We need support for sending and receiving encrypted emails.
This also includes Kleopatra to manage keys.
Details
- Ticket Type: Task
Status | Assigned | Task
---|---|---
Resolved | mollekopf | T678 Windows: Encrypted mails
Resolved | mollekopf | T682 Build gnupg on windows
Resolved | knauss | T694 Crash when trying to create an smime key (on linux)
Wontfix | mollekopf | T695 Windows: Failed to change ownertrust of pgpg certificate
Resolved | mollekopf | T711 Can't use smime keys in kmail
Event Timeline
- kmail -> settings -> identity -> crypto -> select key
- starting kleopatra -> selftest complains about too old gpgsm (SMIME) -> and too old gpgconf
GPG:
- can create a gpg keypair
- can search for gpgkeys (mail@sandroknauss.de)
- cannot import them
- can select keys for encrypt/sign
- can create encrypted and signed emails
- can read its own created mails
- can import gpg keys via GPA and use them in kmail afterwards
SMIME:
- could not create SMIME keypair
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=src/inst-gnupg2.nsi
-> gpgsm (smime handling), gpg-agent (the agent to ask for keys), gpg2 (OpenPGP handling), ...
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=src/inst-pinentry.nsi
-> getting a pinentry for gpg/smime keys
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=src/inst-dirmngr.nsi
-> for getting CRLs (certificate revocation lists)
Also very interesting is the gpg4win documentation:
http://wald.intevation.org/frs/download.php/1385/gpg4win-compendium-en-3.0.0.pdf
With version 2015-08-10-12-19 and gpg4win 2.2.0 more works, but not everything:
bugs:
- can't import new certificates (gpg); it always says no certificate was imported:
  - settings: add a keyserver (pool.sks-keyserver.net)
  - open "Search for certificate" and search for "knauss@kolabsys.com"
  - see one matching key
  - import that key
  - see a dialog that the key is imported
- can't see newly created smime certificate
Note that importing a gpg certificate from a server crashes on linux. Importing from a file works on windows and linux.
It was not possible to change the ownertrust using kleopatra.
After changing the ownertrust using gpg2:
$ gpg2 --edit-key {recipient email address}
trust
5 (select 5 if you ultimately trust the key)
save
KMail was able to verify a signature, but not decrypt a message. So signature verification is working once the key is trusted using OpenPGP. Decryption is not working.
All of this was tested using gpg4win-vanilla 2.2.0 which contains the same libassuan and gcrypt version as we use in emerge.
To decrypt something using gpg2:
Export secret key:
gpg2 --list-secret-keys
gpg2 --export-secret-keys -a "Christian Mollekopf<cmollekopf@gmail.com>" > cmollekopf.private.key
Import secret key on windows:
gpg2 --allow-secret-key-import --import cmollekopf.private.key
Configure pinentry to be used in C:\Users\kolab\AppData\Roaming\gnupg\gpg-agent.conf:
pinentry-program C:\Program Files (x86)\GNU\GnuPG\pinentry.exe
Start gpg-agent:
gpg-agent.exe --daemon
I had to start it twice until I saw "set GPG_AGENT_INFO=C:\Users\kolab\AppData\Roaming\gnupg\S.gpg-agent;4756;1" in the output.
Then decrypt the file:
gpg2.exe --decrypt C:\Users\kolab\Desktop\encrypted.pgp
encrypted.pgp contains a copy-paste out of the MIME message of the encrypted part (including begin/end signatures).
This will trigger a password dialog and the decryption then succeeds.
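The ownertrust dialogue (`--edit-key` / `trust` / `5` / `save`) and the export-secret-key, import, decrypt sequence above can be exercised end to end on one machine without touching a real Windows box. The script below is an added example, not a command sequence from this ticket: it creates two throwaway GnuPG homes, one standing in for the Linux ~/.gnupg where the key was generated and one for %APPDATA%\gnupg on the Windows side, moves the secret key across, sets ownertrust non-interactively, and checks that a signed and encrypted message decrypts and verifies with ultimate trust. It assumes GnuPG 2.1 or newer on PATH (gpg4win 2.2 shipped GnuPG 2.0, which is why the ticket starts gpg-agent by hand and looks for GPG_AGENT_INFO; 2.1 and later start the agent themselves and ignore that variable). The identity "Test Sender <sender@example.test>", the file names and the plaintext are made up for the example.

```shell
#!/bin/sh
# Added example (not from the ticket). Two isolated GnuPG homes stand in for
# the Linux ~/.gnupg and the Windows %APPDATA%\gnupg. Assumes gpg 2.1+ on PATH;
# the key owner "Test Sender <sender@example.test>" is invented.

GPG=$(command -v gpg2 || command -v gpg)

demo_roundtrip() {
    work=$(mktemp -d)
    linux="$work/linux-home"     # where the key pair is generated
    win="$work/windows-home"     # where the secret key is moved to
    # 0700 matters: gpg refuses to work quietly on a home with "unsafe permissions".
    mkdir -m 700 "$linux" "$win"

    # 1. Generate an unprotected test key pair (no pinentry needed under --batch).
    "$GPG" --homedir "$linux" --batch --quiet --gen-key <<'EOF' 2>/dev/null
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Test Sender
Name-Email: sender@example.test
Expire-Date: 0
%commit
EOF

    # 2. "Export secret key": armored, carries the encryption subkey as well.
    "$GPG" --homedir "$linux" --batch --quiet --armor \
        --export-secret-keys sender@example.test > "$work/private.key"

    # A signed and encrypted message, as the mail client on the Linux side would make it.
    printf 'hello from the sender\n' > "$work/plain.txt"
    "$GPG" --homedir "$linux" --batch --quiet --armor \
        --local-user sender@example.test --recipient sender@example.test \
        --sign --encrypt --output "$work/msg.asc" "$work/plain.txt"

    # 3. "Import secret key on windows". --allow-secret-key-import is a no-op
    #    since 2.1; a plain --import hands the key to the agent of this home.
    "$GPG" --homedir "$win" --batch --quiet --import "$work/private.key" 2>/dev/null

    # 4. Ownertrust without the interactive trust/5/save dialogue:
    #    --import-ownertrust reads "<fingerprint>:<level>:", where 6 is
    #    ultimate in this file format (the edit-key menu numbers it 5).
    #    --check-trustdb then does what "save" triggers in the dialogue.
    fpr=$("$GPG" --homedir "$win" --batch --with-colons --list-keys sender@example.test 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    printf '%s:6:\n' "$fpr" | "$GPG" --homedir "$win" --batch --quiet --import-ownertrust 2>/dev/null
    "$GPG" --homedir "$win" --batch --quiet --check-trustdb 2>/dev/null

    # 5. Decrypt on the "windows" side; the status file records signature and trust.
    plain=$("$GPG" --homedir "$win" --batch --quiet --status-file "$win/status" \
            --decrypt "$work/msg.asc" 2>/dev/null)
    sig=$(grep -q '^\[GNUPG:\] GOODSIG ' "$win/status" && echo GOODSIG || echo NOSIG)
    trust=$(grep -o 'TRUST_[A-Z]*' "$win/status" | head -n 1)

    # Stop the per-home agents before the directories disappear.
    for h in "$linux" "$win"; do gpgconf --homedir "$h" --kill all 2>/dev/null || true; done
    rm -rf "$work"

    printf '%s|%s|%s\n' "$plain" "$sig" "$trust"
}

if [ -n "$GPG" ]; then
    demo_roundtrip
else
    echo "no gpg binary found on PATH" >&2
fi
```

Without step 4 the message still decrypts, but the status file reports TRUST_UNDEFINED for the signature, which is the "verify works, but the key is not trusted" state the ticket describes; after the ownertrust import it reports TRUST_ULTIMATE.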
Well, I never had problems with KMail encrypting/decrypting emails. I think the main issue is the ownertrust/permission issue, because if gpg detects that the permissions are too open and/or the ownertrust is not correct, gpg-agent is not started automatically and gnupg complains about that and does nothing.
In my tests the permissions/ownertrust were set up correctly if I restarted Windows and logged in to Linux again to give gpg-agent the possibility to start. As far as I know it is only triggered by login.
smime:
- you need to create a PKCS#12 file for import into kleopatra
http://serverfault.com/questions/103263/can-i-create-my-own-s-mime-certificate-for-email-encryption
- that PKCS#12 file can be imported via kleopatra, but the trusted issuer is not set to ultimate after import
Marking it as trusted can be done by manually editing the file ~/.gnupg/trustlist.txt (there are instructions at the top) or by putting a line "allow-mark-trusted" into ~/.gnupg/gpg-agent.conf and giving gpg-agent a HUP. With allow-mark-trusted active, gpg-agent will ask you whether you trust that root certificate and insert it for you into trustlist.txt.
https://lists.gnupg.org/pipermail/gnupg-users/2009-February/035754.html
- the kleopatra documentation also mentions these things:
https://docs.kde.org/stable4/en/kdepim/kleopatra/menucertificates.html
So far I did not get my self-signed certificate shown as trust ultimate :(
What about the tests inside kdepim, especially messageviewer/rendertest? This one tests smime and gpg encrypted/signed messages.
With "disable-crl-checks" in .gnupg/gpgsm.conf I managed to use my self-signed certificate and encrypt/decrypt an email on linux.
disable-crl-checks is only necessary because the certificate I created has no CRL (crlDP: [none] in the dump).
And what is the problem on windows with setting this parameter?
The rendertests I use on linux a lot, and they actually make sure that the encrypted/signed mails are displayed correctly. At least I was using them before we switched to docker-based testing. So I know they are working.
smime on windows is also working once the "Never consult a CRL" option is activated in Kleopatra (which is the disable-crl-checks option in the config file). With that it's possible to select the certificate, and to encrypt/decrypt and sign a message.
Importing the keys directly trusted the root certificate and imported it into the trustlist.txt.