161908 – Certificate Chooser shows only one X.509 per email

Bug 161908 - Certificate Chooser shows only one X.509 per email

Summary: Certificate Chooser shows only one X.509 per email

Status:	UNCONFIRMED

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	LibreOffice (show other bugs)
Version: (earliest affected)	4.0.6.2 release
Hardware:	All All

Importance:	medium normal
Assignee:	Not Assigned

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	Digital-Signatures
	Show dependency tree / graph

Reported:	2024-07-05 10:46 UTC by Moritz Duge (Collabora) (a.k.a. kolAflash)
Modified:	2025-11-24 16:58 UTC (History)
CC List:	1 user (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Moritz Duge (Collabora) (a.k.a. kolAflash) 2024-07-05 10:46:49 UTC

If the Mozilla profile (Thunderbird/Firefox/Seamonkey) has more than one X.509 certificate for the same email address, the Certificate Chooser shows only one X.509 for that email

It's unclear which certificate is being shown. Maybe the one imported into Thunderbird first.

Deleting old X.509 certificates from Mozilla isn't a viable option. Outdated X.509 certificates must be kept in Thunderbird to be able to read old encrypted mails.


Moved this problem into this new bug from bug 158839 comment 1, because it's actually not GPG related.

Fixing this is a little impeded by bug 161872:
regression: ODF X.509 signing doesn't work since libxmlsec 1.2.37 -> 1.3.1 (edit) 

Impedes development of bug 113192:
[Digital-Signatures][OpenPGP] There's too few indication of which key is which in the Certificate Chooser

Comment 1 Timur 2025-03-25 11:30:54 UTC

I did not confirm this in Select Certificate dialog which used Thunderbird with two cetificates from the same issuer, one expired and one valid.

Comment 2 Buovjaga 2025-11-23 17:19:20 UTC

(In reply to Timur from comment #1)
> I did not confirm this in Select Certificate dialog which used Thunderbird
> with two cetificates from the same issuer, one expired and one valid.

Moritz: per this comment, do you still see the issue?

Comment 3 Moritz Duge (Collabora) (a.k.a. kolAflash) 2025-11-24 13:30:23 UTC

Yes, it's still broken.

tested: PDF signing and ODF signing
build: 2025-11-17, 26.2.0.0.alpha0+
https://git.libreoffice.org/core/+/31f7e5adee4dc599987d169493bd260f84554203
OS: Debian-13
freshly created Mozilla profile by: Thunderbird 1:140.5.0esr-1~deb13u1

If someone likes to work on this, send me an email and I can share my screen to demonstrate the issue.


Unfortunately there's another bug interfering. After selecting another Mozilla profile for certificates via
  Tools => Options => Security => Certificate
LibreOffice should ask for a restart. But it only does so if at least one document was opened (and optionally closed) before.
Without a restart, even without a document opened, LibreOffice will continue to use the previously selected Mozilla profile until restart.

Comment 4 Buovjaga 2025-11-24 13:33:27 UTC

Can you try with bibisect repos, if this is a bibisectable regression?

Comment 5 Moritz Duge (Collabora) (a.k.a. kolAflash) 2025-11-24 16:45:39 UTC

The bug showing only one X.509 certificate per email address exists at least since LibreOffice-4.0.6.2. I didn't test older versions.

The restart dialog (when not opening a document) is missing since:
https://git.libreoffice.org/core/+/b1d0d0cf866ac7235cd23ff862a8f2e9085148d8%5E%21/
[API CHANGE] Move NSS profile handling into NSS service


Hint:
Old LibreOffice versions like 4.0 seem to have an additional bug, showing only the most recently created Thunderbird profile. And I used Thunderbird-17.0.11esr to create the Mozilla profile.
https://archive.mozilla.org/pub/thunderbird/releases/17.0.11esr/linux-x86_64/en-US/