How to tell if signature verification succeeded?
Hello,
I am setting up PGP in Thunderbird. Sometimes I want to send an email which is signed but not encrypted. However, before I send this to someone else I want to make sure that it works. So I sent an email to myself (2 different accounts which I both control and have added to Thunderbird). The email has the signature attached but the Thunderbird UX doesn't give me any information about whether or not it successfully verified the signature. I tried downloading the `.eml` file and checking the signature against that, but it failed (I'm assuming that I tried to verify the wrong thing, not that the signature is actually bad).
Any help would be appreciated.
Chosen solution
Based on the information at https://wiki.gnupg.org/SignatureHandling, in particular the first section about MIME signatures, I think what is happening is that my signature is attached, then the bridge attaches a second signature, and Thunderbird only checks the first signature it finds. I'm not sure what the right thing to do here is because I could see spoofability from checking all signatures or checking only one specific signature. Probably the UX needs to be updated to provide information about multiple signatures when they are present. But I'm not a Thunderbird developer and have no idea how much work that would take, or how common this use-case is. On the Protonmail side, they could let me upload a secondary public key as valid and only sign it with the Protonmail-generated key when the message is not already signed; again, I am not a Protonmail developer.
So for the moment at least it seems the answer is "Protonmail and Thunderbird are currently incompatible if you want to sign messages from your computer", and probably Protonmail is incompatible with this workflow generally unless other clients handle this situation better.
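As an added example (not from this thread, Thunderbird or Protonmail), a small Python script that walks an `.eml` file's MIME structure, lists every nested `multipart/signed` layer, and cuts out the exact bytes each signature covers per RFC 3156, which is what verifying the downloaded `.eml` by hand needs. The embedded message is constructed for the example, with placeholder blocks where the real signatures would be.

```python
from email import message_from_bytes, policy

# Constructed sample (not a real message): a multipart/signed message wrapped
# in a second multipart/signed layer, the double-signature case the chosen
# solution describes. The PGP blocks are placeholders, not real signatures.
SAMPLE_EML = b"""\
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="outer"\r
\r
--outer\r
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"\r
\r
--inner\r
Content-Type: text/plain; charset=utf-8\r
\r
Hello, this body is signed twice.\r
--inner\r
Content-Type: application/pgp-signature; name="signature.asc"\r
\r
-----BEGIN PGP SIGNATURE-----\r
(placeholder inner signature)\r
-----END PGP SIGNATURE-----\r
--inner--\r
--outer\r
Content-Type: application/pgp-signature; name="signature.asc"\r
\r
-----BEGIN PGP SIGNATURE-----\r
(placeholder outer signature)\r
-----END PGP SIGNATURE-----\r
--outer--\r
"""

def _first_body_part(raw: bytes, boundary: str) -> bytes:
    """Wire bytes of the first MIME part, from after the opening boundary line to
    just before the CRLF that precedes the next boundary (RFC 2046 gives that CRLF
    to the boundary). This is exactly the span an RFC 3156 signature covers."""
    delim = b"--" + boundary.encode()
    start = raw.index(delim + b"\r\n") + len(delim) + 2
    return raw[start:raw.index(b"\r\n" + delim, start)]

def signature_layers(raw: bytes) -> list[dict]:
    """One entry per nested multipart/signed layer, outermost first."""
    node, layers = message_from_bytes(raw, policy=policy.default), []
    while node.get_content_type() == "multipart/signed":
        signed, sig = node.get_payload()          # RFC 3156: exactly two parts
        raw = _first_body_part(raw, node.get_boundary())
        layers.append({"signed_type": signed.get_content_type(),
                       "signed_bytes": raw,      # write to a file for gpg --verify
                       "signature": sig.get_payload(decode=True)})
        node = signed                            # descend into what was signed
    return layers
```

A client that only inspects the outermost layer reports on that signature alone; writing each layer's `signed_bytes` and `signature` to files and running `gpg --verify` on each pair shows which key signed what.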
All Replies (5)
Can you post a screenshot with the message header section of the signed message you received?
There is an OpenPGP button at the top right of the message header section. Click it, and it will show the status of the signature.
Hi christ1,
Thanks for the clarifying question. I'm not entirely sure what you mean by the "message header section". I would normally assume that "message header section" refers to the raw email headers (X-Attached, etc.), but I don't think that's what you mean in this context. I've attached a screenshot of what I see when I open the email. There is no OpenPGP button here like there is when I'm drafting a message.
I found a related issue, https://support.mozilla.org/en-US/questions/1418665, but I have the same problem that the final poster on that issue had - the "Folder" option in the menu is grayed out. I do not have any add-ons installed and I am on version 115.7.0 (which appears to be the latest based on the downloads page).
Regards, Skyler
The OpenPGP button would be located right underneath the expanded 'More' drop-down menu at the right-hand side of your screenshot. When there is no OpenPGP button, I'd assume your message isn't signed at all.
Apparently you're using Protonmail, and that may contribute to your problem. I don't know how Thunderbird is supposed to interact with Protonmail. You may first try to use the Thunderbird built-in OpenPGP functionality only without attempting to use Protonmail.
Thanks for the continued help. I set up a different Thunderbird instance connected to 2 gmail accounts and the results are in fact different. In this case I do see the "OpenPGP" badge where you indicated and it implies that the message verified (it gives a notice about a mismatch because the sending address is different than the address listed on the key, and I assume that it would also [or instead] mention that the signature failed to verify if that were the case).
Another difference is the number of attachments. When using the protonmail accounts I get 2 attachments, one with the public key and one with the signature. With gmail only the public key is attached. I'm not sure what is causing this difference, but it seems likely to be related.
Protonmail has a guide for setting up the bridge with Thunderbird but doesn't mention anything about PGP keys, probably because most people use the Protonmail-generated PGP keys and aren't trying to do separate signatures/encryption before sending. I'll post here if I'm able to find any more information or get it working.