Bug 324424

Summary: I cannot select my S/MIME certificate for Email Signature
Product: [Applications] kmail2
Reporter: Martin Brugger <martin.brugger>
Component: crypto
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UNMAINTAINED
Severity: normal
CC: enrico.tagliavini, leo, maraval_p, mikayel.grigorian
Priority: NOR    
Version: 4.10.5   
Target Milestone: ---   
Platform: Kubuntu   
OS: Linux   
Attachments: Screen-shot with empty signing certificate config screen

Description Martin Brugger 2013-09-02 20:27:13 UTC
I want to send emails with a digital S/MIME Signature.
Kleopatra is installed and my Certificate is imported.

Now in the Kmail Settings for my Identity, it's not possible to select my S/MIME Certificate for signing emails.

The Listbox is always empty!

But what is confusing is that I can select my S/MIME Certificate for encrypting emails successfully.

What is the failure, if I can select my S/MIME Certificate in the listbox for encrypting but not for signing?


Reproducible: Always
Comment 1 Martin Brugger 2013-09-03 17:33:44 UTC
I have found the failure! The S/MIME Certificate that I need to import into Kleopatra must be a .P12 file. I have done this with an export from my Browser. But I need to watch whether the Browser saves the certificate in the correct P12 Format.
Comment 2 Mikayel Grigoryan 2013-10-14 12:02:18 UTC
I also have the same problem in KMail 4.10.5 with S/MIME signing certificates. Not possible to select any, though encryption certificate works well.

Did not figure out what the workaround was, it does not work for me, the imported *.pfx certificate does not show up in the S/MIME signing certificate configuration window.
Comment 3 Mikayel Grigoryan 2013-10-14 12:09:20 UTC
Created attachment 82842 [details]
Screen-shot with empty signing certificate config screen

From KMail settings I go to changing my profile --> cryptography --> S/MIME signing certificate.
Comment 4 Pierre Maraval 2014-03-25 19:23:05 UTC
The List only displays certificates for which you have the private key installed. A direct solution is to install the private key via gpg/gpgsm.

I had the same Problem. It turned out the certificate was badly imported in Kleopatra, because Kleopatra, gpg (and gpg2) can't handle PKCS#12 cert+key files (so I could only import the certificate via the browser, because exporting the private key was only possible in pk12 format).

So I had to convert the certificate-and-privatekey.p12 file to extract the key, which I then installed in gpg. It worked, I didn't even have to import it into Kleopatra. Finally I can send S/MIME mails. But the problem is in Kleopatra and/or gpg.
Comment 5 Pierre Maraval 2014-03-25 19:25:02 UTC
And I still don't know why I could select a certificate for encryption (encryption didn't work for me though, but I could select the certificate in the list).
Comment 6 Mikayel Grigoryan 2014-04-06 14:41:54 UTC
My certificate is *.p12. Should I convert it to some different format and then import to gpgsm?
Comment 7 Enrico Tagliavini 2014-06-24 08:04:50 UTC
Exact same problem with: gentoo linux, kde 4.12.5 using S/MIME.

I have an x509 certificate released by CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE and it is trusted in Kleopatra. The main purpose of this certificate is email signing.

The certificate is imported in Kleopatra and the private key is as well. Kleopatra gives me the option to export the private key and I can sign files from kleopatra with this certificate with S/MIME. Problem is kmail not listing it.
Comment 8 Enrico Tagliavini 2014-07-03 18:40:44 UTC
I think I nailed it down. Kmail seems to silently fail if the gpg-agent is not running. I tried on Fedora 20 with KDE 4.13.? (2 maybe?) and it worked out of the box. I did a comparison between fedora and gentoo and I found the gpg-agent was running on fedora and not on gentoo. So I started the gpg-agent from /etc/kde/startup (this is the folder name for gentoo, it is named env in fedora), logged out and back in. It worked.

I have to say there has also been an update of gnupg from version 2.0.22 to version 2.0.25 between my last non-working try and the working one... so this might be another point to keep in mind. The gpg-agent makes more sense to me though, because kleopatra was actually complaining there was no gpg-agent running.

Even if kleopatra actually complains, it is very confusing to see no certificate listed in kmail with no error reported. I think kmail should complain about missing gpg-agent like kleopatra does, when opening the dialog to select the S/MIME certificate for signing.
Comment 9 Mikayel Grigoryan 2014-07-03 19:07:13 UTC
Brilliant, works for me too!
Comment 10 Leopold Goetze 2014-07-28 13:16:35 UTC
I have the same problem. gpg-agent is running and older emails in the sent mail folder report a valid signature (green colour) as I imported my certificate including the secret key. Since I have selected all emails to be signed, for any new email there is a message in the upper status bar that this email will be signed. However if I click on sent I receive an error (no valid signature selected (since I cannot select it for signing or crypting this is rather logical)).
Comment 11 Enrico Tagliavini 2014-07-28 14:52:41 UTC
(In reply to Leopold Goetze from comment #10)
> I have the same problem. gpg-agent is running and older emails in the sent
> mail folder report a valid signature (green colour) as I imported my
> certificate including the secret key. Since I have selected all emails to be
> signed for any new email there is a message in the upper status bar that
> this email will be signed. However if I click on sent I receive an error (no
> valid signature selected (since I cannot select it for signing or crypting
> this is rather logical)).

Hi Leopold,

I had this problem as well at some point, I'm not entirely sure I sorted it out though. The problem is at gpg level I think, since gpgsm was complaining as well about my key. It was reporting the public part of the key was missing (which makes little sense to me).

You should be able to reproduce with:

gpgsm --local-user <your key id, find it with gpgsm -K>

For sure I performed the following actions multiple times and in different order, at some point I realized it was working again:

 - from kleopatra sign a file with the key you need (I think this is likely what helped most, but I can't be sure)
 - remove your certificate and import it again from kleopatra
 - remove it from the command line (by rm -rf the private key file)
 - import it from the command line with gpgsm, both public and private parts
 - removed and added the CA back

So I would suggest to investigate what kleopatra is reporting about your certificate and if you are able to sign stuff with it. Same with straight gpgsm command, to check the components kmail is using are actually working.
Comment 12 Leopold Goetze 2014-07-28 17:39:34 UTC
(In reply to Enrico Tagliavini from comment #11)
> Hi Leopold,
> 
> I had this problem as well at some point, I'm not entirely sure I sorted it
> out though. The problem is at gpg level I think, since gpgsm was complaining
> as well about my key. It was reporting the public part of the key was
> missing (which makes little sense to me).
> 
> You should be able to reproduce with:
> 
> gpgsm --local-user <your key id, find it with gpgsm -K>
> 
> For sure I performed the following actions multiple times and in different
> order, at some point I realized it was working again:
> 
>  - from kleopatra sign a file with the key you need (I think this is likely
> what helped most, but I can't be sure)
>  - remove your certificate and import it again from kleopatra
>  - remove it from the command line (by rm -rf the private key file)
>  - import it from the command line with gpgsm, both public and private parts
>  - removed and added the CA back
> 
> So I would suggest to investigate what kleopatra is reporting about your
> certificate and if you are able to sign stuff with it. Same with straight
> gpgsm command, to check the components kmail is using are actually working.

Many thanks for your comments, Enrico
Checking with gpgsm I found my private key missing. However, it was quite tricky to finally import it. The following command(s) did the trick:
# Execute the following two commands, where cert.p12 is the 
# certificate file you exported in Firefox and password is 
# the password it is encrypted with.
openssl pkcs12 -in cert.p12 | gpgsm --import
gpgsm --call-protect-tool --p12-import --store -P password cert.p12
I found them referenced on http://forum.ubuntuusers.de/topic/gpgsm-importieren-schlaegt-fehl/
Best regards
Leo
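
The check suggested in comments 4, 11 and 12, as an added example that is not part of the original thread and not KDE or GnuPG code: it filters `gpgsm --with-colons` output for certificates that have a private key (record type `crs`) and the signing capability, which are the ones a signing-certificate list can offer. The function names and the sample listing are constructed for illustration.

```shell
# Added example: which S/MIME certificates can gpgsm actually sign with?
# signing_certs reads `gpgsm --with-colons` output on stdin and prints the
# fingerprint of every certificate that has a secret key (record "crs")
# and lists the signing capability ("s" or "S") in field 12.
signing_certs() {
    awk -F: '
        # A certificate record starts: remember whether it qualifies.
        $1 == "crt" || $1 == "crs" {
            want = ($1 == "crs" && $12 ~ /[sS]/)
            next
        }
        # The first fpr record after it carries the fingerprint in field 10.
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Constructed sample listing (not real certificates):
#   1. secret key present, signing allowed      -> reported
#   2. secret key present, encryption only      -> not reported
#   3. signing allowed, but no secret key (crt) -> not reported
sample_listing() {
    cat <<'EOF'
crs:u:2048:1:1111111111111111:20130101T000000:20160101T000000:01::CN=Constructed Test CA::sS:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:::
uid:u::::::::CN=Signer Example::::::::
crs:u:2048:1:2222222222222222:20130101T000000:20160101T000000:02::CN=Constructed Test CA::eE:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:::
crt:u:2048:1:3333333333333333:20130101T000000:20160101T000000:03::CN=Constructed Test CA::sS:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:::
EOF
}

# Live use on a real keyring (needs gpgsm and a reachable gpg-agent):
live_signing_certs() {
    gpgsm --list-secret-keys --with-colons | signing_certs
}

# Demonstration on the constructed sample.
sample_listing | signing_certs
```

An empty result from `live_signing_certs` points at the keyring or agent (missing private key, as in comments 4 and 12) rather than at KMail's dialog.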
Comment 13 Enrico Tagliavini 2014-08-04 07:38:06 UTC
Ok happened again to me that GPG messed up and signing was not possible anymore. To recover I opened kleopatra and removed the whole root CA, which will remove the chain and my certificate as well. Then I simply imported it again. It looks like an intermediate certificate is messed up, there are 2 entries for it in kleopatra. No idea if it is KDE or gpg fault.
Comment 14 Denis Kurz 2016-09-24 18:23:59 UTC
This bug has only been reported for versions before 4.14, which have been unsupported for at least two years now. Can anyone tell if this bug is still present?

If no one confirms this bug for a Framework-based version of kmail2 (version 5.0 or later, as part of KDE Applications 15.12 or later), it gets closed in about three months.
Comment 15 Denis Kurz 2017-01-07 22:25:23 UTC
Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.0 aka 15.08), please open a new one unless it already exists. Thank you for all your input.