CRL server error with gpgsm
Marvin Gülker
m-guelker at phoenixmail.de
Sun Apr 29 22:27:42 CEST 2018
Hi everyone,

I'm trying to set up S/MIME signing with mutt using gpgsm on Debian
Stable (Stretch). I've successfully imported the PKCS#12
certificate/private key bundle into gpgsm, but it won't let me sign
anything. It fails with an error message as shown below:

$ gpgsm --output sign.bin --sign test.txt
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1EF41DD8EB16AE2D8B50B8E3/CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE
gpgsm: checking the CRL failed: Server indicated a failure
gpgsm: error creating signature: Server indicated a failure <Dirmngr>

The certificate is valid and not revoked. I can perfectly sign with
this certificate using gpgsm under Gentoo Linux using the exact same
command with the same certificate. When I expressly pass the
--disable-crl-checks option, it also works:

$ gpgsm --output sign.bin --disable-crl-checks --sign test.txt
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: DBG: adding certificates at level -2
gpgsm: signature created

The certificate chain is completely available as evidenced by $ gpgsm
--list-chain, so that shouldn't be the problem.

Any idea how I should approach this error? Is it a bug, as it doesn't
happen on Gentoo?

gpgsm version I use on the Debian system:

$ gpgsm --version
gpgsm (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
libksba 1.3.5-unknown
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/quintus/.gnupg
Supported algorithms:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECC
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL

gpgsm version on the Gentoo system:

$ gpgsm --version
gpgsm (GnuPG) 2.2.4
libgcrypt 1.8.1
libksba 1.3.5
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/quintus/.gnupg
Unterstützte Verfahren:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECC
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL

Marvin
--
Blog: https://mg.guelker.eu
PGP/GPG ID: F1D8799FBCC8BC4F