Digitally Signing Mail with Thunderbird

Eliter · 2019-04-10 00:31:41 UTC

So I am trying to work on a fork that support emailing users announcements we have for administrators (see Mail-in-a-Box Mailing List ).

Anyways, I am trying to get an “example” email sent to myself, but I’m trying to digitally sign it (WITHOUT ENCRYPTING IT) with Thunderbird, but I can’t seem to figure out how to do that.

Now, as far as I know, there are no certificate authorities that will give certificates for email signing that will do it for free, so I tried creating my own certificate authority, and my own certificate signed by my own certificate authority, having Thunderbird trust the CA, but it never seems to work.

Here is what I’ve tried:
Here is my command prompt for trying to create the CA: https://paste.ubuntu.com/p/wpvSjZHdYj/
I did not password/passphrase anything.

In Thunderbird, I have Enigmail installed, not sure if that is relevant here.

Under Edit -> Account Settings -> user@mail.example.com -> security:

If I click “select…” under “Digital Signing”, I get this error:

“Certificate Manager can’t locate a valid certificate that can be used to digitally sign your messages with an address of user@mail.example.com.”

So I tried clicking “Manage Certificates”, and then “Import…”, navigating to my “CA/ca.crt”, clicking “open”, then checking both boxes: “Trust this CA to identify web sites.” and “Trust this CA to identify email users.”, then clicking “OK”

Then I tried click “select…” under “Digital Signing” again, and no luck.

pulloh · 2019-04-10 08:17:19 UTC

AFAIK what you need is GPG not a CA in order to sign/encrypt emails or files. Have a look at this tutorial. https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages

Eliter · 2019-04-10 08:53:18 UTC

@pulloh, thanks. I went through the slight pain to figure that out. I got distracted with the Legal Notice fork, so my next step is to make a Pull Request about email announcements, which is when I’ll use the GPG keys.

Then the next step after I make a decent proposal is to figure out how to manage keys, since someone has to store them and keep them secure. I also am not sure if end-users would have to trust the GPG keys, or not, but it’s definitely a step towards adding security to email announcements.

alento · 2019-04-10 12:03:37 UTC

Just commenting on the GPG keys … your public key is usually shared, publically, so not actually sure what you are keeping them secure from? Most people publish them to a key repository such as MIT.

https://pgp.mit.edu/

As far as your PRIVATE key, it is up to you to keep it secure.

murgero · 2019-04-11 19:37:46 UTC

I cannot stress this enough:

Generate GPG/PGP keys with a passcode!
Keep the private key SAFE AWAY FROM THE INTERNET!
Only use trusted software with your private key!

Public key, as the name implies, can be publicly see-able (like when you look at an SSL certificate from a website, you can’t do anything with it, it only identifies the site / user)