diff --git a/pkgs/applications/networking/mailreaders/thunderbird/default.nix b/pkgs/applications/networking/mailreaders/thunderbird/default.nix
index ac8eb2f811b..8a2c891c16b 100644
--- a/pkgs/applications/networking/mailreaders/thunderbird/default.nix
+++ b/pkgs/applications/networking/mailreaders/thunderbird/default.nix
@@ -15,6 +15,8 @@
 , glib
 , gnugrep
 , gnused
+, gnupg
+, gpgme
 , icu
 , jemalloc
 , lib
@@ -288,6 +290,15 @@ stdenv.mkDerivation rec {
     rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl
   '';
 
+  # Note on GPG support:
+  # Thunderbird's native GPG support does not yet support smartcards.
+  # The official upstream recommendation is to configure fall back to gnupg
+  # using the Thunderbird config `mail.openpgp.allow_external_gnupg`
+  # and GPG keys set up; instructions with pictures at:
+  # https://anweshadas.in/how-to-use-yubikey-or-any-gpg-smartcard-in-thunderbird-78/
+  # For that to work out of the box, it requires `gnupg` on PATH and
+  # `gpgme` in `LD_LIBRARY_PATH`; we do this below.
+
   preFixup = ''
     # Needed to find Mozilla runtime
     gappsWrapperArgs+=(
@@ -297,6 +308,8 @@ stdenv.mkDerivation rec {
       --set SNAP_NAME "thunderbird"
       --set MOZ_LEGACY_PROFILES 1
       --set MOZ_ALLOW_DOWNGRADE 1
+      --prefix PATH : "${lib.getBin gnupg}/bin"
+      --prefix LD_LIBRARY_PATH : "${lib.getLib gpgme}/lib"
     )
   '';