
Thunderbird 78 Deprecates Enigmail

Thanks to a mention by a Telegram user, Thunderbird is deprecating the XUL addon framework, and therefore Enigmail with it, by v78 in favor of a built-in OpenPGP implementation.

This brings many questions like:

  • How does this implementation compare to the former security- and usability-wise?
  • How are keys imported?
  • How do we enable and customize the feature with the prefs file?
  • What is its relationship to the GPG backend?
  • How do other distros plan to go forward?

https://wiki.mozilla.org/Thunderbird:OpenPGP:Migration-From-Enigmail#Other_changes

https://wiki.mozilla.org/Thunderbird:OpenPGP:2020

1 Like

Security? I guess less attack surface. Usability? Well, users will have to learn how to use Thunderbird without Enigmail and, I imagine, learn the said new functionalities. As for the other questions, I think they are answered in the blog post you provided. Except the last one.

1 Like

Take a look at this as well https://pep.software/thunderbird/.

Not great. Now that the torbirdy replacement issue was finally solved… (torbirdy deprecated - replacement required) Back to a bit of chaos. Not looking forward to it.

These new keys probably need a separate backup since Thunderbird introduces its own keystore. Perhaps for users of gpg command line it would be best to create the key outside of Thunderbird and then import into Thunderbird. That way one does not have two keys - gpg and Thunderbird. In theory.

Thunderbird will probably stop being compatible with Qubes Split GPG at least until/if someone fixes that, if possible.

Quote https://wiki.mozilla.org/Thunderbird:OpenPGP:2020

Thunderbird is unable to bundle GnuPG software, because of incompatible licenses (MPL version 2.0 vs. GPL version 3+).

Great, licensing is responsible for this mess.

Instead of relying on users to obtain and install external software like GnuPG or GPG4Win, we intend to identify and use an alternative, compatible library and distribute it as part of Thunderbird on all supported platforms.

Well, the issue wasn’t Linux distributions where GnuPG is usually installed by default.


Will require updated documentation.

If it wasn’t for the updated torbirdy implementation which we rely on for Whonix (torbirdy deprecated - replacement required), I’d consider swapping e-mail clients. In theory, for Kicksecure an e-mail client with functional gpg integration that can use system gpg could be considered.

I guess the same way torbirdy deprecated - replacement required is currently doing it, using folder https://gitlab.com/whonix/anon-apps-config/-/tree/master/etc/thunderbird, will still work.

Attack surface? Perhaps similar. I don’t see how locally installed gpg would cause any more attack surface than Thunderbird integrated gpg. Not even a theoretic argument can be made until someone compares the code bases.

Might be better for those who only use Thunderbird and don’t mind having the keys on the same machine (VM) as the signing keys. (No qubes-split-gpg.) But I am sure this will also add confusion as it uses a keystore separate from gpg command line.

https://www.whonix.org/wiki/E-Mail#Pretty_Easy_Privacy

Either new, separate keys. That I suppose will always be easy.
And also they mention many times the ability to import existing keys.

As for locally installed, command line gpg. Not much. Key import from gpg format to Thunderbird’s own format. That’s the most. No other interaction with command line gpg.

It might be wise to wait and see any bugs being ironed out?

That is a good question. I doubt there is much choice for distributions. Unless someone forks Thunderbird, restores the old functionality, which is probably unlikely, I guess everyone has to switch client or go with these changes. A small hope is that support for locally installed gpg is added.

Let’s hope that this change at least doesn’t happen before the upgrade from Debian buster to Debian bullseye. Usually Debian stable doesn’t do major version upgrades in the stable release of Debian. But is firefox-esr package in Debian an exception? By extension, is the thunderbird package also an exception? I didn’t monitor firefox version from firefox-esr closely enough but I think there might be an exception. Which would then mean this change could hit us already during the Debian buster based Whonix 15 release series.

1 Like

For the record (because I’ve not seen this mentioned before–apologies if this has been posted elsewhere):
I just updated from Thunderbird 68.12.0 to 78.2.2 on a test system (stand-alone installation) since the latter version is made available through Mozilla’s own “release” update channel starting today. Somewhat unexpectedly, I found that it’s impossible to use (i.e. (re-)import) so-called “laptop keys” (aka disposable subkeys with an offline master key).
This effectively rules out production use for me–unless a GPG-compatible backend will be provided soon/by when the old 68.x version of Thunderbird will not receive security fixes anymore addressing newly discovered flaws, it’s time to switch to another application on the desktop, I guess…

2 Likes
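
The "laptop key" layout described in the post above (offline master key, usable subkeys) can be recognised in GnuPG's machine-readable listing, which helps to check which keys are affected before a migration. This is an added example, not part of the thread; the function names are illustrative and the sample listing is constructed.

```python
# Classify secret keys from `gpg --list-secret-keys --with-colons` output.
# In sec/ssb records, field 15 is '#' for a stub (secret part not in the
# keyring), '+' when the secret key is available, or a smartcard serial.

# Constructed sample: key 1 has an offline master key, key 2 is complete.
SAMPLE_LISTING = """\
sec:u:4096:1:1111111111111111:1577836800:::u:::scESC:::#:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1577836800::0000000000000000000000000000000000000000::Constructed Laptop Key <laptop@example.org>::::::::::0:
ssb:u:4096:1:2222222222222222:1577836800::::::s:::+:::23:
ssb:u:4096:1:3333333333333333:1577836800::::::e:::+:::23:
sec:u:4096:1:4444444444444444:1577836800:::u:::scESC:::+:::23::0:
uid:u::::1577836800::0000000000000000000000000000000000000000::Constructed Full Key <full@example.org>::::::::::0:
ssb:u:4096:1:5555555555555555:1577836800::::::e:::+:::23:
"""

def _secret_state(fields):
    """Map field 15 of a sec/ssb record to stub / present / card / unknown."""
    token = fields[14] if len(fields) > 14 else ""
    if token == "#":
        return "stub"
    if token == "+":
        return "present"
    return "card:" + token if token else "unknown"

def classify_secret_keys(colon_listing):
    """Return one dict per primary key with its user IDs, subkeys and layout."""
    keys = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            keys.append({"keyid": f[4], "uids": [], "subkeys": [],
                         "primary": _secret_state(f)})
        elif keys and f[0] == "uid":
            keys[-1]["uids"].append(f[9])  # ':' inside a uid is escaped as \x3a
        elif keys and f[0] == "ssb":
            keys[-1]["subkeys"].append((f[4], f[11], _secret_state(f)))
    for k in keys:
        usable = [s for s in k["subkeys"] if s[2] != "stub"]
        if k["primary"] == "stub":
            k["layout"] = "laptop-key" if usable else "no-secret-material"
        else:
            k["layout"] = "complete"
    return keys

if __name__ == "__main__":
    for key in classify_secret_keys(SAMPLE_LISTING):
        print(key["keyid"], key["layout"], key["uids"])
```
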

I am not against moving to another client that is fully GPG compatible. Do you have any suggestions/ideas you’ve tested?

1 Like

Personally, I started to look at lists like https://www.openpgp.org/software/ yesterday to get some ideas. I always kept Mutt around, but as it’s text-based (even though you can bind a key to open a graphical browser to display HTML emails), it might be a hard sell for many users.

2 Likes