Hi, I observed the same problem as the original submitter.
After digging into the issue here are my observations and a possible solution: /etc/Muttrc.d/smime.rc contains the line/setting set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out" That command fails on Debian 13: $ openssl smime -verify -in file -noverify -pk7out smime: Cannot use -pk7out together with -verify This is (now) also written in the openssl-smime(1) man page: There are six operation options that set the type of operation to be performed: -encrypt, -decrypt, -sign, -resign, -verify, and -pk7out. These are mutually exclusive. The meaning of the other options varies according to the operation type. This limitation does not exist in Debian 12 or earlier and the smime_pk7out_command works there. The openssl-smime(1) on Deb12 does not mention any "... mutually exclusive". Based on the man-page I altered the command: $ openssl smime -pk7out -in file -noverify produces the same output on Debian 13 as the old command on Debian 12 I put that into mutt: :set smime_pk7out_command="openssl smime -pk7out -in %f -noverify" and I can extract the keys again. My proposed solution: Please change the "set smime_pk7out_command ..." in the shipped /etc/Muttrc.d/smime.rc and prepare a package update for the next minor release: ### --- a/smime.rc 2026-03-27 19:35:34.937045484 +0100 +++ b/smime.rc 2026-03-27 19:36:23.236809935 +0100 @@ -58,7 +58,7 @@ # These are used to extract a certificate from a message. # First generate a PKCS#7 structure from the message. -set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out" +set smime_pk7out_command="openssl smime -pk7out -in %f -noverify" # Extract the included certificate(s) from a PKCS#7 structure. set smime_get_cert_command="openssl pkcs7 -print_certs -in %f" ### Best, Andreas -- --------------------------------------------------------------- Zentrum fuer Informationsdienste und Hochleistungsrechnen Andreas Weigand Alle Anfragen zu ZIH-Diensten immer an den Service-Desk: [email protected] oder Tel. 40000
smime.p7s
Description: S/MIME cryptographic signature
