gpgsm and Kmail and X509 certificates
Graeme Nichols
gnichols at tpg.com.au
Thu Sep 20 02:49:36 CEST 2007
Hello Werner,
Werner Koch wrote:
> On Wed, 19 Sep 2007 07:56, gnichols at tpg.com.au said:
>
>> When configuring Kmail I click on Settings --> Configure Kmail then
>> Security and I am presented with 5 tabs, two of which are Crypto
>> Backends and S/MIME Validation. What do I put into these fields? The
>> Crypto Backends --> Configure fields and the S/MIME Validation fields?
>
> The defaults should be fine for now.
OK. Good.
>
>> trouble... I cannot enter my certificates into these fields. If I click
>> on 'change' I get an error 'An error occurred while fetching the keys
>> from the backend: General Error' and 'No backends found for listing
>> keys. Check your installation.'
>
> On the command line enter
>
> gpgsm -K
Output is:
[graeme at barney ~]$ gpgsm -K
/home/graeme/.gnupg/pubring.kbx
-------------------------------
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$
>
> this should show you your own certificates
It didn't as you can see.
>
> gpgsm -k
Output follows:
[graeme at barney ~]$ gpgsm -k
/home/graeme/.gnupg/pubring.kbx
-------------------------------
Serial number: 00
Issuer: /CN=CA Cert Signing
Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support at cacert.org
Subject: /CN=CA Cert Signing
Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support at cacert.org
validity: 2003-03-30 12:29:49 through 2033-03-29 12:29:49
key type: 4096 bit RSA
chain length: unlimited
fingerprint: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
Serial number: 32D18D
Issuer: /CN=6R-Ca
1:PN/NameDistinguisher=1/O=Regulierungsbeh?orde f?ur Telekommunikation
und Post/C=DE
Subject: /CN=6R-Ca
1:PN/NameDistinguisher=1/O=Regulierungsbeh?orde f?ur Telekommunikation
und Post/C=DE
validity: 2001-02-01 09:52:17 through 2005-06-01 09:52:17
key type: 1024 bit RSA
key usage: certSign crlSign
fingerprint: EA:8D:99:DD:36:AA:2D:07:1A:3C:7B:69:00:9E:51:B9:4A:2E:E7:60
Serial number: 2A
Issuer: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE
Subject: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE
validity: 2005-08-03 15:30:36 through 2007-12-31 15:09:23
key type: 1024 bit RSA
key usage: certSign
policies: 1.3.36.8.1.1:N:
chain length: unlimited
fingerprint: 31:C9:D2:E6:31:4D:0B:CC:2C:1A:45:00:A6:6B:97:98:27:18:8E:CD
Serial number: 02
Issuer: /CN=9R-CA 1:PN/O=Regulierungsbeh?rde f?r
Telekommunikation und Post/C=DE
Subject: /CN=9R-CA 1:PN/O=Regulierungsbeh?rde f?r
Telekommunikation und Post/C=DE
validity: 2004-11-25 14:59:11 through 2007-12-31 14:56:59
key type: 1024 bit RSA
key usage: certSign
policies: 1.3.36.8.1.1:N:
chain length: unlimited
fingerprint: 75:9A:4A:CE:7C:DA:7E:89:1B:B2:72:4B:E3:76:EA:47:3A:96:97:24
Serial number: 2D
Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
Subject: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
validity: 2005-08-03 18:09:49 through 2007-12-31 18:04:28
key type: 1024 bit RSA
key usage: certSign
policies: 1.3.36.8.1.1:N:
chain length: unlimited
fingerprint: A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D
Serial number: 01
Issuer: /CN=8R-CA 1:PN/O=Regulierungsbeh?rde f?r
Telekommunikation und Post/C=DE
Subject: /CN=8R-CA 1:PN/O=Regulierungsbeh?rde f?r
Telekommunikation und Post/C=DE
validity: 2004-11-25 14:10:37 through 2007-12-31 14:04:03
key type: 1024 bit RSA
key usage: certSign
policies: 1.3.36.8.1.1:N:
chain length: unlimited
fingerprint: 42:6A:F6:78:30:E9:CE:24:5B:EF:41:A2:C1:A8:51:DA:C5:0A:6D:F5
Serial number: 00C48C8D
Issuer: /CN=7R-CA
1:PN/NameDistinguisher=1/O=Regulierungsbeh?orde f?ur Telekommunikation
und Post/C=DE
Subject: /CN=7R-CA
1:PN/NameDistinguisher=1/O=Regulierungsbeh?orde f?ur Telekommunikation
und Post/C=DE
validity: 2001-10-15 11:15:15 through 2006-02-15 11:15:15
key type: 1024 bit RSA
key usage: certSign crlSign
fingerprint: DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B
Serial number: 00B95F
Issuer: /CN=D-TRUST Qualified Root CA 1 2006:PN/O=D-Trust GmbH/C=DE
Subject: /CN=D-TRUST Qualified Root CA 1 2006:PN/O=D-Trust GmbH/C=DE
aka: info at d-trust.net
aka: (uri http://www.d-trust.net)
validity: 2006-04-27 12:40:54 through 2011-04-27 12:40:54
key type: 2048 bit RSA
key usage: certSign crlSign
policies: 1.3.6.1.4.1.4788.2.30.1:N:
chain length: unlimited
fingerprint: E0:BF:1B:91:91:6B:88:E4:F1:15:92:22:CE:37:23:96:B1:4A:2E:5C
Serial number: 00B960
Issuer: /CN=D-TRUST Qualified Root CA 2 2006:PN/O=D-Trust GmbH/C=DE
Subject: /CN=D-TRUST Qualified Root CA 2 2006:PN/O=D-Trust GmbH/C=DE
aka: info at d-trust.net
aka: (uri http://www.d-trust.net)
validity: 2006-04-27 12:40:54 through 2011-04-27 12:40:54
key type: 2048 bit RSA
key usage: certSign crlSign
policies: 1.3.6.1.4.1.4788.2.30.1:N:
chain length: unlimited
fingerprint: 98:2A:75:67:0F:F8:28:4A:94:E0:9D:23:D8:E7:62:C8:BD:A4:54:04
Serial number: 00DF749F80AA51F0EDC0CB1FC183E97EE2
Issuer: /CN=S-TRUST Qualified Root CA 2006-001:PN/O=Deutscher
Sparkassen Verlag GmbH/L=Stuttgart/ST=Baden-Wuerttemberg (BW)/C=DE
Subject: /CN=S-TRUST Qualified Root CA 2006-001:PN/O=Deutscher
Sparkassen Verlag GmbH/L=Stuttgart/ST=Baden-Wuerttemberg (BW)/C=DE
validity: 2006-01-01 00:00:00 through 2010-12-30 23:59:59
key type: 2048 bit RSA
key usage: certSign crlSign
chain length: 1
fingerprint: 7D:DC:76:1C:FD:AF:4C:E0:3A:B5:3A:DD:C9:FA:13:35:19:A3:DE:C9
Serial number: 03FCBA
Issuer: /CN=CA Cert Signing
Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support at cacert.org
Subject: /CN=CAcert WoT User/EMail=gnichols at tpg.com.au
aka: gnichols at tpg.com.au
validity: 2007-09-02 03:15:25 through 2008-02-29 03:15:25
key type: 2048 bit RSA
ext key usage: emailProtection (suggested), clientAuth (suggested),
1.3.6.1.4.1.311.10.3.4 (suggested), serverGatedCrypto.ms (suggested),
serverGatedCrypto.ns (suggested)
fingerprint: 2D:0D:02:D5:2E:0F:D9:C7:31:48:C8:A2:63:13:6F:AD:C7:21:27:34
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$
>
> shows all certificates. Are there any error messages?
No. My certificate is the last one. All the others were already there.
>
>> have successfully imported my X509 certificate into gpgsm and it is
>> listed when executing gpgsm --list-keys.
>
> -k is an alias for --list-keys. However you need to use -K (or
> --list-secret-keys)
>
>> Another error I get if I try and send a signed email from Kmail is:
>> 'Signing failed. Bad passphrase' I don't really understand this one as
>> it used to work before I upgraded to F7 from F6.
>
> Is the gpg-agent running and a pinentry installed? Check on the command
> line with
>
> gpgsm --passwd <your-user-id>
Output follows:
[graeme at barney ~]$ gpgsm --passwd gnichols at tpg.com.au
gpgsm: DBG: connection to agent established
gpgsm: error changing passphrase: No such file or directory
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$
Looks like gpg-agent is running but no pinentry. Is that correct?
Pinentry-0.7.2-14.fc7 is installed. I have looked through the pinentry
--help output but I don't really know what it is I have to do/set/enter
or whatever. I'm pretty ignorant in this area. I have looked at the
website http://www.gnupg.org/aegypten/ but I am still confused.
What should I do now?
--
----------------------------------------------------------------------
Kind regards,
Graeme.
----------------------------------------------------------------------
Download my GnuPG public key from:-
http://www.users.tpg.com.au/gnichols/graemenichols.pub
----------------------------------------------------------------------
A would-be disciple came to Nasrudin's hut on the mountain-side.
Knowing that every action of such an enlightened one is significant, the
seeker watched the teacher closely. "Why do you blow on your hands?"
"To warm myself in the cold." Later, Nasrudin poured bowls of hot soup
for himself and the newcomer, and blew on his own. "Why are you doing
that, Master?" "To cool the soup." Unable to trust a man who uses the
same process to arrive at two different results -- hot and cold -- the
disciple departed.
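
Added example, not part of the original message: in the listings above, `gpgsm -k` shows the CAcert user certificate while `gpgsm -K` shows no records at all. The shell function below runs that comparison on saved listings and reports, for a given user id, whether each matching certificate also appears in the secret-key listing; the function names, file names, sample listings and the address user@example.org are constructed for illustration.

```shell
# Added example. Assumes the listing layout shown in this message; other
# gpgsm versions may label the fields differently.
# cert_key_status PUBLIC_LISTING SECRET_LISTING USER_ID: for each certificate
# whose Subject or aka line contains USER_ID, print its fingerprint and
# "has-secret-key" or "certificate-only".
cert_key_status() {
    awk -v uid="$3" '
        FILENAME == ARGV[1] {            # secret listing: collect fingerprints
            if ($1 == "fingerprint:") secret[$2] = 1
            next
        }
        $1 == "Subject:" || $1 == "aka:" {
            if (index($0, uid) > 0) mine = 1
        }
        $1 == "fingerprint:" {           # last line of each record
            if (mine) print $2, (($2 in secret) ? "has-secret-key" : "certificate-only")
            mine = 0
        }
    ' "$2" "$1"
}

# Constructed sample listings (not real certificates or fingerprints).
write_samples() {
    cat > "$1/public.txt" <<'EOF'
/home/user/.gnupg/pubring.kbx
-------------------------------
Serial number: 00
       Issuer: /CN=Example Root CA/O=Example
      Subject: /CN=Example Root CA/O=Example
  fingerprint: 11:11:11:11
Serial number: 03
       Issuer: /CN=Example Root CA/O=Example
      Subject: /CN=Example User/EMail=user@example.org
          aka: user@example.org
  fingerprint: 22:22:22:22
EOF
    # secret_empty: header only, as -K printed here; secret_ok: key present.
    sed -n '1,2p' "$1/public.txt" > "$1/secret_empty.txt"
    sed -n '1,2p;7,$p' "$1/public.txt" > "$1/secret_ok.txt"
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    cert_key_status "$d/public.txt" "$d/secret_empty.txt" user@example.org
    cert_key_status "$d/public.txt" "$d/secret_ok.txt" user@example.org
    rm -rf "$d"
}
demo
```

On a live system the two input files would come from `gpgsm -k > public.txt` and `gpgsm -K > secret.txt`; a "certificate-only" result means the keyring holds the certificate but no matching private key.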