ...

Before I file in a bug record, would someone be in a position to provide any useful hint?

Many thanks in advance.

All replies (1)

I suggest you take your query to the E2EE list. But I am aware that there are issues with smart cards in the Mozilla platform. Perhaps have a look at some of the relevant topics before posting there.

See https://thunderbird.topicbox.com/groups/e2ee

Perhaps this is relevant. https://thunderbird.topicbox.com/groups/e2ee/T908dcfda8ed4b6a6/macos-external-pgp-key-not-working