Another of the many tasks involved in getting my Surface set up as my main mobile workstation is getting signed and encrypted email working correctly. I already have a Nitrokey Pro which I have configured to work as my SSH key, but I need to get Thunderbird talking to it to handle my email. The key is already set up and is visible with gpg --card-status, so I know that the OS can see it. Now the Nitrokey instructions suggest using Enigmail, but that extension was only supported up to Thunderbird 68, while my Fedora 33 install has version 78.8.1 available.

On one hand this is great, because Thunderbird 78 now ships with built-in OpenPGP support; on the other hand, that built-in code does not yet support external private key sources such as a smartcard or my Nitrokey. Following the instructions provided by Thunderbird, we first need to go into the config editor and set the mail.openpgp.allow_external_gnupg preference to true, which allows the use of an external GnuPG installation.

Enabling external GNUPG in Thunderbird

What this enables in the End-to-End Encryption tab of Thunderbird's account settings is the ability to specify the ID of a GPG key that the external GnuPG will use for signing and decryption (encrypting to your correspondents still uses the public keys Thunderbird itself holds). Below you'll see the third radio button selected to start this configuration.

Adding GPG Key to Thunderbird

The form it presents asks for the last 16 hex characters of the key's fingerprint, without any spaces or a leading 0x, which is the key's long key ID. I got mine by using gpg --card-status and looking at the printed ID of my signing key. With that added, I tried sending a signed email and got a complaint that the specified key was not in my keyring. After consulting some more documentation I was able to extract my public key and sync it to my local keyring with the following:

gpg --card-edit
> fetch
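As an added example (not from the original post), the following script derives that long key ID from gpg --card-status output and checks whether the matching public key is already in the local keyring; if it is not, it downloads the key from the URL stored on the card, which is what fetch inside gpg --card-edit does. The sample card-status text, fingerprint and URL are constructed for the offline checks, and gpg is only invoked when the script is started with --run.

```shell
#!/bin/sh
# Added example (not part of the original post): find the long key ID that
# Thunderbird's external GnuPG dialog asks for, straight from `gpg --card-status`,
# and make sure the matching public key is in the local GnuPG keyring.
# Assumes GnuPG 2.2 or later and a card with the OpenPGP applet (e.g. Nitrokey Pro).
set -eu

# fingerprint_from_status: read `gpg --card-status` text on stdin and print the
# 40-hex-digit fingerprint of the card's *signature* key, grouping spaces removed.
# Prints nothing and fails if the card reports "[none]" for that slot.
fingerprint_from_status() {
    fpr=$(awk '
        /^Signature key/ {
            sub(/^Signature key[ .]*:[ ]*/, "")   # drop the label and its dots
            gsub(/ /, "")                         # drop the 4-digit grouping
            if (length($0) == 40) print $0
            exit
        }')
    [ -n "$fpr" ] || { echo "card reports no signature key" >&2; return 1; }
    printf '%s\n' "$fpr"
}

# keyid_from_fingerprint: the long key ID is the last 16 hex digits of the
# fingerprint, exactly the form Thunderbird wants (no spaces, no leading 0x).
keyid_from_fingerprint() {
    printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 15) }'
}

# pubkey_url_from_status: the URL stored on the card, which is what `fetch`
# inside `gpg --card-edit` downloads from. Prints nothing if the field is unset.
pubkey_url_from_status() {
    awk '/^URL of public key/ {
             sub(/^[^:]*:[ ]*/, "")
             if ($0 != "[not set]") print $0
             exit
         }'
}

# Constructed sample of `gpg --card-status` output, used only for the offline checks.
SAMPLE_STATUS='Reader ...........: Nitrokey Nitrokey Pro (000000000000000000000000) 00 00
Application ID ...: D2760001240102010005000000000000
URL of public key : https://example.invalid/pubkey.asc
Signature key ....: 3E09 1F2B 6A7C 8D9E 0F10 1122 3344 5566 7788 99AA
      created ....: 2019-03-01 10:00:00
Encryption key....: [none]'

if [ "${1:-}" = "--run" ]; then
    status=$(gpg --card-status)
    fpr=$(printf '%s\n' "$status" | fingerprint_from_status)
    keyid=$(keyid_from_fingerprint "$fpr")
    echo "Long key ID for Thunderbird's external GnuPG dialog: $keyid"
    # Look the key up by the full fingerprint read from the card, not by the
    # 16-digit ID: the ID is what Thunderbird wants, the fingerprint is what
    # actually identifies the key.
    if gpg --batch --list-keys "$fpr" >/dev/null 2>&1; then
        echo "public key already in local keyring"
    else
        url=$(printf '%s\n' "$status" | pubkey_url_from_status)
        [ -n "$url" ] || { echo "no public key URL on the card; import the key by hand" >&2; exit 1; }
        echo "fetching public key from $url (same as 'fetch' in gpg --card-edit)"
        gpg --fetch-keys "$url"
        # Fails if whatever the URL served does not carry the card's fingerprint.
        gpg --batch --list-keys "$fpr" >/dev/null
    fi
fi
```

Run it as `sh find-key.sh --run` with the Nitrokey plugged in. The fetch step trusts whatever the card's URL serves, which is why the script looks the key up afterwards by the full fingerprint it read from the card rather than by the 16-digit ID; if the card has no URL set, fetch has nothing to download and the public key has to be imported by hand.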

Everything looked great until I ran gpg --list-keys and saw that my key had expired last year, when I hadn't needed to send any encrypted email.

An Aside - Fixing Expired and Untrusted Keys

As this article explains, extending a public key's expiration is fairly simple as long as you know how to do it. Use the command below, then in the menu select the key to change and set a new date: with nothing selected, expire changes only the primary key, so select each subkey with key N and repeat for those too. Changing the expiration needs the primary secret key, which with a Nitrokey means a PIN prompt, and it writes a fresh self-signature onto the public key, so the updated public key has to be re-exported and handed to anyone holding the old copy or they will still see it as expired.

gpg --edit-key keyID
> expire

Similarly, since this was a new machine, I needed to make sure that my personal keys were trusted by the system. Again, a fairly simple command gets the job done. I chose ultimate trust, although I will admit I'm not entirely certain of its exact meaning. It's my personal key, the only copy of which exists on a hardware module I am in possession of, with a PIN only I know. As things go, that is about as trusted as I think I can get.

gpg --edit-key keyID
> trust

Finishing Up

Now even with that, Thunderbird still wasn't happy with my key and insisted it didn't know what I was talking about. Reviewing their documentation again, I found that you also need to export the public key and import it into Thunderbird via the OpenPGP Key Manager on that End-to-End Encryption configuration page. The first step was to export my public key into a format that Thunderbird would accept.

gpg --armor --export keyID > pubkey.asc
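The expiry, trust and export steps above, done non-interactively in one added script (these are not the post's own commands). It assumes GnuPG 2.2 or later, where --quick-set-expire accepts '*' to cover every subkey, and that the primary secret key is reachable, here on the Nitrokey, so gpg will prompt for the PIN. In GnuPG's terms, "ultimate" ownertrust (value 6 in the ownertrust file) means gpg treats the key as your own and considers every key it certifies fully valid, which is the right setting for a key whose secret half you hold and the wrong one for anybody else's. The colon-format listings and the fingerprint are constructed samples for the offline checks; gpg is only called when the script is started with --run.

```shell
#!/bin/sh
# Added example (not part of the original post): fix an expired key, mark it as
# ultimately trusted and export the public key for Thunderbird without the
# interactive gpg --edit-key menu. Assumes GnuPG 2.2 or later (--quick-set-expire
# with '*' for all subkeys) and that the primary secret key is reachable, here on
# the Nitrokey, so expect a PIN prompt.
set -eu

# key_problems: read `gpg --with-colons --list-keys <fpr>` output on stdin and
# print one line per problem gpg or Thunderbird will complain about:
#   expired        validity field (2) of the pub record is "e"
#   not-ultimate   ownertrust field (9) of the pub record is anything but "u"
key_problems() {
    awk -F: '$1 == "pub" {
        if ($2 == "e") print "expired"
        if ($9 != "u") print "not-ultimate"
        exit
    }'
}

# ownertrust_record: the line `gpg --import-ownertrust` reads; 6 = ultimate.
# Argument is the 40-hex-digit fingerprint.
ownertrust_record() {
    printf '%s:6:\n' "$1"
}

# Constructed colon-format listing of an expired, untrusted key (offline checks only).
SAMPLE_EXPIRED='tru::1:1614000000:0:3:1:5
pub:e:4096:1:33445566778899AA:1551434400:1583056800::-:::scESC::::::23::0:
fpr:::::::::3E091F2B6A7C8D9E0F10112233445566778899AA:
uid:e::::1551434400::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.invalid>::::::::::0:
sub:e:4096:1:AABBCCDDEEFF0011:1551434400:1583056800:::::e::::::23:'

# Constructed listing of the same key after the fix: valid and ultimately trusted.
SAMPLE_FIXED='pub:u:4096:1:33445566778899AA:1551434400:1646200000::u:::scESC::::::23::0:'

if [ "${1:-}" = "--run" ]; then
    fpr="${2:?usage: $0 --run <40-hex-digit fingerprint>}"
    listing=$(gpg --batch --with-colons --list-keys "$fpr")
    for problem in $(printf '%s\n' "$listing" | key_problems); do
        case "$problem" in
        expired)
            # New expiry one year out on the primary key, then ('*') on every subkey.
            # This writes a fresh self-signature, so the public key changes and must
            # be re-exported and re-distributed afterwards.
            gpg --quick-set-expire "$fpr" 1y
            gpg --quick-set-expire "$fpr" 1y '*'
            ;;
        not-ultimate)
            # Non-interactive equivalent of `trust` -> 5 (ultimate) in gpg --edit-key.
            ownertrust_record "$fpr" | gpg --import-ownertrust
            ;;
        esac
    done
    # Export for Thunderbird's OpenPGP Key Manager, then check that the file
    # parses and carries the fingerprint we expect before importing it anywhere.
    gpg --armor --export "$fpr" > pubkey.asc
    gpg --with-colons --show-keys pubkey.asc | grep -q "^fpr:::::::::$fpr:"
    echo "pubkey.asc ready to import into Thunderbird"
fi
```

Run it as `sh fix-key.sh --run <fingerprint>`. Because the new expiration date lives in a self-signature on the public key, the pubkey.asc written here is what has to go into Thunderbird's key manager and out to correspondents; an old copy of the public key keeps showing the key as expired no matter what the card says.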

The keyID is the same one we used when adding the key in the external GnuPG configuration window. Thunderbird keeps its own store of public keys, separate from GnuPG's keyring, which is why the export and import are needed even though gpg already knows the key. That imported nicely, as you can see below, and I was finally able to send and receive signed and encrypted emails!

Public key imported into Thunderbird

Compared to my previous usage of ClawsMail, Thunderbird was a little more involved to get set up properly, but it seems to be working quite nicely now. Hopefully newer versions will improve the internal OpenPGP library's smartcard support, making this additional setup redundant.