flathub / org.mozilla.Thunderbird

https://flathub.org/apps/details/org.mozilla.Thunderbird

Smartcard must be unlocked after thunderbird is open #220

dngray opened 2 years ago

dngray commented 2 years ago

So I found a weird bug where I can't decrypt emails if I don't set filesystems=home and create a profile.

  1. If you don't set this override the profile will go in ~/.var/app/org.mozilla.Thunderbird/.thunderbird as expected.

  2. Email won't seem to decrypt.

  3. If you then set filesystems=home, i.e.:

    flatpak override --user \
                    --env=MOZ_ENABLE_WAYLAND=1 \
                    --socket=wayland \
                    --filesystem=home \
                    org.mozilla.Thunderbird

  4. The profile will be created in ~/.thunderbird

  5. It seems then you can move it to ~/.var/app/org.mozilla.Thunderbird/.thunderbird and revoke the above --filesystem=home permission.

Additionally, I noticed that it seems Thunderbird can't ask you to unlock your Yubikey. I had to do this manually in a terminal, i.e.:

    gpg-connect-agent 'scd serialno' /bye
    gpg-connect-agent 'scd checkpin <serial>' /bye

Erick555 commented 2 years ago

Weird indeed. In the sandbox, ~/.var/app/org.mozilla.Thunderbird/.thunderbird and ~/.thunderbird are exactly the same location. I guess it wants to access something else from your home initially?

Erick555 commented 2 years ago

You may try to test it by pre-creating an empty profile path in your home (mkdir ~/.thunderbird), then allow access only to it instead of all of home (--filesystem=~/.thunderbird).

dngray commented 2 years ago

Okay, so I've tried to reproduce this again. I think the confusion was that I needed to run the above gpg-connect-agent command again despite not unplugging my Yubikey.

  1. Fresh profile with just: ~/.local/share/flatpak/overrides/org.mozilla.Thunderbird

    [Context]
    sockets=wayland;
    
    [Environment]
    MOZ_ENABLE_WAYLAND=1

  2. Add account
  3. Enable mail.openpgp.allow_external_gnupg
  4. Add key id "Use your external key through GnuPG (e.g. from a smart card)"
  5. Unlocking the Yubikey at this point still won't let you decrypt email
  6. Close Thunderbird
  7. Open Thunderbird
  8. Unlock Yubikey again, even if you unlocked it earlier and didn't disconnect/reconnect it, you'll have to do it again.

It does seem that from then on you can:

  1. Close Thunderbird
  2. Remove Yubikey
  3. Open Thunderbird
  4. Unlock Yubikey
  5. Decrypt email

If you do it in this order:

  1. Close Thunderbird
  2. Remove Yubikey
  3. Unlock Yubikey
  4. Open Thunderbird
  5. You'll need to unlock your Yubikey again
  6. Decrypt email.

So, TL;DR: you must unlock the Yubikey after Thunderbird is open.

Of course this would all be solved if the Thunderbird Flatpak could run gpg-connect-agent without having to do it externally in a terminal.
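The two gpg-connect-agent calls from the first comment, wrapped in a small POSIX shell script so the `<serial>` placeholder is filled in from the agent's own `scd serialno` reply instead of being typed by hand. This is an added example, not code from the issue or from the Flatpak; it assumes a running gpg-agent with scdaemon on the host, and the sample reply shown in the comments is constructed.

```shell
#!/bin/sh
# Added example: unlock the OpenPGP card the way dngray did manually,
# run on the host after Thunderbird is open (see the TL;DR above).
# Assumes gpg-agent/scdaemon are running and pinentry can prompt.

# Extract the card serial from an 'scd serialno' reply.
# Constructed sample of such a reply (serial value is a placeholder):
#   S SERIALNO D2760001240100000006012345670000
#   OK
card_serial() {
    # $1: text captured from: gpg-connect-agent 'scd serialno' /bye
    printf '%s\n' "$1" | awk '$1 == "S" && $2 == "SERIALNO" { print $3; exit }'
}

# Succeed only when the agent reply carries an OK line and no ERR line.
agent_ok() {
    printf '%s\n' "$1" | grep -q '^OK' || return 1
    printf '%s\n' "$1" | grep -q '^ERR' && return 1
    return 0
}

# Ask scdaemon for the card, then have it verify the PIN (pinentry prompts).
unlock_card() {
    out=$(gpg-connect-agent 'scd serialno' /bye) || return 1
    agent_ok "$out" || { printf 'scd serialno failed:\n%s\n' "$out" >&2; return 1; }
    serial=$(card_serial "$out")
    [ -n "$serial" ] || { echo 'no card serial reported' >&2; return 1; }
    out=$(gpg-connect-agent "scd checkpin $serial" /bye) || return 1
    agent_ok "$out" || { printf 'checkpin failed:\n%s\n' "$out" >&2; return 1; }
    echo "card $serial unlocked"
}

# Only talk to the agent when invoked with --run, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    unlock_card
fi
```

Invoke as `sh unlock-card.sh --run` once Thunderbird is up; the exit status tells you whether checkpin succeeded.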