Digital Signatures are marked as not valid in TB 115.1.0 (64-bit) Windows

  • 7 replies
  • 3 have this problem
  • 1 view
  • Last reply by christ1


In TB 115.1.0 (64-bit) on Windows digital signatures are marked as not valid for an unknown reason. This happens at least with emails sent from Outlook clients. In TB 102.14.0 (64-bit) on Windows these digital signatures were shown as valid. However, digital signatures of emails sent from other clients (e.g. Thunderbird, Nine from 9folders) are shown as valid.



All Replies (8)


I have to wonder if it is the email that is not valid as per the discussion here https://thunderbird.topicbox.com/groups/e2ee/T73970314d54cdfdb-Me264daf5de25d4c964ff3462


The sent and received emails are exactly the same (despite the additional headers "Received: from ..."). My issue is with validating the signature of received emails.


It looks like you're having an issue with digital signatures not being recognized as valid in Thunderbird 115.1.0 on Windows, especially with emails sent from Outlook clients. It's great that you've noticed this change from Thunderbird 102.14.0. This could be due to changes in how digital signatures are handled in the newer version. To troubleshoot, try checking Thunderbird's security settings and ensure that any required certificates are installed and up-to-date. Remember, digital signature verification involves a complex process, so a little digging might be needed to pinpoint the issue.


The certificates are installed and up-to-date and the security settings are the same on both versions. In the meantime I tried with an encrypted message which I sent to myself. Decrypting worked, but the error message for the signature now says that "The message was signed using an encryption strength that this version of your software does not support."

I use an RSA key with key size 2048, signature algorithm SHA-256 with RSA Encryption Version 3.


Is there anything related in the Error Console (CTRL-Shift-J)?


The error console shows only some warnings about ignored declarations like "mso-style-type" etc.

I did some further testing with the hash algorithms in Outlook and I saw that the signatures of emails using SHA-256, SHA-384 and SHA-512 for signing are validated by Thunderbird 115.1.0.

The problem exists only for signatures when Outlook uses the SHA-1 for signing, which unfortunately seems to be the default.

The problem exists only for signatures when Outlook uses the SHA-1 for signing, ...

See https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

... which unfortunately seems to be the default.

I don't know whether SHA-1 signatures are the default for Outlook, but it's certainly configurable. Having said that, I do find Outlook's S/MIME handling very weird to say the least. And it often does not find a recipient's certificate for encryption, even though it's clearly there.


Chosen Solution

Slightly more updated info at https://blog.thunderbird.net/2023/10/thunderbird-115-and-signatures-using-the-obsolete-sha-1-algorithm/

Basically can still accept SHA-1 signatures if you have to by setting mail.smime.accept_insecure_sha1_message_signatures to true in the Config Editor.

Would be nice if we could still see the signer's certificate as we can with all other signature errors (e.g. changed content by an intermediate server, sender address mismatch, etc) but that would be a bug report.

Modified by velosol
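
One way to find which stored messages are affected, as an added example (not from the thread or from Thunderbird): it reads the `micalg` parameter that a clear-signed S/MIME message declares on its `multipart/signed` header and lists the senders declaring SHA-1. The addresses and message bytes are constructed samples, and `micalg` is only the sender's declaration, so this triages messages and does not verify signatures.

```python
import email

# micalg spellings for SHA-1: RFC 5751 uses "sha-1", older senders write "sha1"
SHA1_MICALG = {"sha1", "sha-1"}
SMIME_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def signature_digest(raw: bytes):
    """Declared micalg of the first S/MIME multipart/signed part, else None."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_type() != "multipart/signed":
            continue
        if str(part.get_param("protocol", "")).lower() not in SMIME_PROTOCOLS:
            continue  # e.g. OpenPGP (application/pgp-signature)
        return str(part.get_param("micalg", "unknown")).lower()
    return None

def sha1_senders(raw_messages):
    """From headers of messages whose signature declares SHA-1."""
    hits = []
    for raw in raw_messages:
        if signature_digest(raw) in SHA1_MICALG:
            hits.append(email.message_from_bytes(raw)["From"])
    return hits

def make_sample(sender, micalg):
    """Constructed test message; the signature body is a dummy, not real CMS."""
    return (
        f"From: {sender}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";\r\n'
        f' micalg={micalg}; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        '--b1\r\nContent-Type: application/x-pkcs7-signature; name="smime.p7s"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    inbox = [make_sample("outlook.user@example.com", "SHA1"),
             make_sample("tb.user@example.com", "sha-256")]
    for sender in sha1_senders(inbox):
        print("SHA-1 signature declared by:", sender)
```

Signatures inside an encrypted message are not visible to this check until the message is decrypted, and opaque-signed messages (`application/pkcs7-mime`) carry no `micalg` parameter.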