Announcements and discussions for Gnus, the GNU Emacs Usenet newsreader
* Signing a message with S/MIME in Gnus?
@ 2022-11-02  9:29 Angel de Vicente
  2022-11-02 19:09 ` Jens Lechtenboerger
  0 siblings, 1 reply; 11+ messages in thread
From: Angel de Vicente @ 2022-11-02  9:29 UTC (permalink / raw)
  To: info-gnus-english

Hello,

anyone here familiar with Gnus + S/MIME + gnupg?

A few days back I decided to set up my environment to sign messages I
send out, and to be able to verify signatures of messages I receive.

Doing it with pgp was quite easy, and got it working in no time, but
S/MIME is giving me a real headache, most probably because I'm
misunderstanding something or because I lack some basic knowledge on how
certificates are meant to be used.

I imported my certificate with 'gpgsm --import <cert.p12>' and "gpgsm
-K" shows that the certificate got imported correctly:

,----
| $ gpgsm -K
| /home/angelv/.gnupg/pubring.kbx
| -------------------------------
|            ID: 0xFD3C585C
|           S/N: 07A6ED8580BD2114605C7B37AB7B8919
|         (dec): 10171334757275596790721797340316535065
|        Issuer: /CN=AC FNMT Usuarios/OU=Ceres/O=FNMT-RCM/C=ES
|       Subject: /CN=DE VICENTE GARRIDO ANGEL MANUEL - ....
`----

My ~/.gnupg/gpgsm.conf just contains:

,----
| disable-crl-checks
`----

and with that, I can sign a file in the command line without problems:

,----
| $ gpgsm --sign test.txt >ciphertext
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: CRLs not checked due to --disable-crl-checks option
| gpgsm: DBG: adding certificates at level -2
| gpgsm: signature created
`----

But when I try to sign a message from Gnus I always get a message saying
"No sign key for <angel.de.vicente@iac.es>; skip it? (y or n)"

What do I have to configure in Emacs/Gnus so that it will know that my
e-mail address is linked to the same certificate used in the command
line?

By the way, I'm using the following:

,----
| ArchLinux
| Emacs version: 28.2  (2022-09-12)
| Gnus  version: 5.13
| GnuPG version: 2.2.40
`----

Any pointers/help greatly appreciated.
-- 
Ángel de Vicente                 -- (GPG: 0x64D9FDAE7CD5E939)
 Research Software Engineer (Supercomputing and BigData)
 Instituto de Astrofísica de Canarias (https://www.iac.es/en)


* Re: Signing a message with S/MIME in Gnus?
  2022-11-02  9:29 Signing a message with S/MIME in Gnus? Angel de Vicente
@ 2022-11-02 19:09 ` Jens Lechtenboerger
  2022-11-02 20:51   ` Angel de Vicente
  0 siblings, 1 reply; 11+ messages in thread
From: Jens Lechtenboerger @ 2022-11-02 19:09 UTC (permalink / raw)
  To: Angel de Vicente; +Cc: info-gnus-english

Hi there!

On 2022-11-02, at 09:29, Angel de Vicente wrote:

> Hello,
>
> anyone here familiar with Gnus + S/MIME + gnupg?

Yes :)

> [...]
> But when I try to sign a message from Gnus I always get a message saying
> "No sign key for <angel.de.vicente@iac.es>; skip it? (y or n)"

I use this:
(setq mml-secure-smime-sign-with-sender t)

And more: https://gitlab.com/lechten/defaultencrypt

> What do I have to configure in Emacs/Gnus so that it will know that my
> e-mail address is linked to the same certificate used in the command
> line?

Your CA links your e-mail address to your public key, both of which
are recorded inside the certificate.  Gnus cannot do this.  Your
output did not show whether the certificate really contains the
e-mail address that you used...

Best wishes
Jens


* Re: Signing a message with S/MIME in Gnus?
  2022-11-02 19:09 ` Jens Lechtenboerger
@ 2022-11-02 20:51   ` Angel de Vicente
  2022-11-03  7:09     ` Jens Lechtenboerger
  0 siblings, 1 reply; 11+ messages in thread
From: Angel de Vicente @ 2022-11-02 20:51 UTC (permalink / raw)
  To: info-gnus-english

Hello,

Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:

>> But when I try to sign a message from Gnus I always get a message saying
>> "No sign key for <angel.de.vicente@iac.es>; skip it? (y or n)"
>
> I use this:
> (setq mml-secure-smime-sign-with-sender t)

I already had that, but it looks like the part it was missing was that
the certificate I was using didn't have my e-mail address, so Gnus (via
gpgsm) would not find the right certificate to use. Importing another
certificate where the e-mail address was present solved that problem.


> And more: https://gitlab.com/lechten/defaultencrypt

That looks great, I'll have a look, because my SMIME setting is so far
much worse than my PGP one (my goal was to be able just to sign
messages, so I'll stop here for now, but later I want to make sure I
also get working the encryption/decryption part).

> Your CA links your e-mail address to your public key, both of which
> are recorded inside the certificate.  Gnus cannot do this.  Your
> output did not show whether the certificate really contains the
> e-mail address that you used...

The first certificate I was using didn't. When I used a second
certificate with the mail address in it all was good.

But here is a question. To send messages to this group I use another
e-mail address (which is not present in any of the certificates). There
is no way for me, then, to sign messages to this group with S-MIME?

I was hoping to use "Smime Keys", which according to the documentation
looks like the right way, but my attempts so far were not successful.

,----
| Show Value Smime Keys 
|    Map mail addresses to a file containing Certificate (and private key). Hide
|    The file is assumed to be in PEM format.  You can also associate additional
|    certificates to be sent with every message to each address.
`----

Thanks,
-- 
Ángel de Vicente                 -- (GPG: 0x64D9FDAE7CD5E939)
 Research Software Engineer (Supercomputing and BigData)
 Instituto de Astrofísica de Canarias (https://www.iac.es/en)


* Re: Signing a message with S/MIME in Gnus?
  2022-11-02 20:51   ` Angel de Vicente
@ 2022-11-03  7:09     ` Jens Lechtenboerger
  2022-11-03  7:21       ` Angel de Vicente
  0 siblings, 1 reply; 11+ messages in thread
From: Jens Lechtenboerger @ 2022-11-03  7:09 UTC (permalink / raw)
  To: info-gnus-english

On 2022-11-02, at 20:51, Angel de Vicente wrote:

> [...]
> But here is a question. To send messages to this group I use another
> e-mail address (which is not present in any of the certificates). There
> is no way for me, then, to sign messages to this group with S-MIME?

There is.  Before coming to that, please reconsider for what you
ask: Alice sends a message to Bob, but the message is signed by
Mallory.  What is Bob supposed to do with this?

IMO, the signature should really match the sender’s FROM address.
Maybe you can ask your CA to include your other e-mail addresses as
well?  Or switch to GnuPG for your other e-mail addresses, where you
are in control and not some CA (which Bob probably does neither know
nor trust anyways)?  See [1] for more information.

Coming back to your question: You can customize
mml-secure-smime-signers to include a list of IDs of signing keys.

Best wishes
Jens

P.S. Google “protects” you from receiving my e-mails addressed to
you directly as I spoof my FROM address here (SPF and DKIM both
550-5.7.26 do not pass).  Thus, I remove your e-mail address in this
reply.

P.P.S. If you do not need direct replies, Gnus (Message, in fact)
can set a Mail-Followup-To header [2].

[1] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/
[2] https://www.gnu.org/software/emacs/manual/html_mono/message.html#Composing-a-correct-MFT-header-automagically


* Re: Signing a message with S/MIME in Gnus?
  2022-11-03  7:09     ` Jens Lechtenboerger
@ 2022-11-03  7:21       ` Angel de Vicente
  2022-11-03 15:28         ` Angel de Vicente
  2022-11-03 18:55         ` Jens Lechtenboerger
  0 siblings, 2 replies; 11+ messages in thread
From: Angel de Vicente @ 2022-11-03  7:21 UTC (permalink / raw)
  To: info-gnus-english

Hello,

Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:

> There is.  Before coming to that, please reconsider for what you
> ask: Alice sends a message to Bob, but the message is signed by
> Mallory.  What is Bob supposed to do with this?

Yes, I realized after I sent the message that this was going to be
confusing. I managed to do it by setting
'mml-secure-smime-sign-with-sender' to nil, so that I could then choose
the certificate, but Gmail (for example) complains about the mail
address in the certificate not being the same as the "From" address, so
probably not a good idea in general.

> IMO, the signature should really match the sender’s FROM address.
> Maybe you can ask your CA to include your other e-mail addresses as
> well?  Or switch to GnuPG for your other e-mail addresses, where you
> are in control and not some CA (which Bob probably does neither know
> nor trust anyways)?  See [1] for more information.

So, I was actually thinking of going for the second option: use SMIME
when I send from the address in the certificate, and use PGP when
sending from this gmail address. But now I need to figure out how to
tell Gnus to do that. Right now I have the following, which makes sure
that by default I will be always signing with SMIME. Do you know if
there is an easy way to set these depending on the "From" address?

,----
| (add-hook 'gnus-message-setup-hook 'mml-secure-message-sign-smime)
| (setq mml-secure-method "smime")
`----

Cheers,
-- 
Ángel de Vicente                 -- (GPG: 0x64D9FDAE7CD5E939)
 Research Software Engineer (Supercomputing and BigData)
 Instituto de Astrofísica de Canarias (https://www.iac.es/en)


* Re: Signing a message with S/MIME in Gnus?
  2022-11-03  7:21       ` Angel de Vicente
@ 2022-11-03 15:28         ` Angel de Vicente
  2022-11-03 17:52           ` GH
  2022-11-04 18:11           ` Angel de Vicente
  2022-11-03 18:55         ` Jens Lechtenboerger
  1 sibling, 2 replies; 11+ messages in thread
From: Angel de Vicente @ 2022-11-03 15:28 UTC (permalink / raw)
  To: info-gnus-english

Hi again,

regarding my problems with Gnus + SMIME + GnuPG, there is another thing
that I don't seem to be able to solve:

It is very weird, maybe a bug, because I have set epg-pinentry-mode to
loopback, which is supposed to use the Emacs minibuffer to ask for the
passphrase of private keys. This works perfectly for PGP but it throws an
error for SMIME "Signing failed (unknown reason)". [If I set
epg-pinentry-mode to 'nil, then I am asked for the passphrase by
gnome-keyring and all is good (but I need to use the mini-buffer, since
I use this machine mostly remotely).]

I chased the error down to the function "epg-sign-string" in epg.el, but
my ELisp is very rusty and I'm not making much progress in debugging the
issue. I guess at some point epg.el is calling pinentry, but I don't know
how to efficiently debug this.

Any pointers/advice much appreciated.

Cheers,
-- 
Ángel de Vicente                 -- (GPG: 0x64D9FDAE7CD5E939)
 Research Software Engineer (Supercomputing and BigData)
 Instituto de Astrofísica de Canarias (https://www.iac.es/en)


* Re: Signing a message with S/MIME in Gnus?
  2022-11-03 15:28         ` Angel de Vicente
@ 2022-11-03 17:52           ` GH
  2022-11-03 18:32             ` Angel de Vicente
  2022-11-04 18:11           ` Angel de Vicente
  1 sibling, 1 reply; 11+ messages in thread
From: GH @ 2022-11-03 17:52 UTC (permalink / raw)
  To: Angel de Vicente; +Cc: info-gnus-english

Angel de Vicente <angel.vicente.garrido@gmail.com> writes:

> It is very weird, maybe a bug, because I have set epg-pinentry-mode to
> loopback, which is supposed to use the Emacs minibuffer to ask for the
> passphrase of private keys. This works perfectly for PGP but it throws
> an error for SMIME "Signing failed (unknown reason)". [If I set
> epg-pinentry-mode to 'nil, then I am asked for the passphrase by
> gnome-keyring and all is good (but I need to use the mini-buffer,
> since I use this machine mostly remotely).]

> I chased the error down to the function "epg-sign-string" in epg.el,
> but my ELisp is very rusty and not making much progress in debugging
> the issue. I guess at some point epg.el is calling pinentry, but don't
> know how to efficiently debug this.

revert changes in epg.el and try it:

In your emacs conf:

(setq epg-pinentry-mode 'loopback)


in ~/.gnupg/gpg.conf

use-agent
pinentry-mode loopback


in ~/.gnupg/gpg-agent.conf

allow-emacs-pinentry
allow-loopback-pinentry


* Re: Signing a message with S/MIME in Gnus?
  2022-11-03 17:52           ` GH
@ 2022-11-03 18:32             ` Angel de Vicente
  0 siblings, 0 replies; 11+ messages in thread
From: Angel de Vicente @ 2022-11-03 18:32 UTC (permalink / raw)
  To: info-gnus-english

Hello,

GH <project@gnuhacker.org> writes:
> revert changes in epg.el and try it:

[...]

thanks, but exactly the same problem.

-- 
Ángel de Vicente                 -- (GPG: 0x64D9FDAE7CD5E939)
 Research Software Engineer (Supercomputing and BigData)
 Instituto de Astrofísica de Canarias (https://www.iac.es/en)


* Re: Signing a message with S/MIME in Gnus?
  2022-11-03  7:21       ` Angel de Vicente
  2022-11-03 15:28         ` Angel de Vicente
@ 2022-11-03 18:55         ` Jens Lechtenboerger
  2022-11-03 19:25           ` Emanuel Berg
  1 sibling, 1 reply; 11+ messages in thread
From: Jens Lechtenboerger @ 2022-11-03 18:55 UTC (permalink / raw)
  To: Angel de Vicente; +Cc: info-gnus-english

On 2022-11-03, at 07:21, Angel de Vicente wrote:

> So, I was actually thinking of going for the second option: use SMIME
> when I send from the address in the certificate, and use PGP when
> sending from this gmail address. But now I need to figure out how to
> tell Gnus to do that. Right now I have the following, which makes sure
> that by default I will be always signing with SMIME. Do you know if
> there is an easy way to set these depending on the "From" address?
>
> ,----
> | (add-hook 'gnus-message-setup-hook 'mml-secure-message-sign-smime)
> | (setq mml-secure-method "smime")
> `----

This might be possible with Posting Styles if your e-mails with
different senders are in different groups.  See variable
gnus-posting-styles and the info page to which it points.  To me,
the following part seems promising.  Note that the body string could
be a function call that produces a secure tag.
 
             ((posting-from-work-p) ;; A user defined function
              (signature-file "~/.work-signature")
              (address "user@bar.foo")
              (body "You are fired.\n\nSincerely, your boss.")
              ("X-Message-SMTP-Method" "smtp smtp.example.org 587")
              (organization "Important Work, Inc"))

Best wishes
Jens
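An added example (not code from the thread or from Gnus itself) of the per-sender choice asked about above, done in gnus-message-setup-hook instead of posting styles so it also works when both senders live in the same group. The address is a placeholder, and it assumes the From header is already in the buffer when the hook runs (Gnus applies posting styles before running gnus-message-setup-hook).

```elisp
;; Added example: choose S/MIME or OpenPGP signing from the From address.
;; Not code from the thread or from Gnus; the address below is a placeholder.

;; Let gpgsm / gpg pick the key whose e-mail matches the From header, so the
;; signer identity always agrees with the sender (Jens's point above).
(setq mml-secure-smime-sign-with-sender t
      mml-secure-openpgp-sign-with-sender t)

;; Assumed placeholder: the address contained in the S/MIME certificate.
(defvar my/smime-address "user@work.example"
  "Sender address for which an S/MIME certificate exists.")

(defun my/sign-by-sender ()
  "Insert a sign tag matching the From address of the message being composed.
S/MIME when From contains `my/smime-address', PGP/MIME otherwise.  Assumes
the From header is already present, which holds in `gnus-message-setup-hook'
because Gnus applies posting styles before running it."
  (let ((from (save-restriction
                (message-narrow-to-headers)
                (message-fetch-field "From"))))
    (when from
      (if (string-match-p (regexp-quote my/smime-address) from)
          (mml-secure-message-sign-smime)
        (mml-secure-message-sign-pgpmime)))))

;; Replaces the unconditional mml-secure-message-sign-smime hook from the
;; earlier message in this thread.
(add-hook 'gnus-message-setup-hook #'my/sign-by-sender)
```

Leave mml-secure-method as it was: it only sets the default for the generic mml-secure-message-sign command, while the two functions called here name their method explicitly.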


* Re: Signing a message with S/MIME in Gnus?
  2022-11-03 18:55         ` Jens Lechtenboerger
@ 2022-11-03 19:25           ` Emanuel Berg
  0 siblings, 0 replies; 11+ messages in thread
From: Emanuel Berg @ 2022-11-03 19:25 UTC (permalink / raw)
  To: info-gnus-english

Jens Lechtenboerger wrote:

> ((posting-from-work-p) ;; A user defined function
>  (signature-file "~/.work-signature")
>  (address "user@bar.foo")
>  (body "You are fired.\n\nSincerely, your boss.")
>  ("X-Message-SMTP-Method" "smtp smtp.example.org 587")
>  (organization "Important Work, Inc"))

Sincerely, your boss :)

-- 
underground experts united
https://dataswamp.org/~incal



* Re: Signing a message with S/MIME in Gnus?
  2022-11-03 15:28         ` Angel de Vicente
  2022-11-03 17:52           ` GH
@ 2022-11-04 18:11           ` Angel de Vicente
  1 sibling, 0 replies; 11+ messages in thread
From: Angel de Vicente @ 2022-11-04 18:11 UTC (permalink / raw)
  To: info-gnus-english

Hello,

by setting epg-debug to t I found that most of the moves are OK, but
that the error comes from not being able to get the passphrase:

the " *gpg-error*" buffer comes with:
,----
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: CRLs not checked due to --disable-crl-checks option
| gpgsm: DBG: adding certificates at level -2
| gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
| gpgsm: error creating signature: No passphrase given <GPG Agent>
`----

while the gpg-agent.log tells me:
,----
| DBG: chan_9 -> OK Pleased to meet you, process 3382246
| DBG: chan_9 <- RESET
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION ttytype=dumb
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION display=:0.0
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION xauthority=/home/angelv/.Xauthority
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=XDG_SESSION_TYPE=x11
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=INSIDE_EMACS=28.2,epg
| DBG: chan_9 -> OK
| DBG: chan_9 <- GETINFO version
| DBG: chan_9 -> D 2.2.40
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION allow-pinentry-notify
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION pinentry-mode=loopback
| DBG: chan_9 -> OK
| DBG: chan_9 <- HAVEKEY FC155E4BAF3DA44364C84711DA0B7137EA89D084
| DBG: chan_9 -> OK
| DBG: chan_9 <- ISTRUSTED D1EB23A46D17D68FD92564C2F1F1601764D8E349
| DBG: chan_9 -> S TRUSTLISTFLAG relax
| DBG: chan_9 -> OK
| DBG: chan_9 <- RESET
| DBG: chan_9 -> OK
| DBG: chan_9 <- SIGKEY FC155E4BAF3DA44364C84711DA0B7137EA89D084
| DBG: chan_9 -> OK
| DBG: chan_9 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+secret+key+for+the+X.509+certificate:%0A%22/CN=Angel+M+de+Vicente/O=Instituto+de+Astrofisica+de+Canarias/STREET=Calle+Vía+Láctea,+s\x2fn/ST=Santa+Cruz+de+Tenerife/C=ES%22%0AS/N+00B4307E9B17A8814A2B5CAE68E09B520E,+ID+0x74A5504B,%0Acreated+2022-10-31,+expires+2024-10-30.%0A
| DBG: chan_9 -> OK
| DBG: chan_9 <- SETHASH 9 96D6D02821BA0498546EF7BD466B9712FD1C8126AD583F895CD8DDA26DD07B7BBFD74F8A5A6E3087C0893C7BBDD78CCB
| DBG: chan_9 -> OK
| DBG: chan_9 <- PKSIGN
| DBG: agent_get_cache 'FC155E4BAF3DA44364C84711DA0B7137EA89D084'.0 (mode 2) ...
| DBG: ... miss
| DBG: agent_get_cache '6F4B59E5A9FBC6FB684CB55FDBB7CC30EEE197E3'.0 (mode 2) (stored cache key) ...
| DBG: ... miss
| DBG: chan_9 -> S INQUIRE_MAXLEN 255
| DBG: chan_9 -> [[Confidential data not shown]]
| DBG: chan_9 <- [[Confidential data not shown]]
| failed to unprotect the secret key: No passphrase given
| failed to read the secret key
| command 'PKSIGN' failed: No passphrase given
| DBG: chan_9 -> ERR 67109041 No passphrase given <GPG Agent>
| DBG: chan_9 <- [eof]
`----

I have removed gnome-keyring and seahorse in my system (in case there
was a conflict with them). 

Any ideas as to what might cause this?

Cheers,
-- 
Ángel de Vicente                 -- (GPG: 0x64D9FDAE7CD5E939)
 Research Software Engineer (Supercomputing and BigData)
 Instituto de Astrofísica de Canarias (https://www.iac.es/en)


