Hello,

anyone here familiar with Gnus + S/MIME + gnupg?

A few days back I decided to set up my environment to sign messages I send out, and to be able to verify signatures of messages I receive. Doing it with PGP was quite easy, and I got it working in no time, but S/MIME is giving me a real headache, most probably because I'm misunderstanding something or because I lack some basic knowledge on how certificates are meant to be used.

I imported my certificate with 'gpgsm --import <cert.p12>' and "gpgsm -K" shows that the certificate got imported correctly:

,----
| $ gpgsm -K
| /home/angelv/.gnupg/pubring.kbx
| -------------------------------
| ID: 0xFD3C585C
| S/N: 07A6ED8580BD2114605C7B37AB7B8919
| (dec): 10171334757275596790721797340316535065
| Issuer: /CN=AC FNMT Usuarios/OU=Ceres/O=FNMT-RCM/C=ES
| Subject: /CN=DE VICENTE GARRIDO ANGEL MANUEL - ....
`----

My ~/.gnupg/gpgsm.conf just contains:

,----
| disable-crl-checks
`----

and with that, I can sign a file on the command line without problems:

,----
| $ gpgsm --sign test.txt >ciphertext
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: CRLs not checked due to --disable-crl-checks option
| gpgsm: DBG: adding certificates at level -2
| gpgsm: signature created
`----

But when I try to sign a message from Gnus I always get a message saying
"No sign key for <angel.de.vicente@iac.es>; skip it? (y or n)"

What do I have to configure in Emacs/Gnus so that it will know that my e-mail address is linked to the same certificate used in the command line?

By the way, I'm using the following:

,----
| ArchLinux
| Emacs version: 28.2 (2022-09-12)
| Gnus version: 5.13
| GnuPG version: 2.2.40
`----

Any pointers/help greatly appreciated

-- 
Ángel de Vicente -- (GPG: 0x64D9FDAE7CD5E939)
Research Software Engineer (Supercomputing and BigData)
Instituto de Astrofísica de Canarias (https://www.iac.es/en)
Hi there!

On 2022-11-02, at 09:29, Angel de Vicente wrote:
> Hello,
>
> anyone here familiar with Gnus + S/MIME + gnupg?

Yes :)

> [...]
> But when I try to sign a message from Gnus I always get a message saying
> "No sign key for <angel.de.vicente@iac.es>; skip it? (y or n)"

I use this:
(setq mml-secure-smime-sign-with-sender t)

And more: https://gitlab.com/lechten/defaultencrypt

> What do I have to configure in Emacs/Gnus so that it will know that my
> e-mail address is linked to the same certificate used in the command
> line?

Your CA links your e-mail address to your public key, both of which are recorded inside the certificate. Gnus cannot do this. Your output did not show whether the certificate really contains the e-mail address that you used...

Best wishes
Jens
Hello,

Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:
>> But when I try to sign a message from Gnus I always get a message saying
>> "No sign key for <angel.de.vicente@iac.es>; skip it? (y or n)"
>
> I use this:
> (setq mml-secure-smime-sign-with-sender t)

I already had that, but it looks like the part that was missing was that the certificate I was using didn't have my e-mail address, so Gnus (via gpgsm) would not find the right certificate to use. Importing another certificate where the e-mail address was present solved that problem.

> And more: https://gitlab.com/lechten/defaultencrypt

That looks great, I'll have a look, because my S/MIME setting is so far much worse than my PGP one (my goal was to be able just to sign messages, so I'll stop here for now, but later I want to make sure I also get the encryption/decryption part working).

> Your CA links your e-mail address to your public key, both of which
> are recorded inside the certificate. Gnus cannot do this. Your
> output did not show whether the certificate really contains the
> e-mail address that you used...

The first certificate I was using didn't. When I used a second certificate with the mail address in it all was good.

But here is a question. To send messages to this group I use another e-mail address (which is not present in any of the certificates). There is no way for me, then, to sign messages to this group with S/MIME? I was hoping to use "Smime Keys", which according to the documentation looks like the right way, but my attempts so far were not successful.

,----
| Smime Keys
| Map mail addresses to a file containing Certificate (and private key).
| The file is assumed to be in PEM format. You can also associate additional
| certificates to be sent with every message to each address.
`----

Thanks,
On 2022-11-02, at 20:51, Angel de Vicente wrote:
> [...]
> But here is a question. To send messages to this group I use another
> e-mail address (which is not present in any of the certificates). There
> is no way for me, then, to sign messages to this group with S-MIME?

There is. Before coming to that, please reconsider what you ask for: Alice sends a message to Bob, but the message is signed by Mallory. What is Bob supposed to do with this?

IMO, the signature should really match the sender’s FROM address. Maybe you can ask your CA to include your other e-mail addresses as well? Or switch to GnuPG for your other e-mail addresses, where you are in control and not some CA (which Bob probably neither knows nor trusts anyway)? See [1] for more information.

Coming back to your question: You can customize mml-secure-smime-signers to include a list of IDs of signing keys.

Best wishes
Jens

P.S. Google “protects” you from receiving my e-mails addressed to you directly as I spoof my FROM address here (SPF and DKIM both 550-5.7.26 do not pass). Thus, I remove your e-mail address in this reply.

P.P.S. If you do not need direct replies, Gnus (Message, in fact) can set a Mail-Followup-To header [2].

[1] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/
[2] https://www.gnu.org/software/emacs/manual/html_mono/message.html#Composing-a-correct-MFT-header-automagically
Hello,

Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:
> There is. Before coming to that, please reconsider for what you
> ask: Alice sends a message to Bob, but the message is signed by
> Mallory. What is Bob supposed to do with this?

Yes, I realized after I sent the message that this was going to be confusing. I managed to do it by setting 'mml-secure-smime-sign-with-sender' to nil, so that I could then choose the certificate, but Gmail (for example) complains about the mail address in the certificate not being the same as the "From" address, so probably not a good idea in general.

> IMO, the signature should really match the sender’s FROM address.
> Maybe you can ask your CA to include your other e-mail addresses as
> well? Or switch to GnuPG for your other e-mail addresses, where you
> are in control and not some CA (which Bob probably does neither know
> nor trust anyways)? See [1] for more information.

So, I was actually thinking of going for the second option: use S/MIME when I send from the address in the certificate, and use PGP when sending from this gmail address. But now I need to figure out how to tell Gnus to do that. Right now I have the following, which makes sure that by default I will always be signing with S/MIME. Do you know if there is an easy way to set these depending on the "From" address?

,----
| (add-hook 'gnus-message-setup-hook 'mml-secure-message-sign-smime)
| (setq mml-secure-method "smime")
`----

Cheers,
Hi again,

regarding my problems with Gnus + S/MIME + GnuPG, there is another thing that I don't seem to be able to solve:

It is very weird, maybe a bug, because I have set epg-pinentry-mode to loopback, which is supposed to use the Emacs minibuffer to ask for the passphrase of private keys. This works perfectly for PGP but it throws an error for S/MIME: "Signing failed (unknown reason)". [If I set epg-pinentry-mode to 'nil, then I am asked for the passphrase by gnome-keyring and all is good (but I need to use the minibuffer, since I use this machine mostly remotely).]

I chased the error down to the function "epg-sign-string" in epg.el, but my ELisp is very rusty and I'm not making much progress in debugging the issue. I guess at some point epg.el is calling pinentry, but I don't know how to efficiently debug this.

Any pointers/advice much appreciated.

Cheers,
Angel de Vicente <angel.vicente.garrido@gmail.com> writes:
> It is very weird, maybe a bug, because I have set epg-pinentry-mode to
> loopback, which is supposed to use the Emacs minibuffer to ask for the
> passphrase of private keys. This works perfect for PGP but it throws
> an error for SMIME "Signing failed (unknown reason)". [If I set
> epg-pinentry-mode to 'nil, then I am asked for the passphrase by
> gnome-keyring and all is good (but I need to use the mini-buffer,
> since I use this machine mostly remotely].
> I chased the error down to the function "epg-sign-string" in epg.el,
> but my ELisp is very rusty and not making much progress in debugging
> the issue. I guess at some point epg.el is calling pinentry, but don't
> know how to efficiently debug this.

revert changes in epg.el and try it:

In your emacs conf:

(setq epg-pinentry-mode 'loopback)

in ~/.gnupg/gpg.conf

use-agent
pinentry-mode loopback

in ~/.gnupg/gpg-agent.conf

allow-emacs-pinentry
allow-loopback-pinentry
Hello,

GH <project@gnuhacker.org> writes:
> revert changes in epg.el and try it:
[...]

thanks, but exactly the same problem
On 2022-11-03, at 07:21, Angel de Vicente wrote:
> So, I was actually thinking of going for the second option: use SMIME
> when I send from the address in the certificate, and use PGP when
> sending from this gmail address. But now I need to figure out how to
> tell Gnus to do that. Right now I have the following, which makes sure
> that by default I will be always signing with SMIME. Do you know if
> there is an easy way to set these depending on the "From" address?
>
> ,----
> | (add-hook 'gnus-message-setup-hook 'mml-secure-message-sign-smime)
> | (setq mml-secure-method "smime")
> `----
This might be possible with Posting Styles if your e-mails with
different senders are in different groups. See variable
gnus-posting-styles and the info page to which it points. To me,
the following part seems promising. Note that the body string could
be a function call that produces a secure tag.
((posting-from-work-p) ;; A user defined function
(signature-file "~/.work-signature")
(address "user@bar.foo")
(body "You are fired.\n\nSincerely, your boss.")
("X-Message-SMTP-Method" "smtp smtp.example.org 587")
(organization "Important Work, Inc"))
Best wishes
Jens
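The thread asks for two things in this message and the one before it: signing with an explicit certificate (mml-secure-smime-signers) and choosing S/MIME or OpenPGP depending on the From address. The following is an added example, not code from the thread or from Gnus/Message itself: a gnus-message-setup-hook function that reads the From header of the freshly set-up message buffer and inserts the matching sign tag, so the secure method follows the sender instead of being hard-wired to "smime". It assumes the From header is already filled in when gnus-message-setup-hook runs (for instance by the `address' attribute of a gnus-posting-styles entry, or by the group's own sender); the address patterns in my-secure-rules are constructed placeholders, and the function and variable names prefixed my- are invented for this example.

```elisp
;; Added example (not from the thread): select the mml secure method per
;; From address.  Names prefixed `my-' are hypothetical; the address
;; regexps below are placeholders constructed for this example.

(require 'message)
(require 'mml-sec)
(require 'seq)

(defvar my-secure-rules
  '(("@iac\\.es\\'"   . "smime")     ; address present in the X.509 certificate
    ("@gmail\\.com\\'" . "pgpmime"))  ; address covered by an OpenPGP key only
  "Alist of (FROM-REGEXP . MML-METHOD), tried in order against the From address.
Constructed for this example; adjust to the addresses your certificate and key cover.")

(defun my-secure-method-for-from ()
  "Return the mml method for the From address of the current message, or nil.
Reads the header from the message buffer, so it must be called there."
  (let* ((from (save-restriction
                 (message-narrow-to-headers)
                 (message-fetch-field "from")))
         ;; Strip the display name: "Name <user@host>" -> "user@host".
         (addr (and from (cadr (mail-extract-address-components from)))))
    (and addr
         (cdr (seq-find (lambda (rule) (string-match-p (car rule) addr))
                        my-secure-rules)))))

(defun my-sign-by-sender ()
  "Insert a <#secure ... mode=sign> tag whose method matches the From address.
No tag is inserted when no rule matches, so such a message goes out unsigned."
  (let ((method (my-secure-method-for-from)))
    (when method
      ;; Make the interactive commands (C-c C-m ...) default to the same method.
      (setq-local mml-secure-method method)
      (mml-secure-message method 'sign))))

;; Let gpgsm / gpg pick the signing key by the From address, as suggested in
;; the thread, instead of a fixed key list.
(setq mml-secure-smime-sign-with-sender t
      mml-secure-openpgp-sign-with-sender t)

;; Replaces the unconditional `mml-secure-message-sign-smime' hook.
(add-hook 'gnus-message-setup-hook #'my-sign-by-sender)
```

If you would rather pin the S/MIME signing certificate than rely on the address lookup, set mml-secure-smime-signers to the key IDs as described above and leave mml-secure-smime-sign-with-sender nil; the hook above still chooses which method is used, while the signers variable decides which certificate signs once "smime" has been chosen. Check the result before sending with C-c C-m C-p (mml-preview) or by looking at the <#secure> tag at the top of the body.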
Jens Lechtenboerger wrote:
> ((posting-from-work-p) ;; A user defined function
> (signature-file "~/.work-signature")
> (address "user@bar.foo")
> (body "You are fired.\n\nSincerely, your boss.")
> ("X-Message-SMTP-Method" "smtp smtp.example.org 587")
> (organization "Important Work, Inc"))

Sincerely, your boss :)

-- 
underground experts united
https://dataswamp.org/~incal
Hello,

by setting epg-debug to t I found that most of the moves are OK, but that the error comes from not being able to get the passphrase: the " *gpg-error*" buffer comes with:

,----
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: CRLs not checked due to --disable-crl-checks option
| gpgsm: DBG: adding certificates at level -2
| gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
| gpgsm: error creating signature: No passphrase given <GPG Agent>
`----

while the gpg-agent.log tells me:

,----
| DBG: chan_9 -> OK Pleased to meet you, process 3382246
| DBG: chan_9 <- RESET
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION ttytype=dumb
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION display=:0.0
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION xauthority=/home/angelv/.Xauthority
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=XDG_SESSION_TYPE=x11
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=INSIDE_EMACS=28.2,epg
| DBG: chan_9 -> OK
| DBG: chan_9 <- GETINFO version
| DBG: chan_9 -> D 2.2.40
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION allow-pinentry-notify
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION pinentry-mode=loopback
| DBG: chan_9 -> OK
| DBG: chan_9 <- HAVEKEY FC155E4BAF3DA44364C84711DA0B7137EA89D084
| DBG: chan_9 -> OK
| DBG: chan_9 <- ISTRUSTED D1EB23A46D17D68FD92564C2F1F1601764D8E349
| DBG: chan_9 -> S TRUSTLISTFLAG relax
| DBG: chan_9 -> OK
| DBG: chan_9 <- RESET
| DBG: chan_9 -> OK
| DBG: chan_9 <- SIGKEY FC155E4BAF3DA44364C84711DA0B7137EA89D084
| DBG: chan_9 -> OK
| DBG: chan_9 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+secret+key+for+the+X.509+certificate:%0A%22/CN=Angel+M+de+Vicente/O=Instituto+de+Astrofisica+de+Canarias/STREET=Calle+Vía+Láctea,+s\x2fn/ST=Santa+Cruz+de+Tenerife/C=ES%22%0AS/N+00B4307E9B17A8814A2B5CAE68E09B520E,+ID+0x74A5504B,%0Acreated+2022-10-31,+expires+2024-10-30.%0A
| DBG: chan_9 -> OK
| DBG: chan_9 <- SETHASH 9 96D6D02821BA0498546EF7BD466B9712FD1C8126AD583F895CD8DDA26DD07B7BBFD74F8A5A6E3087C0893C7BBDD78CCB
| DBG: chan_9 -> OK
| DBG: chan_9 <- PKSIGN
| DBG: agent_get_cache 'FC155E4BAF3DA44364C84711DA0B7137EA89D084'.0 (mode 2) ...
| DBG: ... miss
| DBG: agent_get_cache '6F4B59E5A9FBC6FB684CB55FDBB7CC30EEE197E3'.0 (mode 2) (stored cache key) ...
| DBG: ... miss
| DBG: chan_9 -> S INQUIRE_MAXLEN 255
| DBG: chan_9 -> [[Confidential data not shown]]
| DBG: chan_9 <- [[Confidential data not shown]]
| failed to unprotect the secret key: No passphrase given
| failed to read the secret key
| command 'PKSIGN' failed: No passphrase given
| DBG: chan_9 -> ERR 67109041 No passphrase given <GPG Agent>
| DBG: chan_9 <- [eof]
`----

I have removed gnome-keyring and seahorse in my system (in case there was a conflict with them).

Any ideas as to what might cause this?

Cheers,