Re: decrypt and trusting certs
- From: Michael Diener <mdiener futurelab ch>
- To: Albrecht Dreß <albrecht dress arcor de>
- Cc: balsa-list gnome org
- Subject: Re: decrypt and trusting certs
- Date: Fri, 05 Oct 2012 08:56:11 +0200
On 10/04/2012 08:36:36 PM, Albrecht Dreß wrote:
> [re-sending w/ smaller screen shots]
> Dear Michael:
> On 04.10.12 08:47 Michael Diener wrote:
>> I did have to adjust the build options as the Debian package does
>> not natively support S/MIME. The weird part is that I am able to
>> decrypt a few messages. I can't really determine what works and what
>> not. I don't think that it's a problem with the package on a build
>> level as everything else works (encrypting messages works too).
> Are you sure this is necessary? Please check first with
> sudo apt-get install gpgsm gnupg2 dirmngr gnupg-agent
> if you have the proper versions of the basic tools (and all
> dependencies) installed.
I checked again and yes, Balsa is not compiled with S/MIME support
enabled on Debian wheezy. But that's no problem. Check out the source,
change the flag and pack it again. It's true that it states on the
command line that it supports S/MIME but when I try to read a mail with
S/MIME signed or encrypted, Balsa tells me it can't read inline signed
or encrypted mails because it was not compiled this way.
However, I did not have gnupg2 installed.
> If all tools are there, can you please try to run Balsa from a
> terminal, and put gpgme (which is the "glue layer" between balsa and
> gpgsm, which in turn handles CMS/smime) into debugging mode:
> GPGME_DEBUG=5:gpgme-balsa.log balsa
> Then look into gpgme-balsa.log, if it gives you more insight. If you
> want to debug the gpgsm operation itself, put a line reading
> log-file /home/my_home_dir/mygpgsm.log
> into the file ~/.gnupg/gpgsm.conf, which will dump more information
> to this file.
> Balsa will also print upon startup which crypto apps the gpgme
> library uses, like
> ---8<--------------------------------------------------------------------------------
> ** Message: init gpgme version 1.2.0
> ** Message: protocol OpenPGP: engine /usr/bin/gpg2 (home (null), version 2.0.17)
> ** Message: protocol CMS: engine /usr/bin/gpgsm (home (null), version 2.0.17)
> ** Message: protocol (null): engine /usr/bin/gpgconf (home (null), version 2.0.17)
> ** Message: protocol Assuan: engine /tmp/gpg-FalH4K/S.gpg-agent (home !GPG_AGENT, version 1.0)
> ** Message: gpg-agent found: /tmp/gpg-FalH4K/S.gpg-agent:2156:1
> ** Message: OpenPGP protocol supported
> ** Message: CMS (aka S/MIME) protocol supported
> ---8<--------------------------------------------------------------------------------
That worked rather well and my output looks like this:
** Message: init gpgme version 1.2.0
** Message: protocol OpenPGP: engine /usr/bin/gpg (home (null), version 1.4.12)
** Message: protocol CMS: engine /usr/bin/gpgsm (home (null), version 2.0.19)
** Message: protocol (null): engine /usr/bin/gpgconf (home (null), version 2.0.19)
** Message: protocol Assuan: engine /tmp/gpg-HGqMPl/S.gpg-agent (home !GPG_AGENT, version 1.0)
** Message: gpg-agent found: /tmp/gpg-HGqMPl/S.gpg-agent:5950:1
** Message: OpenPGP protocol supported
** Message: CMS (aka S/MIME) protocol supported
Status: Connected (1349419291)
There seems to be no error in the gpgme log. I see that balsa is using
gpg and not gpg2, might this cause some errors?
>> The other thing I noticed is, that there are a lot of certificates
>> which are valid, but I apparently don't trust them (VeriSign,
>> etc.). It would be nice if there would be an easy way to trust all
>> the authorities in /usr/share/ca-certificates (or something along
>> that line).
> This is done by gpgsm/dirmngr which in turn tells pinentry to verify
> the certificate, if you have 'allow-mark-trusted' in your
> gpg-agent.conf file. When I first saw your message, the two attached
> pinentry dialogues pop up. If you accept them, signatures signed
> through this (root) cert are *always* trusted (green).
> Note that you should have the options
> ---8<--------------------------------------------------------------------------------
> enable-crl-checks
> enable-trusted-cert-crl-check
> ---8<--------------------------------------------------------------------------------
> in your ~/.gnupg/gpgsm.conf, so certificates are checked against the
> CRL's (this is however annoying if you work offline, i.e. without a
> chance to check the crl's).
>> AFAIK Balsa is using the user's GPG infrastructure (yours!) which
>> is normally managed by some separate program, e.g. Seahorse in
>> GNOME DE (can see as "Passwords and Keys" in app menu). So just do
>> what you want in e.g. Seahorse and Balsa should normally "see" that.
> Do not use the Seahorse agent. That application is crap. It has
> issues dealing with s/mime certs. Just use gpg-agent and pinentry
> (in the flavour you like, typically pinentry-gtk2). Be sure to have
> a proper ~/.gnupg/gpg-agent.conf file, like
> ---8<--------------------------------------------------------------------------------
> debug-level none
> default-cache-ttl 10800
> pinentry-program /usr/bin/pinentry-gtk-2
> allow-mark-trusted
> lc-ctype de_DE.UTF-8 # use the proper locale for your environment
> lc-messages de_DE.UTF-8 # ditto
> ---8<--------------------------------------------------------------------------------
I added all these entries (I had disable-crl-checks in my config file)
but it didn't change the behaviour. For example when I click on your
mail no pop-ups are shown and when I try to validate the certificate
(with the validate button) I get the following error on the console:
** Message: could not retrieve the key with fingerprint 9FFF6E9CD027FFD1: GPGME: End of file
Now when I go to the console and run gpgsm -k --with-validation I get a
ton of error messages from dirmngr. A lot of them stating command
LOOKUP failed: Not found. And a lot of my certificates are marked with
Configuration Error or Not Trusted, however, I was never asked if I
want to trust them or not (and yes, I do have allow-mark-trusted in my
gpg-agent.conf).
>> I couldn't find out how Balsa is using my GPG infrastructure.
> Have a look at the 'Ägypten' project page
> <http://www.gnupg.org/aegypten/tech.en.html>, and replace the yellow
> box reading 'mutt' by 'balsa'. This gives the full picture for
> S/MIME.
> For PGP/GnuPG, just replace GpgSM by gpg2. Gpg2 basically has the
> same (blue) communication connections, with the exception of
> Dirmngr. As it builds on the "web of trust", it has a different
> trust model which builds completely on the local key store and key
> servers on the web.
> Hope this helps,
> Albrecht.
Attached you can find the gpgme log. Since today (after installing
gpg2) I can't seem to be able to sign mails anymore. You can see in the
gpgme log that there is a "general error".
Thanks a lot for the help, Albrecht! I really appreciate that!
Kind regards,
Michael
gpgme_debug: level=5
gpgme_check_version_internal: (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version: (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_set_locale (ctx=0x0): enter: category=0, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_set_locale (ctx=0x0): enter: category=5, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_check_version_internal: (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version: (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_debug: level=5
gpgme_check_version_internal: (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version: (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_set_locale (ctx=0x0): enter: category=0, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_set_locale (ctx=0x0): enter: category=5, value=en_US.UTF-8
gpgme_set_locale (ctx=0x0): leave
gpgme_check_version_internal: (0=0x0): call: req_version=(null), offset_sig_validity=60
gpgme_check_version: (0=0x0): call: req_version=(null), VERSION=1.2.0
gpgme_new (r_ctx=0x18031c8): enter
gpgme_new (r_ctx=0x18031c8): leave: ctx=0x14a05a0
gpgme_set_protocol (ctx=0x14a05a0): enter: protocol=1 (CMS)
gpgme_set_protocol (ctx=0x14a05a0): leave
engine-gpgsm:add_io_cb (gpgsm=0x14a0670): enter: fd 22, dir 1
_gpgme_add_io_cb (ctx=0x14a05a0): call: fd 22, dir=1 -> tag=0x146e990
engine-gpgsm:add_io_cb (gpgsm=0x14a0670): leave
gpgme:gpgsm_io_event (gpgsm=0x14a0670): call: event 0x7fb686ddad20, type 0, type_data (nil)
_gpgme_run_io_cb (item=0x13a0020): call: need to check
_gpgme_run_io_cb (item=0x13a0020): call: handler (0x14a0670, 22)
gpgme:status_handler (gpgsm=0x14a0670): call: fd 0x16: OK line - final status: ok
_gpgme_remove_io_cb (data=0x146e990): call: setting fd 0x16 (item=0x13a0020) done
gpgme:gpgsm_io_event (gpgsm=0x14a0670): call: event 0x7fb686ddad20, type 1, type_data 0x7fff018030ec
gpgme_release (ctx=0x14a05a0): call
gpgme_sig_notation_clear (ctx=0x14a05a0): call
gpgme_new (r_ctx=0x1802f28): enter
gpgme_new (r_ctx=0x1802f28): leave: ctx=0x14a6740
gpgme_set_protocol (ctx=0x14a6740): enter: protocol=1 (CMS)
gpgme_set_protocol (ctx=0x14a6740): leave
engine-gpgsm:add_io_cb (gpgsm=0x14a6a20): enter: fd 23, dir 1
_gpgme_add_io_cb (ctx=0x14a6740): call: fd 23, dir=1 -> tag=0x14af8c0
engine-gpgsm:add_io_cb (gpgsm=0x14a6a20): leave
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 0, type_data (nil)
_gpgme_run_io_cb (item=0x14af970): call: need to check
_gpgme_run_io_cb (item=0x14af970): call: handler (0x14a6a20, 23)
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = (nil), line = crs::2048:1:DC59E624B5A19023:20100326T082325:20140325T082325:013C::1.2.840.113549.1.9.1=#73797361646D696E406675747572656C61622E6368,CN=Signing Departement,O=futureLAB AG,L=Winterthur,ST=Zurich,C=CH::escESC:
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = fpr:::::::::D31040B0E195727A13748AA6DC59E624B5A19023:::EFDD8BD61DB16E7986B4BB37D0F24780B7D998BB:
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = uid:::::::::CN=mdiener futurelab ch,OU=Engineering,O=futureLAB AG,L=Winterthur,ST=Zurich,C=CH::
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = uid:::::::::<mdiener futurelab ch>::
gpgme:status_handler (gpgsm=0x14a6a20): call: fd 0x17: D line; final status: ok
gpgme:keylist_colon_handler (ctx=0x14a6740): call: key = 0x14afd20, line = (null)
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 2, type_data 0x14afd20
gpgme:status_handler (gpgsm=0x14a6a20): call: fd 0x17: OK line - final status: ok
_gpgme_remove_io_cb (data=0x14af8c0): call: setting fd 0x17 (item=0x14af970) done
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 1, type_data 0x7fff01802e1c
gpgme:gpgsm_io_event (gpgsm=0x14a6a20): call: event 0x7fb686ddad20, type 1, type_data 0x7fff01802e1c
gpgme_set_armor (ctx=0x14a6740): call: use_armor=0 (no)
gpgme_op_sign_start (ctx=0x14a6740): enter: plain=0x14b0070, sig=0x14b10c0, mode=1
gpgme_op_sign_start (ctx=0x14a6740): error: General error <GPGME>
gpgme_data_release (dh=0x14b0070): call
gpgme_data_release (dh=0x14b10c0): call
gpgme_release (ctx=0x14a6740): call
gpgme_sig_notation_clear (ctx=0x14a6740): call
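Added shell example, not code from this thread or from Balsa/GnuPG: it checks a gpgsm.conf and gpg-agent.conf for the options Albrecht recommends (including the disable-crl-checks/enable-crl-checks conflict Michael had) and pulls the failed operations out of a GPGME_DEBUG log like the one attached. The config and log files are constructed samples written to a temporary directory; on a real system point the functions at ~/.gnupg/gpgsm.conf, ~/.gnupg/gpg-agent.conf and gpgme-balsa.log instead.

```shell
#!/bin/sh
# Added example, not code from the balsa-list thread: check the gpgsm and
# gpg-agent options discussed above and scan a GPGME_DEBUG log for failed
# operations. Runs on constructed sample files so it works offline.

# Classify the CRL settings in a gpgsm.conf (path in $1). Albrecht advised
# enable-crl-checks + enable-trusted-cert-crl-check; Michael still had
# disable-crl-checks, and both present at once is a conflict.
check_gpgsm_crl_conf() {
    if grep -q '^[[:space:]]*disable-crl-checks' "$1"; then
        if grep -q '^[[:space:]]*enable-crl-checks' "$1"; then
            echo conflict
        else
            echo disabled
        fi
    elif grep -q '^[[:space:]]*enable-crl-checks' "$1"; then
        echo ok
    else
        echo missing
    fi
}

# Is gpg-agent allowed to offer the "mark trusted" pinentry dialogue?
has_allow_mark_trusted() {
    grep -q '^[[:space:]]*allow-mark-trusted' "$1" && echo yes || echo no
}

# Print "<function>: <error>" for every failed operation in a gpgme log,
# e.g. the "General error" on gpgme_op_sign_start in the attached log.
gpgme_log_errors() {
    sed -n 's/^\([a-z0-9_]*\) ([^)]*): error: \(.*\)$/\1: \2/p' "$1"
}

# Constructed sample files modelled on the snippets quoted in the thread.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'disable-crl-checks\nenable-crl-checks\nenable-trusted-cert-crl-check\n' > "$tmp/gpgsm.conf"
printf 'default-cache-ttl 10800\nallow-mark-trusted\n' > "$tmp/gpg-agent.conf"
cat > "$tmp/gpgme-balsa.log" <<'EOF'
gpgme_set_protocol (ctx=0x14a6740): enter: protocol=1 (CMS)
gpgme_op_sign_start (ctx=0x14a6740): enter: plain=0x14b0070, sig=0x14b10c0, mode=1
gpgme_op_sign_start (ctx=0x14a6740): error: General error <GPGME>
EOF

echo "gpgsm.conf CRL settings: $(check_gpgsm_crl_conf "$tmp/gpgsm.conf")"
echo "allow-mark-trusted: $(has_allow_mark_trusted "$tmp/gpg-agent.conf")"
echo "failed gpgme operations:"
gpgme_log_errors "$tmp/gpgme-balsa.log"
```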