error signing data: Not trusted
Patrick Ben Koetter
p at sys4.de
Tue Aug 26 16:44:23 CEST 2025
Werner,
you're spot on with your diagnosis. Still I am unable to make it work and it
may be that I haven't understood the important part yet. Please read on…
* Werner Koch via Gnupg-users <wk at gnupg.org>:
> On Fri, 22 Aug 2025 01:21, Patrick Ben Koetter said:
>
> > My S/MIME key is valid until 2027 and the key's cert is imported into gpgsm as
> > well. What is it I'm missing? The CA cert? Can I / must I set a trust for a
> > (CA) cert? Any help to debug is very much welcome as I don't really know what
>
> Yes you need to assign trust to the Root-CA cert. Unless the
> "no-allow-mark-trusted" option is set in gpg-agent.conf you should see a
> prompt to verify the fingerprint of the Root CA's certificate. If that
I don't have no-allow-mark-trusted set in gpg-agent.conf:
% cat .gnupg/gpg-agent.conf
default-cache-ttl 600
max-cache-ttl 7200
And when I run gpgsm --list-chain --with-validation 0x3CE75B94 it tells me
*my* cert would not be trusted, while it says the Root CA and all intermediate
certs are good:
[keyboxd]
---------
ID: 0x3CE75B94
S/N: 7575B7A3CA4820B8AC6C0AAC5B56E654C216F4BE
(dec): 670577104657847191671762158918724704718357460158
Issuer: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH
Subject: /CN=Patrick Koetter/O=sys4 AG/L=Munchen/ST=BY/C=DE/EMail=p at sys4.de/2.5.4.97=NTRDE-DED2601V.HRB199263
aka: p at sys4.de
validity: 2024-09-21 11:59:52 through 2027-09-21 11:59:52
key type: rsa4096
key usage: digitalSignature nonRepudiation keyEncipherment dataEncipherment
ext key usage: clientAuth (suggested), emailProtection (suggested), ms-smartcardLogon (suggested), ms-encryptedFileSystem (suggested)
policies: 2.23.140.1.5.3.1:N:,0.4.0.2042.1.1:N:,2.16.756.1.89.2.1.13:N:
sha1 fpr: 10:32:B7:3A:C1:7A:62:45:28:61:23:A0:C6:39:F9:6A:3C:E7:5B:94
sha2 fpr: 59:4F:F9:5B:73:2E:01:66:54:C7:E5:1E:18:6D:82:50:1A:D6:A8:DE:3F:65:4C:1C:AC:51:1D:1A:76:85:1B:02
[Die CRL konnte nicht geprüft werden: Nicht vertrauenswürdig]
[certificate is bad: Nicht vertrauenswürdig]
Certified by
ID: 0x064CD0CD
S/N: 3E50FE6114AC70E44C4E7956BEC81FFC0F3B02EB
(dec): 355763646962456683480335676319500923810294203115
Issuer: /CN=SwissSign RSA SMIME Root CA 2022 - 1/O=SwissSign AG/C=CH
Subject: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH
validity: 2024-05-28 09:03:21 through 2036-05-28 09:03:21
key type: rsa4096
key usage: certSign crlSign
ext key usage: clientAuth (suggested), emailProtection (suggested), ms-smartcardLogon (suggested), ms-encryptedFileSystem (suggested)
policies: 2.23.140.1.5.3.1:N:,2.23.140.1.5.3.2:N:,2.23.140.1.5.3.3:N:,0.4.0.2042.1.1:N:,2.16.756.1.89.2.1.12:N:,2.16.756.1.89.2.1.13:N:
chain length: 0
sha1 fpr: A6:11:C4:18:88:29:CE:85:E1:CF:6C:B5:29:2E:3F:4B:06:4C:D0:CD
sha2 fpr: 7E:30:19:88:A1:02:A5:E9:3D:22:49:66:6B:B6:31:02:0B:A5:8F:C7:03:DE:7B:58:3E:91:D5:44:9F:D0:D3:AF
[certificate is good]
Certified by
ID: 0xA07D0AEA
S/N: 00B30511B116B4A056511D7C681F877D
(dec): 929523951410811236428169985765902205
Issuer: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
Subject: /CN=SwissSign RSA SMIME Root CA 2022 - 1/O=SwissSign AG/C=CH
validity: 2022-06-28 11:26:01 through 2036-09-22 11:26:01
key type: rsa4096
key usage: certSign crlSign
policies: 2.5.29.32.0:N:
chain length: unlimited
sha1 fpr: D5:37:4C:8C:93:CE:C7:93:35:B9:C6:6F:4A:22:BE:33:A0:7D:0A:EA
sha2 fpr: 5A:84:C9:40:54:D3:40:D6:50:A2:99:85:EF:97:BB:39:63:52:E2:15:AE:D6:C0:B3:3C:A7:FF:DD:3B:D5:D2:A2
[certificate is good]
Certified by
ID: 0x9F1A2761
S/N: 00BB401C43F55E4FB0
(dec): 13492815561806991280
Issuer: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
Subject: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
validity: 2006-10-25 08:30:35 through 2036-10-25 08:30:35
key type: rsa4096
key usage: certSign crlSign
policies: 2.16.756.1.89.1.2.1.1:N:
chain length: unlimited
sha1 fpr: D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
sha2 fpr: 62:DD:0B:E9:B9:F5:0A:16:3E:A0:F8:E7:5C:05:3B:1E:CA:57:EA:55:C8:68:8F:64:7C:68:81:F2:C8:35:7B:95
[certificate is good]
If I check my cert using openssl it says it was signed by the intermediate CA
last in chain before my personal cert:
% openssl x509 -in p.pem -noout -issuer -subject
issuer=C=CH, O=SwissSign AG, CN=SwissSign RSA SMIME SV ICA 2024 - 1
subject=C=DE, ST=BY, L=Munchen, O=sys4 AG, organizationIdentifier=NTRDE-DED2601V.HRB199263, emailAddress=p at sys4.de, CN=Patrick Koetter
Does this mean I need to explicitly trust *my* cert by putting it (some of the
data) into ~/.gnupg/trustlist.txt?
TIA,
p at rick
> option is set you need to insert it yourself into ~/.gnupg/trustlist.txt
> - there is a comment at the top explaining it. Rules for GnuPG
> (VS-)Desktop are a bit different; see the respective FAQ.
>
> I would suggest to run
>
> gpgsm --list-chain --with-validation <user-id>
>
> This should give enough hints on what is going on.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
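An added example, not part of the thread and not GnuPG project code: a small Python parser for the `gpgsm --list-chain --with-validation` layout quoted above. The sample input is a constructed, shortened copy of the post's own output (four chain entries, a few fields each). The parser reports which certificate carries a "certificate is bad" status, finds the self-signed root at the end of the chain (Issuer equal to Subject), collects any status lines that mention the CRL, and builds the line that `~/.gnupg/trustlist.txt` would take for the root. The trustlist line format used here (colon-free SHA-1 fingerprint followed by the flag `S`) is assumed from the gpg-agent documentation rather than taken from the post.

```python
import re

# Constructed sample: shortened copy of the gpgsm --list-chain --with-validation
# output quoted in the post (same four certificates, fewer fields per entry).
SAMPLE = """\
[keyboxd]
---------
          ID: 0x3CE75B94
      Issuer: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH
     Subject: /CN=Patrick Koetter/O=sys4 AG/L=Munchen/ST=BY/C=DE
    sha1 fpr: 10:32:B7:3A:C1:7A:62:45:28:61:23:A0:C6:39:F9:6A:3C:E7:5B:94
  [Die CRL konnte nicht geprüft werden: Nicht vertrauenswürdig]
  [certificate is bad: Nicht vertrauenswürdig]
  Certified by
          ID: 0x064CD0CD
      Issuer: /CN=SwissSign RSA SMIME Root CA 2022 - 1/O=SwissSign AG/C=CH
     Subject: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH
    sha1 fpr: A6:11:C4:18:88:29:CE:85:E1:CF:6C:B5:29:2E:3F:4B:06:4C:D0:CD
  [certificate is good]
  Certified by
          ID: 0xA07D0AEA
      Issuer: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
     Subject: /CN=SwissSign RSA SMIME Root CA 2022 - 1/O=SwissSign AG/C=CH
    sha1 fpr: D5:37:4C:8C:93:CE:C7:93:35:B9:C6:6F:4A:22:BE:33:A0:7D:0A:EA
  [certificate is good]
  Certified by
          ID: 0x9F1A2761
      Issuer: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
     Subject: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
    sha1 fpr: D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
  [certificate is good]
"""


def parse_chain(text):
    """Split gpgsm --list-chain output into one dict per certificate.

    Each dict holds the 'key: value' fields of that entry plus a 'status'
    list with the bracketed validation messages printed below it.
    The chain is returned leaf first, root last, as gpgsm prints it.
    """
    certs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the keybox header, its underline and the separator between entries.
        if not line or line == "[keyboxd]" or re.fullmatch(r"-+", line) or line == "Certified by":
            continue
        if line.startswith("ID:"):
            current = {"id": line[3:].strip(), "status": []}
            certs.append(current)
            continue
        if current is None:
            continue
        if line.startswith("[") and line.endswith("]"):
            current["status"].append(line[1:-1])
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return certs


def is_self_signed(cert):
    # A root certificate is issued by itself: Issuer DN equals Subject DN.
    return cert.get("Issuer") is not None and cert.get("Issuer") == cert.get("Subject")


def is_bad(cert):
    return any(s.startswith("certificate is bad") for s in cert["status"])


def trustlist_line(cert, flag="S"):
    """Build the trustlist.txt entry for a root: SHA-1 fingerprint plus flag.

    Assumption: colons are stripped to match the documented fingerprint form;
    'S' marks the certificate as a trusted root for S/MIME (X.509) use.
    """
    return cert["sha1 fpr"].replace(":", "") + " " + flag


def diagnose(text):
    """Summarise the chain: bad entries, the root, and CRL-related messages."""
    certs = parse_chain(text)
    root = certs[-1]
    return {
        "chain": [c["id"] for c in certs],
        "bad": [c["id"] for c in certs if is_bad(c)],
        "root_id": root["id"],
        "root_self_signed": is_self_signed(root),
        "trustlist_line": trustlist_line(root) if is_self_signed(root) else None,
        # Status lines mentioning the CRL; gpgsm prints these before the verdict.
        "crl_status": [s for c in certs for s in c["status"] if "CRL" in s],
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it on the sample shows only the leaf (0x3CE75B94) flagged bad, the Gold CA (0x9F1A2761) as the self-signed root, and the CRL message attached to the leaf, which is the entry a reader would look at alongside the trust assignment Werner describes.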