Hi everyone, I'm trying to set up S/MIME signing with mutt using gpgsm on Debian Stable (Stretch). I've successfully imported the PKCS#12 certificate/private key bundle into gpgsm, but it won't let me sign anything. It fails with an error message as shown below:

$ gpgsm --output sign.bin --sign test.txt
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1EF41DD8EB16AE2D8B50B8E3/CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE
gpgsm: checking the CRL failed: Server indicated a failure
gpgsm: error creating signature: Server indicated a failure <Dirmngr>

The certificate is valid and not revoked. I can perfectly sign with this certificate using gpgsm under Gentoo Linux using the exact same command with the same certificate. When I expressly pass the --disable-crl-checks option, it also works:

$ gpgsm --output sign.bin --disable-crl-checks --sign test.txt
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: DBG: adding certificates at level -2
gpgsm: signature created

The certificate chain is completely available as evidenced by $ gpgsm --list-chain, so that shouldn't be the problem.

Any idea how I should approach this error? Is it a bug, as it doesn't happen on Gentoo?

gpgsm version I use on the Debian system:

$ gpgsm --version
gpgsm (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
libksba 1.3.5-unknown
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/quintus/.gnupg
Supported algorithms:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECC
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL

gpgsm version on the Gentoo system:

$ gpgsm --version
gpgsm (GnuPG) 2.2.4
libgcrypt 1.8.1
libksba 1.3.5
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/quintus/.gnupg
Unterstützte Verfahren:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECC
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL

Marvin

--
Blog: https://mg.guelker.eu
PGP/GPG ID: F1D8799FBCC8BC4F