S/MIME howto

From Claws Mail FAQ
Revision as of 07:53, 23 October 2012

Claws Mail & S/MIME plugin howto

This howto describes configuring S/MIME for Claws Mail, which relies on GnuPG (gpgsm, gpg-agent and dirmngr) for all S/MIME operations. It is based on Gentoo Linux but should work on any other distribution once paths and package names are adjusted accordingly.

As of 16 November 2009 Thawte discontinued their free S/MIME certificates. Since parts of this howto were also somewhat out of date and much of it was based on Thawte, it was time for an update. A big difference from the previous howto is the use of certificate revocation lists (CRLs), which didn't work properly with Thawte before. I won't use OCSP support because of privacy issues; see man dirmngr.

Requirements

  1. a recent Claws Mail version; the latest available (v3.7.3 at the time of writing) is recommended, because many S/MIME fixes have been incorporated lately
  2. the most recent S/MIME plugin/package, or the "smime" USE flag on Gentoo
  3. an S/MIME certificate (e.g. free certificates for personal use from Comodo at http://www.instantssl.com)
  4. pinentry, gnupg, gpgme, dirmngr (for CRL support), ca-certificates (and openssl) in recent versions
  5. gpg-agent


It is important to note that gpgme >=1.1.8 does not work for me and always results in an error message, hence I have it masked here and use v1.1.6. See bug 2059: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2059
I've tested this howto with the following package versions:

# emerge -p pinentry gnupg gpgme ca-certificates dirmngr claws-mail
   [ebuild   R   ] app-crypt/pinentry-0.7.6  USE="gtk ncurses qt3 qt4 -caps -static" 464 kB
   [ebuild   R   ] app-misc/ca-certificates-20090709  151 kB
   [ebuild   R   ] app-crypt/dirmngr-1.0.3  USE="nls" 544 kB
   [ebuild   R   ] app-crypt/gnupg-2.0.13  USE="bzip2 ldap nls smartcard -adns -caps -doc -openct -pcsc-lite (-selinux) -static" 3,855 kB
   [ebuild   R   ] app-crypt/gpgme-1.1.6  USE="-pth" 1,061 kB
   [ebuild   R   ] mail-client/claws-mail-3.7.3  USE="bogofilter crypt dbus dillo gnome gnutls imap ipv6 kde ldap nntp session smime spamassassin ssl xface -doc -pda -spell -startup-notification" 0 kB

Configuring & running the GPG agent

Claws Mail (through gpgme and gpgsm) depends on a running gpg-agent for any S/MIME operation; the agent is also what caches the passphrase. gpg-agent in turn needs a pinentry program to prompt for the passphrase or PIN.


Configuration file: "$HOME/.gnupg/gpg-agent.conf" (adjust the paths accordingly)

pinentry-program /usr/bin/pinentry-qt
# Passphrases stay cached for 86400 seconds (24 hours): anyone who can use
# this session within that window can sign and decrypt without a prompt.
# Set both TTLs according to your needs. (Option files only treat lines that
# start with "#" as comments, so notes go on their own line.)
default-cache-ttl 86400
max-cache-ttl 86400
disable-scdaemon
write-env-file ~/.gnupg/.gpg-agent-info
# Lets a client ask (via a pinentry prompt) to add a root CA to
# trustlist.txt; see "Setting up the trust" below.
allow-mark-trusted
keep-display
display :0.0
debug-level basic


Running gpg-agent is quite trivial:

eval `gpg-agent --daemon`

As you can see, the output of gpg-agent is eval'ed: gpg-agent prints a shell snippet such as `GPG_AGENT_INFO=xxx; export GPG_AGENT_INFO` and the eval sets the variable in the current shell. This means that you have to run claws-mail from the same session, because it needs this environment variable to find the agent's socket. Check gpg-agent(1) for more details on the usual startup customs. (This applies to GnuPG 2.0: GnuPG 2.1 and later ignore GPG_AGENT_INFO, use a fixed socket below ~/.gnupg and start the agent on demand, so neither the eval nor the env file is needed there.)

KDE Users

KDE has a way to run scripts, and thus export environment variables, at session startup. Every application running in this session will get access to these variables. All you have to do is create a file in the directory ~/.kde/env/ (create the directory if it doesn't exist). I named it gpgagent.sh; the content of this shell script is quite trivial (don't forget to chmod +x):

#!/bin/sh
eval `gpg-agent --daemon`

Also create the directory ~/.kde/shutdown/ and place another shell script in it (e.g. again gpgagent.sh) with the following contents:

#!/bin/sh
# the second field of the GPG_AGENT_INFO variable is the
# process ID of the gpg-agent active in the current session
# so we'll just kill that, rather than all of them :)
[ -n "${GPG_AGENT_INFO}" ] && kill `echo "${GPG_AGENT_INFO}" | cut -d ':' -f 2`
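The startup script above spawns a fresh agent at every login even when the previous one is still running, and the env file that gpg-agent.conf asks for with write-env-file is never read. The following script is an added example, not part of the Claws Mail FAQ or of GnuPG: it sources that env file, checks that the recorded agent is actually alive (socket present, pid running) and starts a new one only if it is not. The env-file path is assumed to be the one set in gpg-agent.conf above; the GPG_AGENT_INFO layout (socket:pid:protocol) is the GnuPG 2.0 one, and GnuPG 2.1+ does not use this variable at all.

```shell
#!/bin/sh
# Added example, not from the Claws Mail FAQ: reuse the gpg-agent recorded by
# "write-env-file ~/.gnupg/.gpg-agent-info" and start a new one only when
# that agent is gone. Drop-in for ~/.kde/env/gpgagent.sh or ~/.xsession
# instead of an unconditional eval `gpg-agent --daemon`, which spawns a
# second agent on every login. Assumes GnuPG 2.0 semantics; GnuPG 2.1 and
# later ignore GPG_AGENT_INFO and start the agent on demand.

# Assumed to match the write-env-file setting in gpg-agent.conf.
AGENT_INFO_FILE="${AGENT_INFO_FILE:-$HOME/.gnupg/.gpg-agent-info}"

# GPG_AGENT_INFO is "<socket path>:<pid>:<protocol version>".
agent_info_socket() { printf '%s\n' "$1" | cut -d: -f1; }
agent_info_pid()    { printf '%s\n' "$1" | cut -d: -f2; }

# Return 0 only if the socket exists AND the pid is alive. A stale env file
# (after a crash or reboot) would otherwise leave every client failing with
# agent errors such as "Cannot sign: General error".
agent_alive() {
    sock=$(agent_info_socket "$1")
    pid=$(agent_info_pid "$1")
    [ -n "$sock" ] && [ -S "$sock" ] && [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

start_or_reuse_agent() {
    # gpg-agent writes the file in shell syntax (VAR=...; export VAR;),
    # so sourcing it sets GPG_AGENT_INFO for us.
    if [ -r "$AGENT_INFO_FILE" ]; then
        . "$AGENT_INFO_FILE"
    fi
    if ! agent_alive "${GPG_AGENT_INFO:-}"; then
        eval "$(gpg-agent --daemon)"
    fi
    export GPG_AGENT_INFO
}

# Usage from the session startup script (path of this file is hypothetical):
#   . "$HOME/bin/gpgagent-env.sh" && start_or_reuse_agent
```

The shutdown script from the howto still works unchanged, because it kills only the pid named in GPG_AGENT_INFO, which is exactly the agent this script exported.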


Optional

You can also use keychain, ~/.xsession startup, or any other method to start gpg-agent. Choose what you like; here are some howtos:
http://www.funtoo.org/en/security/keychain/intro/
http://www.gentoo-wiki.info/HOWTO_KMail_gpg-agent_kde#Setting_up_gpg-agent_with_keychain
http://www.claws-mail.org/faq/index.php/Plugins#How_do_I_configure_gpg-agent_and_the_PGP_plugin.3F
man gpg-agent, section DESCRIPTION


Importing S/MIME certificates into gpgsm

Regardless of whether you obtained your S/MIME certificate in Mozilla Firefox or another browser, you have to export (back up) it to a PKCS#12 (.p12) file somewhere on your disk. I'm using the filename "certbundle.p12" for this howto; you can call it what you wish (e.g. $emailaddress_$certdate.p12). Keep in mind that this file contains your private key, protected only by the export passphrase: keep it on an encrypted backup medium and remove it from the disk once the import below has succeeded.

Current versions of GnuPG support importing PKCS#12 files directly, so there is no need to use openssl anymore, as the previous howto described. (If it doesn't work for you, you can still view the old howto through the history and use openssl to extract and convert the keys.) Gpg-agent has to be properly set up and running by now.

$ gpgsm --import certbundle.p12


You will be asked in the pinentry popup for the passphrase of the backup file, and then to choose a new passphrase under which gpgsm stores the imported private key. This is the passphrase you have to enter every time you want to decrypt or sign emails (unless the agent still has it cached).

Now the issuer certificates (root CA and intermediate CAs) have to be added to gpgsm if they are not already there. The following command imports more than 100 CA certificates from the ca-certificates package; importing only the CAs in your own certificate's chain is the tighter choice. Note that importing a CA does not yet make it trusted: trust is granted separately in trustlist.txt (see "Setting up the trust" below).

$ gpgsm --import /usr/share/ca-certificates/mozilla/*

Check if your key has been added:

$ gpgsm --list-secret-keys


Configuring GnuPG S/MIME

You'll now have to configure GnuPG for S/MIME properly. As opposed to the previous howto, we'll also be using certificate revocation list (CRL) support via dirmngr, to be able to detect revoked certificates within the mail client. (It didn't work before because Thawte had a messed-up CRL which GnuPG couldn't handle properly, but since Thawte doesn't provide S/MIME anymore we're fine now.) We only have to import the large Thawte CRL once, as all of their certificates have been revoked.

This is my "$HOME/.gnupg/gpgsm.conf":

# Skip certificate policy checks: with them enabled, a certificate whose
# policy OID is not listed in ~/.gnupg/policies.txt fails validation.
disable-policy-checks
# Fetch missing issuer certificates through dirmngr (a network request).
auto-issuer-key-retrieve
# -1 includes all certificates of the chain, up to and including the root,
# in signed messages. (Comments must be on their own line in option files.)
include-certs -1
debug-level basic


You will also probably want to add the following entry to gpgsm.conf (use the fingerprint shown by "gpgsm --list-secret-keys"):

default-key  fingerprint_of_your_key


My "$HOME/.gnupg/dirmngr.conf" contains only the following line; everything else is left at its default. Dirmngr is used internally by GnuPG for CRL support. It is also possible to set up a system-wide dirmngr daemon, which is not part of this howto (see the man page).

debug-level basic


If you encounter any problems with CRL support, you can use the old configuration files from the history of this wiki, which disable it. Be aware that, having imported all CAs, dirmngr might encounter a CRL it can't fetch properly and hang (sometimes happens to me when starting kleopatra).

Importing Thawte CRL and testing CRL support

As of 16 November 2009 all Thawte S/MIME certificates have been revoked. As dirmngr doesn't automatically work with the Thawte CRLs, one has to import them manually once. A working gpg-agent setup is again needed; then perform the following steps:

# download the Thawte CRL
wget http://crl.thawte.com/ThawtePersonalFreemailCA.crl
wget http://crl.thawte.com/ThawtePersonalFreemailIssuingCA.crl

# import to dirmngr
gpgsm --call-dirmngr loadcrl ThawtePersonalFreemailCA.crl
gpgsm --call-dirmngr loadcrl ThawtePersonalFreemailIssuingCA.crl


If you have old Thawte certificates that are still valid according to their expiry date, or other revoked certificates, you can verify that dirmngr works with the following command:

gpgsm --list-keys --with-validation <keyid|name|fingerprint>


The output will be like this:

 [...]
 validity: 2009-03-24 08:26:26 through 2010-03-24 08:26:26
 key type: 2048 bit RSA
 fingerprint: xxxx
 [certificate has been revoked]
 [validation model used: shell]
 [certificate is bad: Certificate revoked]

Note the "[certificate is bad: Certificate revoked]" line; a valid certificate shows "[certificate is good]" instead. The final bracketed line is the validation verdict; "[certificate has been revoked]" on its own only reports the CRL lookup.
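To script this check rather than read it by eye, the following added example (mine, not from the Claws Mail FAQ or GnuPG) reduces the output of gpgsm --list-keys --with-validation to one "fingerprint status" line per certificate and offers a fail-closed check that only succeeds when every listed certificate is good. The sample listing is constructed for the example, with made-up fingerprints; the bracketed status lines follow the format shown above.

```shell
#!/bin/sh
# Added example, not from the Claws Mail FAQ: summarise
#   gpgsm --list-keys --with-validation
# as "<fingerprint> <status>" per certificate, so the CRL check can be
# scripted (e.g. after loading CRLs, or before sending). The parser keys on
# the bracketed status lines gpgsm prints after each fingerprint.

validation_summary() {
    awk '
        /^ *fingerprint:/ { fpr = $2; gsub(/:/, "", fpr) }
        /\[certificate is good\]/ { print fpr " good" }
        /\[certificate is bad:/ {
            reason = $0
            sub(/.*\[certificate is bad: */, "", reason)
            sub(/\].*/, "", reason)
            print fpr " bad: " reason
        }
    '
}

# Exit status 0 only if the listing contains at least one certificate and
# none of them is bad: a fail-closed check for scripts.
all_certificates_good() {
    summary=$(validation_summary)
    [ -n "$summary" ] && ! printf '%s\n' "$summary" | grep -q ' bad: '
}

# Constructed sample listing (not real certificates): one revoked, one good.
SAMPLE_VALIDATION='
           ID: 0x11111111
          S/N: 0A
       Issuer: /CN=Example Issuing CA/O=Example/C=DE
      Subject: /CN=Alice Example/O=Example/C=DE
     validity: 2009-03-24 08:26:26 through 2010-03-24 08:26:26
     key type: 2048 bit RSA
  fingerprint: AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
  [certificate has been revoked]
  [validation model used: shell]
  [certificate is bad: Certificate revoked]

           ID: 0x22222222
          S/N: 0B
       Issuer: /CN=Example Issuing CA/O=Example/C=DE
      Subject: /CN=Bob Example/O=Example/C=DE
     validity: 2012-01-01 00:00:00 through 2013-01-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
  [validation model used: shell]
  [certificate is good]
'

# Usage against the real keybox:
#   gpgsm --list-keys --with-validation 2>/dev/null | validation_summary
#   gpgsm --list-keys --with-validation 2>/dev/null | all_certificates_good \
#       || echo "revoked or otherwise invalid certificates present"
```

Certificates for which dirmngr could not fetch a CRL show up as bad with the reason gpgsm gives, so a hung or unreachable CRL distribution point fails the check rather than passing silently.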

Setting up the trust

We used the option "allow-mark-trusted" in gpg-agent.conf, which allows a client to mark root certificates as trusted, i.e. to put their fingerprints into the file $HOME/.gnupg/trustlist.txt (see man gpg-agent). Hence you should be asked automatically whether to trust a new root CA; for me this mainly happens when I click on an email in Claws Mail whose CA is missing from trustlist.txt, or when I start the tool "kleopatra", which asks me to trust the CAs. Each confirmation stays in effect until you edit trustlist.txt, so treat the prompt the way you would treat installing any new root: compare the fingerprint it shows with one obtained out of band before accepting.

If it doesn't work for you automatically, you have to create the file "$HOME/.gnupg/trustlist.txt" (if it doesn't exist) and add your CA (e.g. Comodo, Thawte) to the trusted key list. This makes it possible to verify/sign/... with your personal certificate. I also added my own certificate to the trustlist.

Usually one adds the SHA1 fingerprints to the file (not the serial number; it doesn't matter whether with or without colons), followed by the flag "S", which marks the entry as trusted for S/MIME. With the following command (borrowed and adjusted from this German howto http://www.kire.ch/blog/2009/05/07/claws-mail-und-smime-verschlusselung-mit-cacert-zertifikat/) you can add all your CAs and keys at once. Of course this means you trust every CA of the ca-certificates package as an S/MIME root, so any of them can vouch for any correspondent's address; if you don't want that, dump the certificate chain of your own certificate and add only those fingerprints:

gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' >> ~/.gnupg/trustlist.txt
(the command appends to the old file rather than overwriting it; it also emits every certificate in the keybox, end-entity certificates included, not only roots, so review the result)


Note that when manually changing trustlist.txt or gpg-agent.conf, you need to give gpg-agent a SIGHUP so it re-reads them, e.g. kill -HUP `echo "${GPG_AGENT_INFO}" | cut -d ':' -f 2` in the session the agent was started from.
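A tighter alternative to the one-liner above, as an added example that is not part of the Claws Mail FAQ or of GnuPG: it parses the same gpgsm --list-keys output but emits trustlist entries only for self-signed certificates (issuer equals subject, i.e. roots), writes fingerprints without colons, and appends only entries that are not already present (honouring lines disabled with a leading "!"), so it can be re-run after every import. The sample listing is constructed for the example and its fingerprints are made up; the field layout follows the gpgsm output shown earlier on this page.

```shell
#!/bin/sh
# Added example, not from the Claws Mail FAQ: derive trustlist.txt entries
# from "gpgsm --list-keys" output, but only for self-signed certificates
# (issuer == subject, i.e. root CAs), instead of marking every certificate
# in the keybox as a trusted root. "S" is the trustlist flag for S/MIME.

root_trust_entries() {
    awk '
        /^ *Issuer:/  { sub(/^ *Issuer: */, "");  issuer = $0 }
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subject = $0 }
        /^ *fingerprint:/ {
            fpr = $2
            gsub(/:/, "", fpr)
            # Only a self-signed certificate names itself as its issuer.
            if (issuer != "" && issuer == subject) print fpr " S"
            issuer = ""; subject = ""
        }
    '
}

# Append only entries not already present (with or without colons, and
# also not present as a "!"-disabled line), so repeated runs are idempotent.
append_new_entries() {
    trustlist="$1"
    [ -f "$trustlist" ] || : > "$trustlist"
    while read -r fpr flag; do
        tr -d ':' < "$trustlist" | grep -iq "^!\{0,1\}$fpr" \
            || printf '%s %s\n' "$fpr" "$flag" >> "$trustlist"
    done
}

# Constructed sample of gpgsm --list-keys output (made-up fingerprints):
# a root CA, its issuing CA and one end-entity certificate.
SAMPLE_LISTING='
           ID: 0x11111111
          S/N: 01
       Issuer: /CN=Example Root CA/O=Example/C=DE
      Subject: /CN=Example Root CA/O=Example/C=DE
     validity: 2009-01-01 00:00:00 through 2029-01-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

           ID: 0x22222222
          S/N: 02
       Issuer: /CN=Example Root CA/O=Example/C=DE
      Subject: /CN=Example Issuing CA/O=Example/C=DE
     validity: 2009-01-01 00:00:00 through 2019-01-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB

           ID: 0x33333333
          S/N: 03
       Issuer: /CN=Example Issuing CA/O=Example/C=DE
      Subject: /CN=Alice Example/O=Example/C=DE
          aka: <alice@example.org>
     validity: 2012-01-01 00:00:00 through 2013-01-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC
'

# Usage:
#   gpgsm --list-keys 2>/dev/null | root_trust_entries \
#       | append_new_entries "$HOME/.gnupg/trustlist.txt"
#   then SIGHUP gpg-agent so it re-reads trustlist.txt.
```

Review the emitted lines before appending them: every root listed here becomes acceptable as the top of any correspondent's chain, which is exactly the decision trustlist.txt exists to record.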

Setting up Claws Mail itself

There's not much you have to configure in Claws Mail. Go to Configuration > Edit Accounts, choose your account and click Edit; on the Account > Privacy tab set "Default privacy system" to S-MIME.
Set the options to your needs; e.g. I've set all but the last ("Save sent encrypted as clear text"), which would keep an unencrypted copy of every encrypted mail you send in your Sent folder.
As we have configured gpgsm to use a "default key", you can set "Use default GnuPG key" in the account preferences under Plugins/GPG.

Working with Claws Mail S/MIME and problems/bugs

  • If you receive the error message "The signature can't be checked - Unknown IPC Command" and you're using "seahorse-agent" try to switch to the gpg-agent of the GnuPG package.
  • If you encounter the error message "Couldn't decrypt: No CMS object" then it is likely that your gpgme version is incompatible with Claws Mail. In my tests only v1.1.6 worked, everything newer (1.1.8 and 1.2.0) doesn't work for me! This doesn't necessarily mean that it doesn't work for you. See http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2059
  • Error message "Cannot sign: General error" usually means that something is wrong with the gpg-agent (e.g. not running, or GPG_AGENT_INFO not present in the environment Claws Mail was started from).
  • If you're an old Thawte user trying to use their offer for a free VeriSign S/MIME certificate with Claws Mail, you're out of luck because GnuPG doesn't support the ancient MD2 algorithm being used by VeriSign for their CA. I've tried getting it to work but never succeeded (except by using Thunderbird), here's a statement from the developer of GnuPG/libgcrypt: http://lists.gnupg.org/pipermail/gpa-dev/2003-October/001482.html
  • I'm only aware of one problem in Claws Mail, where you'll get "Bad signature" warnings, when you forward (via CM) a signed+encrypted email with an attachment and sign+encrypt the email itself again too.
  • Error message: Couldn't decrypt: "unsupported algorithm" - this happens when you receive an email which got encrypted with the RC2 algorithm (e.g. some Outlook and some Thunderbird MUAs). I'm currently not aware of a solution on your side, as the underlying libgcrypt doesn't handle it for patent reasons. (see https://intevation.de/roundup/aegypten/issue11 and http://forums.mozillazine.org/viewtopic.php?p=2858116 ) You can ask your email partner to reconfigure their clients though (I know that it works for recent Outlook versions on >=Windows Vista to force certain algorithms).