Re: gpgsm --verify

2018-05-01 Thread Werner Koch
On Tue,  1 May 2018 10:55, stefan.cl...@posteo.de said:

> openssl cms -verify -in original.eml > message.txt && \
> openssl cms -cmsout -in original.eml | \
> sed "1,4d" | base64 -d > file.sig && \
> gpgsm --verify file.sig message.txt

Adding --verbose to the gpgsm invocation may give you additional hints.
IIRC, "--debug x509" may be helpful too.  Is file.sig a valid CMS file;
that is, can you parse it with dumpasn1 or the openssl sub-command?

BTW, gpgsm has an option --assume-base64 so that you don't need the base64
tool.


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: CRL server error with gpgsm

2018-05-01 Thread Werner Koch
On Sun, 29 Apr 2018 22:27, m-guel...@phoenixmail.de said:

> gpgsm: checking the CRL failed: Server indicated a failure
> gpgsm: error creating signature: Server indicated a failure 

Dirmngr (the network access component of GnuPG) got a DNS error; that
is, it can't find the IP of the requested server with the CRL.

> gpgsm (GnuPG) 2.1.18

We have fixed quite a bit since 2.1.18 and I don't know how much of that
has been backported by Debian.

> gpgsm version on the Gentoo system:
>
> $ gpgsm --version
> gpgsm (GnuPG) 2.2.4

As you wrote it does not happen in this version; so updating to the
latest version will fix the problem.  For Debian specific bugs, dkg
might be able to help.  

As a possible workaround you can try to add 

standard-resolver

to ~/.gnupg/dirmngr.conf


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.




Re: gpgsm --verify

2018-05-01 Thread Stefan Claas

On 23.04.18 at 08:50, Stefan Claas wrote:

> On 23.04.18 at 08:36, Werner Koch wrote:
>
>> On Sun, 22 Apr 2018 20:26, stefan.cl...@posteo.de said:
>>
>>> I was wondering when receiving an S/MIME
>>> message created with Thunderbird, how do
>>> I properly verify the message with gpgsm?
>>
>> You need to de-compose the S/MIME message to get the CMS objects.
>> Despite the name, gpgsm does not know about S/MIME (or MIME at all) and
>> thus can't parse it.  That is actually the same as with PGP/MIME which
>> can't be handled directly by gpg [1].
>>
>> In gnupg/tools/ you can find a basic MIME parser but it is not well
>> documented and only used for manual testing.
>
> Thank you very much for the information!
>
> I will check out the MIME parser.


Just for the record...

I was not able to successfully compile the parser and did
therefore the following:

I saved in Thunderbird my original message from this thread.
Edited out the additional headers the list server has added,
so that the saved message looks like this:

[snip]

Sender: "Gnupg-users" 
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; 
micalg=sha-256; boundary="ms070707040603000709040508"


This is a cryptographically signed message in MIME format.

--ms070707040603000709040508
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Language: de-DE

Hi all,

i was wondering when receiving an S/MIME
message created with Thunderbird, how do
i properly verify the message with gpgsm?

As an example i sign now this message
and would appreciate any tips!

P.S. when i do a verify on a Thunderbird
S/MIME message i always get:

gpgsm: enabled debug flags: ipc
gpgsm: ksba_cms_parse failed: Dateiende
secmem usage: 0/16384 bytes in 0 blocks

Best regards
Stefan


--ms070707040603000709040508
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC

[snip]

pfXbwE0DHTM+Fp8xjnGXHBD+8Jfp/R5pAVZehZXh6UYzFMjdS6LzWWM+c2/M9Cum2GS49Q8d
g82Q6zqwFZp4LvVf
--ms070707040603000709040508--

and for de-composing the message I used openssl, so that I had the
content ready to be verified by gpgsm. IMHO not the smartest way,
I assume, but for me as a Mac dummy it works.

openssl cms -verify -in original.eml > message.txt && \
openssl cms -cmsout -in original.eml | \
sed "1,4d" | base64 -d > file.sig && \
gpgsm --verify file.sig message.txt

Regards
Stefan
