Q: gpgsm says "Unsupported certificate"
Albrecht Dreß
albrecht.dress at arcor.de
Tue Oct 4 21:19:28 CEST 2011
Hi all,
a while ago, I added gpg and gpgsm support to the MUA balsa (see <http://pawsa.fedorapeople.org/balsa/>), building on top of gpgme.
One user asked why an S/MIME-signed mail in Evolution is marked as "good", whereas gpgme (from gpgsm) and in turn balsa report the same signature as having a GPGME_VALIDITY_UNKNOWN validity. Using the same code, all my trusted certs report GPGME_VALIDITY_FULL, so unfortunately, I'm lost here...
The gpgsm log (activated via the conf file) reports:
----8<-------------------------------------------------------------
DBG: gcry_pk_verify: Success
root certificate is good
DBG: connection to agent established
DBG: gcry_pk_verify: Success
checking the trust list failed: Unsupported certificate
validation model used: shell
invalid certification chain: Unsupported certificate
enabled debug flags: x509 mpi crypto memory cache memstat hashing assuan
----8<-------------------------------------------------------------
The certificate chain seems to be present, as 'gpgsm --list-chain' reports
----8<-------------------------------------------------------------
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing assuan
/home/pawsa/.gnupg/pubring.kbx
------------------------------
ID: 0x7B5AAEE8
S/N: 0726F0
Issuer: /CN=Certum Level IV CA/OU=Certum Certification Authority/O=Unizeto Technologies S.A./C=PL
Subject: /CN=Idea Bank S.A./OU=IT/O=IdeaBank/L=Warszawa/ST=mazowieckie/C=PL/EMail=kontakt at ideabank.pl
aka: kontakt at ideabank.pl
validity: 2010-12-09 12:00:26 through 2012-12-09 12:00:26
key type: 2048 bit RSA
key usage: digitalSignature nonRepudiation keyEncipherment dataEncipherment
ext key usage: clientAuth (suggested), emailProtection (suggested)
policies: 1.2.616.1.113527.2.2.4:N:
fingerprint: FB:1E:3E:EA:76:D9:FF:1B:B6:7E:A6:A8:C2:1F:3E:49:7B:5A:AE:E8
Certified by
ID: 0xFFFFFFFF9491906A
S/N: 047A54
Issuer: /CN=Certum CA/O=Unizeto Sp. z o.o./C=PL
Subject: /CN=Certum Level IV CA/OU=Certum Certification Authority/O=Unizeto Technologies S.A./C=PL
validity: 2009-03-03 12:54:25 through 2024-03-03 12:54:25
key type: 2048 bit RSA
key usage: certSign crlSign
policies: 2.5.29.32.0:N:
chain length: unlimited
fingerprint: 70:7C:9A:C5:3A:B2:3D:6E:39:63:61:DA:75:27:48:3A:94:91:90:6A
Certified by
ID: 0x51B18118
S/N: 010020
Issuer: /CN=Certum CA/O=Unizeto Sp. z o.o./C=PL
Subject: /CN=Certum CA/O=Unizeto Sp. z o.o./C=PL
validity: 2002-06-11 10:46:39 through 2027-06-11 10:46:39
key type: 2048 bit RSA
chain length: unlimited
fingerprint: 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/16384 bytes in 0 blocks
----8<-------------------------------------------------------------
Any idea what goes wrong here?
Thanks in advance,
Albrecht.