Thanks for helping, Werner. However, I still have problems. Should I take this to a gpg specific mailing list? gnupg-devel or gpa-dev? On Mon, Feb 14, 2005 at 10:58:01AM +0100, Werner Koch wrote: > On Fri, 11 Feb 2005 21:01:27 +0100, Christoph Ludwig said: > > * I have a mail with valid S/MIME signature in my INBOX. When I open mutt > > prints in the status line `S/MINE signature successfully verified.' But > > in > > the viewer I read: > > > [-- Begin signature information --] > > Error checking signature > > [-- End signature information --] > > > How can I find out where this spurious error message comes from? > > There are several reason for such an error. To get detailed error > messages, you should enable logging. [...] > My guess is that dirmngr has not been configured properly. Use > disable-crl-checks in gpgsm.conf to ignore dirmngr. If I instruct gpgsm to ignore CRLs then I get senseful signature information, all right. But I still have one Email where mutt shows me contradicting information: The signature information shows '*BAD* signature claimed to be from: [...]'. IIUC the corresponding root CA has no validity dates whence gpgsm rejects the certificate and - in consequence - the signature. (That behaviour is ok IMHO but I'd prefer if the signature information would tell me the reason of the rejection.) However, in mutt's status line I read 'S/MIME signature successfully verified'. That's confusing! I don't want to leave the CRL checks disabled whence I need to figure out the problem with dirmngr. The only information I find in the log when verifying a good signature corresponding to a non revoked cert is 8 - 2005-02-14 14:46:54 dirmngr[10289]: dauerhaft geladene Zertifikate: 0 8 - 2005-02-14 14:46:54 dirmngr[10289]: zur Laufzeit geladene Zertifikate: 0 8 - 2005-02-14 14:46:54 dirmngr[10289]: Es ist keine CRL für den Issuer mit der ID 9AAC079CF1956E926AE3E0D76647F317B856BCC2 vorhanden 8 - 2005-02-14 14:46:54 dirmngr[10289]: LDAP Wrapper 10290 gestartet 8 - 2005-02-14 14:46:54 dirmngr[10289]: crl_fetch über den DP fehlgeschlagen: No data The certificates contain the CRL's distribution point whence dirmngr should be able to contact the ldap server. Anyway, I tried to enter the distribution point in dirmngr_ldapservers.conf but to no avail. I added `verbose' to dirmngr.conf but the log did not change. Must the distribution point in the certificate be given in any particular format? (I am going to sign this message so anyone interested can have a look at the URI.) Or how can I find out *why* the ldap lookup failed? Finally, I got a new key / certificate pair. I imported that pair with `gpgsm --import'. Now I have two files in ~/.gnupg/private-keys-v1.d and in mutt I can choose between the two certificates when signing a message. If I sign messages with the old key then everything is fine. But if I try to actually sign a message with the new key then I get an error that the secret key file was not found. The log does not show anything... :-( Regards Christoph -- http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/cludwig.html LiDIA: http://www.informatik.tu-darmstadt.de/TI/LiDIA/Welcome.html
Attachment:
smime.p7s
Description: S/MIME cryptographic signature