Verify signature for S/Mime? #3567

Open
Tokariew opened this issue Nov 23, 2022 · 6 comments
@Tokariew

I added the following lines to my muttrc file:

set crypt_use_gpgme=yes
set crypt_autosign = yes
set crypt_verify_sig = yes

I can sign using my PGP key and verify others' signatures, but when trying to verify an email signed with S/MIME, neomutt gives me
"Invoking S/MIME" and, after some time, "S/MIME signature could NOT be verified".

What am I missing to verify S/MIME signatures with gpgme?

I installed neomutt from Fedora COPR.

@Tokariew Tokariew added the type:question Question label Nov 23, 2022
@marvinwankersteen

I have noticed the same thing and have not yet found a solution.

I also tried set smime_ca_location = "/etc/ssl/certs/ca-certificates.crt".

NeoMutt 20211029
Copyright (C) 1996-2020 Michael R. Elkins and others.
NeoMutt comes with ABSOLUTELY NO WARRANTY; for details type 'neomutt -vv'.
NeoMutt is free software, and you are welcome to redistribute it
under certain conditions; type 'neomutt -vv' for details.

System: Linux 5.15.0-86-generic (x86_64)
ncurses: ncurses 6.3.20211021 (compiled with 6.3.20211021)
libidn: 1.38 (compiled with 1.38)
GPGME: 1.14.0-unknown
GnuTLS: 3.7.2
libnotmuch: 5.5.0
storage: tokyocabinet

Configure options: --build=x86_64-linux-gnu --prefix=/usr {--includedir=${prefix}/include} {--mandir=${prefix}/share/man} {--infodir=${prefix}/share/info} --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules {--libdir=${prefix}/lib/x86_64-linux-gnu} --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --mandir=/usr/share/man --libexecdir=/usr/libexec --with-mailpath=/var/mail --gpgme --lua --notmuch --with-ui --gnutls --gss --idn --mixmaster --sasl --tokyocabinet --sqlite --autocrypt

Compilation CFLAGS: -g -O2 -ffile-prefix-map=/build/neomutt-Y7QiPm/neomutt-20211029+dfsg1=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -std=c99 -D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -D__EXTENSIONS__ -I/usr/include -I/usr/include/lua5.4 -DNCURSES_WIDECHAR -isystem /usr/include/mit-krb5

Default options:
  +attach_headers_color +compose_to_sender +compress +cond_date +debug 
  +encrypt_to_self +forgotten_attachments +forwref +ifdef +imap +index_color 
  +initials +limit_current_thread +multiple_fcc +nested_if +new_mail +nntp +pop 
  +progress +quasi_delete +regcomp +reply_with_xorig +sensible_browser +sidebar 
  +skip_quoted +smtp +status_color +timeout +tls_sni +trash 

Compile options:
  +autocrypt +fcntl -flock -fmemopen +futimens +getaddrinfo +gnutls +gpgme +gss 
  +hcache -homespool +idn +inotify -locales_hack +lua +mixmaster +nls +notmuch 
  -openssl +pgp +regex +sasl +smime +sqlite +sun_attachment 

MAILPATH="/var/mail"
MIXMASTER="mixmaster"
PKGDATADIR="/usr/share/neomutt"
SENDMAIL="/usr/sbin/sendmail"
SYSCONFDIR="/etc"

To learn more about NeoMutt, visit: https://neomutt.org
If you find a bug in NeoMutt, please raise an issue at:
    https://github.com/neomutt/neomutt/issues
or send an email to: <neomutt-devel@neomutt.org>

@marvinwankersteen

marvinwankersteen commented Nov 18, 2023

Found a solution which works:

set crypt_use_gpgme             = no
set smime_ca_location           = "/etc/ssl/certs/ca-certificates.crt"
set smime_verify_command        = "openssl smime -verify -inform DER -in %s %C -content %f"
set smime_verify_opaque_command = "openssl smime -verify -inform DER -in %s %C"

@jindraj
Member

jindraj commented Nov 18, 2023

@marvinwankersteen: How about importing the certificate authorities into the gpgsm database and keep using gpgme instead of the legacy smime_* settings?

gpgsm --import /etc/ssl/certs/ca-certificates.crt

@marvinwankersteen

marvinwankersteen commented Nov 18, 2023

Thanks for the hint. I didn't know that you have to import the CAs into gpgsm beforehand. I'm new to neomutt.

The import worked, but the verification is still not possible. Same error.

@rayfordshire
Contributor

rayfordshire commented Nov 19, 2023

Yeah, the usage of gpgsm is poorly documented...

If I have to make a guess, I would assume you/gpg does not trust the root certificate. After importing the root certificate into gpgsm you must assign a trust to it (by default it is untrusted, which lets the verification fail). This can be done in different ways; please see the section "setting up trust" in https://www.claws-mail.org/faq/index.php/S/MIME_howto on the two ways to do that (automatically via gpg-agent, or by editing trustlist.txt).

To rule out that it is a problem with gpgsm itself you can do the following steps to verify an email "by hand" with gpgsm command line:

Verify E-Mail using gpgsm (and openssl)

How to verify a signature of an e-mail using gpgsm on the console
gpgsm cannot handle a MIME mail, thus we must split the e-mail into the signature and the payload/body.

Save the full MIME-Message/E-Mail via neomutt:

<pipe-command>cat > /tmp/signed-mail.eml

Signature

The signature can be saved using neomutt's <save-entry> in the attachment menu, most likely with the filename smime.p7s.

Alternatively, we can use openssl:

openssl cms -cmsout -in signed-mail.eml | sed 1,4d > smime.p7s.base64
openssl cms -cmsout -in signed-mail.eml | sed 1,4d | base64 -d > smime.p7s

The sed deletes the MIME-header.

Payload/Body

The body is a bit trickier as neomutt

a) seems to convert CRLF to LF on *nix, which tampers with the mail.
b) strips the header of the payload MIME part.

To extract the body, we utilise openssl:

openssl cms -verify -in signed-mail.eml > openssl-body

Verifying with gpgsm

gpgsm -n --verify smime.p7s openssl-body
gpgsm -n --verify --assume-base64 smime.p7s.base64 openssl-body

(-n is --dry-run and can be omitted once satisfied)

Appendix

An entry for ~/.gnupg/trustlist.txt looks like:

AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA S

where AA... is the hash of the root certificate in question, and the colons can (I think) be omitted.
Note: You must reload gpg-agent after editing trustlist.txt in order for the changes to take effect.

gpgconf --reload gpg-agent
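The procedure above cuts the mail into a detached signature and a byte-exact signed payload by hand with openssl and sed. The following Python script is an added example (not part of the thread or of neomutt) that does the same split directly on the raw .eml: it keeps the CRLF line endings and the inner part headers that neomutt's <pipe-command> loses, decodes the smime.p7s part, and hashes the payload with the micalg from the Content-Type so you can see that a CRLF-to-LF conversion changes the digest the verifier would check. The sample message is constructed and carries a placeholder instead of a real PKCS#7 blob; the output file names openssl-body and smime.p7s are taken from the comment above.

```python
"""Split a multipart/signed S/MIME message into its two verification inputs.

gpgsm cannot parse MIME, so we cut the raw .eml into (a) the signed payload,
byte-exact with CRLF line endings and with the inner MIME part headers kept,
and (b) the decoded PKCS#7 signature.  Both can then be handed to
`gpgsm --verify smime.p7s openssl-body`.  Added example; the sample message
below is constructed and carries a placeholder signature.
"""
import base64
import email
import email.policy
import hashlib

# Constructed sample message (not a real signed mail; the base64 blob is a
# placeholder, so only the splitting and canonicalisation are demonstrated).
SAMPLE_EML = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    b' micalg=sha-256; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Hello Bob,\r\n"
    b"this is the signed text.\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="smime.p7s"\r\n'
    b"\r\n"
    + base64.encodebytes(b"PLACEHOLDER-NOT-A-REAL-PKCS7-SIGNATURE").replace(b"\n", b"\r\n")
    + b"--XYZ--\r\n"
)


def split_signed(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed_payload, signature_der) from a raw multipart/signed mail.

    The payload is sliced out of the raw bytes rather than re-serialised from
    the parsed message, so CRLF line endings and the part headers survive
    intact: both are covered by the signature, which is why a CRLF->LF
    conversion or a stripped part header makes verification fail.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError(f"not a multipart/signed message: {msg.get_content_type()}")
    boundary = msg.get_boundary().encode()

    body = raw[raw.index(b"\r\n\r\n") + 4:]      # skip the top-level headers
    opening = b"--" + boundary + b"\r\n"
    delim = b"\r\n--" + boundary                  # the CRLF belongs to the delimiter (RFC 2046)

    start = body.index(opening) + len(opening)
    end = body.index(delim, start)
    payload = body[start:end]                     # inner headers + blank line + text, CRLF kept

    sig_start = end + len(delim) + 2              # past "--boundary\r\n"
    sig_end = body.index(delim, sig_start)
    sig_part = email.message_from_bytes(body[sig_start:sig_end], policy=email.policy.default)
    if sig_part.get_content_type() not in ("application/pkcs7-signature",
                                           "application/x-pkcs7-signature"):
        raise ValueError("second part is not a PKCS#7 signature")
    signature_der = sig_part.get_payload(decode=True)   # base64 -> DER bytes
    return payload, signature_der


def micalg_digest(data: bytes, micalg: str = "sha-256") -> str:
    """Hash the payload with the micalg named in the Content-Type, as the
    verifier does before comparing against the signed messageDigest."""
    return hashlib.new(micalg.replace("-", ""), data).hexdigest()


def crlf_to_lf(data: bytes) -> bytes:
    """Reproduce the line-ending conversion that silently breaks verification."""
    return data.replace(b"\r\n", b"\n")


if __name__ == "__main__":
    payload, sig = split_signed(SAMPLE_EML)
    with open("openssl-body", "wb") as f:
        f.write(payload)
    with open("smime.p7s", "wb") as f:
        f.write(sig)
    print("payload digest (CRLF):", micalg_digest(payload))
    print("payload digest (LF):  ", micalg_digest(crlf_to_lf(payload)))
    print("next: gpgsm --verify smime.p7s openssl-body")
```

Run it on a real mail by replacing SAMPLE_EML with the bytes of the file saved via <pipe-command>, then verify with `gpgsm --verify smime.p7s openssl-body` exactly as above. If the two printed digests differ (they always will for a multi-line body), that is the reason a payload that went through a CRLF-to-LF conversion can never verify.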

@marvinwankersteen

marvinwankersteen commented Nov 19, 2023

@rayfordshire: Thank you very much for the instructions and explanation. I have not found this in detail anywhere, not even in the documentation. This should be included, especially for beginners.

Since I basically "have to" trust all CAs, which are all in /etc/ssl/certs/ca-certificates.crt, I have added them all in ~/.gnupg/trustlist.txt.

$ gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' >> ~/.gnupg/trustlist.txt

The S/MIME-signed mails can then be verified, even without these settings.

I found another hint for debugging gpgsm:

$ cat ~/.gnupg/gpgsm.conf 
log-file /tmp/gpgsm.log
debug 1024
verbose

Perhaps this will help some of you with troubleshooting if this doesn't work.
