[Users] Note on secret key selection when configuring claws-mail with GPGSM

Hagen Riedel hagen_riedel at gmx.de
Fri Apr 1 13:15:33 CEST 2016


I am using Claws Mail Version 3.11.1 with Debian GNU/Linux 8. My S/MIME
certificate is provided by German DFN Public Key Infrastructure.

As gpgsm contains two secret keys (there is an expired one) I have to
select a default secret key to be used to sign or encrypt mails. The
expired certificate is not automatically excluded with the default
option "Use default GnuPG key" for PGP/Core Plugin found at Claws Mail
Account preferences Plugins > GPG > Sign key (without an default-key
specification at .gnupg/gpgsm.conf). A message "cannot sign,
certificate expired (101)" is displayed (see screenshots attached). When
I select the option "Select key by your email address" an error dialog
"Signature failed. Secret key specification is ambiguous" appears.

So I ran `gpgsm --list-secret-keys` and copied the line ID (see 'HOW TO
SPECIFY A USER ID' at gpgsm manpage) to the field "User or key ID" at
Account preferences mentioned above. This resulted in the message
"Secret key not found (End of file)". `gpgsm --list-secret-keys` shows
for my DFN-PKI mail certificate "ID: 0xFFFFFFFFXXXXXX92". Meanwhile I
suppose this information is erroneous. However, initially I was in
doubt how to specify the certificate at claws-mail frontend.

There is no restart required for Claws Mail to apply changes to this
plugin setting but you cannot edit accounts when composing windows are
open. So I would recommend to use the selection "Use default GnuPG key"
and experiment with the gpgsm option '--default-key'. The behaviour is
the same and changes to default config file ~/.gnupg/gpgsm.conf come
into effect immediatly. Hash character can be used to comment lines.
Manpages introduces gpgsm.conf like this:
> It may contain any valid long option; the leading two dashes may not
> be entered and the option may not be abbreviated.

Testing revealed (I applied some masking by X character):

# Fingerprint is OK.
#default-key XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:X:EE:92

# Long key ID showed upon `gpgsm --list-secret-keys --with-colons`
# is OK.
#default-key 10BEC068XXXXXX92

# 8 trailing characters of long key ID
# is OK (with or without leading '0x').
# This is probably what `gpgsm --list-secret-keys` should correctly
# display.
#default-key 0xXXXXXX92
#default-key XXXXXX92

# ID listed with `gpgsm --list-secret-keys` yields an error
# ERROR S/MIME: Cannot sign, General error (1)
#default-key FFFFFFFFXXXXXX92
#default-key 0xFFFFFFFFXXXXXX92

Specifying user ID by exact match on serial number and issuer's DN did
not succeed. Please note, that the use of key Ids is just a shortcut,
for all automated processing the fingerprint should be used.

I hope this guide can help users to debug similar errors in
configuration.

Regards,
Hagen


user at host:~$ claws-mail --version
Claws Mail version 3.11.1
user at host:~$ dpkg-query --show claws-mail claws-mail-smime-plugin
claws-mail-pgpmime claws-mail	3.11.1-3+deb8u1
claws-mail-pgpmime	3.11.1-3+deb8u1
claws-mail-smime-plugin	3.11.1-3+deb8u1
user at host:~$ uname -a
Linux host 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u2
(2016-01-02) x86_64 GNU/Linux



-- 
hagen_riedel at gmx.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2016-04-01_Certificate-expired.png
Type: image/png
Size: 13427 bytes
Desc: not available
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20160401/149097b8/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2016-04-01_Secret-key-not-found.png
Type: image/png
Size: 15266 bytes
Desc: not available
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20160401/149097b8/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2016-04-01_Specify-key-manually.png
Type: image/png
Size: 45936 bytes
Desc: not available
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20160401/149097b8/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2016-04-01_Secret-key-specification-is-ambiguous.png
Type: image/png
Size: 15641 bytes
Desc: not available
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20160401/149097b8/attachment-0003.png>


More information about the Users mailing list