gpgsm unable to extract signers from a valid (?) signature

Albrecht Dreß albrecht.dress at posteo.de
Tue Oct 1 19:40:13 CEST 2024


Hi all,

I stumbled over a S/MIME signed message where gpgsm seems to be unable to extract the signers and to verify the signature.  Using the attached signature blob and a dummy “message” part, gpgsm says just

<snip>
$ gpgsm --debug-level basic --verify SIG.bin dummy.txt
gpgsm: enabled debug flags: ipc
gpgsm: enabled compatibility flags:
gpgsm: detached signature
secmem usage: 0/16384 bytes in 0 blocks
</snip>

instead of printing the signer's data (date, key id).  Higher debug levels don't provide more insight (to me, at least).  The command does import the certificates into the key ring, though (try “gpgsm --list-chain 0x3F239410”).  The effect is not reproducible with other RSA+SHA256 signatures.

OTOH, certtool *does* print the signature info

<snip>
$ certtool --p7-verify --inder --load-data dummy.txt < SIG.bin
Loaded system trust (141 CAs available)
eContent Type: 1.2.840.113549.1.7.1
Signers:
         Signer's issuer DN: CN=SwissSign RSA SMIME NCP ICA 2022 - 1,O=SwissSign AG,C=CH
         Signer's serial: 02dc760c692bf5e017f7dcdd4857ff674b7aa436
         Signing time: Fri Sep 27 15:44:21 UTC 2024
         Signature Algorithm: RSA-SHA256

         Signature status: verification failed: Public key signature verification has failed.
</snip>

and Thunderbird is also able to verify the message and to display the signature info.

I use gpgsm coming with Debian Bookworm

<snip>
$ gpgsm --version
gpgsm (GnuPG) 2.2.40
libgcrypt 1.10.1
libksba 1.6.3
</snip>

Is this a mis-configuration of my system, or a limitation of gpgsm (maybe a too old version)?

Thanks in advance,
Albrecht.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SIG.bin
Type: application/octet-stream
Size: 9837 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20241001/5d5617f5/attachment-0001.bin>