Re: decrypt and trusting certs

[Michael Diener <mdiener futurelab ch>]

On 10/04/2012 08:36:36 PM, Albrecht Dreß wrote:
> [re-sending w/ smaller screen shots]
>
> Dear Michael:
>
> Am 04.10.12 08:47 schrieb(en) Michael Diener:
> > I did have to adjust the build options as the Debian package does  
> > not natively support S/MIME. The weird part is that I am able to  
> > decrypt a few messages. I can't really determine what works and what  
> > not. I don't think that it's a problem with the package on a build  
> > level as everything else works (encrypting messages works too).
>
> Are you sure this is necessary?  Please check first with
>
> 	sudo apt-get install gpgsm gnupg2 dirmngr gnupg-agent
>
> if you have the proper versions of the basic tools (and all  
> dependencies) installed.

I checked again and yes, Balsa is not compiled with S/MIME support  
enabled on Debian wheezy. But that's no problem. Check out the source,  
change the flag and pack it again. It's true that it states on the  
command line that it supports S/MIME but when I try to read a mail with  
S/MIME signed or encrypted, Balsa tells me it can't read inline signed  
or encrypted mails because it was not compiled this way.
However, I did not have gnupg2 installed.

> If all tools are there, can you please try to run Balsa from a  
> terminal, and put gpgme (which is the "glue layer" between balsa and  
> gpgsm, which in turn handles CMS/smime) into debugging mode:
>
> 	GPGME_DEBUG=5:gpgme-balsa.log balsa
>
> Then look into gpgme-balsa.log, if it gives you more insight.  If you  
> want to debug the gpgsm operation itself, put a line reading
>
> 	log-file /home/my_home_dir/mygpgsm.log
>
> into the file ~/.gnupg/gpgsm.conf, which will dump more information  
> to this file.
>
> Balsa will also print upon startup which crypto apps the gpgme  
> library uses, like
>
> ---8<--------------------------------------------------------------------------------
> ** Message: init gpgme version 1.2.0
> ** Message: protocol OpenPGP: engine /usr/bin/gpg2 (home (null),  
> version 2.0.17)
> ** Message: protocol CMS: engine /usr/bin/gpgsm (home (null), version  
> 2.0.17)
> ** Message: protocol (null): engine /usr/bin/gpgconf (home (null),  
> version 2.0.17)
> ** Message: protocol Assuan: engine /tmp/gpg-FalH4K/S.gpg-agent (home  
> !GPG_AGENT, version 1.0)
> ** Message: gpg-agent found: /tmp/gpg-FalH4K/S.gpg-agent:2156:1
> ** Message: OpenPGP protocol supported
> ** Message: CMS (aka S/MIME) protocol supported
> ---8<--------------------------------------------------------------------------------

That worked rather well and my output looks like this:
** Message: init gpgme version 1.2.0
** Message: protocol OpenPGP: engine /usr/bin/gpg (home (null), version  
1.4.12)
** Message: protocol CMS: engine /usr/bin/gpgsm (home (null), version  
2.0.19)
** Message: protocol (null): engine /usr/bin/gpgconf (home (null),  
version 2.0.19)
** Message: protocol Assuan: engine /tmp/gpg-HGqMPl/S.gpg-agent (home  
!GPG_AGENT, version 1.0)
** Message: gpg-agent found: /tmp/gpg-HGqMPl/S.gpg-agent:5950:1
** Message: OpenPGP protocol supported
** Message: CMS (aka S/MIME) protocol supported
Status: Connected (1349419291)

There seems to be no error in the gpg me log. I see that balsa is using  
gpg and not gpg2, might this cause some errors?

> > > > The other thing I noticed is, that there are a lot of certificates  
> > > > which are valid, but I apparently don't trust them (VeriSign,  
> > > > etc.). It would be nice if there would be an easy way to trust all  
> > > > the authorities in /usr/share/ca-certificates (or something along  
> > > > that line).
>
> This is done by gpgsm/dirmngr which in turn tells pinentry to verify  
> the certificate, if you have 'allow-mark-trusted' in your  
> gpg-agent.conf file.  When I first saw your message, the two attached  
> pinentry dialogues pop up.  If you accept them, signatures signed  
> through this (root) cert are *always* trusted (green).
>
> Note that you should have the options
>
> ---8<--------------------------------------------------------------------------------
> enable-crl-checks
> enable-trusted-cert-crl-check
> ---8<--------------------------------------------------------------------------------
>
> in your ~/.gnupg/gpgsm.conf, so certificates are checked against the  
> CRL's (this is however annoying if you work offline, i.e. without a  
> chance to check the crl's).
>
> > > AFAIK Balsa is using the user's GPG infrastructure (yours!) which  
> > > is normally managed by some separate program, e.g. Seahorse in  
> > > GNOME DE (can see as "Passwords and Keys" in app menu). So just do  
> > > what you want in e.g. Seahorse and Balsa should normally "see" that.
>
> Do not use the Seahorse agent.  That application is crap.  It has  
> issues dealing with s/mime certs.  Just use gpg-agent and pinentry  
> (in the flavour you like, typically pinentry-gtk2).  Be sure to have  
> a proper ~/.gnupg/gpg-agent.conf file, like
>
> ---8<--------------------------------------------------------------------------------
> debug-level none
> default-cache-ttl 10800
> pinentry-program /usr/bin/pinentry-gtk-2
> allow-mark-trusted
> lc-ctype de_DE.UTF-8		# use the proper locale for your  
> environment
> lc-messages de_DE.UTF-8		# ditto
> ---8<--------------------------------------------------------------------------------

I added all these entries (I had disable-crl-checks in my config file)  
but it didn't change the behaviour. For example when I click on your  
mail no pop-ups are shown and when I try to validate the certificate  
(with the validate button) I get the following error on the console:

** Message: could not retrieve the key with fingerprint  
9FFF6E9CD027FFD1: GPGME: End of file

Now when I go to the console and run gpgsm -k --with-validation I get a  
ton of error messages from dirmngr. A lot of them stating command  
LOOKUP failed: Not found. And a lot of my certificates are marked with  
Configuration Error or Not Trusted, however, I was never asked if I  
want to trust them or not (and yes, I do have allow-mark-trusted in my  
gpg-agent.conf).

> > I couldn't find out how Balsa is using my GPG infrastructure.
>
> Have a look at the 'Ägypten' project page  
> <http://www.gnupg.org/aegypten/tech.en.html>, and replace the yellow  
> box reading 'mutt' by 'balsa'.  This gives the full picture for  
> S/MIME.
>
> For PGP/GnuPG, just replace GpgSM by gpg2.  Gpg2 basically has the  
> same (blue) communication connections, with the exception of  
> Dirmngr.  As it builds on the "web of trust", is has a different  
> trust model which builds completely on the local key store and key  
> servers on the web.
>
> Hope this helps,
> Albrecht.

Atatched you can find the gpgme log. Since today (after isntalling  
gpg2) I can't seem to be able to sign mails anymore. You can see in the  
gpgme log that there is a "general error".

Thanks a lot for the help, Albrecht! I really appreciate that!

Kind regards,
Michael

gpgme_debug: level=5
gpgme_check_version_internal:  (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version:  (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_set_locale (ctx=0x0): enter: category=0, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_set_locale (ctx=0x0): enter: category=5, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_check_version_internal:  (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version:  (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_debug: level=5
gpgme_check_version_internal:  (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version:  (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_set_locale (ctx=0x0): enter: category=0, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_set_locale (ctx=0x0): enter: category=5, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_check_version_internal:  (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version:  (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_new (r_ctx=0x18031c8): enter
gpgme_new (r_ctx=0x18031c8): leave: ctx=0x14a05a0
gpgme_set_protocol (ctx=0x14a05a0): enter: protocol=1 (CMS)
gpgme_set_protocol (ctx=0x14a05a0): leave
engine-gpgsm:add_io_cb (gpgsm=0x14a0670): enter: fd 22, dir 1
_gpgme_add_io_cb (ctx=0x14a05a0): call: fd 22, dir=1 -> tag=0x146e990
engine-gpgsm:add_io_cb (gpgsm=0x14a0670): leave
gpgme:gpgsm_io_event (gpgsm=0x14a0670): call: event 0x7fb686ddad20, type 0, type_data (nil)
_gpgme_run_io_cb (item=0x13a0020): call: need to check
_gpgme_run_io_cb (item=0x13a0020): call: handler (0x14a0670, 22)
gpgme:status_handler (gpgsm=0x14a0670): call: fd 0x16: OK line - final status: ok
_gpgme_remove_io_cb (data=0x146e990): call: setting fd 0x16 (item=0x13a0020) done
gpgme:gpgsm_io_event (gpgsm=0x14a0670): call: event 0x7fb686ddad20, type 1, type_data 0x7fff018030ec
gpgme_release (ctx=0x14a05a0): call
gpgme_sig_notation_clear (ctx=0x14a05a0): call
gpgme_new (r_ctx=0x1802f28): enter
gpgme_new (r_ctx=0x1802f28): leave: ctx=0x14a6740
gpgme_set_protocol (ctx=0x14a6740): enter: protocol=1 (CMS)
gpgme_set_protocol (ctx=0x14a6740): leave
engine-gpgsm:add_io_cb (gpgsm=0x14a6a20): enter: fd 23, dir 1
_gpgme_add_io_cb (ctx=0x14a6740): call: fd 23, dir=1 -> tag=0x14af8c0
engine-gpgsm:add_io_cb (gpgsm=0x14a6a20): leave
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 0, type_data (nil)
_gpgme_run_io_cb (item=0x14af970): call: need to check
_gpgme_run_io_cb (item=0x14af970): call: handler (0x14a6a20, 23)
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = (nil), line = crs::2048:1:DC59E624B5A19023:20100326T082325:20140325T082325:013C::1.2.840.113549.1.9.1=#73797361646D696E406675747572656C61622E6368,CN=Signing Departement,O=futureLAB AG,L=Winterthur,ST=Zurich,C=CH::escESC:
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = fpr:::::::::D31040B0E195727A13748AA6DC59E624B5A19023:::EFDD8BD61DB16E7986B4BB37D0F24780B7D998BB:
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = uid:::::::::CN=mdiener futurelab ch,OU=Engineering,O=futureLAB AG,L=Winterthur,ST=Zurich,C=CH::
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = uid:::::::::<mdiener futurelab ch>::
gpgme:status_handler (gpgsm=0x14a6a20): call: fd 0x17: D line; final status: ok
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = (null)
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 2, type_data 0x14afd20
gpgme:status_handler (gpgsm=0x14a6a20): call: fd 0x17: OK line - final status: ok
_gpgme_remove_io_cb (data=0x14af8c0): call: setting fd 0x17 (item=0x14af970) done
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 1, type_data 0x7fff01802e1c
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 1, type_data 0x7fff01802e1c
gpgme_set_armor (ctx=0x14a6740): call: use_armor=0 (no)
gpgme_op_sign_start (ctx=0x14a6740): enter: plain=0x14b0070, sig=0x14b10c0, mode=1
gpgme_op_sign_start (ctx=0x14a6740): error: General error <GPGME>
gpgme_data_release (dh=0x14b0070): call
gpgme_data_release (dh=0x14b10c0): call
gpgme_release (ctx=0x14a6740): call
gpgme_sig_notation_clear (ctx=0x14a6740): call