Claws Mail FAQ - User contributions [en] (MediaWiki 1.35.7), Atom feed generated 2024-03-29T07:21:41Z
Feed URL: https://www.claws-mail.org/faq/api.php?action=feedcontributions&user=JG&feedformat=atom

S/MIME howto, revision 2009-11-20T14:02:59Z by JG (diff: https://www.claws-mail.org/faq/index.php?title=S/MIME_howto&diff=2131). Edit summary: adding seahorse "unknown ipc command" problem, reported by an irc user

==Claws Mail & S/MIME plugin howto==
This howto describes configuring S/MIME for Claws Mail, which uses GnuPG. It is based on Gentoo Linux but should work fine on every other distribution if adjusted accordingly.

As of 16th November 2009 Thawte discontinued their free S/MIME certificates. As some parts of this howto were also somewhat out of date and many things were based on Thawte, it's time for an update. A big difference to the previous howto is enabling the use of certificate revocation lists (CRL), which didn't work properly with Thawte before. I won't use OCSP support because of privacy issues, see man dirmngr.

===Requirements===
# recent Claws Mail version, recommended: latest available version (v3.7.3 at the time of writing this), because many fixes for S/MIME have been incorporated lately
# most recent S/MIME plugin/package, or "smime" USE flag on Gentoo
# S/MIME certificate (e.g. you can get free (personal use) certificates from Comodo at http://www.instantssl.com)
# pinentry, gnupg, gpgme, dirmngr (for CRL support), ca-certificates (and openssl) in recent versions
# gpg-agent

It is important to note that gpgme >=1.1.8 ''does not work for me'' and always results in an error message, hence I have it masked here and use v1.1.6. See bug 2059: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2059

I've tested this howto with the following package versions:

 # emerge -p pinentry gnupg gpgme ca-certificates dirmngr claws-mail
 [ebuild R ] app-crypt/pinentry-0.7.6 USE="gtk ncurses qt3 qt4 -caps -static" 464 kB
 [ebuild R ] app-misc/ca-certificates-20090709 151 kB
 [ebuild R ] app-crypt/dirmngr-1.0.3 USE="nls" 544 kB
 [ebuild R ] app-crypt/gnupg-2.0.13 USE="bzip2 ldap nls smartcard -adns -caps -doc -openct -pcsc-lite (-selinux) -static" 3,855 kB
 [ebuild R ] app-crypt/gpgme-1.1.6 USE="-pth" 1,061 kB
 [ebuild R ] mail-client/claws-mail-3.7.3 USE="bogofilter crypt dbus dillo gnome gnutls imap ipv6 kde ldap nntp session smime spamassassin ssl xface -doc -pda -spell -startup-notification" 0 kB

===Configuring & running the GPG agent===
Claws Mail depends on a running gpg-agent for using any S/MIME feature. Furthermore it is used to cache the passphrase. A gpg-agent will need a pinentry application to ask for the pin.

Configuration file: "$HOME/.gnupg/gpg-agent.conf" (adjust the paths accordingly)

 pinentry-program /usr/bin/pinentry-qt
 # be aware that the passphrases will be cached for 86400 seconds! set accordingly to your needs
 default-cache-ttl 86400
 max-cache-ttl 86400
 disable-scdaemon
 write-env-file ~/.gnupg/.gpg-agent-info
 allow-mark-trusted
 keep-display
 display :0.0
 debug-level basic

Running gpg-agent is quite trivial:

 eval `gpg-agent --daemon`

As you see, it evals the command. That means gpg-agent returns an environment variable and exports it, something like `GPG_AGENT_INFO=xxx; export GPG_AGENT_INFO`. This means that you will have to run claws-mail from the same session, because it will need this environment variable in order to access the agent. Check gpg-agent(1) for more details on the usual startup customs.

====KDE Users====
KDE has a way to run scripts and thus export environment variables at startup time. Every application running in this session will get access to these variables. All you have to do is create a file under the directory ~/.kde/env/ (if it doesn't exist, then create it). I named it gpgagent.sh; the content of this shell script is quite trivial (don't forget to chmod +x):

 #!/bin/sh
 eval `gpg-agent --daemon`

Also create the directory ~/.kde/shutdown/ and place another shell script in it (e.g. again gpgagent.sh) with the following contents:

 #!/bin/sh
 # the second field of the GPG_AGENT_INFO variable is the
 # process ID of the gpg-agent active in the current session
 # so we'll just kill that, rather than all of them :)
 [ -n "${GPG_AGENT_INFO}" ] && kill `echo "${GPG_AGENT_INFO}" | cut -d ':' -f 2`

====Optional====
You can also use keychain, ~/.xsession startup, or any other method to start gpg-agent. Choose what you like; here are some howtos:

http://www.funtoo.org/en/security/keychain/intro/
http://www.gentoo-wiki.info/HOWTO_KMail_gpg-agent_kde#Setting_up_gpg-agent_with_keychain
http://www.claws-mail.org/faq/index.php/Plugins#How_do_I_configure_gpg-agent_and_the_PGP_plugin.3F
man gpg-agent, section DESCRIPTION

===Importing S/MIME certificates into gpgsm===
Regardless of whether you have obtained your S/MIME certificate in Mozilla Firefox or another browser, you have to export/back it up to a PKCS12 (.p12) file somewhere on your disk. I'm using the filename "certbundle.p12" for this howto; you can call it what you wish (e.g. $emailaddress_$certdate.p12).

Current versions of GnuPG support importing PKCS12 files directly; there's no need to use openssl anymore, as described in the previous howto. (If it doesn't work for you, you can still view the old howto through the history and use openssl to extract and convert the keys.) Gpg-agent has to be properly set up and running by now.

 $ gpgsm --import certbundle.p12

You will be asked to enter your passphrase for the backup file in the pinentry popup, and you then have to choose another passphrase for importing it into gpgsm. This passphrase will be the one you have to enter every time you want to decrypt or sign emails (of course there's the possibility to cache the passphrase).

Now one has to add the issuer certificates (CA + intermediate CA) into gpgsm if they are not already there. The following command will add more than 100 CA certificates from the ca-certificates package, but you could also add only the specific CAs for your certificate if you want.

 $ gpgsm --import /usr/share/ca-certificates/mozilla/*

Check if your key has been added:
 $ gpgsm --list-secret-keys

===Configuring GnuPG S/MIME===
You'll now have to properly configure GnuPG for S/MIME. As opposed to the previous howto, we'll also be using certificate revocation list (CRL) support with dirmngr to be able to detect revoked certificates within the mail client. (It didn't work before because Thawte has some messed up CRL which GnuPG couldn't handle properly - but because Thawte doesn't provide S/MIME anymore, we're fine now :) We only have to import the large Thawte CRL once, as all of their certificates have been revoked.

This is my "$HOME/.gnupg/gpgsm.conf":
 disable-policy-checks
 auto-issuer-key-retrieve
 debug-level basic

You will also probably want to add the following entry to gpgsm.conf (use the fingerprint output from the command "gpgsm --list-secret-keys"):
 default-key fingerprint_of_your_key

My "$HOME/.gnupg/dirmngr.conf" file only contains the following line; everything else is set to default. Dirmngr will be used for CRL support internally by GnuPG. It is also possible to set up a system-wide dirmngr daemon, which is not part of this howto (see man page).
 debug-level basic

If you encounter any problems with CRL support you can use the old configuration files from the history in this wiki, which disable it. Be aware that by having imported all CAs, dirmngr might encounter a CRL which it can't fetch properly and hang (this sometimes happens to me when starting kleopatra).

====Importing Thawte CRL and testing CRL support====
As of 16th November 2009 all Thawte S/MIME certificates have been revoked. As dirmngr doesn't automatically work with the Thawte CRL, one has to import them manually once. A working gpg-agent setup is again needed, then perform the following steps:
 # download the Thawte CRL
 wget http://crl.thawte.com/ThawtePersonalFreemailCA.crl
 wget http://crl.thawte.com/ThawtePersonalFreemailIssuingCA.crl
 
 # import to dirmngr
 gpgsm --call-dirmngr loadcrl ThawtePersonalFreemailCA.crl
 gpgsm --call-dirmngr loadcrl ThawtePersonalFreemailIssuingCA.crl

If you have old Thawte certificates that are still valid according to their expiry date, or other revoked certificates, you can verify that dirmngr works with the following command:
 gpgsm --list-keys --with-validation <keyid|name|fingerprint>

The output will be like this:
 [...]
 validity: 2009-03-24 08:26:26 through 2010-03-24 08:26:26
 key type: 2048 bit RSA
 fingerprint: xxxx
 [certificate has been revoked]
 [validation model used: shell]
 [certificate is bad: Certificate revoked]

See the "[certificate is bad: Certificate revoked]" message instead of "[certificate is good]".

====Setting up the trust====
We used the option "allow-mark-trusted" in gpg-agent.conf, which allows the client to mark keys as trusted, i.e. put them in the file $HOME/.gnupg/trustlist.txt (see man gpg-agent). Hence you should be asked automatically to trust another key or CA; e.g. it mainly happens for me when I click on an email in Claws Mail where the CA is missing from trustlist.txt, or when I start the tool "kleopatra", where I'm asked to trust the CAs.

If it doesn't work for you automatically, you have to create the file (if it doesn't exist) "$HOME/.gnupg/trustlist.txt" to add your CA (e.g. Comodo, Thawte) to the trusted key list. This makes it possible to verify/sign/.../ with your personal certificate. I also added my own certificate to the trustlist.

Usually one adds the SHA1 fingerprints to the file (not the serial number, and it doesn't matter whether with or without the colons). With the following command (borrowed and adjusted from this German howto http://www.kire.ch/blog/2009/05/07/claws-mail-und-smime-verschlusselung-mit-cacert-zertifikat/) you can add all your CAs and keys at once (of course you then have to trust all the CAs of the ca-certificates package; if you don't, then you have to manually dump the certificate chain and add the fingerprints accordingly):

 gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' >> ~/.gnupg/trustlist.txt
(the command will append to, not overwrite, the old file)

Note that when manually changing trustlist.txt or gpg-agent.conf, you need to give gpg-agent a SIGHUP.

===Setting up Claws Mail itself===
There's not much you have to configure in Claws Mail. Go to the menu "Configuration - Edit Accounts | choose your account | - Edit - Account - Privacy - Default privacy system" => S-MIME

Set the options to your needs; e.g. I've set all but the last (Save sent encrypted as clear text).

As we have configured gpgsm to use a "default key", you can set "Use default GnuPG key" in the Account preferences Plugins/GPG menu.

===Working with Claws Mail S/MIME and problems/bugs===
* If you receive the error message "The signature can't be checked - Unknown IPC Command" and you're using "seahorse-agent", try to switch to the gpg-agent of the GnuPG package.

* If you encounter the error message "Couldn't decrypt: No CMS object", then it is likely that your gpgme version is incompatible with Claws Mail. In my tests only v1.1.6 worked; everything newer (1.1.8 and 1.2.0) doesn't work for me! This doesn't necessarily mean that it doesn't work for you. See http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2059

* Error message "Cannot sign: General error" usually means that there's something wrong with the gpg-agent (e.g. not running or wrong environment).

* If you're an old Thawte user trying to use their offer for a free VeriSign S/MIME certificate with Claws Mail, you're out of luck, because GnuPG doesn't support the ancient MD2 algorithm used by VeriSign for their CA. I've tried getting it to work but never succeeded (except by using Thunderbird); here's a statement from the developer of GnuPG/libgcrypt: http://lists.gnupg.org/pipermail/gpa-dev/2003-October/001482.html

* I'm only aware of one problem in Claws Mail, where you'll get "Bad signature" warnings when you forward (via CM) a signed+encrypted email with an attachment and sign+encrypt the email itself again too.

* Error message: Couldn't decrypt: "unsupported algorithm" - this happens when you receive an email which got encrypted with the RC2 algorithm (e.g. some Outlook and some Thunderbird MUAs). I'm currently not aware of a solution on your side, as the underlying libgcrypt doesn't handle it for patent reasons (see https://intevation.de/roundup/aegypten/issue11 and http://forums.mozillazine.org/viewtopic.php?p=2858116 ). You can ask your email partner to reconfigure their clients, though (I know that it works for recent Outlook versions on >=Windows Vista to force certain algorithms).
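The KDE shutdown script in the howto kills whatever pid sits in the second colon-separated field of GPG_AGENT_INFO. The following POSIX sh version is an added example, not code from the howto or the Claws Mail project: it takes the pid field from the right (so a ':' in the socket path cannot shift the field the way `cut -d ':' -f 2` would), insists that it is numeric, and only signals the process if its command name really is gpg-agent. The function names gpg_agent_pid, command_name_of and stop_session_gpg_agent are mine.

```shell
#!/bin/sh
# Added example (not part of the howto): a safer replacement for the
# ~/.kde/shutdown/gpgagent.sh one-liner. GPG_AGENT_INFO has the form
# "<socket path>:<pid>:<protocol version>" (gpg-agent 2.0.x, see gpg-agent(1)).

# Print the pid field of a GPG_AGENT_INFO value; fail (status 1) if the
# value is empty, has fewer than three fields or the pid is not numeric.
gpg_agent_pid() {
    info=$1
    [ -n "$info" ] || return 1
    case $info in
        *:*:*) ;;                 # need at least three fields
        *) return 1 ;;
    esac
    rest=${info%:*}               # strip ":<protocol version>"
    pid=${rest##*:}               # what follows the last remaining ':'
    case $pid in
        ''|*[!0-9]*) return 1 ;;  # empty or not purely numeric
    esac
    printf '%s\n' "$pid"
}

# Command name of a running pid (empty if it is not running).
# Uses /proc where available, otherwise ps(1).
command_name_of() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# Terminate the gpg-agent of this session, identified by $1 or, if $1 is
# empty, by $GPG_AGENT_INFO. Exit status: 0 signalled; 1 unusable value;
# 2 the pid belongs to something other than gpg-agent (stale variable or
# reused pid), in which case nothing is signalled.
stop_session_gpg_agent() {
    pid=$(gpg_agent_pid "${1:-${GPG_AGENT_INFO:-}}") || return 1
    case $(command_name_of "$pid") in
        gpg-agent) kill "$pid" ;;
        *) return 2 ;;
    esac
}
```

Drop the script into ~/.kde/shutdown/ with a final line of `stop_session_gpg_agent` to use it in place of the one-liner.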
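The trustlist one-liner in the "Setting up the trust" section appends every fingerprint gpgsm lists, end-entity and intermediate certificates included, and appends them again on every run. As an added example (not code from the howto or the Claws Mail project), the POSIX sh/awk script below keeps only self-signed roots (Issuer equal to Subject), strips the colons from the fingerprints, and skips fingerprints that are already in trustlist.txt. The listing layout is my assumption of what `gpgsm --list-keys` prints (Issuer:, Subject: and fingerprint: lines per certificate), the three certificates in it are constructed, and sample_listing, root_trust_entries and append_new_trust_entries are names I made up.

```shell
#!/bin/sh
# Added example (not part of the howto): build trustlist.txt entries from a
# `gpgsm --list-keys` listing, trusting roots only and never duplicating.

# Constructed sample in the layout assumed for `gpgsm --list-keys`: a root CA,
# an intermediate issued by it, and an end-entity certificate. All values are
# made up.
sample_listing() {
    cat <<'EOF'
           ID: 0x11111111
          S/N: 01
       Issuer: /CN=Example Root CA/O=Example/C=XX
      Subject: /CN=Example Root CA/O=Example/C=XX
     validity: 2009-01-01 00:00:00 through 2029-01-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD

           ID: 0x22222222
          S/N: 02
       Issuer: /CN=Example Root CA/O=Example/C=XX
      Subject: /CN=Example Email CA/O=Example/C=XX
     validity: 2009-01-01 00:00:00 through 2019-01-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33

           ID: 0x33333333
          S/N: 03
       Issuer: /CN=Example Email CA/O=Example/C=XX
      Subject: /CN=Alice/EMail=alice@example.org
     validity: 2009-06-01 00:00:00 through 2010-06-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF
EOF
}

# Read a listing on stdin and print "<FINGERPRINT> S" (colons removed,
# upper case) for every certificate whose Issuer equals its Subject, i.e.
# a self-signed root. Intermediates and end-entity certificates are left
# out: gpgsm validates them through the chain up to a trusted root.
root_trust_entries() {
    awk '
        /^ *Issuer:/  { sub(/^ *Issuer: */, "");  issuer = $0 }
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subject = $0 }
        /^ *fingerprint:/ {
            fpr = $2; gsub(/:/, "", fpr)
            if (issuer != "" && issuer == subject) print toupper(fpr) " S"
            issuer = ""; subject = ""
        }'
}

# Append "<fingerprint> <flags>" lines from stdin to the trust list file $1,
# skipping fingerprints already present (compared without colons and
# case-insensitively, since the howto notes both spellings are accepted).
# Prints the number of lines actually appended.
append_new_trust_entries() {
    file=$1
    [ -f "$file" ] || : > "$file"
    added=0
    while read -r fpr flags; do
        [ -n "$fpr" ] || continue
        norm=$(printf '%s' "$fpr" | tr -d ':' | tr 'a-f' 'A-F')
        if ! tr -d ':' < "$file" | tr 'a-f' 'A-F' | grep -q "^$norm "; then
            printf '%s %s\n' "$norm" "$flags" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}
```

In use, replace sample_listing with `gpgsm --list-keys 2>/dev/null` and pass ~/.gnupg/trustlist.txt as the file; gpg-agent still needs a SIGHUP afterwards, as the howto says.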
(see https://intevation.de/roundup/aegypten/issue11 and http://forums.mozillazine.org/viewtopic.php?p=2858116 ) You can ask your email partner to reconfigure their clients though (I know that it works for recent Outlook versions on &gt;=Windows Vista to force certain algorithms).</div> JG https://www.claws-mail.org/faq/index.php?title=S/MIME_howto&diff=1604 S/MIME howto 2007-01-13T10:11:25Z <p>JG: </p> <hr /> <div>==Claws Mail &amp; S/MIME plugin howto==<br /> <br /> Recently there were many requests on the mailing list on how to configure the S/MIME plugin to work properly. It is not a trivial task as the GUI doesn't provide any configuration options and everything needs to be done in the console.<br /> <br /> I've had a &quot;half-working&quot; setup but always failed on some point when importing S/MIME certificates. I now managed to have a working config and hopefully this howto will give an insight on how to achieve it.<br /> <br /> This howto is based on Gentoo but should be working fine on every other distribution if adjusting it accordingly :)<br /> <br /> ===Requirements===<br /> # recent Claws Mail version, recommended: v2.7.1 (multiple RFC fixes), or CVS<br /> # recent S/MIME plugin, recommended: v0.6.0 (multiple RFC fixes), or CVS<br /> # S/MIME certificate (this howto is based on Thawte Freemail certs)<br /> # pinentry, gnupg, gpgme, ca-certificates (and openssl) in recent versions<br /> <br /> Those are the versions I'm using:<br /> <br /> # emerge -p pinentry gnupg gpgme ca-certificates<br /> [ebuild R ] app-crypt/pinentry-0.7.2-r3 USE=&quot;gtk ncurses qt3 -caps&quot; 390 kB<br /> [ebuild R ] app-crypt/gnupg-2.0.1-r1 USE=&quot;X bzip2 ldap nls -caps -doc -openct -pcsc-lite (-selinux) -smartcard&quot; 0 kB<br /> [ebuild R ] app-crypt/gpgme-1.1.2-r1 0 kB<br /> [ebuild R ] app-misc/ca-certificates-20050804 92 kB<br /> <br /> ===Optional===<br /> # running gpg-agent for caching the passphrase<br /> I'm using keychain to start gpg-agent. 
Choose what you like, here are somes howtos:<br /> &lt;br /&gt;<br /> http://www.claws-mail.org/faq/index.php/Plugins#How_do_I_configure_gpg-agent_and_the_PGP_plugin.3F http://gentoo-wiki.com/HOWTO_KMail_gpg-agent_kde#Setting_up_gpg-agent_with_keychain<br /> <br /> <br /> ===Importing S/MIME certificates into gpgsm===<br /> (from http://www.gnupg.org/aegypten/development.en.html#howto_import_external_certs)<br /> &lt;br /&gt;&lt;br /&gt;<br /> First one has to obtain the Thawte Freemail certificate and install it into Firefox/Thunderbird. Export the certificate from Firefox/Thunderbird e.g. to &quot;certbundle.p12&quot; file and remember the passphrase.<br /> <br /> Convert the file into PEM format:&lt;br /&gt;<br /> $ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes<br /> (use the export passphrase)<br /> <br /> Extract the key: &lt;br /&gt;<br /> $ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes<br /> <br /> Import the key into gpgsm:&lt;br /&gt;<br /> $ gpgsm --call-protect-tool --p12-import --store certkey.p12<br /> <br /> Now one has to add the issuers certificate (Thawte) into gpgsm, you can use the certs included in the Freemail cert, but I did the following:<br /> &lt;br /&gt;<br /> $ gpgsm --import /usr/share/ca-certificates/mozilla/Thawte*<br /> (Thawte_Personal_Basic_CA.crt, Thawte_Personal_Premium_CA.crt, Thawte_Server_CA.crt, Thawte_Personal_Freemail_CA.crt, Thawte_Premium_Server_CA.crt, Thawte_Time_Stamping_CA.crt)<br /> <br /> Check if your key has been added:&lt;br /&gt;<br /> $ gpgsm --list-secret-keys<br /> <br /> If this doesn't show a secret key, you may have to import the three certificates from certbundle.pem: separate them to three files (starting with &quot;--- BEGIN CERTIFICATE ---&quot; and ending with &quot;--- END CERTIFICATE ---&quot;), then run &lt;br /&gt; <br /> $ gpgsm --import cert1.pem cert2.pem cert3.pem<br /> <br /> ===Configuring S/MIME===<br /> You need to create the file (if it doesn't 
exist) &quot;$HOME/.gnupg/trustlist.txt&quot; to add Thawte to the trusted key list. This makes it possible to verify/sign/.../ with your Thawte certificate. I also added my own certificate to the trustlist. Add the following lines, which contain the fingerprint (not the serial number!) of the key and the letter S at the end:&lt;br /&gt;<br /> <br /> # 1.2.840.113549.1.9.1=#706572736F6E616C2D667265656D61696C407468617774652E636F6D,CN=Thawte <br /> # Personal Freemail CA,OU=Certification Services Division,O=Thawte<br /> # Consulting,L=Cape Town,ST=Western Cape,C=ZA<br /> 209900B63D955728140CD13622D8C687A4EB0085 S<br /> &lt;br /&gt;<br /> <br /> This is my &quot;$HOME/.gnupg/gpgsm.conf&quot;:&lt;br /&gt;<br /> disable-crl-checks<br /> disable-policy-checks<br /> auto-issuer-key-retrieve<br /> debug-level basic<br /> <br /> &lt;br /&gt;<br /> gpg-agent is only necessary for caching the passphrase: &quot;$HOME/.gnupg/gpg-agent.conf&quot;&lt;br /&gt;<br /> <br /> pinentry-program /usr/bin/pinentry-qt<br /> default-cache-ttl 86400 # be aware that the passphrases will be cached for 86400 seconds! set according to your needs<br /> max-cache-ttl 86400<br /> disable-scdaemon<br /> allow-mark-trusted<br /> <br /> <br /> ===Working with S/MIME plugin and problems/bugs===<br /> * As of current CVS (CM &gt;=2.7.0cvs11 and S/MIME &gt;=0.5.8cvs2) the S/MIME plugin is more RFC compliant and signing, encrypting, decrypting and verifying messages is working very well now. I tested compatibility with Outlook 11 and Thunderbird, some Kmail emails in my inbox decrypt fine too!<br /> <br /> * I'm only aware of one problem, where you'll get &quot;Bad signature&quot; warnings, when you forward (via CM) a signed+encrypted email with an attachment and sign+encrypt the email itself again too.<br /> <br /> * Error: Couldn't decrypt: &quot;unsupported algorithm&quot; - this happens when you receive an email which got encrypted with the RC2 algorithm (e.g. some Outlook 11 and some Thunderbird MUAs). 
I'm currently not aware of a solution, as the underlying libgcrypt doesn't handle it well (https://intevation.de/roundup/aegypten/issue11)<br /> <br /> * It seems the &quot;Trust key&quot; dialog doesn't show the name of the key, e.g. &quot;The key of ' ' is not fully trusted&quot;. &lt;br /&gt;CM first asks for the key of the recipient and then asks for the sender's key because CM can't extract it properly: &quot;No exact match for 'email@address'; please select the key.&quot; (guess that is because I have two certs..).&lt;br /&gt; If I send an email to a friend and include myself (To:), CM will ask me three times for the correct keys.<br /> <br /> * As of now the &quot;Select Keys&quot; dialog when encrypting emails is a bit awkward to use if you have more than one key (e.g. one additional key that is expired and you still want to keep it to be able to decrypt older emails). It only shows the Key ID and no info about the expiry date which makes it more difficult to choose the correct one.</div> JG https://www.claws-mail.org/faq/index.php?title=S/MIME_howto&diff=1592 S/MIME howto 2006-12-20T09:20:36Z <p>JG: </p> <hr /> <div>==Claws Mail &amp; S/MIME plugin howto==<br /> <br /> Recently there were many requests on the mailing list on how to configure the S/MIME plugin to work properly. It is not a trivial task as the GUI doesn't provide any configuration options and everything needs to be done in the console.<br /> <br /> I've had a &quot;half-working&quot; setup but always failed on some point when importing S/MIME certificates. 
I now managed to have a working config and hopefully this howto will give an insight on how to achieve it.<br /> <br /> This howto is based on Gentoo but should be working fine on every other distribution if adjusting it accordingly :)<br /> <br /> ===Requirements===<br /> # recent Claws Mail version<br /> # recent S/MIME plugin (I'm using 0.5.7cvs2 which fixes some decryption bugs)<br /> # S/MIME certificate (this howto is based on Thawte Freemail certs)<br /> # pinentry, gnupg, gpgme, ca-certificates (and openssl) in recent versions<br /> <br /> Those are the versions I'm using:<br /> <br /> # emerge -p pinentry gnupg gpgme ca-certificates<br /> [ebuild R ] app-crypt/pinentry-0.7.2-r3 USE=&quot;gtk ncurses qt3 -caps&quot; 390 kB<br /> [ebuild R ] app-crypt/gnupg-2.0.1-r1 USE=&quot;X bzip2 ldap nls -caps -doc -openct -pcsc-lite (-selinux) -smartcard&quot; 0 kB<br /> [ebuild R ] app-crypt/gpgme-1.1.2-r1 0 kB<br /> [ebuild R ] app-misc/ca-certificates-20050804 92 kB<br /> <br /> ===Optional===<br /> # running gpg-agent for caching the passphrase<br /> I'm using keychain to start gpg-agent. Choose what you like, here are some howtos:<br /> &lt;br /&gt;<br /> http://www.claws-mail.org/faq/index.php/Plugins#How_do_I_configure_gpg-agent_and_the_PGP_plugin.3F http://gentoo-wiki.com/HOWTO_KMail_gpg-agent_kde#Setting_up_gpg-agent_with_keychain<br /> <br /> <br /> ===Importing S/MIME certificates into gpgsm===<br /> (from http://www.gnupg.org/aegypten/development.en.html#howto_import_external_certs)<br /> &lt;br /&gt;&lt;br /&gt;<br /> First one has to obtain the Thawte Freemail certificate and install it into Firefox/Thunderbird. Export the certificate from Firefox/Thunderbird e.g. 
to a &quot;certbundle.p12&quot; file and remember the passphrase.<br /> <br /> Convert the file into PEM format:&lt;br /&gt;<br /> $ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes<br /> (use the export passphrase)<br /> <br /> Extract the key: &lt;br /&gt;<br /> $ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes<br /> <br /> Import the key into gpgsm:&lt;br /&gt;<br /> $ gpgsm --call-protect-tool --p12-import --store certkey.p12<br /> <br /> Now one has to add the issuer's certificate (Thawte) into gpgsm; you can use the certs included in the Freemail cert, but I did the following:<br /> &lt;br /&gt;<br /> $ gpgsm --import /usr/share/ca-certificates/mozilla/Thawte*<br /> (Thawte_Personal_Basic_CA.crt, Thawte_Personal_Premium_CA.crt, Thawte_Server_CA.crt, Thawte_Personal_Freemail_CA.crt, Thawte_Premium_Server_CA.crt, Thawte_Time_Stamping_CA.crt)<br /> <br /> Check if your key has been added:&lt;br /&gt;<br /> $ gpgsm --list-secret-keys<br /> <br /> <br /> ===Configuring S/MIME===<br /> You need to create the file (if it doesn't exist) &quot;$HOME/.gnupg/trustlist.txt&quot; to add Thawte to the trusted key list. This makes it possible to verify/sign/.../ with your Thawte certificate. Add the following lines, which contain the fingerprint (not the serial number!) 
of the key and the letter S at the end:&lt;br /&gt;<br /> <br /> # 1.2.840.113549.1.9.1=#706572736F6E616C2D667265656D61696C407468617774652E636F6D,CN=Thawte <br /> # Personal Freemail CA,OU=Certification Services Division,O=Thawte<br /> # Consulting,L=Cape Town,ST=Western Cape,C=ZA<br /> 209900B63D955728140CD13622D8C687A4EB0085 S<br /> &lt;br /&gt;<br /> <br /> This is my &quot;$HOME/.gnupg/gpgsm.conf&quot;:&lt;br /&gt;<br /> disable-crl-checks<br /> disable-policy-checks<br /> auto-issuer-key-retrieve<br /> debug-level basic<br /> <br /> &lt;br /&gt;<br /> gpg-agent is only necessary for caching the passphrase: &quot;$HOME/.gnupg/gpg-agent.conf&quot;&lt;br /&gt;<br /> <br /> pinentry-program /usr/bin/pinentry-qt<br /> default-cache-ttl 86400 # be aware that the passphrases will be cached for 86400 seconds! set accordingly to your need<br /> max-cache-ttl 86400<br /> disable-scdaemon<br /> allow-mark-trusted<br /> <br /> <br /> ===Working with S/MIME plugin and problems/bugs===<br /> I think because few people managed to get it to work properly there weren't many bug reports yet :) There are some things I encountered which don't work fine, e.g. keep in mind:<br /> <br /> from the README:<br /> WARNING: This plugin doesn't handle sign+encrypt and encryption of multipart messages very well (yet).<br /> <br /> * That means if you encrypt and sign a message you get some header stuff in the body of the message and it will be a lot more garbage if you have attached files. Encrypting alone (without attachments) or signing alone (with or without attachments) works fine.<br /> <br /> * I always have to choose my key twice in the &quot;Select Keys&quot; dialog when encrypting? It seems the &quot;Trust key&quot; dialog doesn't show the name of the key, e.g. &quot;The key of ' ' is not fully trusted&quot;. 
&lt;br /&gt;CM first asks for the key of the recipient and then asks for the sender's key because CM can't extract it properly: &quot;No exact match for 'email@address'; please select the key.&quot; (guess that is because I have two certs..).&lt;br /&gt; If I send an email to a friend and include myself (To:), CM will ask me three times for the correct keys.<br /> <br /> * Although I added my own fingerprint to trustlist.txt CM always says that the recipient is not fully trusted when I send encrypted/signed emails. <br /> <br /> * As of now the &quot;Select Keys&quot; dialog when encrypting emails is a bit awkward to use if you have more than one key (e.g. one additional key that is expired and you still want to keep it to be able to decrypt older emails). It only shows the Key ID and no info about the date which makes it more difficult to choose the correct one.</div> JG https://www.claws-mail.org/faq/index.php?title=S/MIME_howto&diff=1591 S/MIME howto 2006-12-20T09:13:56Z <p>JG: </p> <hr /> <div>==Claws Mail &amp; S/MIME plugin howto==<br /> <br /> Recently there were many requests on the mailing list on how to configure the S/MIME plugin to work properly. It is not a trivial task as the GUI doesn't provide any configuration options and everything needs to be done in the console.<br /> <br /> I've had a &quot;half-working&quot; setup but always failed on some point when importing S/MIME certificates. 
I now managed to have a working config and hopefully this howto will give an insight on how to achieve it.<br /> <br /> This howto is based on Gentoo but should be working fine on every other distribution if adjusting it accordingly :)<br /> <br /> ===Requirements===<br /> # recent Claws Mail version<br /> # recent S/MIME plugin (I'm using 0.5.7cvs2 which fixes some decryption bugs)<br /> # S/MIME certificate (this howto is based on Thawte Freemail certs)<br /> # pinentry, gnupg, gpgme, ca-certificates (and openssl) in recent versions<br /> <br /> Those are the versions I'm using:<br /> <br /> # emerge -p pinentry gnupg gpgme ca-certificates<br /> [ebuild R ] app-crypt/pinentry-0.7.2-r3 USE=&quot;gtk ncurses qt3 -caps&quot; 390 kB<br /> [ebuild R ] app-crypt/gnupg-2.0.1-r1 USE=&quot;X bzip2 ldap nls -caps -doc -openct -pcsc-lite (-selinux) -smartcard&quot; 0 kB<br /> [ebuild R ] app-crypt/gpgme-1.1.2-r1 0 kB<br /> [ebuild R ] app-misc/ca-certificates-20050804 92 kB<br /> <br /> ===Optional===<br /> # running gpg-agent for caching the passphrase<br /> I'm using keychain to start gpg-agent. Choose what you like, here are some howtos:<br /> &lt;br /&gt;<br /> http://www.claws-mail.org/faq/index.php/Plugins#How_do_I_configure_gpg-agent_and_the_PGP_plugin.3F http://gentoo-wiki.com/HOWTO_KMail_gpg-agent_kde#Setting_up_gpg-agent_with_keychain<br /> <br /> <br /> ===Importing S/MIME certificates into gpgsm===<br /> (from http://www.gnupg.org/aegypten/development.en.html#howto_import_external_certs)<br /> &lt;br /&gt;&lt;br /&gt;<br /> First one has to obtain the Thawte Freemail certificate and install it into Firefox/Thunderbird. Export the certificate from Firefox/Thunderbird e.g. 
to a &quot;certbundle.p12&quot; file and remember the passphrase.<br /> <br /> Convert the file into PEM format:&lt;br /&gt;<br /> $ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes<br /> (use the export passphrase)<br /> <br /> Extract the key: &lt;br /&gt;<br /> $ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes<br /> <br /> Import the key into gpgsm:&lt;br /&gt;<br /> $ gpgsm --call-protect-tool --p12-import --store certkey.p12<br /> <br /> Now one has to add the issuer's certificate (Thawte) into gpgsm; you can use the certs included in the Freemail cert, but I did the following:<br /> &lt;br /&gt;<br /> $ gpgsm --import /usr/share/ca-certificates/mozilla/Thawte*<br /> (Thawte_Personal_Basic_CA.crt, Thawte_Personal_Premium_CA.crt, Thawte_Server_CA.crt, Thawte_Personal_Freemail_CA.crt, Thawte_Premium_Server_CA.crt, Thawte_Time_Stamping_CA.crt)<br /> <br /> Check if your key has been added:&lt;br /&gt;<br /> $ gpgsm --list-secret-keys<br /> <br /> <br /> ===Configuring S/MIME===<br /> You need to create the file (if it doesn't exist) &quot;$HOME/.gnupg/trustlist.txt&quot; to add Thawte to the trusted key list. This makes it possible to verify/sign/.../ with your Thawte certificate. Add the following lines, which contain the fingerprint (not the serial number!) 
of the key and the letter S at the end:&lt;br /&gt;<br /> <br /> # 1.2.840.113549.1.9.1=#706572736F6E616C2D667265656D61696C407468617774652E636F6D,CN=Thawte <br /> # Personal Freemail CA,OU=Certification Services Division,O=Thawte<br /> # Consulting,L=Cape Town,ST=Western Cape,C=ZA<br /> 209900B63D955728140CD13622D8C687A4EB0085 S<br /> &lt;br /&gt;<br /> <br /> This is my &quot;$HOME/.gnupg/gpgsm.conf&quot;:&lt;br /&gt;<br /> disable-crl-checks<br /> disable-policy-checks<br /> auto-issuer-key-retrieve<br /> debug-level basic<br /> <br /> &lt;br /&gt;<br /> gpg-agent is only necessary for caching the passphrase: &quot;$HOME/.gnupg/gpg-agent.conf&quot;&lt;br /&gt;<br /> <br /> pinentry-program /usr/bin/pinentry-qt<br /> default-cache-ttl 86400 # be aware that the passphrases will be cached for 86400 seconds! set accordingly to your need<br /> max-cache-ttl 86400<br /> disable-scdaemon<br /> allow-mark-trusted<br /> <br /> <br /> ===Working with S/MIME plugin and problems/bugs===<br /> I think because few people managed to get it to work properly there weren't many bug reports yet :) There are some things I encountered which don't work fine, e.g. keep in mind:<br /> <br /> from the README:<br /> WARNING: This plugin doesn't handle sign+encrypt and encryption of multipart messages very well (yet).<br /> <br /> * That means if you encrypt and sign a message you get some header stuff in the body of the message and it will be a lot more garbage if you have attached files. Encrypting alone (without attachments) or signing alone (with or without attachments) works fine.<br /> <br /> * I always have to choose my key twice in the &quot;Select Keys&quot; dialog when encrypting? It seems the &quot;Trust key&quot; dialog doesn't show the name of the key, e.g. &quot;The key of ' ' is not fully trusted&quot;. 
&lt;br /&gt;CM first asks for the key of the recipient and then asks for the sender's key because CM can't extract it properly: &quot;No exact match for 'email@address'; please select the key.&quot; (guess that is because I have two certs..).&lt;br /&gt; If I send an email to a friend and include myself (To:), CM will ask me three times for the correct keys.<br /> <br /> * Although I added my own fingerprint to trustlist.txt CM always says that the recipient is not fully trusted when I send encrypted/signed emails. <br /> <br /> * As of now the &quot;Select Keys&quot; dialog when encrypting emails is a bit awkward to use if you have more than one key (e.g. one expired one you still want to keep to be able to decrypt older emails). It only shows the Key ID and no info about the date which makes it more difficult to choose the correct one.</div> JG https://www.claws-mail.org/faq/index.php?title=S/MIME_howto&diff=1589 S/MIME howto 2006-12-20T08:19:28Z <p>JG: </p> <hr /> <div>==Claws Mail &amp; S/MIME plugin howto==<br /> <br /> Recently there were many requests on the mailing list on how to configure the S/MIME plugin to work properly. It is not a trivial task as the GUI doesn't provide any configuration options and everything needs to be done in the console.<br /> <br /> I've had a &quot;half-working&quot; setup but always failed on some point when importing S/MIME certificates. 
I now managed to have a working config and hopefully this howto will give an insight on how to achieve it.<br /> <br /> This howto is based on Gentoo but should be working fine on every other distribution if adjusting it accordingly :)<br /> <br /> ===Requirements===<br /> # recent Claws Mail version<br /> # recent S/MIME plugin (I'm using 0.5.7cvs2 which fixes some decryption bugs)<br /> # S/MIME certificate (this howto is based on Thawte Freemail certs)<br /> # pinentry, gnupg, gpgme, ca-certificates (and openssl) in recent versions<br /> <br /> Those are the versions I'm using:<br /> &lt;code&gt;# emerge -p pinentry gnupg gpgme ca-certificates&lt;/code&gt;&lt;br /&gt;<br /> [ebuild R ] app-crypt/pinentry-0.7.2-r3 USE=&quot;gtk ncurses qt3 -caps&quot; 390 kB<br /> [ebuild R ] app-crypt/gnupg-2.0.1-r1 USE=&quot;X bzip2 ldap nls -caps -doc -openct -pcsc-lite (-selinux) -smartcard&quot; 0 kB<br /> [ebuild R ] app-crypt/gpgme-1.1.2-r1 0 kB<br /> [ebuild R ] app-misc/ca-certificates-20050804 92 kB<br /> <br /> ===Optional===<br /> # running gpg-agent for caching the passphrase<br /> I'm using keychain to start gpg-agent. Choose what you like, here are some howtos:<br /> &lt;br /&gt;<br /> http://www.claws-mail.org/faq/index.php/Plugins#How_do_I_configure_gpg-agent_and_the_PGP_plugin.3F http://gentoo-wiki.com/HOWTO_KMail_gpg-agent_kde#Setting_up_gpg-agent_with_keychain<br /> <br /> <br /> ===Importing S/MIME certificates into gpgsm===<br /> (from http://www.gnupg.org/aegypten/development.en.html#howto_import_external_certs)<br /> &lt;br /&gt;&lt;br /&gt;<br /> First one has to obtain the Thawte Freemail certificate and install it into Firefox/Thunderbird. Export the certificate from Firefox/Thunderbird e.g. 
to a &quot;certbundle.p12&quot; file and remember the passphrase.<br /> <br /> Convert the file into PEM format:&lt;br /&gt;<br /> $ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes<br /> (use the export passphrase)<br /> <br /> Extract the key: &lt;br /&gt;<br /> $ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes<br /> <br /> Import the key into gpgsm:&lt;br /&gt;<br /> $ gpgsm --call-protect-tool --p12-import --store certkey.p12<br /> <br /> Now one has to add the issuer's certificate (Thawte) into gpgsm; you can use the certs included in the Freemail cert, but I did the following:<br /> &lt;br /&gt;<br /> $ gpgsm --import /usr/share/ca-certificates/mozilla/Thawte*<br /> (Thawte_Personal_Basic_CA.crt, Thawte_Personal_Premium_CA.crt, Thawte_Server_CA.crt, Thawte_Personal_Freemail_CA.crt, Thawte_Premium_Server_CA.crt, Thawte_Time_Stamping_CA.crt)<br /> <br /> Check if your key has been added:&lt;br /&gt;<br /> $ gpgsm --list-secret-keys<br /> <br /> <br /> ===Configuring S/MIME===<br /> You need to create the file (if it doesn't exist) &quot;$HOME/.gnupg/trustlist.txt&quot; to add Thawte to the trusted key list. This makes it possible to verify/sign/.../ with your Thawte certificate. Add the following lines, which contain the fingerprint (not the serial number!) 
of the key and the letter S at the end:&lt;br /&gt;<br /> <br /> # 1.2.840.113549.1.9.1=#706572736F6E616C2D667265656D61696C407468617774652E636F6D,CN=Thawte <br /> # Personal Freemail CA,OU=Certification Services Division,O=Thawte<br /> # Consulting,L=Cape Town,ST=Western Cape,C=ZA<br /> 209900B63D955728140CD13622D8C687A4EB0085 S<br /> &lt;br /&gt;<br /> <br /> This is my &quot;$HOME/.gnupg/gpgsm.conf&quot;:&lt;br /&gt;<br /> disable-crl-checks<br /> disable-policy-checks<br /> auto-issuer-key-retrieve<br /> debug-level basic<br /> <br /> &lt;br /&gt;<br /> gpg-agent is only necessary for caching the passphrase: &quot;$HOME/.gnupg/gpg-agent.conf&quot;&lt;br /&gt;<br /> <br /> pinentry-program /usr/bin/pinentry-qt<br /> default-cache-ttl 86400 # be aware that the passphrases will be cached for 86400 seconds! set accordingly to your need<br /> max-cache-ttl 86400<br /> disable-scdaemon<br /> allow-mark-trusted<br /> <br /> <br /> ===Working with S/MIME plugin and problems/bugs===<br /> I think because few people managed to get it to work properly there weren't many bug reports yet :) There are some things I encountered which don't work fine, e.g. keep in mind:<br /> <br /> from the README:<br /> WARNING: This plugin doesn't handle sign+encrypt and encryption of multipart messages very well (yet).<br /> <br /> * That means if you encrypt and sign a message you get some header stuff in the body of the message and it will be a lot more garbage if you have attached files. Encrypting alone (without attachments) or signing alone (with or without attachments) works fine.<br /> <br /> * I always have to choose my key twice in the &quot;Select Keys&quot; dialog when encrypting? It seems the &quot;Trust key&quot; dialog doesn't show the name of the key, e.g. &quot;The key of '' is not fully trusted&quot;. 
&lt;br /&gt;CM first asks for the key of the recipient and then asks for the sender's key because CM can't extract it properly: &quot;No exact match for 'email@address'; please select the key.&quot; (guess that is because I have two certs..).&lt;br /&gt; If I send an email to a friend and include myself (To:), CM will ask me three times for the correct keys.<br /> <br /> * Although I added my own fingerprint to trustlist.txt CM always says that the recipient is not fully trusted when I send encrypted/signed emails. <br /> <br /> * As of now the &quot;Select Keys&quot; dialog when encrypting emails is a bit awkward to use if you have more than one key (e.g. one expired one you still want to keep to be able to decrypt older emails). It only shows the Key ID and no info about the date which makes it more difficult to choose the correct one.</div> JG
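The two manual steps in the howto that are easiest to get wrong are splitting certbundle.pem into one file per certificate for `gpgsm --import` and taking the SHA-1 fingerprint (not the serial number) for trustlist.txt; the Python below is an added example, not part of the howto, and the sample bundle it parses is constructed (its base64 bodies are not real DER certificates), so the fingerprints it prints only mean something on real input.

```python
"""Added example (not from the Claws Mail howto): split a PEM bundle such as
the certbundle.pem that 'openssl pkcs12 -nodes' writes into cert1.pem,
cert2.pem, ... and emit the matching trustlist.txt lines for gpgsm.

gpgsm's trustlist.txt identifies a certificate by the SHA-1 over its DER
encoding (the fingerprint, not the serial number) followed by a flag:
S = trusted for S/MIME, P = trusted for PGP, * = both.
"""
import base64
import hashlib
import re
from pathlib import Path

# One match per CERTIFICATE block; other PEM blocks (e.g. the unencrypted
# PRIVATE KEY that -nodes leaves in the bundle) are deliberately skipped.
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle_text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    ders = []
    for match in CERT_BLOCK.finditer(bundle_text):
        body = "".join(match.group(1).split())  # drop the base64 line breaks
        ders.append(base64.b64decode(body, validate=True))
    return ders


def sha1_fingerprint(der: bytes) -> str:
    """Fingerprint as gpgsm prints it: 40 upper-case hex digits, no colons."""
    return hashlib.sha1(der).hexdigest().upper()


def trustlist_line(der: bytes, flag: str = "S") -> str:
    """One trustlist.txt entry: '<fingerprint> <flag>'."""
    if flag not in ("S", "P", "*"):
        raise ValueError(f"unknown trustlist flag {flag!r}")
    return f"{sha1_fingerprint(der)} {flag}"


def write_split_certs(bundle_text: str, outdir: Path) -> list:
    """Write cert1.pem, cert2.pem, ... as the howto's gpgsm --import expects."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, der in enumerate(split_pem_bundle(bundle_text), start=1):
        pem = base64.encodebytes(der).decode()  # 76-char lines + trailing \n
        path = outdir / f"cert{i}.pem"
        path.write_text(
            "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"
        )
        paths.append(path)
    return paths


def _fake_block(label: str, payload: bytes) -> str:
    return (f"-----BEGIN {label}-----\n"
            + base64.encodebytes(payload).decode()
            + f"-----END {label}-----\n")


# Constructed sample bundle: the payloads are NOT real DER certificates; they
# only stand in for the key plus three certs that the howto's bundle holds.
SAMPLE_BUNDLE = (
    _fake_block("PRIVATE KEY", b"constructed-private-key")
    + _fake_block("CERTIFICATE", b"constructed-user-cert")
    + _fake_block("CERTIFICATE", b"constructed-intermediate-ca")
    + _fake_block("CERTIFICATE", b"constructed-root-ca")
)


def sample_trustlist_lines() -> list:
    """trustlist.txt lines for every certificate in SAMPLE_BUNDLE."""
    return [trustlist_line(der) for der in split_pem_bundle(SAMPLE_BUNDLE)]


if __name__ == "__main__":
    for line in sample_trustlist_lines():
        print(line)
```

On a real bundle only the issuer (root) line belongs in trustlist.txt; the user certificate is imported, not trusted as a root.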