Bug #15551

Generating a revocation certificate with Enigmail fails

Added by goupille 2018-04-22 17:25:27. Updated 2018-09-05 16:24:08.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2018-04-22
Due date:
% Done: 100%
Feature Branch: feature/15091-thunderbird-60
Type of work: Code
Blueprint:
Starter:
Affected tool: Email Client
Deliverable for:
Description

Open Thunderbird, open Enigmail>Key Management, select your key pair and open Generate>Revocation Certificate, choose a place to save this certificate.
Enigmail pops up the following error message:

The revocation certificate could not be created.

There is an AppArmor DENIED message, I guess related to that, in the logs:

amnesia audit[8253]: AVC apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name=<Some very long hexadecimal number> pid=8253 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Since it is not possible to generate a revocation certificate with Seahorse, there are no other options for the user than opening a terminal and starting

gpg --generate-revocation <user-id>


Related issues

Blocks Tails - Feature #15334: Core work 2018Q3: Foundations Team Resolved 2018-02-20
Blocked by Tails - Feature #15091: Upgrade to Thunderbird 60 Resolved 2018-05-09

History

#1 Updated by goupille 2018-04-22 17:25:59

  • Subject changed from geneating a revocation certificate with enigmail fails to Generating a revocation certificate with Enigmail fails

#2 Updated by intrigeri 2018-05-28 16:52:41

  • Target version set to Tails_3.8
  • Affected tool set to Email Client

#3 Updated by intrigeri 2018-05-28 16:52:58

#4 Updated by intrigeri 2018-06-16 08:14:45

Interestingly, on bugfix/15602-efail the Enigmail setup wizard is able to save a revocation certificate to the default location (~/testboum.org (0x815EBDF9A8A8A268DDDDA8D2AAEA1140B21F1077) rev.asc@) => I think this is lower priority than I initially thought (the main path we want users to take is already covered and there’s a command-line workaround).

But indeed, trying to do so after the fact fails as goupille reported:

apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name=2F686F6D652F616D6E657369612F7465737432207465737440626F756D2E6F7267202830784141454131313430423231463130373729207265762E617363 pid=7847 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I was not asked for the passphrase so I think gpg fails to connect to the agent. I’ve seen these long hex strings before but cannot remember what they’re about and how to fix it => I’ll need to ask my upstream AppArmor team-mates for help.
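Added example, not part of the original ticket: the kernel audit code logs a string field as unquoted hex when it contains a double quote or any byte outside printable ASCII 0x21-0x7e (a space included), so the `name=` value above is the denied path in hex. This sketch parses the denial line from this comment and decodes it; the function names and the choice of which fields to treat as strings are assumptions of the example.

```python
import re

# Denial line copied from comment #4 of this ticket.
DENIAL = (
    'apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" '
    'name=2F686F6D652F616D6E657369612F7465737432207465737440626F756D2E6F7267'
    '202830784141454131313430423231463130373729207265762E617363 '
    'pid=7847 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'
)

# key=value pairs; a value is either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: only these fields (all present in the line above) are treated
# as strings; pid, fsuid etc. are numeric and must never be hex-decoded.
STRING_FIELDS = {"name", "comm", "profile"}


def unsafe_chars(value):
    """Characters that force hex encoding: '"' or anything outside 0x21-0x7e."""
    return sorted({c for c in value if c == '"' or not 0x21 <= ord(c) <= 0x7E})


def parse_denial(line):
    """Return the fields of an AppArmor audit line, with hex names decoded."""
    fields = {}
    for key, raw in FIELD.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            fields[key] = raw[1:-1]  # printable value, logged in quotes
        elif key in STRING_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            # Unquoted string field: hex dump of the raw bytes.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "backslashreplace")
        else:
            fields[key] = raw
    return fields


if __name__ == "__main__":
    name = parse_denial(DENIAL)["name"]
    print(name)
    print("hex-encoded because of:", unsafe_chars(name))
```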

#5 Updated by intrigeri 2018-06-16 08:28:29

  • Target version changed from Tails_3.8 to Tails_3.9

intrigeri wrote:
> I’ve seen these long hex strings before but cannot remember what they’re about and how to fix it => I’ll need to ask my upstream AppArmor team-mates for help.

Done: https://gitlab.com/apparmor/apparmor-profiles/issues/1. I’ll come back to it during next cycle.

#6 Updated by intrigeri 2018-06-16 09:08:19

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 20

Sent an MR upstream that fixes this: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/18. Relevant commit is https://gitlab.com/apparmor/apparmor-profiles/merge_requests/18/diffs?commit_id=b5a85063f3a2f087b1838855fbb779ac53381156. IMO it’s not worth spending time on importing this patch on our side, let’s just fix this upstream and let this flow into Tails by way of Debian and then our patched Thunderbird package.

#7 Updated by intrigeri 2018-06-27 07:56:42

  • % Done changed from 20 to 50
  • Type of work changed from Research to Wait

Merged upstream and imported into src:thunderbird’s Vcs-Git (debian/sid and debian/experimental branches) => we’ll get these changes once the Thunderbird package is updated in Debian and we rebuild our own package on top of it.

#8 Updated by intrigeri 2018-06-27 07:57:13

  • blocked by deleted (Feature #15139: Core work 2018Q2: Foundations Team)

#9 Updated by intrigeri 2018-06-27 07:57:25

#10 Updated by intrigeri 2018-08-08 15:05:08

#11 Updated by intrigeri 2018-08-10 14:15:21

  • % Done changed from 50 to 100
  • QA Check set to Pass
  • Feature Branch set to feature/15091-thunderbird-60
  • Type of work changed from Wait to Code

I confirm this is fixed on feature/15091-thunderbird-60.

#12 Updated by intrigeri 2018-08-15 19:20:58

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)

… at the same time as Feature #15091.

#13 Updated by intrigeri 2018-09-05 16:24:08

  • Status changed from Fix committed to Resolved