Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Thunderbird, S/MIME, X509 certificates and Smartcards

  • 1 odgovor
  • 0 ima ovaj problem
  • 10 views
  • Posljednji odgovor poslao Matt

more options

Sorry in advance for the long reading.

For my personal needs I'm currently using the general purpose desktop platform UBUNTU 22.04.04 LTS and GNOME/WAYLAND. Thunderbird is my personal e-mail and productivity client application, now in it's stable version 115.8.1 (64 bits).

For many years I used to sign my personal emails using S/MIME and a high assurance (Qualified) X.509 digital certificate, protected by my personal ID card (i.e. a smartcard), which is provided by my government (Belgium). It used to work flawlessly under Xubuntu, my favorite OS flavor until about a year ago, with earlier versions of Thunderbird.

Since I migrated to UBUNTU's standard flavour (using WAYLAND), it doesn't work any longer.

I experienced the same behaviour with Firefox when Canonical started distributing only the SNAP version of the app for Ubuntu. This problem is well known and documented. I applied the recommended solution, which was - and still is - to install the Mozilla binary version along the snap version. I can since happily continue authenticating and connecting securely to any belgian e-government web site using the Mozilla firefox binary version with my certificates/Id card, while using the snap version for other purposes.

So I tried the same recipe with Thunderbird, ... to no avail. Both versions (Ubuntu-snap and Mozilla-binary version 115.8.1) display the same, consistent behaviour. I must precise here that I can load the BELPIC PKCS#11 subsytem and configure Thunderbird like I always did. After asking for my smartcard's PIN, TB can access the smartcard and lets me associate my certificate with my email account. Everything seems to work as usual until there, except that signing a message does not work. TB systematically displays the same error message "... the application does not find the certificate or the certificate has expired". Of course my certificate is not expired. It looks like the message composer (not Thunderbird itself) cannot access the smartcard. Disabling apparmor leads to the same result with both the snap and Mozilla versions of TB.

Still, TB - both versions - works as expected when using low-assurance digital certificates, e.g. issued by CAcert.org. I also use those for receiving encrypted personal messages when needed. But those are stored locally together with their private keys.

There is no interest in signing messages with a digital certificate without any legal value, especially on a system that is meant to be more secure. I migrated to the standard ubuntu desktop for the added security provided by snap, apparmor, Wayland, ...

Before I file in a bug record, would someone be in a position to provide any useful hint?

Many thanks in advance.

Sorry in advance for the long reading. For my personal needs I'm currently using the general purpose desktop platform UBUNTU 22.04.04 LTS and GNOME/WAYLAND. Thunderbird is my personal e-mail and productivity client application, now in it's stable version 115.8.1 (64 bits). For many years I used to sign my personal emails using S/MIME and a high assurance (Qualified) X.509 digital certificate, protected by my personal ID card (i.e. a smartcard), which is provided by my government (Belgium). It used to work flawlessly under Xubuntu, my favorite OS flavor until about a year ago, with earlier versions of Thunderbird. Since I migrated to UBUNTU's standard flavour (using WAYLAND), it doesn't work any longer. I experienced the same behaviour with Firefox when Canonical started distributing only the SNAP version of the app for Ubuntu. This problem is well known and documented. I applied the recommended solution, which was - and still is - to install the Mozilla binary version along the snap version. I can since happily continue authenticating and connecting securely to any belgian e-government web site using the Mozilla firefox binary version with my certificates/Id card, while using the snap version for other purposes. So I tried the same recipe with Thunderbird, ... to no avail. Both versions (Ubuntu-snap and Mozilla-binary version 115.8.1) display the same, consistent behaviour. I must precise here that I can load the BELPIC PKCS#11 subsytem and configure Thunderbird like I always did. After asking for my smartcard's PIN, TB can access the smartcard and lets me associate my certificate with my email account. Everything seems to work as usual until there, except that signing a message does not work. TB systematically displays the same error message "... the application does not find the certificate or the certificate has expired". Of course my certificate is not expired. It looks like the message composer (not Thunderbird itself) cannot access the smartcard. Disabling apparmor leads to the same result with both the snap and Mozilla versions of TB. Still, TB - both versions - works as expected when using low-assurance digital certificates, e.g. issued by CAcert.org. I also use those for receiving encrypted personal messages when needed. But those are stored locally together with their private keys. There is no interest in signing messages with a digital certificate without any legal value, especially on a system that is meant to be more secure. I migrated to the standard ubuntu desktop for the added security provided by snap, apparmor, Wayland, ... Before I file in a bug record, would someone be in a position to provide any useful hint? Many thanks in advance.

All Replies (1)

more options

I suggest you take your query to the E2EE list. But I am aware that there are issues with smart cards in the Mozilla platform. Perhaps have a look at some of the relevant topics before posting there.

See https://thunderbird.topicbox.com/groups/e2ee

Perhaps this is relevant. https://thunderbird.topicbox.com/groups/e2ee/T908dcfda8ed4b6a6/macos-external-pgp-key-not-working