How to add S/MIME certificate? #3840
Sorry for the long wait. The message you cite with the "BAD signature" is the (raw) output from the backend program (either gpg or openssl). The message in the statusbar is by neomutt interpreting the return code of the program. It is generally recommended to use gpgme as backend (
To get gpgme working (which accesses the same database as gpgsm) you need to:
b) import the root certificate (and possibly some intermediate certificates) to the certificate storage using gpgsm
Usually (but not always) an S/MIME signed/encrypted email comes with all non-root certificates which get automatically imported into the database once you read the e-mail.
c) set up trust for the root certificate, please see section "setting up trust" in https://www.claws-mail.org/faq/index.php/S/MIME_howto (and maybe #3567)
No worries. Thank you for the reply. FWIW I had a single contact who used S/MIME, and they no longer use it, so this problem is no longer relevant for me. I'm happy to help out for future users though.
I don't have any reference to
This seems to be the same command I mention in my OP, where I tried to import the PEM-encoded PKCS7 public key. This failed for me previously, but I think that was because I already had the certificate. I tried deleting the cert and re-importing, and this now seemed to work fine.
As per your first link, I ran
FWIW in mutt, I can see down the bottom it says
However at the top of the message itself it says
If I have to guess, then your e-mail was tampered with (not necessarily maleficent). The output at the top of the message is the output of gpg not (neo)mutt. Could you please verify that the email has a valid signature. I described the process using gpgsm and openssl in #3567. (You can also use openssl alone but I don't know the command off the top of my head, so you have to search for it yourself.)
Thanks again @rayfordshire. I can't seem to get your code working, but maybe this is informative? Following your linked instructions...
In mutt
Then save the attachment
Attempt to extract the body.
tried again with
Attempt to verify with gpgsm
Was that a typo in your instructions?
I guess that failed? Keep going anyway.
I also tried the above without
I apologise for the late reply, busy time around here.
Oops, yes it was. From the looks of it, it seems like the chain of trust cannot be established.
The first certificate "your certificate" is the one you have or get from your contact. The last certificate "root CA" is usually bundled by the OS in
From your quotes it seems like your contact made a self-signed certificate, i.e. they are the root CA and the chain collapsed to a single entry:
To instruct openssl that a certificate is a root certificate, you can use
where gpgsm seems to have an additional check/requirement for root certificates (i.e. self-signed certificates) but maybe adding "relax"[0] into
The
where
After modifying
[0] https://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html
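The diagnosis in the comment above (a self-signed certificate whose chain collapses to a single entry, accepted only once it is named as a root) reproduced with openssl alone, as an added example that is not part of the thread. The certificate, message body and file names are constructed, and the script uses openssl's `-CAfile` option to name the trust anchor.

```sh
# Added example; the CN, address, file names and message body are constructed.
work=$(mktemp -d)

# Stand-in for the contact: a self-signed certificate and a detached
# DER PKCS#7 signature, the form mail clients attach as smime.p7s.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Contact/emailAddress=contact@example.invalid" \
    -keyout "$work/key.pem" -out "$work/contact.pem" 2>/dev/null
  printf 'constructed test body\n' > "$work/body.txt"
  openssl smime -sign -binary -in "$work/body.txt" \
    -signer "$work/contact.pem" -inkey "$work/key.pem" \
    -outform DER -out "$work/smime.p7s" 2>/dev/null
}

# Step 1: write the certificates carried in smime.p7s out as PEM.
extract_certs() {
  openssl pkcs7 -inform DER -in "$work/smime.p7s" -print_certs \
    -out "$work/certs.pem"
}

# Step 2: identical subject and issuer name hashes mean the certificate is
# self-issued, so there is no separate root CA to chain to.
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Step 3: verify the detached signature over the body. With no argument only
# the system trust store is consulted; with one, that file is the trust anchor.
verify_sig() {
  if [ $# -ge 1 ]; then set -- -CAfile "$1"; fi
  openssl smime -verify -binary -inform DER -in "$work/smime.p7s" \
    -content "$work/body.txt" "$@" -out /dev/null 2>/dev/null
}

make_fixture && extract_certs
is_self_issued "$work/certs.pem" && echo "self-issued: subject equals issuer"
verify_sig || echo "no trust anchor: verification fails"
verify_sig "$work/certs.pem" && echo "certificate named as root: verification succeeds"
```

Naming a self-signed certificate as a root only shows that the message was signed with that key; compare the certificate's fingerprint with the contact over another channel before trusting it.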
Thanks so much @rayfordshire and I apologise for my late reply! I spent another hour or so troubleshooting this, but I still couldn't really get this to play well. Sorry, I'm just going to let this lapse since the contact no longer uses S/MIME. Hopefully some of these comments will be helpful for others. I really appreciate your help.
I regularly receive emails from a colleague who signs with S/MIME. At the beginning of each email NeoMutt says
and at the bottom status bar it says S/MIME signature successfully verified. Hence, I think that S/MIME is working, but the signature/certificate is not in my database. I would like to add the signature to my database, so that NeoMutt consistently says GOOD signature. I'm a total novice to S/MIME, but I've spent about an hour trying to work this out.
These emails always have a smime.p7s file attached. My understanding is that this is a DER-encoded PKCS7 public key, and I need to convert it to a PEM-encoded PKCS7 public key. Hence, I save the attachment, then
This file looks okay,
N.B. the subject and issuer details are identical.
I then initialised the smime database using NeoMutt's smime_keys.
In ~/.mutt/muttrc
Run /usr/lib/neomutt/smime_keys init, which created ~/.smime.
And then now I was stuck. I tried the following, which failed.
The following also failed
I also tried the following, which added nothing
FWIW I also found NeoMutt's smime.rc, but this didn't seem that relevant to my problem.
How can I get NeoMutt to verify these emails as GOOD?