
Migrate from Enigmail to Thunderbird 78's built-in OpenPGP support

Parent Task: #17148 (closed)

The next Thunderbird ESR after v68 will have its own OpenPGP support and Enigmail will go away.

Cost/benefit

See https://tails.boum.org/blueprint/user_survey/ (#17821 (closed)).

Upstream resources and timeline

The first upstream stable release with this new feature and the Enigmail migrator should be 78.0, which is planned to be released on 2020-06-30. But:

Upgrade notes

  • There is an optional way to use GnuPG — and thus the GnuPG keyring — for secret key operations: mail.openpgp.allow_external_gnupg. It's meant for smartcard users but can actually be used for private keys stored in the GnuPG keyring. This could be good for the first iteration, especially if Enigmail 2.2.x is not available yet in Debian. It might even be that we want to stick with this compatibility mode until we figure out what to do about the master password issue (see below).
  • In the default case, when mail.openpgp.allow_external_gnupg is disabled, one needs Enigmail 2.2.x to import GnuPG keys and previous Enigmail settings into Thunderbird. We should check if there's a plan to get it into Debian.
  • The workflow of sending encrypted email has changed a lot. The default is weaker than what we had with Enigmail: no encryption unless asked for per message; the alternative is nicer when sending mainly encrypted email, but makes it a bit painful to send cleartext ones (which I suppose is both a good and a bad thing). We should probably, somehow, suggest that users enable the "require encryption" model, or enable it by default once the migration is done. It's a per-account setting.
  • "protected headers" are enabled by default, even when they were disabled in Enigmail (to be verified). I could disable them by setting temp.openpgp.protectedHeaders to 0.
  • All trust built in GnuPG in other people's public keys is lost and must be configured from scratch on a key-by-key basis, the first time a public key is used.

Drawbacks of using Thunderbird's OpenPGP implementation and keyring for secret key operations

  • When importing from the GnuPG keyring, the user is asked for their passphrase, and then their private key is stored in Thunderbird's key store (key4.db), that is:
    • If they have set a Thunderbird master password, the key will be encrypted on disk, and typing the master password will be required on first use.
    • Else, if no Thunderbird master password is set, then the key will be stored in cleartext on disk, and usable without typing any passphrase.
  • Offline master keys are not supported yet. But presumably the sort of users who do that can enable mail.openpgp.allow_external_gnupg themselves.
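As an added illustration of the two knobs discussed in the upgrade notes and the drawbacks above (this is example code written for this page, not Tails or Thunderbird code), the script below reads a Thunderbird prefs.js, finds the configured mail identities, and renders a user.js that keeps secret key operations in the GnuPG keyring (mail.openpgp.allow_external_gnupg, from the notes above), switches every identity to the "require encryption" model, and optionally turns protected headers off (temp.openpgp.protectedHeaders, also from the notes above). The per-identity pref name mail.identity.idN.encryptionpolicy (0 = never, 2 = required) is a Thunderbird pref that is not mentioned in this issue and is used here as an assumption; the prefs.js content is a constructed sample, not taken from a real profile.

```python
"""Render a Thunderbird user.js applying the migration choices discussed above.

Example code for this page, not part of Tails or Thunderbird. Assumed pref
name: mail.identity.idN.encryptionpolicy (0 = never encrypt, 2 = require).
"""
import re
from typing import Dict, List, Optional, Union

PrefValue = Union[bool, int, str]

# One Thunderbird pref line looks like: user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js (not from a real profile): two identities,
# GnuPG compatibility mode off, protected headers on.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("mail.identity.id1.useremail", "alice@example.org");
user_pref("mail.identity.id1.fullName", "Alice Example");
user_pref("mail.identity.id2.useremail", "alice-work@example.net");
user_pref("mail.openpgp.allow_external_gnupg", false);
user_pref("temp.openpgp.protectedHeaders", 1);
"""


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js/user.js content into a {name: value} dict."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1].replace('\\"', '"')
        else:
            prefs[name] = int(raw)
    return prefs


def identity_ids(prefs: Dict[str, PrefValue]) -> List[str]:
    """Identity ids (e.g. 'id1') that have an e-mail address configured."""
    ids = set()
    for name in prefs:
        m = re.match(r"^mail\.identity\.(id\d+)\.useremail$", name)
        if m:
            ids.add(m.group(1))
    return sorted(ids, key=lambda s: int(s[2:]))


def format_pref(name: str, value: PrefValue) -> str:
    """Render one pref in user.js syntax (bool is checked before int on purpose)."""
    if isinstance(value, bool):
        rendered = "true" if value else "false"
    elif isinstance(value, int):
        rendered = str(value)
    else:
        rendered = '"' + value.replace('"', '\\"') + '"'
    return f'user_pref("{name}", {rendered});'


def migration_prefs(prefs: Dict[str, PrefValue], external_gnupg: bool = True,
                    require_encryption: bool = True,
                    protected_headers: Optional[bool] = None) -> Dict[str, PrefValue]:
    """Compute the prefs to write for the migration described on this page."""
    out: Dict[str, PrefValue] = {}
    # Keep secret key operations in the GnuPG keyring (compatibility mode).
    out["mail.openpgp.allow_external_gnupg"] = external_gnupg
    if require_encryption:
        # Assumed pref: 2 means "require encryption" for that identity.
        for ident in identity_ids(prefs):
            out[f"mail.identity.{ident}.encryptionpolicy"] = 2
    if protected_headers is not None:
        out["temp.openpgp.protectedHeaders"] = 1 if protected_headers else 0
    return out


def render_user_js(prefs: Dict[str, PrefValue], **kwargs) -> str:
    """Serialise the migration prefs as a user.js file body."""
    chosen = migration_prefs(prefs, **kwargs)
    return "\n".join(format_pref(n, v) for n, v in sorted(chosen.items())) + "\n"


if __name__ == "__main__":
    print(render_user_js(parse_prefs(SAMPLE_PREFS_JS), protected_headers=False))
```

Dropping the rendered text into the profile's user.js makes Thunderbird apply it on next start; because user.js is re-applied every launch, it also pins the settings against later accidental changes in the UI.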

Related issues

Originally created by @intrigeri on #17147 (Redmine)

Edited by intrigeri