Re: decrypt and trusting certs



On 10/04/2012 08:36:36 PM, Albrecht Dreß wrote:
[re-sending w/ smaller screen shots]

Dear Michael:

On 04.10.12 08:47 Michael Diener wrote:
I did have to adjust the build options as the Debian package does not natively support S/MIME. The weird part is that I am able to decrypt a few messages. I can't really determine what works and what not. I don't think that it's a problem with the package on a build level as everything else works (encrypting messages works too).

Are you sure this is necessary?  Please check first with

	sudo apt-get install gpgsm gnupg2 dirmngr gnupg-agent

if you have the proper versions of the basic tools (and all dependencies) installed.

I checked again and yes, Balsa is not compiled with S/MIME support enabled on Debian wheezy. But that's no problem. Check out the source, change the flag and pack it again. It's true that it states on the command line that it supports S/MIME but when I try to read a mail with S/MIME signed or encrypted, Balsa tells me it can't read inline signed or encrypted mails because it was not compiled this way.
However, I did not have gnupg2 installed.


If all tools are there, can you please try to run Balsa from a terminal, and put gpgme (which is the "glue layer" between balsa and gpgsm, which in turn handles CMS/smime) into debugging mode:

	GPGME_DEBUG=5:gpgme-balsa.log balsa

Then look into gpgme-balsa.log, if it gives you more insight. If you want to debug the gpgsm operation itself, put a line reading

	log-file /home/my_home_dir/mygpgsm.log

into the file ~/.gnupg/gpgsm.conf, which will dump more information to this file.

Balsa will also print upon startup which crypto apps the gpgme library uses, like

---8<--------------------------------------------------------------------------------
** Message: init gpgme version 1.2.0
** Message: protocol OpenPGP: engine /usr/bin/gpg2 (home (null), version 2.0.17)
** Message: protocol CMS: engine /usr/bin/gpgsm (home (null), version 2.0.17)
** Message: protocol (null): engine /usr/bin/gpgconf (home (null), version 2.0.17)
** Message: protocol Assuan: engine /tmp/gpg-FalH4K/S.gpg-agent (home !GPG_AGENT, version 1.0)
** Message: gpg-agent found: /tmp/gpg-FalH4K/S.gpg-agent:2156:1
** Message: OpenPGP protocol supported
** Message: CMS (aka S/MIME) protocol supported
---8<--------------------------------------------------------------------------------


That worked rather well and my output looks like this:
** Message: init gpgme version 1.2.0
** Message: protocol OpenPGP: engine /usr/bin/gpg (home (null), version 1.4.12)
** Message: protocol CMS: engine /usr/bin/gpgsm (home (null), version 2.0.19)
** Message: protocol (null): engine /usr/bin/gpgconf (home (null), version 2.0.19)
** Message: protocol Assuan: engine /tmp/gpg-HGqMPl/S.gpg-agent (home !GPG_AGENT, version 1.0)
** Message: gpg-agent found: /tmp/gpg-HGqMPl/S.gpg-agent:5950:1
** Message: OpenPGP protocol supported
** Message: CMS (aka S/MIME) protocol supported
Status: Connected (1349419291)

There seems to be no error in the gpg me log. I see that balsa is using gpg and not gpg2, might this cause some errors?

The other thing I noticed is that there are a lot of certificates which are valid, but I apparently don't trust them (VeriSign, etc.). It would be nice if there were an easy way to trust all the authorities in /usr/share/ca-certificates (or something along that line).

This is done by gpgsm/dirmngr which in turn tells pinentry to verify the certificate, if you have 'allow-mark-trusted' in your gpg-agent.conf file. When I first saw your message, the two attached pinentry dialogues popped up. If you accept them, signatures signed through this (root) cert are *always* trusted (green).

Note that you should have the options

---8<--------------------------------------------------------------------------------
enable-crl-checks
enable-trusted-cert-crl-check
---8<--------------------------------------------------------------------------------

in your ~/.gnupg/gpgsm.conf, so certificates are checked against the CRLs (this is however annoying if you work offline, i.e. without a chance to check the CRLs).

AFAIK Balsa is using the user's GPG infrastructure (yours!) which is normally managed by some separate program, e.g. Seahorse in the GNOME DE (visible as "Passwords and Keys" in the app menu). So just do what you want in e.g. Seahorse and Balsa should normally "see" that.

Do not use the Seahorse agent. That application is crap. It has issues dealing with s/mime certs. Just use gpg-agent and pinentry (in the flavour you like, typically pinentry-gtk2). Be sure to have a proper ~/.gnupg/gpg-agent.conf file, like

---8<--------------------------------------------------------------------------------
debug-level none
default-cache-ttl 10800
pinentry-program /usr/bin/pinentry-gtk-2
allow-mark-trusted
lc-ctype de_DE.UTF-8 # use the proper locale for your environment
lc-messages de_DE.UTF-8		# ditto
---8<--------------------------------------------------------------------------------


I added all these entries (I had disable-crl-checks in my config file) but it didn't change the behaviour. For example when I click on your mail no pop-ups are shown and when I try to validate the certificate (with the validate button) I get the following error on the console:

** Message: could not retrieve the key with fingerprint 9FFF6E9CD027FFD1: GPGME: End of file

Now when I go to the console and run gpgsm -k --with-validation I get a ton of error messages from dirmngr. A lot of them stating command LOOKUP failed: Not found. And a lot of my certificates are marked with Configuration Error or Not Trusted, however, I was never asked if I want to trust them or not (and yes, I do have allow-mark-trusted in my gpg-agent.conf).

I couldn't find out how Balsa is using my GPG infrastructure.

Have a look at the 'Ägypten' project page <http://www.gnupg.org/aegypten/tech.en.html>, and replace the yellow box reading 'mutt' by 'balsa'. This gives the full picture for S/MIME.

For PGP/GnuPG, just replace GpgSM by gpg2. Gpg2 basically has the same (blue) communication connections, with the exception of Dirmngr. As it builds on the "web of trust", it has a different trust model which builds completely on the local key store and key servers on the web.

Hope this helps,
Albrecht.

Attached you can find the gpgme log. Since today (after installing gpg2) I can't seem to be able to sign mails anymore. You can see in the gpgme log that there is a "general error".

Thanks a lot for the help, Albrecht! I really appreciate that!

Kind regards,
Michael
gpgme_debug: level=5
gpgme_check_version_internal:  (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version:  (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_set_locale (ctx=0x0): enter: category=0, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_set_locale (ctx=0x0): enter: category=5, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_check_version_internal:  (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version:  (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_debug: level=5
gpgme_check_version_internal:  (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version:  (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_set_locale (ctx=0x0): enter: category=0, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_set_locale (ctx=0x0): enter: category=5, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_check_version_internal:  (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version:  (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_new (r_ctx=0x18031c8): enter
gpgme_new (r_ctx=0x18031c8): leave: ctx=0x14a05a0
gpgme_set_protocol (ctx=0x14a05a0): enter: protocol=1 (CMS)
gpgme_set_protocol (ctx=0x14a05a0): leave
engine-gpgsm:add_io_cb (gpgsm=0x14a0670): enter: fd 22, dir 1
_gpgme_add_io_cb (ctx=0x14a05a0): call: fd 22, dir=1 -> tag=0x146e990
engine-gpgsm:add_io_cb (gpgsm=0x14a0670): leave
gpgme:gpgsm_io_event (gpgsm=0x14a0670): call: event 0x7fb686ddad20, type 0, type_data (nil)
_gpgme_run_io_cb (item=0x13a0020): call: need to check
_gpgme_run_io_cb (item=0x13a0020): call: handler (0x14a0670, 22)
gpgme:status_handler (gpgsm=0x14a0670): call: fd 0x16: OK line - final status: ok
_gpgme_remove_io_cb (data=0x146e990): call: setting fd 0x16 (item=0x13a0020) done
gpgme:gpgsm_io_event (gpgsm=0x14a0670): call: event 0x7fb686ddad20, type 1, type_data 0x7fff018030ec
gpgme_release (ctx=0x14a05a0): call
gpgme_sig_notation_clear (ctx=0x14a05a0): call
gpgme_new (r_ctx=0x1802f28): enter
gpgme_new (r_ctx=0x1802f28): leave: ctx=0x14a6740
gpgme_set_protocol (ctx=0x14a6740): enter: protocol=1 (CMS)
gpgme_set_protocol (ctx=0x14a6740): leave
engine-gpgsm:add_io_cb (gpgsm=0x14a6a20): enter: fd 23, dir 1
_gpgme_add_io_cb (ctx=0x14a6740): call: fd 23, dir=1 -> tag=0x14af8c0
engine-gpgsm:add_io_cb (gpgsm=0x14a6a20): leave
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 0, type_data (nil)
_gpgme_run_io_cb (item=0x14af970): call: need to check
_gpgme_run_io_cb (item=0x14af970): call: handler (0x14a6a20, 23)
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = (nil), line = crs::2048:1:DC59E624B5A19023:20100326T082325:20140325T082325:013C::1.2.840.113549.1.9.1=#73797361646D696E406675747572656C61622E6368,CN=Signing Departement,O=futureLAB AG,L=Winterthur,ST=Zurich,C=CH::escESC:
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = fpr:::::::::D31040B0E195727A13748AA6DC59E624B5A19023:::EFDD8BD61DB16E7986B4BB37D0F24780B7D998BB:
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = uid:::::::::CN=mdiener futurelab ch,OU=Engineering,O=futureLAB AG,L=Winterthur,ST=Zurich,C=CH::
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = uid:::::::::<mdiener futurelab ch>::
gpgme:status_handler (gpgsm=0x14a6a20): call: fd 0x17: D line; final status: ok
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = (null)
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 2, type_data 0x14afd20
gpgme:status_handler (gpgsm=0x14a6a20): call: fd 0x17: OK line - final status: ok
_gpgme_remove_io_cb (data=0x14af8c0): call: setting fd 0x17 (item=0x14af970) done
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 1, type_data 0x7fff01802e1c
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 1, type_data 0x7fff01802e1c
gpgme_set_armor (ctx=0x14a6740): call: use_armor=0 (no)
gpgme_op_sign_start (ctx=0x14a6740): enter: plain=0x14b0070, sig=0x14b10c0, mode=1
gpgme_op_sign_start (ctx=0x14a6740): error: General error <GPGME>
gpgme_data_release (dh=0x14b0070): call
gpgme_data_release (dh=0x14b10c0): call
gpgme_release (ctx=0x14a6740): call
gpgme_sig_notation_clear (ctx=0x14a6740): call
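
The thread turns on what `gpgsm -k --with-validation` reports per certificate ("Not Trusted", missing issuers, the `allow-mark-trusted` trustlist) and the attached log shows gpgsm's colon-format keylist records. The following is an added example, not code from the thread, Balsa or GnuPG: a small Python reader for `gpgsm -k --with-colons [--with-validation]` output that explains each certificate's validity letter, expiry and chain position, and emits the `~/.gnupg/trustlist.txt` lines that marking a root as trusted would produce. Field positions and validity letters follow GnuPG's doc/DETAILS. The `crs`/`fpr`/`uid` records for the signing certificate are copied verbatim from the gpgme log above; the root, intermediate and orphan records, their key IDs and all-zero fingerprints, and the reference date `THREAD_DATE` are constructed for illustration.

```python
"""Interpret `gpgsm -k --with-colons [--with-validation]` output.

Added example for this thread; not code from Balsa or GnuPG.  Field layout
and validity letters follow GnuPG's doc/DETAILS.  gpgsm escapes ':' inside
field values as \\x3a, so a plain split on ':' is safe.
"""
from datetime import datetime, timezone

# Field 2 validity letters (doc/DETAILS).  An empty field means gpgsm ran
# without --with-validation, i.e. nothing has been checked at all.
VALIDITY = {
    "o": "unknown (new)", "i": "invalid", "d": "disabled", "r": "revoked",
    "e": "expired", "-": "unknown validity", "q": "undefined validity",
    "n": "not valid", "m": "marginally valid", "f": "fully valid",
    "u": "ultimately valid", "": "not checked (run with --with-validation)",
}
BAD = {"i", "d", "r", "e", "n"}
THREAD_DATE = datetime(2012, 10, 5, tzinfo=timezone.utc)  # assumed reference date

def parse_ts(s):
    """gpgsm writes ISO 8601 basic format (20100326T082325, UTC); older
    versions wrote seconds since the epoch."""
    if not s:
        return None
    if "T" in s:
        return datetime.strptime(s, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(s), tz=timezone.utc)

def parse_keylist(text):
    """Group each crt/crs record with the fpr and uid lines that follow it."""
    certs, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("crt", "crs"):          # crt = certificate, crs = with secret key
            cur = {"secret": f[0] == "crs", "validity": f[1], "keyid": f[4],
                   "created": parse_ts(f[5]), "expires": parse_ts(f[6]),
                   "serial": f[7], "subject": f[9],
                   "fpr": None, "issuer_fpr": None, "uids": []}
            certs.append(cur)
        elif f[0] == "fpr" and cur is not None:
            cur["fpr"] = f[9]                # field 10: SHA-1 fingerprint
            # Field 13: fingerprint of the issuer certificate, filled only when
            # that certificate is in the keybox; equal to field 10 for a root.
            cur["issuer_fpr"] = f[12] if len(f) > 12 and f[12] else None
        elif f[0] == "uid" and cur is not None:
            cur["uids"].append(f[9])
    return certs

def is_root(cert):
    return cert["fpr"] is not None and cert["fpr"] == cert["issuer_fpr"]

def problems(cert, now=THREAD_DATE):
    """Reasons gpgsm would not treat this certificate as trusted."""
    out = []
    if cert["validity"] in BAD or cert["validity"] == "":
        out.append(VALIDITY[cert["validity"]])
    if cert["expires"] is not None and cert["expires"] < now:
        out.append("expiry date %s is in the past" % cert["expires"].date())
    if cert["issuer_fpr"] is None:
        out.append("issuer certificate not in keybox, chain cannot be built")
    return out

def trustlist_lines(certs):
    """~/.gnupg/trustlist.txt entries for every root ('S' = trusted for
    S/MIME); this is what gpg-agent appends when you answer yes to the
    allow-mark-trusted pinentry dialog."""
    return ["%s S" % c["fpr"] for c in certs if is_root(c)]

# Constructed sample.  The first four lines are copied from the gpgme log in
# the thread; the remaining records (hypothetical CAs, zero fingerprints) are
# made up: a trusted root, an intermediate validated as expired ('e'), and a
# certificate whose issuer is missing from the keybox (empty field 13).
SAMPLE = "\n".join([
    "crs::2048:1:DC59E624B5A19023:20100326T082325:20140325T082325:013C::"
    "1.2.840.113549.1.9.1=#73797361646D696E406675747572656C61622E6368,"
    "CN=Signing Departement,O=futureLAB AG,L=Winterthur,ST=Zurich,C=CH::escESC:",
    "fpr:::::::::D31040B0E195727A13748AA6DC59E624B5A19023:::"
    "EFDD8BD61DB16E7986B4BB37D0F24780B7D998BB:",
    "uid:::::::::CN=mdiener futurelab ch,OU=Engineering,O=futureLAB AG,"
    "L=Winterthur,ST=Zurich,C=CH::",
    "uid:::::::::<mdiener futurelab ch>::",
    "crt:u:2048:1:0123456789ABCDEF:20090101T000000:20290101T000000:01::"
    "CN=Example Root CA,O=Example,C=CH::cCESC:",
    "fpr:::::::::0000000000000000000000000000000000000001:::"
    "0000000000000000000000000000000000000001:",
    "crt:e:2048:1:FEDCBA9876543210:20090101T000000:20110101T000000:02::"
    "CN=Example Intermediate CA,O=Example,C=CH::cCESC:",
    "fpr:::::::::0000000000000000000000000000000000000002:::"
    "0000000000000000000000000000000000000001:",
    "crt:-:2048:1:1111222233334444:20120101T000000:20150101T000000:03::"
    "CN=Orphan,O=Example,C=CH::escESC:",
    "fpr:::::::::0000000000000000000000000000000000000003::::",
])

if __name__ == "__main__":
    certs = parse_keylist(SAMPLE)
    for c in certs:
        kind = "root" if is_root(c) else ("secret" if c["secret"] else "cert")
        print("%s %-6s %s" % (c["keyid"], kind, c["subject"]))
        for p in problems(c):
            print("    ! " + p)
    print("\n".join(trustlist_lines(certs)))
```

Run it against real data with `gpgsm -k --with-colons --with-validation | python3 thisfile.py` after replacing `SAMPLE` with `sys.stdin.read()`; a certificate whose only finding is "issuer certificate not in keybox" needs the CA certificate imported with `gpgsm --import`, whereas one listed with an empty validity letter has simply not been validated yet.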

