According to the article mentioned above, the date of creation of the signature could play a role.I still cannot figure out if the message digest algo in the signature or the message digest algo in the mail itself is to blame. I have just sent myself a mail from a FreeBSD box, pgpdump says that the message uses MDC SHA1(20 bytes) but this message is displayed correctly in my Thunderbird and the signature shows as valid and green.
So check the dates. However, I couldn't find an explanation in all cases, for example in the case of the original post. I compared the Thunderbird debug console output (with openpgp.loglevel set to All and temp.openpgp.logDirectory set to /tmp/): no difference between the two emails. I tried setting mail.smime.accept_insecure_sha1_message_signatures to true, the error still occurs. I couldn't find anything in the strace output. I did everything I could to try to find a difference between the two emails with gpg, I never found anything that could explain the difference.Thunderbird versions 91.8.0 and 91.8.1 contained a change to reject signatures involving unsafe algorithms depending on when the signature was created. As a result, signatures using SHA-1 were rejected if they were created after mid January 2019.
[...]
To allow more time for the transition away from SHA-1, Thunderbird version 91.9.0 has been changed to be less strict than 91.8.0. In 91.9.0, SHA-1 signatures will work again on properties of OpenPGP keys and for signatures on key revocations. Therefore, affected users will be able to use their key with Thunderbird until SHA-1 is fully deprecated in a future version.
However, other unsafe algorithms like MD5 will continue be rejected. And SHA-1 will also continue to be rejected for signatures of email messages created after mid January 2019.
You can try asking on Mozilla's Bugzilla if you are still interested. If you do, please let us know, thanks.
Statistics: Posted by fabien — 2024-06-29 11:00
