
Re: What should go into 1.5.7?



Thanks for helping, Werner. However, I still have problems. Should I take this
to a gpg specific mailing list? gnupg-devel or gpa-dev?

On Mon, Feb 14, 2005 at 10:58:01AM +0100, Werner Koch wrote:
> On Fri, 11 Feb 2005 21:01:27 +0100, Christoph Ludwig said:
> >  * I have a mail with valid S/MIME signature in my INBOX. When I open mutt
> >    prints in the status line `S/MIME signature successfully verified.' But
> >    in the viewer I read:
> 
> >      [-- Begin signature information --]
> >      Error checking signature
> >      [-- End signature information --]
> 
> >    How can I find out where this spurious error message comes from?
> 
> There are several reasons for such an error.  To get detailed error
> messages, you should enable logging.
[...]
> My guess is that dirmngr has not been configured properly.  Use
> disable-crl-checks in gpgsm.conf to ignore dirmngr.

If I instruct gpgsm to ignore CRLs then I get senseful signature information,
all right. But I still have one Email where mutt shows me contradicting
information:

The signature information shows '*BAD* signature claimed to be from:
[...]'. IIUC the corresponding root CA has no validity dates whence gpgsm
rejects the certificate and - in consequence - the signature. (That behaviour
is ok IMHO but I'd prefer if the signature information would tell me the
reason of the rejection.) However, in mutt's status line I read 'S/MIME
signature successfully verified'. That's confusing!



I don't want to leave the CRL checks disabled whence I need to figure out the
problem with dirmngr. The only information I find in the log when verifying a
good signature corresponding to a non revoked cert is

  8 - 2005-02-14 14:46:54 dirmngr[10289]:    dauerhaft geladene Zertifikate: 0
  8 - 2005-02-14 14:46:54 dirmngr[10289]: zur Laufzeit geladene Zertifikate: 0
  8 - 2005-02-14 14:46:54 dirmngr[10289]: Es ist keine CRL für den Issuer mit der ID 9AAC079CF1956E926AE3E0D76647F317B856BCC2 vorhanden
  8 - 2005-02-14 14:46:54 dirmngr[10289]: LDAP Wrapper 10290 gestartet
  8 - 2005-02-14 14:46:54 dirmngr[10289]: crl_fetch über den DP fehlgeschlagen: No data

The certificates contain the CRL's distribution point whence dirmngr should be
able to contact the ldap server. Anyway, I tried to enter the distribution
point in dirmngr_ldapservers.conf but to no avail. I added `verbose' to
dirmngr.conf but the log did not change.

Must the distribution point in the certificate be given in any particular
format? (I am going to sign this message so anyone interested can have a look
at the URI.) Or how can I find out *why* the ldap lookup failed?


Finally, I got a new key / certificate pair. I imported that pair with 
`gpgsm --import'. Now I have two files in ~/.gnupg/private-keys-v1.d and in
mutt I can choose between the two certificates when signing a message. If I
sign messages with the old key then everything is fine. But if
I try to actually sign a message with the new key then I get an error that the
secret key file was not found. The log does not show anything... :-(

Regards

Christoph

-- 
http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/cludwig.html
LiDIA: http://www.informatik.tu-darmstadt.de/TI/LiDIA/Welcome.html

Attachment: smime.p7s
Description: S/MIME cryptographic signature
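The dirmngr log excerpt above is the only evidence the poster has for why CRL checking fails, so the useful first step is to pull the structured facts out of it: which issuer key ID has no cached CRL, and what reason dirmngr gave when the distribution-point fetch failed. The following Python script is an added example for this thread, not code from mutt, GnuPG or the poster. It parses the dirmngr log line format shown in the mail and matches the German-locale message texts exactly as quoted there (an English-locale dirmngr prints different strings, which is an assumption this script does not cover); the sample log is constructed from the lines in the post, with the wrapped lines joined back together.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the dirmngr log lines quoted in the mail, German locale,
# with the two lines that were wrapped by the mail client joined back together.
SAMPLE_LOG = """\
  8 - 2005-02-14 14:46:54 dirmngr[10289]:    dauerhaft geladene Zertifikate: 0
  8 - 2005-02-14 14:46:54 dirmngr[10289]: zur Laufzeit geladene Zertifikate: 0
  8 - 2005-02-14 14:46:54 dirmngr[10289]: Es ist keine CRL für den Issuer mit der ID 9AAC079CF1956E926AE3E0D76647F317B856BCC2 vorhanden
  8 - 2005-02-14 14:46:54 dirmngr[10289]: LDAP Wrapper 10290 gestartet
  8 - 2005-02-14 14:46:54 dirmngr[10289]: crl_fetch über den DP fehlgeschlagen: No data
"""

# One dirmngr log line as shown in the post: "<level> - <timestamp> dirmngr[<pid>]: <message>"
LINE_RE = re.compile(
    r"^\s*(?P<level>\d+)\s+-\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"dirmngr\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)

# Message patterns for the German locale quoted in the mail (assumption: these
# are the only wordings handled; other locales would need their own patterns).
NO_CRL_RE = re.compile(r"keine CRL für den Issuer mit der ID (?P<issuer>[0-9A-F]{40}) vorhanden")
FETCH_FAIL_RE = re.compile(r"crl_fetch über den DP fehlgeschlagen:\s*(?P<reason>.+)$")
LOADED_RE = re.compile(r"(dauerhaft|zur Laufzeit) geladene Zertifikate:\s*(?P<n>\d+)")


@dataclass
class CrlDiagnosis:
    missing_crl_issuers: list = field(default_factory=list)  # issuer key IDs with no cached CRL
    fetch_failures: list = field(default_factory=list)       # reasons given for failed DP fetches
    loaded_certs: int = 0                                     # certificates dirmngr reported as loaded
    unparsed: list = field(default_factory=list)              # lines not in the expected format

    @property
    def verdict(self) -> str:
        """One-line summary a mail user can act on."""
        if self.missing_crl_issuers and self.fetch_failures:
            return "no CRL cached and distribution-point fetch failed"
        if self.missing_crl_issuers:
            return "no CRL cached for issuer"
        return "no CRL problem seen"


def diagnose(log_text: str) -> CrlDiagnosis:
    """Walk the log once and collect the CRL-related facts it contains."""
    diag = CrlDiagnosis()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            diag.unparsed.append(raw)  # keep it visible rather than silently dropping it
            continue
        msg = m.group("msg")
        no_crl = NO_CRL_RE.search(msg)
        if no_crl:
            diag.missing_crl_issuers.append(no_crl.group("issuer"))
            continue
        fail = FETCH_FAIL_RE.search(msg)
        if fail:
            diag.fetch_failures.append(fail.group("reason").strip())
            continue
        loaded = LOADED_RE.search(msg)
        if loaded:
            diag.loaded_certs += int(loaded.group("n"))
    return diag


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG)
    print(d.verdict)
    for issuer in d.missing_crl_issuers:
        print("issuer without cached CRL:", issuer)
    for reason in d.fetch_failures:
        print("distribution-point fetch failed:", reason)
    if d.unparsed:
        print("unparsed lines:", len(d.unparsed))
```

Run against a real dirmngr log file, the same `diagnose()` call tells you whether the problem is an empty CRL cache, a failed fetch from the distribution point, or neither, before you decide whether `disable-crl-checks` is an acceptable workaround or whether the LDAP configuration needs fixing first. Lines that do not match the expected format are collected rather than discarded, so a locale or version change in dirmngr's output shows up as a pile of unparsed lines instead of a silent "no CRL problem seen".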