Summary: | verisign not Validated signature | ||
---|---|---|---|
Product: | [Applications] kleopatra | Reporter: | Zbigniew Luszpinski <mr.zbiggy+bugs.kde.org> |
Component: | general | Assignee: | kdepim bugs <kdepim-bugs> |
Status: | RESOLVED NOT A BUG | ||
Severity: | normal | CC: | mutz |
Priority: | NOR | ||
Version: | 0.40 (KDE 3.x) | ||
Target Milestone: | --- | ||
Platform: | unspecified | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: |
Description
Zbigniew Luszpinski
2006-12-08 00:04:24 UTC
Looking at the certificate path, the top one is missing, making all sub-certificates not valid. The top one, the missing certificate, is:

Certificate issuer not found ( OU=Class 1 Public Primary Certification Authority, O=Verisign, Inc.,C=US)

Where can I download this missing main Verisign certificate? I exported all certificates from MS Outlook Express and imported them into Kleopatra. However, all (except the top one) were imported. Nothing happened. Then I tried K->Control Center->Security and Privacy->Cryptography->SSL Signatures and again imported the certificates from Outlook. The top one was not imported because KDE claimed it is already on the list. The rest of the certificates were imported fine. Every time KDE asked me if KMail is allowed to use the imported certificates I said Yes. Still nothing.

The problem still exists in KMail 1.9.7/KDE 3.4.7.

There is a problem with S/MIME signed e-mails in KMail 1.9.7, Kleopatra 0.40: "issuer certificate is not found (OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US)" - the signed mail is displayed in yellow colour, with the text: "Not enough information to check signature. [Details] Status: No status information available."

I saved the signed mail, went to Windows and checked the e-mail in Outlook. All was fine: the message is signed and valid. Then I checked the certificate path - it was full. So I exported all certificates from the path to files and went to Linux. Thunderbird 2.0.0.0 complained about missing certificates, so I imported all of them. Thunderbird said that it has the top one because it is already built into Thunderbird, so it was not imported. Then I opened the saved e-mail and the signature was verified - the certificate path was full.

Next I tried KMail. I imported all certificates using Kleopatra. The situation was the same as with Thunderbird (KMail said that the top one is already built in, so it was not imported). The rest of the certificates appeared in the Kleopatra window as local certificates. Then I chose check for both certificates - all was valid. Then I reopened KMail - the signed mail is still yellow. The certificate path is broken - the top certificate (the built-in one): "issuer certificate is not found (OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US)" is not found.

Please fix the connection between the top (built-in) certificate and those sub-certificates which are imported later. I think when the connection is fixed the path will be full and my signed mail will become green and valid.

I checked Thunderbird and KMail. The difference is only in the broken certificate path between the built-in/top/master certificate and the first imported/lower/sub one in KMail. All the other imported/lower/further certificates are correctly connected together both in KMail and Thunderbird.

I also imported the certificates into Konqueror. It asked me to make them available to KMail too - I clicked YES. All certificates were imported except the master/top one - it was already present in Konqueror's list. Nothing helped/changed - my signed mail is still yellow.

I can confirm the exact behavior with Kleopatra 0.40 (KDE 3.5.7).

S/MIME trust is hierarchical, so you need to have the root certificate imported, and have it trusted, for signatures to verify correctly. As for where to get that certificate, you have to ask Verisign. It seems like you've tried to import the certificates from Outlook. Please make sure you have a file with only the root certificate in it, and try to import that into Kleopatra. If it doesn't work (says '1 considered, 0 imported'), then please try to import it on the command line:

    gpgsm --import < file

and paste the error you get there. If either of the two worked out, make sure the root is trusted. If it is not, set gpg-agent.conf:allow-mark-trusted (via config file, or in the GUI -> Configure GnuPG Backend -> Gpg Agent -> [x] Allow clients to mark keys as "trusted"), then do a validating keylisting (Shift-F5). The agent should ask you whether you trust the root cert. After that, the signature should verify. You might have to disable crl checks ("never consult a CRL"), too.

No response, old version.
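The hierarchical-trust point made in the reply above can be reproduced offline. This is an added example, not part of the original report and not KDE or GnuPG code: it uses the `openssl` command line instead of `gpgsm`, and every certificate, subject and file name in it is constructed for the demonstration. The leaf and intermediate are always available; only the presence of the root as a trust anchor changes.

```shell
#!/bin/sh
# Added illustration: all names, subjects and files below are constructed.

# issue NAME CA_FLAG [SIGNER]: writes NAME.key and NAME.pem in the current directory.
# Without SIGNER the certificate is self-signed (a root).
issue() {
  printf 'basicConstraints=critical,CA:%s\n' "$2" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=Example Corp/CN=Constructed $1" 2>/dev/null || return 1
  if [ -n "$3" ]; then
    openssl x509 -req -in "$1.csr" -days 2 -extfile "$1.ext" \
      -CA "$3.pem" -CAkey "$3.key" -CAcreateserial -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -days 2 -extfile "$1.ext" \
      -signkey "$1.key" -out "$1.pem" 2>/dev/null
  fi
}

# build_chain DIR: root -> intermediate -> leaf, the same shape as the path in the report.
build_chain() {
  ( cd "$1" && issue root TRUE && issue intermediate TRUE root \
      && issue leaf FALSE intermediate )
}

# verify_leaf DIR [ANCHOR]: prints "valid" or "invalid".
# The intermediate is always supplied as an untrusted helper certificate;
# ANCHOR (a file name inside DIR) is the only certificate that is trusted.
verify_leaf() {
  if [ -n "$2" ]; then anchor="-CAfile $1/$2"; else anchor="-no-CAfile -no-CApath"; fi
  # $anchor is deliberately unquoted so that it splits into separate options
  if openssl verify $anchor -untrusted "$1/intermediate.pem" "$1/leaf.pem" \
       >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

demo() {
  d=$(mktemp -d) && build_chain "$d" || return 1
  echo "root absent:  $(verify_leaf "$d")"
  echo "root trusted: $(verify_leaf "$d" root.pem)"
  rm -rf "$d"
}

demo
```

Importing more intermediates never changes the first result; only adding the root as a trusted anchor does.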