gpgsm --verify

Stefan Claas stefan.claas at
Tue May 1 10:55:52 CEST 2018

Am 23.04.18 um 08:50 schrieb Stefan Claas:
> Am 23.04.18 um 08:36 schrieb Werner Koch:
>> On Sun, 22 Apr 2018 20:26, stefan.claas at said:
>>> i was wondering when receiving an S/MIME
>>> message created with Thunderbird, how do
>>> i properly verify the message with gpgsm?
>> You need to de-compose the S/MIME message to get the CMS objects.
>> Despit ethe name, gpgsm does not known about S/MIME (or MIME at all) and
>> thus can't parse it.  That is actually the same as with PGP/MIME which
>> can't be handled directly by gpg [1].
>> In gnupg/tools/ you can find a basic MIME parser but it is not well
>> documented and only used for manual testing.
> Thank you very much for the information!
> I will check out the MIME parser.

Just for the record...

I was not able to successfully compile the parser and did
therefore the following:

I saved in Thunderbird my original message from this thread.
Edited out the additional headers the list server has added,
so that the saved message looks like this:


Sender: "Gnupg-users" <gnupg-users-bounces at>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; 
micalg=sha-256; boundary="------------ms070707040603000709040508"

This is a cryptographically signed message in MIME format.

Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Language: de-DE

Hi all,

i was wondering when receiving an S/MIME
message created with Thunderbird, how do
i properly verify the message with gpgsm?

As an example i sign now this message
and would appreciate any tips!

P.S. when i do a verify on a Thunderbird
S/MIME message i always get:

gpgsm: enabled debug flags: ipc
gpgsm: ksba_cms_parse failed: Dateiende
secmem usage: 0/16384 bytes in 0 blocks

Best regards

Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature




and for de-composing the message i used openssl, so that i had the
content ready to be verified by gpgsm. IMHO not the smartest way,
i assume, but for me as a Mac dummie it works.

openssl cms -verify -in original.eml > message.txt && \
openssl cms -cmsout -in original.eml | \
sed "1,4d" | base64 -d > file.sig && \
gpgsm --verify file.sig message.txt


More information about the Gnupg-users mailing list