Bug #15551

Generating a revocation certificate with Enigmail fails

Added by goupille over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 04/22/2018
Due date:
% Done: 100%
Feature Branch: feature/15091-thunderbird-60
Type of work: Code
Blueprint:
Starter:
Affected tool: Email Client

Description

Open Thunderbird, open Enigmail>Key Management, select your key pair and open Generate>Revocation Certificate, choose a place to save this certificate.
Enigmail pops up the following error message:

The revocation certificate could not be created.

There is an AppArmor DENIED message, I guess related to that, in the logs:

amnesia audit[8253]: AVC apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name=<Some very long hexadecimal number> pid=8253 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Since it is not possible to generate a revocation certificate with Seahorse, there are no other options for the user than opening a terminal and running

gpg --generate-revocation <user-id>

Related issues

Blocks Tails - Feature #15334: Core work 2018Q3: Foundations Team Resolved 02/20/2018
Blocked by Tails - Feature #15091: Upgrade to Thunderbird 60 Resolved 05/09/2018

History

#1 Updated by goupille over 1 year ago

  • Subject changed from geneating a revocation certificate with enigmail fails to Generating a revocation certificate with Enigmail fails

#2 Updated by intrigeri over 1 year ago

  • Target version set to Tails_3.8
  • Affected tool set to Email Client

#3 Updated by intrigeri over 1 year ago

#4 Updated by intrigeri over 1 year ago

Interestingly, on bugfix/15602-efail the Enigmail setup wizard is able to save a revocation certificate to the default location (~/test@boum.org (0x815EBDF9A8A8A268DDDDA8D2AAEA1140B21F1077) rev.asc) => I think this is lower priority than I initially thought (the main path we want users to take is already covered and there's a command-line workaround).

But indeed, trying to do so after the fact fails as goupille reported:

apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name=2F686F6D652F616D6E657369612F7465737432207465737440626F756D2E6F7267202830784141454131313430423231463130373729207265762E617363 pid=7847 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I was not asked for the passphrase so I think gpg fails to connect to the agent. I've seen these long hex strings before but cannot remember what they're about and how to fix it => I'll need to ask my upstream AppArmor team-mates for help.
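
Added example, not part of the original ticket: the unquoted name= value in the denial above is the target file path written as hex, which is how the kernel audit code logs a name that contains a space or other special character. The Python below decodes such fields when reading AppArmor denials; parse_denial, denied_paths and the second sample line are hypothetical names and data constructed for illustration.

```python
import re

# Constructed sample input: line 1 is the denial quoted in comment #4 above;
# line 2 is a made-up denial with a quoted name, for contrast.
SAMPLE_LOG = (
    'apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" '
    'name=2F686F6D652F616D6E657369612F7465737432207465737440626F756D2E6F7267'
    '202830784141454131313430423231463130373729207265762E617363 pid=7847 '
    'comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000\n'
    'apparmor="DENIED" operation="open" profile="example" '
    'name="/tmp/plain.txt" pid=4242 comm="cat" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=1000\n'
)

# key=value pairs; a value is either "quoted" or a bare token without spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-F]{2})+')
# Fields treated as untrusted strings (assumption: the ones worth decoding
# here). Numeric fields such as pid=7847 also look like hex and are skipped.
STRING_FIELDS = {"name", "comm", "profile"}


def parse_denial(line):
    """Return the fields of one AppArmor audit line, hex strings decoded."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if bare and key in STRING_FIELDS and HEX_RE.fullmatch(bare):
            # Unquoted hex: the string held a space, quote or non-printable
            # byte, so its raw bytes were logged as hex instead.
            value = bytes.fromhex(bare).decode("utf-8", "backslashreplace")
        else:
            value = bare or quoted
        fields[key] = value
    return fields


def denied_paths(log_text):
    """Yield (profile, operation, decoded path) for every DENIED line."""
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f.get("apparmor") == "DENIED" and "name" in f:
            yield f["profile"], f["operation"], f["name"]


if __name__ == "__main__":
    for profile, op, path in denied_paths(SAMPLE_LOG):
        print(f"{profile}: {op} denied on {path!r}")
```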

#5 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.8 to Tails_3.9

intrigeri wrote:

I've seen these long hex strings before but cannot remember what they're about and how to fix it => I'll need to ask my upstream AppArmor team-mates for help.

Done: https://gitlab.com/apparmor/apparmor-profiles/issues/1. I'll come back to it during next cycle.

#6 Updated by intrigeri over 1 year ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 20

Sent an MR upstream that fixes this: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/18. Relevant commit is https://gitlab.com/apparmor/apparmor-profiles/merge_requests/18/diffs?commit_id=b5a85063f3a2f087b1838855fbb779ac53381156. IMO it's not worth spending time on importing this patch on our side, let's just fix this upstream and let this flow into Tails by way of Debian and then our patched Thunderbird package.

#7 Updated by intrigeri over 1 year ago

  • % Done changed from 20 to 50
  • Type of work changed from Research to Wait

Merged upstream and imported into src:thunderbird's Vcs-Git (debian/sid and debian/experimental branches) => we'll get these changes once the Thunderbird package is updated in Debian and we rebuild our own package on top of it.

#8 Updated by intrigeri over 1 year ago

#9 Updated by intrigeri over 1 year ago

#10 Updated by intrigeri over 1 year ago

#11 Updated by intrigeri over 1 year ago

  • % Done changed from 50 to 100
  • QA Check set to Pass
  • Feature Branch set to feature/15091-thunderbird-60
  • Type of work changed from Wait to Code

I confirm this is fixed on feature/15091-thunderbird-60.

#12 Updated by intrigeri over 1 year ago

  • Status changed from In Progress to 11
  • Assignee deleted (intrigeri)

… at the same time as #15091.

#13 Updated by intrigeri over 1 year ago

  • Status changed from 11 to Resolved
