Page MenuHomekolab.org

Windows: Encrypted mails
Closed, ResolvedPublic

Description

We need support for sending and receiving encrypted emails.
This also includes Kleopatra to manage keys.

Details

Ticket Type
Task

Event Timeline

mollekopf created this task.Aug 3 2015, 3:25 PM
mollekopf updated the task description. (Show Details)
mollekopf raised the priority of this task from to 60.
mollekopf added projects: KDE PIM, Restricted Project.
mollekopf changed Ticket Type from Task to Task.
mollekopf raised the priority of this task from 60 to Unbreak Now!.
mollekopf assigned this task to knauss.
mollekopf added a subscriber: mollekopf.
knauss removed knauss as the assignee of this task.Aug 5 2015, 4:35 PM
knauss moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Aug 6 2015, 1:34 PM
knauss added a subscriber: knauss.
  • kmail -> settings -> identity -> crypto -> select key
  • starting kleopatra -> selftest complains about too old gpgsm (SMIME) -> and too old gpgconf

GPG:

  • can create an gpg keypair
  • can search for gpgkeys (mail@sandroknauss.de)
  • can not import them
  • can select keys for encrypt/sign
  • can create encrypted and signed emails
  • can read the own creates mails
  • can import gpg keys via GPA and use them in kmail afterwards

SMIME:

  • could not create SMIME keypair
knauss added a comment.EditedAug 6 2015, 3:42 PM

with gpg4win full and that included kleopatra i can search ind import gpg keys

I think the following apps are missing: gpgsm, gpg-agent, pinentry, gnugp2

knauss reassigned this task from knauss to mollekopf.Aug 6 2015, 3:44 PM

This needs to rebuild

knauss moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Aug 6 2015, 3:44 PM

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=src/inst-gnupg2.nsi
-> gpgsm (smime handling), gpgagent (the agent to ask for keys), gpg2 (OpenPGP handling),...

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=src/inst-pinentry.nsi
-> getting a pinentry for gpg/smime keys

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=src/inst-dirmngr.nsi
->for getting CLRs (certificate revocation lists)

also very interessting is the documentation of gpg4win:
http://wald.intevation.org/frs/download.php/1385/gpg4win-compendium-en-3.0.0.pdf

With the version 2015-08-10-12-19 and gpg4win 2.2.0 more works but not everything:

bugs:

  • can't import new certificates(gpg) - he always says no imported certificate:
    • settings add a keyserver (pool.sks-keyserver.net)
    • open"Search for certificate" and search for "knauss@kolabsys.com"
    • see one matching key
    • import that key
    • see a dialog, that the key is imported
  • can't see new created smime certificate
mollekopf moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Aug 11 2015, 2:04 PM

Note that importing a gpg certificate from a server crashes on linux. Importing from a file works on windows and linux.

mollekopf added a comment.EditedAug 12 2015, 5:31 PM

It was not possible to change the ownertrust using kleopatra.

After changing the ownertrust using gpg2:

$ gpg2 --edit-key {recipient email address}

trust
5 (select 5 if you ultimately trust the key)
save

KMail was able to verify a signature, but not decrypt a message. So signature verification is working once the key is trusted using openpgpg. Decryption is not working

All of this was tested using gpg4win-vanilla 2.2.0 which contains the same libassuan and gcrypt version as we use in emerge.

To decrypt something using gpg2:

Export secret key:

gpg2 --list-secret-keys
gpg2 --export-secret-keys -a "Christian Mollekopf<cmollekopf@gmail.com>" > cmollekopf.private.key

Import secret key on windows:

gpg2 --allow-secret-key-import --import cmollekopf.private.key

Configure pinentry to be used in C:\Users\kolab\AppData\Roaming\gnupg\gpg-agent.conf:

pinentry-program C:\Program Files (x86)\GNU\GnuPG\pinentry.exe

Start gpg-agent:

gpg-agent.exe --daemon

I had to start it twice until I've seen "set GPG_AGENT_INFO=C:\Users\kolab\AppData\Roaming\gnupg\S.gpg-agent;4756;1" in the output.

Then decrypt the file:

gpg2.exe --decrypt C:\Users\kolab\Desktop\encrypted.pgp

Encrypted.pgp contains a copy-paste out of the MIME message of the ecrypted part (including begin/end signatures).

This will trigger a password dialog and the decryption then succeeds.

And with all of that working decryption in kmail works as well.

Well I had never problems with kmail encrypt/decrypt emails. I think the main issue is the ownertrust/ permission issue. Becuase if gpg detects that the permissions are to open and/ore the owenrtrust is not correct that gpg-agent is not started automatically and gnupg complains about that and do nothing.

With my tests the permission/ownertrust was setup correcly if I restared windows and relogin into linux to gibe gpg-agent the possibility to start. As far as I know it is only triggered by login.

petersen added a project: Restricted Project.Aug 18 2015, 9:47 AM
petersen moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

smime:

  • you need to create a PCKS12 for import into kleopatra

http://serverfault.com/questions/103263/can-i-create-my-own-s-mime-certificate-for-email-encryption

  • that PCKS12 can be imported via kleopatra,but the trusted issuer is not set to ulimate after import
Marking it has trusted can be done by manually editing the
file ~/.gnupg/trustlist.txt (there are instructions on the top) or by
putting a line "allow-mark-trusted" into ~/.gnupg/gpg-agent.conf" and
giving gpg-agent a HUP.  With allow-mark-trusted active, gpg-agent will
ask you whether you trust that root certificate and insert it for you
into the trustlist.txt.

https://lists.gnupg.org/pipermail/gnupg-users/2009-February/035754.html

  • the docu to kleopatra also metion these things:

https://docs.kde.org/stable4/en/kdepim/kleopatra/menucertificates.html

till now i did not get my self signed certificate shown as trust ulimate :(

What about the tests inside kdepim exspecially messageviewer/rendertest,this onetests smime and gpg encrypted/signed messages.

In T678#9584, @knauss wrote:

What about the tests inside kdepim exspecially messageviewer/rendertest,this onetests smime and gpg encrypted/signed messages.

Never got them to run anywhere (also not linux).

With "disable-crl-checks" in .gnupg/gpgsm.conf I managed to use my self-signed certificate and encrypt/decrypt an email on linux.
disable-crl-checks is only necessary because the certificate I created has no crl list (crlDP: [none] in the dump)

And what is the problem onwindows withsetting this paramenter?

Therendertests i use on linux a lot and actually make sure that the encrypted/signed mails are displayed correctly. At least I was them using before we switched to docker based testing. So I know they are working.

The test just got stuck for me.

smime on windows is also working once the "Never consult a CRL" option is activated in Kleopatra (which is the disable-crl-checks option in the config file). With that it's possible to select the certificate, and to encrypt/decrypt and sign a message.

Importing the keys directly trusted the root certificate and imported it into the trustlist.txt.

mollekopf moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Aug 21 2015, 10:44 AM
petersen moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Aug 31 2015, 6:09 PM
mollekopf closed this task as Resolved.Sep 24 2015, 11:34 AM