
Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
Hello,

I've been trying to figure out why my setup (Emacs + Gnus) is giving
me trouble signing S/MIME messages. Well, the only problem seems to be
when I select the option for loopback pinentry, and only for S/MIME
messages. For signing with PGP, loopback seems to work fine and I get
asked for the passphrase in the Emacs minibuffer, but for S/MIME there seems
to be a problem.

By setting epg-debug in Emacs to True I found that most of the moves are
OK, but that the error comes from not being able to get the passphrase:

The " *gpg-error*" buffer shows:
,----
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: CRLs not checked due to --disable-crl-checks option
| gpgsm: DBG: adding certificates at level -2
| gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
| gpgsm: error creating signature: No passphrase given <GPG Agent>
`----

while the gpg-agent.log tells me:
,----
| DBG: chan_9 -> OK Pleased to meet you, process 3382246
| DBG: chan_9 <- RESET
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION ttytype=dumb
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION display=:0.0
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION xauthority=/home/angelv/.Xauthority
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=XDG_SESSION_TYPE=x11
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=INSIDE_EMACS=28.2,epg
| DBG: chan_9 -> OK
| DBG: chan_9 <- GETINFO version
| DBG: chan_9 -> D 2.2.40
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION allow-pinentry-notify
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION pinentry-mode=loopback
| DBG: chan_9 -> OK
| DBG: chan_9 <- HAVEKEY FC155E4BAF3DA44364C84711DA0B7137EA89D084
| DBG: chan_9 -> OK
| DBG: chan_9 <- ISTRUSTED D1EB23A46D17D68FD92564C2F1F1601764D8E349
| DBG: chan_9 -> S TRUSTLISTFLAG relax
| DBG: chan_9 -> OK
| DBG: chan_9 <- RESET
| DBG: chan_9 -> OK
| DBG: chan_9 <- SIGKEY FC155E4BAF3DA44364C84711DA0B7137EA89D084
| DBG: chan_9 -> OK
| DBG: chan_9 <- SETKEYDESC
| Please+enter+the+passphrase+to+unlock+the+secret+key+for+the+X.509+certificate:%0A%22/CN=Angel+M+de+Vicente/O=Instituto+de+Astrofisica+de+Canarias/STREET=Calle+Vía+Láctea,+s\x2fn/ST=Santa+Cruz+de+Tenerife/C=ES%22%0AS/N+00B4307E9B17A8814A2B5CAE68E09B520E,+ID+0x74A5504B,%0Acreated+2022-10-31,+expires+2024-10-30.%0A
| DBG: chan_9 -> OK
| DBG: chan_9 <- SETHASH 9 96D6D02821BA0498546EF7BD466B9712FD1C8126AD583F895CD8DDA26DD07B7BBFD74F8A5A6E3087C0893C7BBDD78CCB
| DBG: chan_9 -> OK
| DBG: chan_9 <- PKSIGN
| DBG: agent_get_cache 'FC155E4BAF3DA44364C84711DA0B7137EA89D084'.0 (mode 2) ...
| DBG: ... miss
| DBG: agent_get_cache '6F4B59E5A9FBC6FB684CB55FDBB7CC30EEE197E3'.0 (mode 2) (stored cache key) ...
| DBG: ... miss
| DBG: chan_9 -> S INQUIRE_MAXLEN 255
| DBG: chan_9 -> [[Confidential data not shown]]
| DBG: chan_9 <- [[Confidential data not shown]]
| failed to unprotect the secret key: No passphrase given
| failed to read the secret key
| command 'PKSIGN' failed: No passphrase given
| DBG: chan_9 -> ERR 67109041 No passphrase given <GPG Agent>
| DBG: chan_9 <- [eof]
`----

I have removed gnome-keyring and seahorse in my system (in case there
was a conflict with them).

Any ideas as to what might cause this?

Many thanks
--
Ángel de Vicente
Research Software Engineer (Supercomputing and BigData)
Tel.: +34 922-605-747
Web.: http://research.iac.es/proyecto/polmag/

GPG: 0x8BDC390B69033F52
Re: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
On Friday, 04 November 2022 20:03:35, Angel de Vicente wrote:
> Any ideas as to what might cause this?

Not really, I would start the analysis by asserting that
gpgsm --sign
still works outside of Emacs and then somehow try to emulate the loopback
mode. Maybe there is a different problem somewhere.

Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors Frank Koormann, Bernhard Reiter
Re: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
Hello,

Bernhard Reiter <bernhard@intevation.de> writes:

> On Friday, 04 November 2022 20:03:35, Angel de Vicente wrote:
>> Any ideas as to what might cause this?
>
> Not really, I would start the analysis by asserting that
> gpgsm --sign
> still works outside of Emacs and then somehow try to emulate the loopback
> mode. Maybe there is a different problem somewhere.

gpgsm --sign outside of Emacs does work without any problems.

I actually have no problems signing with S/MIME inside Emacs either (as
long as the passphrase has been cached). And I have no problems signing
with PGP (pinentry loopback works fine then).

So it looks like something that affects exclusively pinentry loopback
while signing with S/MIME (actually, you will see this e-mail signed with
S/MIME: basically I try to sign it, and if I get the error because the
passphrase was not cached, I simply sign a region with PGP, which asks
me correctly for the passphrase and caches it, and then I have no
problem signing and sending the message).

I really have no clue what could be going on...

Thanks,
--
Ángel de Vicente
Research Software Engineer (Supercomputing and BigData)
Tel.: +34 922-605-747
Web.: http://research.iac.es/proyecto/polmag/

GPG: 0x8BDC390B69033F52
Re: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
On Friday, 11 November 2022 14:40:13, Angel de Vicente wrote:
> I actually have no problems signing with S/MIME also inside Emacs (as
> far as the passphrase has been cached). And I have no problems signing
> with PGP (pinentry loopback works fine then).
>
> So it looks like something that affects exclusively pinentry loopback
> while signing with S/MIME

As always, there must be a difference in how OpenPGP and S/MIME
signing with GnuPG is called from Emacs/Gnus.
(There is a small chance that it is with the specific keypair you are using.)

Comparing detailed logs of OpenPGP and S/MIME might reveal the difference.
I darkly remember Gnus using GPGME, if this is the case, maybe a GPGME_DEBUG
log can help you. Otherwise you need to look into how Emacs can produce more
details about what it is doing (I am not an Emacs user, so I cannot really
help you there.)

Regards
Bernhard
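As an added example (not part of this thread, and not GnuPG's or Gnus's own tooling), the following POSIX sh/awk classifier reads a gpg-agent.log transcript like the one in the first message and tells the failure seen there (loopback mode set, agent issued its PASSPHRASE inquiry after PKSIGN, client answered with no passphrase) apart from a successful loopback signature or a session that never reached PKSIGN. Both transcripts below are constructed for the example; the successful one assumes the usual loopback shape (client answers the inquiry, sends END, agent replies OK), and the keygrip is a placeholder.

```shell
#!/bin/sh
# Added example: classify a gpg-agent Assuan transcript (one channel) by how
# the PKSIGN request ended. Constructed excerpts below, not the original log.

# Constructed failure transcript, modelled on the one posted in the thread.
SAMPLE_FAIL='DBG: chan_9 <- OPTION pinentry-mode=loopback
DBG: chan_9 -> OK
DBG: chan_9 <- SIGKEY KEYGRIP_PLACEHOLDER
DBG: chan_9 -> OK
DBG: chan_9 <- PKSIGN
DBG: agent_get_cache ... miss
DBG: chan_9 -> S INQUIRE_MAXLEN 255
DBG: chan_9 -> [[Confidential data not shown]]
DBG: chan_9 <- [[Confidential data not shown]]
failed to unprotect the secret key: No passphrase given
DBG: chan_9 -> ERR 67109041 No passphrase given <GPG Agent>'

# Constructed success transcript (assumed shape of an answered loopback inquiry).
SAMPLE_OK='DBG: chan_7 <- OPTION pinentry-mode=loopback
DBG: chan_7 -> OK
DBG: chan_7 <- SIGKEY KEYGRIP_PLACEHOLDER
DBG: chan_7 -> OK
DBG: chan_7 <- PKSIGN
DBG: chan_7 -> S INQUIRE_MAXLEN 255
DBG: chan_7 -> [[Confidential data not shown]]
DBG: chan_7 <- [[Confidential data not shown]]
DBG: chan_7 <- END
DBG: chan_7 -> [[Confidential data not shown]]
DBG: chan_7 -> OK'

# diagnose_agent_log: transcript on stdin, one-line verdict on stdout.
#   loopback-inquiry-unanswered  loopback set, inquiry sent, "No passphrase given"
#   sign-failed: <reason>        PKSIGN ended in some other ERR
#   sign-ok                      PKSIGN ended in OK
#   sign-incomplete              PKSIGN seen but no final OK/ERR (truncated log)
#   no-sign-attempt              the session never issued PKSIGN
diagnose_agent_log() {
  awk '
    /<- OPTION pinentry-mode=loopback/ { loopback = 1 }
    /<- PKSIGN/                        { pksign = 1; after = 1 }
    after && /-> S INQUIRE_MAXLEN/     { inquire = 1 }
    after && /-> ERR [0-9]+ /          { err = $0; sub(/.*-> ERR [0-9]+ /, "", err) }
    after && /-> OK$/ && err == ""     { ok = 1 }
    END {
      if (!pksign)                              print "no-sign-attempt"
      else if (err ~ /No passphrase given/ && loopback && inquire)
                                                print "loopback-inquiry-unanswered"
      else if (err != "")                       print "sign-failed: " err
      else if (ok)                              print "sign-ok"
      else                                      print "sign-incomplete"
    }'
}

# Stand-alone run: classify both constructed transcripts.
printf 'fail sample: '; printf '%s\n' "$SAMPLE_FAIL" | diagnose_agent_log
printf 'ok sample:   '; printf '%s\n' "$SAMPLE_OK"   | diagnose_agent_log
```

To use it on a real session, point it at the file named by the `log-file` option in gpg-agent.conf (the thread's poster already had such a log) and filter to a single channel first, e.g. `grep 'chan_9' gpg-agent.log | diagnose_agent_log`, since the awk state is not tracked per channel. A "loopback-inquiry-unanswered" verdict for the gpgsm run next to a "sign-ok" verdict for the gpg run is the log-level form of the difference Bernhard suggests comparing.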
Re: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
On Fri, 4 Nov 2022 19:03, Angel de Vicente said:

> Any ideas as to what might cause this?

No. But you may want to add

debug-pinentry

to gpg-agent.conf


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
Hello,

Werner Koch <wk@gnupg.org> writes:

>> Any ideas as to what might cause this?
>
> No. But you may want to add
>
> debug-pinentry

Thanks. I had already tried that, but didn't seem to report anything
useful to figure out the problem in my case...

--
Ángel de Vicente
Research Software Engineer (Supercomputing and BigData)
Tel.: +34 922-605-747
Web.: http://research.iac.es/proyecto/polmag/

GPG: 0x8BDC390B69033F52