[Closed] system gpg instead of portable one

Simeon
DeveloperTranslator
Joined: 2006-09-25 15:15
[Closed] system gpg instead of portable one

Someone mentioned this on IRC and I thought I'd put it here in the tracker:

OpenPGP PGP/GPG v1.4.15rev2 is accessing the system's gpg (inside c:\program files\ instead of the c:\portable folder); I observe this when I change some configuration inside OpenPGP's preferences, advanced gpg command line.

Haven't tested it myself though.

John T. Haller
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
GPG for Thunderbird/SeaMonkey

We only support GPG as an add-on for Thunderbird and SeaMonkey with Enigmail. We do not make a standalone version available and it cannot be run directly. When GPG is run directly, it is non-portable.

Sometimes, the impossible can become possible, if you're awesome!

Simeon
DeveloperTranslator
Joined: 2006-09-25 15:15
Ah

That explains it.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devil's Advocate

Bry8Star
Joined: 2010-03-17 04:47
Portable Thunderbird Accessing Host Computer's GPG!

I reported that. I should add more info so this serious bug is fixed, or the cause of the problem can be accurately identified and fixed.

I'm using a command such as the one below inside the text box "Additional parameters for GnuPG" inside Thunderbird > OpenPGP > Preferences > Advanced:

--throw-keyids --no-emit-version --no-comments --display-charset utf-8 --keyserver-options no-auto-key-retrieve,no-try-dns-srv,http-proxy=http://127.0.0.1:8118 --keyserver hkp://sks.mit.edu,hkp://pool.sks-keyservers.net,hkp://2eghzlv2wwcq7u7y.onion,hkp://pgp.surfnet.nl,hkps://zimmermann.mayfirst.org,hkp://subkeys.pgp.net

I once removed the command parameter --throw-keyids to send an email, and after sending the email, added the parameter back.

When removed and when added, both times my-side security software warned me that GPGCONF.EXE, which is part of GnuPG (for the local system) and outside of the Thunderbird-Portable folder, was suddenly being executed from this location: c:\program files\gnu\gnupg\gpgconf.exe, executed by THUNDERBIRD.EXE from this location: C:\PortableApps\ThunderbirdPortable\App\Thunderbird\

(The above shouldn't be happening; Portable Thunderbird should not access any other software on that system.)

And immediately after that, GPGCONF.EXE executed GPG-AGENT.EXE from this location: c:\program files\gnu\gnupg\gpg-agent.exe

When I decrypt or encrypt email, I can see that my-side security software has logged events showing that the correct GPG.EXE is used by Portable Thunderbird, from the location below:
c:\PortableApps\thunderbirdportable\app\gpg\gpg.exe

I obtained Portable GPG from this page:
https://portableapps.com/support/thunderbird_portable#encryption

In Portable Thunderbird > OpenPGP > Preferences > Basic > Files and Directories, I can see this info:
GnuPG was found in C:\PortableApps\ThunderbirdPortable\App\gpg\gpg.exe

If it has found GPG in the correct folder, then why is it accessing the wrong folders & files?!

I have manually browsed to and selected the same GPG.EXE executable inside the PortableApps folder, as a test, in the override textbox (in the above-mentioned preference settings area), but the same events were observed again (that is, any preference change is invoking that computer's local GnuPG/GPG, which is not supposed to be invoked by Portable Thunderbird)!

Why is Portable Thunderbird accessing non-portable GPG/GnuPG software components?

I first obtained Enigmail addon from Mozilla Thunderbird addon search results, in Portable Thunderbird. Then immediately after the next restart, updated it with the Enigmail xpi file released by the actual Enigmail author's site ( https://www.enigmail.net/home/ ).

Please fix this problem. Is it Enigmail or Portable-GPG causing Portable Thunderbird to access NON-portable GPG?

This is a VERY serious LEAK for Portable Thunderbird; it's leaving usage records on the host computer and using the host computer's GPG software.

Thanks in advance,
-- Bright Star.

EDITED:

It seems enigmail.js inside this C:\PortableApps\ThunderbirdPortable\Data\profile\extensions\{UUID/GUID}\components\ folder has configuration related to accessing the Windows registry AND other folder locations.

If Enigmail could be restricted to use files & folders ONLY inside PortableApps\ThunderbirdPortable folder, where it is installed, then that will be very helpful.

OR, if a NEW xpi addon file for Enigmail is released with PortableApps related patch or configuration, then it should work and stay inside PortableApps\ThunderbirdPortable only.

Now trying to understand which settings can be modified manually to force Portable Thunderbird not to access any GnuPG/GPG/PGP related files outside of the PortableApps folder.

If someone already knows and can post a few settings to change, for forcing it to use files & folders only from inside the PortableApps installed folder, then that would be very helpful for all Portable Thunderbird users who use the Enigmail addon for "encrypted" and/or "signed" emails.

Thanks in advance,
-- Bright Star.

John T. Haller
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Enigmail and GPG

In their standard configuration, Enigmail with Thunderbird Portable will only access GPG within the ThunderbirdPortable directory. If you start adding in specialized command line options, though, all bets may be off. We have only tested and only support the standard/default configuration. For anything else, you'd need to ask the Enigmail team.

Sometimes, the impossible can become possible, if you're awesome!

Bry8Star
Joined: 2010-03-17 04:47
Portable Thunderbird Failing To Restrict Enigmail Activity.

Hi John,

(1) So I installed a NEW Thunderbird Portable v24.0.1 inside the C:\PortableApps\TEST\ folder.

(2) Added my email into new Portable Thunderbird, as IMAP account. Configured it to use TLS encryption supported protocol & port for both IMAP and SMTP.

(3) Installed GPG-Portable edition 1.4.15rev_2 into above+same ThunderbirdPortable folder.

(4) Loaded the current last Enigmail 1.6 sm+tb.xpi addon from file, into Thunderbird Portable.

(5) Obtained my gpgkey from a keyserver. (I have seen a warning from my-side security software that NTOSKRNL has accessed the GPG.EXE file (which is installed inside the ThunderbirdPortable\Apps\gpg\ folder). GPG.EXE then executed GPGKEYS_HKP.EXE, and GPGKEYS_HKP.EXE used the DNS server to resolve the keyserver's domain name.)

(6-a) Went into the OpenPGP/Enigmail Preferences window --> I can see it's showing a "message" that it has found GnuPG here: C:\PortableApps\TEST\ThunderbirdPortable\App\gpg\gpg.exe, and the "Override With" option is pre-selected and showing the same location and file shown in the "message"/info-line.

(6-b) I unselected the option "Override With" and pressed the "OK" button .. right away THUNDERBIRD.EXE is executing GPGCONF.EXE from C:\Program Files\Gnu\GnuPG\gpgconf.exe! And then GPGCONF.EXE executing GPG-AGENT.EXE! ... more chains of events after that related to GnuPG. OR when I clicked on the "Display Expert Settings" button and then pressed the "OK" button, the same events happened again!

So I think it (step 6-b) is PROOF that even by default Enigmail is forcing Portable THUNDERBIRD to access files outside of the PortableApps folder (and probably the Windows Registry as well). And Portable Thunderbird cannot block such outside access!

The outside GnuPG is intended for use with the system's Mozilla Thunderbird inside C:\Program Files\; that GnuPG is not for Portable Thunderbird.

In enigmail.js (inside the addon's sub-folder), there are separate functions for finding GPG AGENT; I suspect those functions are able to bypass Portable Thunderbird's container.

Please find+apply a fix for it.

Thanks in advance,
-- Bright Star.
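
Added example, not part of the original post and not PortableApps or Enigmail code: one way to confirm the behaviour reported in step 6-b from process-creation logs is to flag every process that descends from an image inside the portable folder but whose own image lies outside it. The event tuples are constructed sample data, the thunderbird.exe path under TEST is inferred from the paths in the posts, and the function names and the no-PID-reuse assumption are illustrative.

```python
import ntpath  # Windows path rules, usable on any OS

PORTABLE_ROOT = r"C:\PortableApps\TEST\ThunderbirdPortable"

# Constructed sample events in creation order: (pid, parent pid, image path).
EVENTS = [
    (200, 1, r"C:\PortableApps\TEST\ThunderbirdPortable\App\Thunderbird\thunderbird.exe"),
    (300, 200, r"c:\portableapps\test\thunderbirdportable\app\gpg\gpg.exe"),
    (400, 200, r"C:\Program Files\Gnu\GnuPG\gpgconf.exe"),
    (500, 400, r"C:\Program Files\Gnu\GnuPG\gpg-agent.exe"),
    # Sibling folder sharing the root's name as a prefix: must not count as inside.
    (600, 1, r"C:\PortableApps\TEST\ThunderbirdPortable2\tool.exe"),
    (700, 600, r"C:\Windows\System32\cmd.exe"),
]


def inside(path, root):
    """True if path is root or lies below it (case-insensitive, '..' resolved)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def escapes(events, root):
    """Return (pid, image name, parent pid) for each process that runs from
    outside root while descending from a process that runs from inside it."""
    lineage = set()   # pids that are, or descend from, an in-root process
    findings = []
    for pid, ppid, image in events:
        if inside(image, root):
            lineage.add(pid)
        elif ppid in lineage:
            lineage.add(pid)  # keep following the chain (gpgconf -> gpg-agent)
            findings.append((pid, ntpath.basename(image).lower(), ppid))
        else:
            lineage.discard(pid)  # unrelated process; assumes no PID reuse
    return findings


if __name__ == "__main__":
    for pid, name, ppid in escapes(EVENTS, PORTABLE_ROOT):
        print(f"pid {pid} ({name}) started by pid {ppid} runs outside {PORTABLE_ROOT}")
```

The bundled gpg.exe passes despite its lower-case path, while gpgconf.exe and the gpg-agent.exe it starts are both reported.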

ottosykora
Joined: 2007-10-11 17:48
why??

>(6-b) I unselected the option "Override With", and pressed "OK" button .. right-away

Otto Sykora
Basel, Switzerland

Bry8Star
Joined: 2010-03-17 04:47
section after OR in 6-b means...

Let me paste it again:

(6-b) I unselected the option "Override With",
and pressed "OK" button .. right-away THUNDERBIRD.EXE
is executing GPGCONF.EXE from
C:\Program Files\Gnu\GnuPG\gpgconf.exe !
And then GPGCONF.EXE executing GPG-AGENT.EXE !
... more chains of events after that
related to GnuPG.
OR when I clicked on "Display Expert Settings"
button and then pressed "OK" button, then same
events happened again !

I hope you have seen the portion that starts after the word "OR". It means that when I did not unselect the "Override With" option and, alternatively, only clicked on the "Display Expert Settings" button and immediately after that clicked on the "OK" button (WITHOUT changing any GPG-related settings), even then Portable Thunderbird is accessing the GnuPG software installed outside of the "ThunderbirdPortable" folder, for a different software!

I want PortableThunderbird to use the GPG installed inside its sub-folder; I don't want it to access the GPG files which are outside ... that is the purpose of all this posting.

If you are willing to look at the GPG Manual you will see, for example, it's suggesting to use the --throw-keyids gpg parameter to make GPG more secure. By default it's not secure enough.

John T. Haller
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Enigmail Bug

In that case, it looks like Enigmail can only use the installed GPG for advanced settings and will ignore the specified custom path. You should report this to the Enigmail team.

In the meantime, you can only use the standard settings for GPG and have it be portable.

Sometimes, the impossible can become possible, if you're awesome!

ottosykora
Joined: 2007-10-11 17:48
I see

> i only clicked on the "Display Expert Settings" button and immediately after that i clicked on "OK" button (WITHOUT changing any GPG related settings), even then Portable Thunderbird accessing GnuPG software ! installed outside of "ThunderbirdPortable" folder, for a different software !

Otto Sykora
Basel, Switzerland
