Kmail silently rejects S/MIME Certificate

Bug #584027 reported by Ben M.
This bug affects 5 people
Affects: kdepim (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: kdepim

Scenario:
Adding an S/MIME cert to an identity. Clicking "modify", select a certificate.

What I expect to happen:
The certificate can be used or is being declined due to a specific reason.

What happens instead:
When trying to add an S/MIME Certificate to KMail, it just rejects my certificate when clicking on it. See the screenshot: a red cross appears next to the certificate information. No other information why I cannot use this certificate is given.

I enabled debugging in crypto modules and started kmail with --nofork, but kmail doesn't give me any clue why my certificate is being rejected.

Additional information:
* S/MIME module is loaded
* Kleopatra is up and running
* Certificate is valid, complete trust chain imported. Issuer: CACert.org
* None of these work: 2048 bit, 1024 bit, single mail address, multiple aliases on certificate
* gpgsm knows my private and public certificate
* E-Mail address matches mine.
* CN matches my name.

Even if I do something wrong, I expect kmail to be more user friendly by giving more feedback ("you cannot use this certificate, because <reason(s)>").

Regards,
Ben

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: kmail 4:4.4.2-0ubuntu5
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Sat May 22 00:00:00 2010
ProcEnviron:
 LANGUAGE=
 PATH=(custom, user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: kdepim

Ben M. (bmhm) wrote :

Yuv (yuv) wrote :

I'm experiencing the exact same problem with a http://www.startssl.com/ certificate and with self signed certificates. I wonder if I am missing something obvious or if it is really a bug.

I've found advice on the web reported to be successful. It said to add the following line to ~/.gnupg/gpg-agent.conf:
allow-mark-trusted

That line gets added when I go into Kleopatra's menu Settings => Configure => GnuPG System => GPG Agent
and check the "Allow clients to mark keys as trusted" checkbox.

But it did not work for me. Maybe it works for you?

Yuv (yuv) wrote :

Correction to my prior message. The above worked for me. I just realized it when turning on the system this morning. I was asked (probably by Kleopatra?) if I want to ultimately trust the StartSSL Certification Authority (with a horribly user-unfriendly dialog, but never mind) and after that I could use the StartSSL certificate to sign.

My self-signed certificate is not working yet, but now I am pretty sure that the problem is on my end, not a bug.

I don't want to be rude to you, so I don't set the bug report to "invalid", but you should try the above solution on your end and if it solves it close the bug report. I did set its status to "incomplete".

Is there a way to put the above information in an FAQ? The web is so full of confusing information.

Also, is there a way to echo "allow-mark-trusted" >> ~/.gnupg/gpg-agent.conf into every account on the system? Or is there a reason why it is not so?

Changed in kdepim (Ubuntu):
status: New → Incomplete

FriedChicken (domlyons) wrote :

I guess the user should have the right to mark a certificate as valid by default (as described in the second posting).

Set to confirmed to let the bug not be marked as invalid.

Changed in kdepim (Ubuntu):
status: Incomplete → Confirmed

Dave Steffenn (dgsteffen) wrote :

I've got the same problem -- tried the above steps, still no luck. Can anyone shed some light on what Kmail's problem with the certificate actually is? Thanks

Nicola Chiapolini (nicola-chiapolini) wrote :

I had the same problem with my self-signed certificate. Fix for me was:

*) activate allow-trust as above:
configure Kleopatra to trust you as a signing authority
  Settings > Configure Kleopatra > GnuPG System > GPG Agent > [x] Allow clients to mark keys as "trusted"
restart
On restart you will be asked which keys you want to trust. Trust yourself, maybe trust others
(this will create a file ~/.gnupg/trustlist.txt storing your choices, you can adjust them there later, if you want.)

*) problem specific to self-signed certificates (I guess):
tell dirmngr to stop looking for a CRL for you
  vim ~/.gnupg/trustlist.txt
append 'relax' at the end of the line containing the fingerprint for your key
(see man-page for gpgsm, option '--disable-trusted-cert-crl-check')
restart gpg-agent
  gpgconf --reload gpg-agent
(no sudo), or restart the system

After this selecting keys in kmail works as expected.

PS: To get some clue about what is going on, you can use the GPG Log viewer:
start log-viewer in kleopatra
(e.g. when kmail fails to select the key you want and shows red crosses without any helpful feedback)
  Tools > GnuPG Log Viewer
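
An added example, not part of the thread or of GnuPG: a shell audit of the two files the comments above edit, reporting whether `allow-mark-trusted` is active in gpg-agent.conf and which trusted roots in trustlist.txt carry `relax` (and so skip the CRL check). The function names, the sample fingerprints and the tolerant handling of comma-separated flags are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the two GnuPG files edited in this thread.
# Assumed trustlist.txt layout: [!]<hex fingerprint, colons optional> S [flags]

# Succeeds if allow-mark-trusted is an active (uncommented) line in gpg-agent.conf.
agent_allows_mark_trusted() {
    grep -Eq '^[[:space:]]*allow-mark-trusted[[:space:]]*$' "$1"
}

# Prints "<FINGERPRINT> <relax|crl-check>" for every root the file trusts.
list_trusted_roots() {
    awk '
        { gsub(/,/, " ") }                     # tolerate comma-separated flags
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        $1 ~ /^!/ { next }                     # "!" marks a root as NOT trusted
        {
            fpr = toupper($1); gsub(/:/, "", fpr)
            if (fpr !~ /^[0-9A-F]+$/) next     # e.g. an include-default line
            mode = "crl-check"
            for (i = 3; i <= NF; i++) if ($i == "relax") mode = "relax"
            print fpr, mode
        }' "$1"
}

# Prints only the fingerprints whose CRL check has been switched off.
relaxed_roots() {
    list_trusted_roots "$1" | awk '$2 == "relax" { print $1 }'
}

# Constructed sample data (fingerprints are made up).
write_sample() {
    cat > "$1/gpg-agent.conf" <<'EOF'
# allow-mark-trusted
allow-mark-trusted
EOF
    cat > "$1/trustlist.txt" <<'EOF'
# constructed entries
AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD S
0123456789abcdef0123456789abcdef01234567 S relax
!FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF S relax
include-default
EOF
}

demo=$(mktemp -d) && write_sample "$demo"
agent_allows_mark_trusted "$demo/gpg-agent.conf" && echo "clients may mark roots as trusted"
relaxed_roots "$demo/trustlist.txt" | sed 's/^/CRL check disabled for root: /'
rm -rf "$demo"
```

To audit a real account, point the functions at ~/.gnupg/gpg-agent.conf and ~/.gnupg/trustlist.txt instead of the sample files.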

Rohan Garg (rohangarg) wrote :

Hi there!

Thanks for reporting this bug! Your bug seems to be a problem with the KDE program itself, and not with our KDE packages. While we appreciate your issue, it would be better if it was tracked at https://bugs.kde.org, so that the KDE developers can deal with this speedily and have direct communication with you as the reporter for more effective debugging.

Thanks!

Changed in kdepim (Ubuntu):
status: Confirmed → Invalid