Digital Signature invalid after reinstalling Thunderbird



#1 TanyaC


Posted 05 November 2023 - 10:16 PM

I had to reinstall Thunderbird 52.9.1 after a failed attempt to upgrade.
I have S/Mime certs for most of my email addresses.
I attempt to sign all outgoing messages.
 
I am now getting an error saying the digital signature is not valid as I do not trust the issuer. See image.
 
Have I missed a step?
How do I "trust" the issuer?
 
The certs import into Thunderbird ok, and I can send and receive emails.
The S/Mime certs have to be re-acquired on an annual basis as they are free.
 
 
 



Edited by hamluis, 05 November 2023 - 10:31 PM.
Merged posts/topics - Hamluis.



 


#2 hamluis


Posted 05 November 2023 - 10:27 PM

What version of Windows is installed?  From what I see, 52.9 is a dated version.

 

Louis



#3 TanyaC


Posted 05 November 2023 - 10:37 PM

Yes, it is getting a bit dated.

 

I've tried several times to upgrade but issues with add ons no longer supported that I depend upon kept getting in the way.

My primary need is to be able to send encrypted emails to people who I have certs for and unencrypted for those that don't. There is no easy way to do this in Thunderbird. It's either on or off.

 

GnuGPG/Enigmail/OpenPGP were a no go because of several bugs, so S/Mime with an addon that automates things was my only solution at the time.

 

There are other issues as well, but encryption is the main one.

 

Windows 21H2 19044.3570. Updating Windows is not an option at this time. I will never update downgrade to Windows 11.

I've updated my profile's system details.


Edited by TanyaC, 05 November 2023 - 10:43 PM.


#4 MoxieMomma


Posted 06 November 2023 - 05:52 AM

Hi:

 

Perhaps the Thunderbird gurus here can help:

https://forums.mozillazine.org/viewforum.php?f=39&sid=361d8f4a44cb9389b255957a01ad19ad

 

P.S. I presume you are aware, but -- for others who might read this topic -- Windows 10 21H2 reached End of Servicing in June 2023. And Thunderbird 52.9.1 was released in 2018.  As such, both are severely outdated and insecure, putting your system at risk for malware/ransomware infection, data loss and/or identity theft.



#5 TanyaC


Posted 06 November 2023 - 05:58 AM

Yes, I am aware of the fact that TB is out of date. I've tried to upgrade to 68, 78, 91, 102 and 115 and all have failed to address my needs.

I've also contemplated other clients but I cannot find anything suitable, and I will not use webmail (not that any of them offer what I need anyway).

 

Windows upgrade is not a priority at this time. I have more important things to do, but thanks for the reminder.

 

The last time I had a virus was when I was running Anti-virus software. :)

 

Thanks for the link. Well, that appears to be a no go. Registered, started writing a post and account was suddenly deactivated.

 

I've written to the admin, but they will say "You're using a VPN. All VPN users are untrustworthy...."

 

Disconnecting from the VPN is not allowed.
 


Edited by TanyaC, 06 November 2023 - 06:20 AM.


#6 cryptodan


Posted 07 November 2023 - 05:52 PM

What are your needs that an upgrade fails to address?

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#7 TanyaC


Posted 07 November 2023 - 06:50 PM

Hi, thanks for your reply.

 

I hadn't posted this here as most of these are not security issues.

I'm sorry, there are more than a few.

 

1. Encrypt emails to people for whom I have certs. Do not encrypt to people for whom I don't. This process should be automatic. I am getting on in years and getting forgetful. TB has always been either on or off. There was an add on called Encrypt if possible, but it didn't work. Security settings from address book does.

1a. I often have to refer back to emails from years ago. I recently finished a case where emails going back as far as 2005 were needed. Hence the OP about the digital signatures on these emails being flagged as invalid due to the issuer not being trusted. It worked fine until I upgraded, and even though I restored from a backup, once I got back to 52 the problem was now present.

2. The UI is disgusting and I would like to make changes. However Mozilla have gone to great lengths to prevent this, forcing their view of the world on users. So I will probably end up having to just cope with it.

3. Manually sort folders in the order I want them. I have 12 email addresses. Some with encryption, some without, but all with digital signatures. Email must be kept forever (I have legal reasons for this). And the folders are very organized.

4. I start TB with Windows. I need it going all the time. I want it to start minimized in the system tray. When minimized or closed it goes back to the system tray. With 115 when I open it, it minimizes immediately and I have to open it a second time. Send or read an email then minimize it, then it will go back to the double minimize behavior again.

5. Change the color of the highlight for folders that have unread emails. As I said, I'm getting on in years and I can't see the black highlight very well, so I had a bold rust colored one which was visible to me. 115 breaks that code.

6. I work from home and am on call 24/7. I am required to be connected to a VPN, and an increasing number of businesses are blocking VPN users. Many of my emails get censored, particularly anything to recipients using Microsoft (live.com, outlook.com, hotmail.com), and gmail. Anything with attachments is blocked. In 52 I was getting bounce messages. In 115 I do not. The emails seem to be silently deleted. This may not be related to 115, it might be that Microsoft and Google have just decided to silently censor emails they don't think people should see. I maintain some PCs remotely and often have to send documentation and script updates to them. These seemed to get blocked silently when I was using 115. As I said, could be just a timing thing. I haven't sent any updates recently. I live hours away from my family, and I can't just drop off a thumb drive when I want to send them updates, and postage here is a joke - so email was convenient.

7. Mozilla made a change that everyone must use the dark mode. I cannot read anything when using dark mode. To use light mode you have to find a corresponding theme, and there are very few of them. I'm not good at css so I haven't been able to code my own theme. They think everyone is between the ages of 15-35. They forgot about old people and visually impaired. I am both. In 52 it didn't work that way. I think they made the change in v89. It's not just that it's visually unappealing, the change makes it so some UI elements are impossible for me to see when using a light theme, and totally invisible when using a dark theme.

 

I could do a partial upgrade, say to 78, but in 12 months I'll be in the same place I am now... outdated. Well, even to 78 would be outdated.

 

So I took a look at as many other desktop clients as I could find. I have very limited income so paid services are hard to cover, and with the rapidly rising cost of living even harder to cope with.

 

I do not rely upon cloud services to protect my emails, and I don't want them on remote servers any longer than they have to be. I want to control my own email, and keep it on my systems, which I trust and are backed up 4 times a day.

 

I've tried each new major release as they arrived to see if the encryption issue was resolved, but it was not. All Mozilla did was break addons and made it so they could not be updated, creating holes everywhere for functionality that could no longer be provided. They did the same with Firefox.

 

I wouldn't ask anyone here to address all of these needs. They are off topic, but you asked so I obliged :)


Edited by TanyaC, 07 November 2023 - 06:53 PM.


#8 cryptodan


Posted 07 November 2023 - 07:20 PM

How were these certificates generated?



#9 TanyaC


Posted 07 November 2023 - 07:54 PM

They are from Actalis.it. They are S/Mime certs. They are free and last for 12 months.

https://shop.actalis.com/store/it-en/certificati-s-mime



#10 cryptodan


Posted 07 November 2023 - 08:02 PM

Are they still valid and current?



#11 TanyaC


Posted 07 November 2023 - 08:10 PM

And therein lies the problem.

Valid and current are two different things.

Each year I have to renew a dozen certs. They last for 1 year.

The current cert expires, but it should still be valid.

Emails sent/received used the cert that was current at that time.

What happened after my failed upgrade to 115 was that all emails using expired certs are now showing as invalid as the issuer is not trusted.

Prior to my upgrade attempt they were valid, even though expired.

 

My upgrade process was simple. Image My C:\ drive. Backup the mail and profile folders.

Attempt upgrade.. failed... Backup mail and profile folders from the upgrade and remove them.

Restore my C:\ drive from image and restore profile and mail folders

 

Thunderbird is then broken, requiring an install and reconfigure from scratch

I fear I may have missed a step. How do I "trust" an issuer?



#12 cryptodan


Posted 07 November 2023 - 08:23 PM

Valid means current. Once a certificate becomes expired it's no longer valid and no longer current and is added to a certificate revocation list. You will need all past certs to open any encrypted mail sent with it, and you will need to import the senders certs as well.

Thunderbird is acting as designed. Thunderbird isn't broken.

You will also need to import the new CA root that they offer and send that to your receivers.



#13 TanyaC


Posted 08 November 2023 - 05:40 AM

When I said "valid but expired" I meant that the signature itself was valid, at least from an integrity perspective. I'm not explaining myself well. It's not like they were invalid certificates that failed to sign properly. They were valid and worked.

 

Perhaps I need to go back and learn English properly.

 

"Thunderbird is broken" refers to the state it was in after I restored from backups. Perhaps this will explain it.

I took images and folder backups. I installed 115 and did some tests. There were some issues. I could not resolve quickly so I decided to back out. I took a fresh back up and restored from my original backup. The system was exactly as it was before I started the upgrade.

 

However, when I ran Thunderbird, Lightning was missing and could not be installed. I couldn't access addons or themes. My theme had vanished, all addons were removed and could only be installed from an XPI file. The layout was wrong and I couldn't fix it.

 

This is what I meant by "Thunderbird was broken".

 

I had to spend 6+ hours installing everything from scratch, except the theme which I still haven't figured out how to recover, and that was when the signatures started showing as invalid because issuer is not trusted.

 

 

I have all the past certs. They have been imported without issue. But it says the signature is invalid and the issuer is not trusted. I assume that means Actalis.

Ok, perhaps that's where I went wrong. I didn't import any senders certs. Where would I find them?

Nor did I import a new CA root (I assume "they offer" means Actalis?)

 

I am not having issues reading encrypted emails. They work fine. I'm just seeing "signature is not valid because issuer is untrusted", which I never saw before. Some of these certs are years old, and before I updated to 115 and then restored I've never seen this error.


Edited by TanyaC, 08 November 2023 - 05:47 AM.
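
Added example, not part of any post in this thread: a shell script for the OpenSSL command line (1.1.1 or later assumed) showing that "issuer not trusted" and "certificate expired" are separate S/MIME verification outcomes, and that the first depends only on whether the issuing root is in the trust store used for the check. The CA, the address and the message are constructed for the demo; it exercises OpenSSL's verifier, not Thunderbird's certificate store.

```shell
#!/bin/sh
# Added example: every key and certificate is a throwaway generated here;
# "Demo Mail CA" only stands in for a real S/MIME issuer.
set -eu
W=$(mktemp -d)
cat > "$W/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Mail CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
keyUsage = digitalSignature
extendedKeyUsage = emailProtection
EOF
q() { "$@" >/dev/null 2>&1; }          # run a command quietly
newkey="-newkey rsa:2048 -nodes -config $W/demo.cnf"

# The issuing root (30 days) and an unrelated root that issued nothing.
q openssl req -x509 $newkey -days 30 -keyout "$W/ca.key" -out "$W/ca.pem"
q openssl req -x509 $newkey -subj "/CN=Unrelated CA" -days 30 -keyout "$W/o.key" -out "$W/other.pem"
# Signer certificate valid for one day, then a signed test message.
q openssl req -new $newkey -subj "/CN=sender@example.test" -keyout "$W/u.key" -out "$W/u.csr"
q openssl x509 -req -in "$W/u.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" -set_serial 2 -days 1 -extfile "$W/demo.cnf" -extensions leaf -out "$W/u.pem"
printf 'constructed message body\n' > "$W/body.txt"
q openssl smime -sign -text -in "$W/body.txt" -signer "$W/u.pem" -inkey "$W/u.key" -out "$W/signed.eml"

# verify TRUST_FILE [UNIX_TIME] -> ok | untrusted-issuer | expired | other
verify() {
  t=${2:-$(date +%s)}
  err=$(openssl smime -verify -in "$W/signed.eml" -CAfile "$1" -attime "$t" 2>&1 >/dev/null) \
    && { echo ok; return 0; }
  case $err in
    *"unable to get local issuer certificate"*) echo untrusted-issuer ;;
    *"certificate has expired"*) echo expired ;;
    *) echo other ;;
  esac
}

NOW=$(date +%s)
LATER=$((NOW + 3 * 86400))             # signer cert expired, root still valid
echo "issuer root trusted, checked now:    $(verify "$W/ca.pem" "$NOW")"
echo "issuer root missing from the store:  $(verify "$W/other.pem" "$NOW")"
echo "issuer root trusted, checked later:  $(verify "$W/ca.pem" "$LATER")"
```

The same signed file gives three different results depending only on the trust file and the verification time passed to `-attime`.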


#14 MoxieMomma


Posted 08 November 2023 - 05:59 AM

I'm not certain the solution you seek is attainable, given the circumstances you describe.

Try the TB forum at mozillazine as previously suggested...

https://www.bleepingcomputer.com/forums/t/791142/digital-signature-invalid-after-reinstalling-thunderbird/#entry5578630

There are still folks there who are expert with the nuances of the obsolete versions.

Cheers

#15 TanyaC


Posted 08 November 2023 - 06:05 AM

No worries.

I can't access Mozillazine as they block VPN users and I'm not allowed to disconnect from the VPN because of my work requirements.

I guess I'll just have to live with it.

 

The only issues outstanding after the clean install are:

 

Missing theme.

Digital signatures marked as invalid.

 

Everything else is now working fine.

 

My take away is: NEVER try to upgrade a production machine without having first installed the program to be upgraded on a test machine and tested for a few months to resolve issues. Basic stuff. I'm still kicking myself for just blindly trusting that things would work :)





