>>>>> David Engster wrote:
> I also remember trying to use EPG and gnutls, but it didn't work at
> that time. If someone successfully uses S/MIME with those, I'd love to
> see an example setup.

Well, S/MIME may have several different formats (see RFC2633 3.8). As of
now Gnus' gpgsm backend does not handle all of them. In summary:

* sign using multipart/signed - supported
* verify using multipart/signed - supported
* verify using application/x-pkcs7-mime - not supported
* encrypt using application/pkcs7-mime - supported
* decrypt using application/pkcs7-mime - not supported

Other combinations of operations and formats such as:

* sign using application/pkcs7-mime
* decrypt using application/octet-stream

are not even supported by the OpenSSL backend.

By the way, for those who are interested in playing around with gpgsm, I
wrote a short instruction to set up gpgsm with CAcert's client
certificates. After the setup, you can use it from Gnus with:

  (setq mml-smime-use 'epg)

0. Install gpgsm, dirmngr, etc.

I'm using the following packages from Debian:

  ii  dirmngr      1.0.2-1  server for managing certificate revocation
  ii  gnupg-agent  2.0.9-3  GNU privacy guard - password agent
  ii  gpgsm        2.0.9-3  GNU privacy guard - S/MIME version
  ii  iceweasel    3.0.1-1  lightweight web browser based on Mozilla

1. Create your client certificate with Firefox.

1.1. Go to http://www.cacert.org and create an account.

1.2. Log in with the account and make your client certificate.

1.3. Once the certificate is installed into the browser, you can export
     it with:

  Edit -> Preferences -> Advanced -> Encryption -> View Certificates
  -> Your Certificates -> Backup

We will call the file `cacert.p12' hereafter.

2. Set up gpgsm to use your certificate.

2.1. Start gpg-agent if it is not running.

  $ eval `gpg-agent --daemon --sh`

2.2. Import the certificate into gpgsm's keyring.

  $ gpgsm --import cacert.p12
  $ gpgsm --list-keys

2.3. Import CRL for the root certificate.

  $ gpgsm --dump-keys cacert | grep crlDP
  crlDP: https://www.cacert.org/revoke.crl
  $ wget -O ~/revoke.crl https://www.cacert.org/revoke.crl
  $ gpgsm --call-dirmngr loadcrl ~/revoke.crl

2.4. Mark the CA certificate as trusted.

Add the following line to ~/.gnupg/trustlist.txt.

  135CEC36F49CB8E93B1AB270CD80884676CE8F33 S

The first column is the fingerprint of the root certificate (see the
output of `gpgsm --list-keys').

2.5. Try to create a digital signature with gpgsm.

  $ echo test test test > test.txt
  $ gpgsm -u 0xE4438BB4 --output test.txt.sig --sign test.txt

0xE4438BB4 is the keygrip of your certificate (see the output of
`gpgsm --list-keys').

  $ gpgsm --output - --verify test.txt.sig
  test test test
  gpgsm: Signature made 2008-09-17 06:23:52 using certificate ID 0xE4438BB4
  gpgsm: Good signature from "/CN=CAcert WoT User/EMail=ueno@unixuser.org"
  gpgsm:                 aka "ueno@unixuser.org"

Regards,
-- 
Daiki Ueno
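
Step 2.4 edits ~/.gnupg/trustlist.txt by hand; the shell function below is an added example (not part of the original message) that makes the same edit idempotently and refuses to override a distrust marker. The name `trust_ca` and its return codes are assumptions of this sketch; it relies on gpg-agent's documented trustlist syntax, where colons in the fingerprint are optional and a leading `!` marks a key as explicitly not trusted.

```shell
#!/bin/sh
# Added example: mark a root CA fingerprint as trusted for S/MIME (step 2.4)
# without creating duplicate or conflicting trustlist entries.
# trust_ca and its return codes are names chosen for this sketch.
#
# trust_ca FINGERPRINT [TRUSTLIST]
#   0  entry is present (appended now, or it was already listed)
#   2  FINGERPRINT is not 40 hex digits (SHA-1 fingerprint)
#   3  fingerprint is listed with a leading "!" (explicitly not trusted)
trust_ca() {
    # Key listings print the fingerprint with colons; store bare upper-case hex.
    tc_fpr=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    tc_list=${2:-$HOME/.gnupg/trustlist.txt}

    case $tc_fpr in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#tc_fpr}" -eq 40 ] || return 2

    if [ -f "$tc_list" ]; then
        # Drop comments and colons so both spellings of an entry compare equal.
        tc_cur=$(sed -e 's/#.*//' -e 's/://g' "$tc_list" | tr 'a-f' 'A-F')
        # Never override an explicit distrust marker silently.
        if printf '%s\n' "$tc_cur" | grep -Eq '^[[:space:]]*!'"$tc_fpr"; then
            return 3
        fi
        # Already listed: leave the file (and whatever flags it has) untouched.
        if printf '%s\n' "$tc_cur" | grep -Eq "^[[:space:]]*$tc_fpr([[:space:]]|\$)"; then
            return 0
        fi
    fi

    # Make sure the new entry starts on its own line.
    if [ -s "$tc_list" ] && [ -n "$(tail -c 1 "$tc_list")" ]; then
        echo >> "$tc_list"
    fi
    # Append "<fingerprint> S"; new files are created readable by the owner only.
    mkdir -p "$(dirname "$tc_list")"
    ( umask 077; printf '%s S\n' "$tc_fpr" >> "$tc_list" )
}
```

Call it as `trust_ca <fingerprint>` once the fingerprint shown by `gpgsm --list-keys` has been compared with the value the CA publishes through a separate channel.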