Digitally Signing Mail with Thunderbird

So I am trying to work on a fork that supports emailing users announcements we have for administrators (see Mail-in-a-Box Mailing List).

Anyways, I am trying to get an “example” email sent to myself, digitally signed (WITHOUT ENCRYPTING IT) with Thunderbird, but I can’t seem to figure out how to do that.

Now, as far as I know, there are no certificate authorities that will issue certificates for email signing for free, so I tried creating my own certificate authority and my own certificate signed by that CA, and having Thunderbird trust the CA, but it never seems to work.

Here is what I’ve tried:
Here is my command prompt for trying to create the CA: https://paste.ubuntu.com/p/wpvSjZHdYj/
I did not set a password/passphrase on anything.

In Thunderbird, I have Enigmail installed, not sure if that is relevant here.

Under Edit -> Account Settings -> user@mail.example.com -> security:

If I click “select…” under “Digital Signing”, I get this error:

“Certificate Manager can’t locate a valid certificate that can be used to digitally sign your messages with an address of user@mail.example.com.”

So I tried clicking “Manage Certificates”, and then “Import…”, navigating to my “CA/ca.crt”, clicking “open”, then checking both boxes: “Trust this CA to identify web sites.” and “Trust this CA to identify email users.”, then clicking “OK”.

Then I tried clicking “select…” under “Digital Signing” again, and no luck.
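
What the steps above leave out is the part Thunderbird actually needs: a certificate for the address itself, with its private key, imported under “Your Certificates” (a PKCS#12 bundle), and that certificate has to carry the address as a subjectAltName and emailProtection as an extended key usage. Importing ca.crt under “Authorities” only adds a trust anchor. The following script is an added example (not from this thread or the Mail-in-a-Box project) that builds a private CA and such a certificate with the OpenSSL command line. It assumes OpenSSL 1.1.1 or newer on PATH; the address is the thread’s placeholder, and the output directory, subject names and the bundle passphrase “changeit” are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Mail-in-a-Box project.
# Builds a private CA, issues an S/MIME signing certificate for one address,
# and bundles certificate + private key as PKCS#12 for Thunderbird.
# Assumptions: openssl 1.1.1 or newer on PATH; the address
# user@mail.example.com is the thread's placeholder; the output directory,
# subject names and the bundle passphrase "changeit" are made up for the demo.
set -eu

make_smime_bundle() {
    addr="$1"
    outdir="$2"
    mkdir -p "$outdir"

    # 1. CA key and self-signed CA certificate. `req -x509` adds
    #    basicConstraints CA:TRUE from the default config, which is what
    #    Thunderbird's "Authorities" tab expects when you import ca.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Mail CA" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null

    # 2. End-user key and CSR; the address also goes into the subject.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example User/emailAddress=$addr" \
        -keyout "$outdir/user.key" -out "$outdir/user.csr" 2>/dev/null

    # 3. Extensions that make this an email-signing certificate: the
    #    address as an rfc822Name in subjectAltName and emailProtection in
    #    extendedKeyUsage. A cert without them is not offered under
    #    "Digital Signing" even when its CA is trusted.
    cat > "$outdir/user.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$addr
EOF
    openssl x509 -req -days 825 -in "$outdir/user.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/user.ext" -out "$outdir/user.crt" 2>/dev/null

    # 4. Thunderbird's "Your Certificates" tab imports a PKCS#12 bundle that
    #    carries the private key; importing ca.crt alone only adds a trust
    #    anchor, which is why "select..." still finds nothing.
    openssl pkcs12 -export -inkey "$outdir/user.key" -in "$outdir/user.crt" \
        -certfile "$outdir/ca.crt" -passout pass:changeit \
        -out "$outdir/user.p12" 2>/dev/null
}

# Checks the chain against the CA and prints the two extensions Thunderbird
# looks at, so you can confirm them before importing the .p12.
check_smime_cert() {
    outdir="$1"
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/user.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$outdir/user.crt" -noout -text \
        | grep -E 'E-mail Protection|email:'
}

# Usage:
#   make_smime_bundle user@mail.example.com ./smime-demo
#   check_smime_cert ./smime-demo
```

After running it, import ca.crt under “Authorities” (as already done above) and user.p12 under “Your Certificates”, entering the bundle passphrase; “select…” under “Digital Signing” then lists the certificate because its subjectAltName matches the account’s address. Keep ca.key and user.key off the mail server and delete user.p12 once it has been imported.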

AFAIK what you need is GPG, not a CA, in order to sign/encrypt emails or files. Have a look at this tutorial: https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages

@pulloh, thanks. I went through the slight pain to figure that out. I got distracted with the Legal Notice fork, so my next step is to make a Pull Request about email announcements, which is when I’ll use the GPG keys.

Then the next step, after I make a decent proposal, is to figure out how to manage keys, since someone has to store them and keep them secure. I am also not sure whether end-users would have to trust the GPG keys or not, but it’s definitely a step towards adding security to email announcements.

Just commenting on the GPG keys… your public key is usually shared publicly, so I’m not actually sure what you are keeping them secure from? Most people publish them to a key repository such as MIT’s.

https://pgp.mit.edu/

As far as your PRIVATE key, it is up to you to keep it secure.

I cannot stress this enough:

  • Generate GPG/PGP keys with a passcode!
  • Keep the private key SAFE AWAY FROM THE INTERNET!
  • Only use trusted software with your private key!

The public key, as the name implies, can be publicly visible (like when you look at an SSL certificate from a website: you can’t do anything with it, it only identifies the site / user).


First of all, I’d like to point out that, while not being a personal signature, DKIM does provide a level of trust as to the authenticity of the mail.

This is because:

  1. It uses a public/private keypair, so that the server signs mails with the private key and the receiving server then uses the public key to verify the signature.
  2. It also hashes the contents of the email body, as well as the headers defined in the DKIM header. The receiving server then checks to see if the body hash passes.

That said, I have seen Microsoft being slightly naughty in that they do a DKIM check but then alter parts of the MIME headers slightly; while not changing the actual look of the mail, this does in fact mean that the body has been changed. The problem is that if the Microsoft account is set to automatically forward mails to a third party, this breaks DKIM, as it forwards the amended mail. It would also break your mail signature as well.

Tim
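
The body-hash check in Tim’s second point, and why a rewritten MIME part header breaks it, can be reproduced with nothing more than awk and openssl. The script below is an added example (not from this thread or the Mail-in-a-Box project): it applies the “relaxed” body canonicalization of RFC 6376 section 3.4.4 and computes base64(SHA-256) over the result, which is the bh= value a receiving server compares against. The multipart body is constructed for the demo, and the “forwarded” variant mimics the behaviour described above (a part header rewritten so the rendered text is unchanged); it is not a capture from any Microsoft server. The signature itself (the b= tag over the canonicalized headers) needs a key and is not covered.

```shell
#!/bin/sh
# Added example, not from the thread or the Mail-in-a-Box project: compute the
# DKIM body hash (the bh= tag, RFC 6376 section 3.4.4 "relaxed"
# canonicalization) and show that a relay rewriting a MIME part header
# changes it although the rendered text does not. The message is constructed;
# the rewrite mimics the behaviour described in the post, it is not a capture
# from any Microsoft server. Needs awk, openssl and base64.
set -eu

# Relaxed body canonicalization, then base64(SHA-256), as a verifier does
# before comparing with the bh= tag:
#  - strip CR, collapse runs of WSP to one SP, drop trailing WSP per line
#  - drop empty lines at the end of the body (they are only emitted once a
#    later non-empty line proves they are not trailing)
#  - terminate every remaining line with CRLF
dkim_body_hash() {
    awk '
        { sub(/\r$/, ""); gsub(/[ \t]+/, " "); sub(/ $/, "") }
        $0 == "" { blank++; next }
        { for (i = 0; i < blank; i++) printf "\r\n"; blank = 0; printf "%s\r\n", $0 }
    ' "$1" | openssl dgst -sha256 -binary | base64 | tr -d '\n'
}

# Constructed multipart body: one text part inside a MIME boundary.
write_original() {
    printf '%s\r\n' \
        '--boundary42' \
        'Content-Type: text/plain; charset=utf-8' \
        'Content-Transfer-Encoding: 7bit' \
        '' \
        'Maintenance window tonight at 22:00 UTC.' \
        '--boundary42--' > "$1"
}

# Same body after a forwarding relay rewrote a part header (charset quoted).
# The rendered mail is identical; the body bytes, and so bh=, are not.
write_forwarded() {
    sed 's/charset=utf-8/charset="utf-8"/' "$1" > "$2"
}

# Usage:
#   write_original orig.txt; write_forwarded orig.txt fwd.txt
#   dkim_body_hash orig.txt; dkim_body_hash fwd.txt   # two different bh= values
```

Relaxed canonicalization deliberately ignores whitespace changes (collapsed runs, trailing blank lines), so a relay that only re-wraps whitespace leaves bh= intact; quoting a charset inside a Content-Type part header is a content change, and the hash moves. The same is true of an S/MIME or PGP/MIME signature, which is computed over the signed MIME part, so a relay that rewrites part headers breaks both kinds of signature exactly as the post describes.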