Thunderbird's new OpenPGP integration fails to recognise private keys that had the sign subkey removed

I have just upgraded from Thunderbird 68 with Enigmail to Thunderbird 78, with its native OpenPGP features. However, the migration from Enigmail didn't succeed and it fails to associate the keys in my keyring to my e-mail accounts.

When I first upgraded, Enigmail popped up a tab with a "Migrate" button on it. At first it didn't work -- it kept complaining that Thunderbird's OpenPGP infrastructure wasn't initialised -- but turning it off-and-on again got me past that.

When I successfully started the migration, it started asking me for passwords to keys. Fair enough, I assume it was just trying to validate them. However, then it started asking me the password to a revoked key. I'm pretty sure I got the password right -- although it was revoked in 2016, so I can't be sure -- but it just kept going round in a loop. Ultimately, I cancelled this and Enigmail completed, with the warning that this key couldn't be imported. That's fine; like I say, it's revoked.

Now, in Account Settings > Account > End-To-End Encryption, it fails to associate my key with my accounts. I assume it does this based on the key identity matching the account's e-mail address. My main key has many identities associated with it (one for my personal e-mail, one for work, etc.); is this what is causing the association to fail? (Incidentally, my keys do correctly appear in Thunderbird's OpenPGP key manager.)

Seeing that this doesn't work, I try exporting my keys with gnupg and importing them into Thunderbird. It correctly recognises the keys when I do the import, but then it starts asking for the password to that revoked key again! I don't know what that key has to do with my new keys, apart from the fact that it has the same identity.

If I don't do anything -- i.e., assume it will work magically -- when I try to send a signed or encrypted e-mail, it complains that it cannot find the secret key for my identity's key. So, it did work magically, in the sense that it correctly determined the signing/encryption key it should be using -- and not the revoked one -- but for some reason it fails to find the secret key. What's going on!?

Is Thunderbird shelling out to gnupg under the hood, or does it contain its own implementation and its own keyring? If the latter, that could explain it, but if it does work that way, I'm not happy about the "forking" of keyrings. That would mean I have to maintain another set.


It took some time to have GnuPG support in Thunderbird again (using the third option "use external key via GnuPG" via peer-to-peer encryption settings of a mail account). In our case we have private keys without the signing key, just like you, to run an encrypted mailinglist, where only the list admin has the signing key, so no ordinary list member can mess with the key by revoking it etc.

We still don't have encryption up and running again with all Thunderbird users of the mailing list, but we learned two things:

  1. On GNU/Linux we had to replace pinentry-qt with pinentry-gtk-2 in order to work again.
  2. On Windows installations Thunderbird actually crashed when trying to decrypt messages with keys where the sign key was removed until we switched gpgme logging on with debug level 7 (using the command setx GPGME_DEBUG 7;C:\ProgramData\Temp\gpgme.log in a cmd shell).

Hope this helps others with encryption-only OpenPGP keys. We still have trouble on OSX and hope we can fix it soon. Otherwise we need to think about alternatives, e.g. setting up a Matrix server.
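Both posts come down to the same question: which secret keys in the keyring actually carry usable signing material for a given address, as opposed to a revoked key with the same identity or a key whose signing subkey is only a stub. The following is an added Python example, not code from this thread or from Thunderbird, that answers that by parsing the colon-separated format of `gpg --with-colons --list-secret-keys`; the listing below is constructed, with invented key IDs, hashes and addresses.

```python
from dataclasses import dataclass, field

# Constructed sample of gpg --with-colons --list-secret-keys output (fake IDs).
# sec = secret primary, ssb = secret subkey, uid = user ID.
# Field 12 (index 11): capabilities, lowercase = this key's own (s = sign, e = encrypt,
# c = certify). Field 15 (index 14): '#' when only a stub of the secret key is present.
SAMPLE_LISTING = """\
sec:u:3072:1:AAAAAAAA11111111:1600000000:::u:::scESC:::::23::0:
uid:u::::1600000000::HASH1::Alice <alice@example.org>::::::::::0:
ssb:u:3072:1:BBBBBBBB22222222:1600000000::::::e:::::23:
sec:u:3072:1:DDDDDDDD44444444:1600000000:::u:::cESC:::::23::0:
uid:u::::1600000000::HASH2::Mailing list <list@example.org>::::::::::0:
ssb:u:3072:1:EEEEEEEE55555555:1600000000::::::s:::#:
ssb:u:3072:1:CCCCCCCC33333333:1600000000::::::e:::::23:
sec:r:2048:1:FFFFFFFF66666666:1400000000:::-:::scESC:::::23::0:
uid:r::::1400000000::HASH3::Alice (old) <alice@example.org>::::::::::0:
ssb:r:2048:1:0000000077777777:1400000000::::::e:::::23:
"""

@dataclass
class SecretKey:
    keyid: str
    revoked: bool
    uids: list = field(default_factory=list)
    can_sign: bool = False          # some sec/ssb line has 's' and real secret material
    stub_subkeys: list = field(default_factory=list)  # key IDs listed only as stubs

def parse_secret_listing(text: str) -> list:
    """Group sec/ssb/uid records into SecretKey objects, one per primary key."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        f += [""] * (20 - len(f))          # pad so indices are always valid
        if f[0] == "sec":
            cur = SecretKey(keyid=f[4], revoked=(f[1] == "r"))
            keys.append(cur)
        if cur is None:
            continue
        if f[0] == "uid":
            cur.uids.append(f[9])
        elif f[0] in ("sec", "ssb"):
            stub = f[14] == "#"
            if stub:
                cur.stub_subkeys.append(f[4])
            if "s" in f[11] and not stub:
                cur.can_sign = True
    return keys

def usable_signing_keys_for(keys: list, email: str) -> list:
    """Key IDs a mail client could sign with for this address: not revoked,
    and holding secret material for a signing-capable (sub)key."""
    return [k.keyid for k in keys
            if not k.revoked and k.can_sign and any(f"<{email}>" in u for u in k.uids)]
```

Run against a real keyring, the listing comes from `gpg --with-colons --list-secret-keys`; an empty result for an address whose key does appear in the key manager is the "cannot find the secret key" situation described above.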