Signing and Encryption with S/MIME certificate fails

Hi all,
I’m using Kleopatra/GPGEX for encryption and signing files without any trouble. But when I use my S/MIME certificate I’m facing this error message (for both options - signing and encryption): “System error w/o errno” and main status is: Signing and Encryption failed.
Is there any log where I can check what is wrong? I’m using the latest version.
Thank you in advance.

Hi Matej,

the following pages may help you:
https://wiki.gnupg.org/TroubleShooting
https://wiki.gnupg.org/X.509

A command line could be
gpgsm -v --sign

Best Regards,
Bernhard

Hi Bernhard,
thanks a lot!
I was trying to run it, but I’m facing this error:
gpgsm -v --sign test.txt > test.p7s
gpgsm: failed to open 'C:\Users\mkopecky\AppData\Roaming\gnupg\policies.txt': No such file or directory
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #XXXXXXXXXXXXXXXXXXXX
gpgsm: checking the CRL failed: System error w/o errno
gpgsm: validation model used: shell
gpgsm: error creating signature: System error w/o errno

Any other advice?
Thank you.

Regards
Matej

Hi Matej,
disable the crl checking to see if this is the problem.

Create an empty policy file for testing.

Use a second “-v”, aka “-v -v” to get more infos.

Best Regards,
Bernhard

Hi Bernhard,
I just created an empty policy file, I have also added another -v option into my script, but I cannot find where I can switch off CRL checking.
I found this on the internet:
If “dirmngr” does not work well, you can disable CRL checks by putting the following into “~/.gnupg/gpgsm.conf”.

disable-crl-checks

But I cannot find the gpgsm.conf file on my computer, where should I find it?
Thank you.

Regards
Matej

In Kleopatra → Configure Kleopatra → S/MIME Validation → “Never consult a CRL”.

Under Windows the config file would be c:\users\yourusername\appdata\roaming\gnupg\gpgsm.conf. If it does not exist you would have to create it. But Kleo does it for you, so better to set it in Kleopatra.

Hi Andre,
it’s working now! Should I leave CRL switched off permanently or is it too risky?

Regards
Matej

Depends on your threat model, to go into the full details of this would be a bit too much here.
I can only say for me personally I usually have it off.

CRLs are mostly important if a communication partner’s certificate is compromised. But usually they only inform you if someone has lost their private key and has a new certificate.

Hi Andre,
ok, thanks a lot for your explanation.

Regards
Matej

Hi Matej,
just note that most official S/MIME profiles require revocation checking to be active.
So personally I have it active always (except for debugging).

If you need to find out why the CRL checking is not working, the next step probably is to turn on and get logs from dirmngr, which is responsible for checking the revocation information.

Regards,
Bernhard

Hi Bernhard,
OK, and where can I switch on a log file for dirmngr?
Thank you.

Regards
Matej

Hi Matej,
check the dirmngr documentation, there are several ways to do so.
(If you are using dirmngr.conf you can just create the file if it is not there.)

Best,
Bernhard

Hello,
regarding:
In Kleopatra → Configure Kleopatra → S/MIME Validation → “Never consult a CRL”.

I do it like this too for smooth Outlook processing of S/MIME messages, but CRL checking is done by a batch file once a day at times when Outlook is not used:

: Refresh CRLs for faster processing in OL-2016
: Run with admin rights, list only:
: gpgsm -k > C:\Batch\crl-upd.log

gpgsm --force-crl-refresh --with-validation -k > C:\Batch\crl-upd.log
timeout /T 1 /nobreak
start "C:\Program Files (x86)\Notepad++\notepad++.exe" C:\Batch\crl-upd.log
exit

Regards Chris
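The batch file above writes the whole validated key listing to a log, which still has to be read by hand. Here is an added example (not from the thread or from GnuPG) that picks the certificates whose validation failed out of such a crl-upd.log, so a user can see which entries have CRL trouble before deciding to turn checking off. The line format of "[certificate is good]" / "[certificate is bad: ...]" is assumed from gpgsm's key listing, and the sample listing is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of `gpgsm --with-validation -k` output. The record
# layout and status lines are assumed from gpgsm's key listing; subjects,
# IDs and fingerprints are made up.
SAMPLE_LISTING = """\
           ID: 0x11111111
          S/N: 2A
       Issuer: /CN=Example CA/O=Example
      Subject: /CN=Alice Example/O=Example
     validity: 2023-01-01 00:00:00 through 2026-01-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: A1:B2:C3:D4:E5:F6:A7:B8:C9:D0:E1:F2:A3:B4:C5:D6:E7:F8:A9:B0
  [certificate is good]

           ID: 0x22222222
          S/N: 3B
       Issuer: /CN=Example CA/O=Example
      Subject: /CN=Bob Example/O=Example
     validity: 2023-01-01 00:00:00 through 2026-01-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:01:12:23:34
  [certificate is bad: System error w/o errno]
"""

# "good", or "bad" optionally followed by the error text gpgsm printed.
STATUS_RE = re.compile(r"\[certificate is (good|bad(?:: (.*))?)\]")


def parse_validation_listing(text: str) -> List[Dict[str, str]]:
    """Split a gpgsm listing into one record per certificate.

    Each record carries the Subject, the fingerprint and the verdict:
    "good", or the error text after "bad:" (plain "bad" if none was given).
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            current["subject"] = stripped[len("Subject:"):].strip()
        elif stripped.startswith("fingerprint:"):
            current["fingerprint"] = stripped[len("fingerprint:"):].strip()
        else:
            m = STATUS_RE.search(stripped)
            if m:  # the status line closes the record
                current["status"] = "good" if m.group(1) == "good" else (m.group(2) or "bad")
                records.append(current)
                current = {}
    return records


def failed_validations(text: str) -> List[Dict[str, str]]:
    """Return only the certificates whose validation (incl. CRL check) failed."""
    return [r for r in parse_validation_listing(text) if r["status"] != "good"]
```

Feed it the contents of C:\Batch\crl-upd.log instead of SAMPLE_LISTING to review a real run.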

Yes, that is something that I also recommended to someone using S/MIME heavily in Outlook. Thanks for providing your script. Maybe we should put that in the wiki.

Another idea I had was to remember the last used certificates for validation and encryption in GpgOL and start a CRL validation in the background (optional) for the last 50 or so used certificates in Outlook when Outlook is started. That way it can run without disturbing the user when he verifies or uses such a certificate.

It would be pretty simple but we kind of have this long running issue that the dirmngr component in GnuPG should do such things by itself and this would be the better solution, but that is more complicated to get in.

During release testing for 3.1.15 we noticed that system error without errno is an internal problem since gnupg-2.2.24. It will be fixed in the next release that should be done this week.