Solution
Removing ipv6.disable=1 from the kernel parameters. See comment #8.
Or (even better for me) keep IPv6 disabled but add the option disable-ipv6 to ~/.gnupg/dirmngr.conf and restart the user systemd service with systemctl --user restart dirmngr.service
---
Hi everyone!
At some point before 22 January (when I sent my last signed email) I stopped being able to sign emails with my certificate using Kmail. I thought it was a Kmail bug (there were some KDE Applications/Frameworks/etc. updates), and that is why I opened this bug report:
https://bugs.kde.org/show_bug.cgi?id=417862
However, I had to install a VM with KDE Neon recently to try to debug a different issue in KDE (https://bugs.kde.org/show_bug.cgi?id=422870) and I decided to try to use the same certificate. And, surprise surprise, it works!
So something is wrong in Arch or in my system. I hope you can try to help me debug this because it is really annoying and I was using Thunderbird whenever I had to sign emails.
Edit: It also works in a VM with a fresh Archlinux (see comments below)
I will start from the beginning. I have an S/MIME certificate that I obtained from a German university. The chain of trust is the following:
T-TeleSec GlobalRoot Class 2 (Root CA) -> DFN-Verein Certification Authority 2 -> DFN-Verein Global Issuing CA -> My certificate
Problem
The first time that I wanted to use it to sign emails I followed these instructions:
https://bbs.archlinux.org/viewtopic.php?id=171506
https://userbase.kde.org/KMail/S_MIME
And it worked just fine. In KDE Neon, I actually didn't follow any of that. I just installed Kleopatra, imported my certificate, trusted the root CA and it worked directly. Kmail was able to use the certificate without any issues.
In Archlinux, however, when I try to use the certificate in Kmail I get the error: "Sending message failed. Could not compose message: Address family not supported by protocol.".
I also realized that in Kleopatra, if I open my certificate, in the trust level column I have an "invalid" while in KDE Neon I get the right "full" after trusting the root CA.
Things I've tried
Remove .gnupg folder and import certificate again in my user
Reinstall gnupg
Create a new user and try to configure the certificate there
My guess is that something is broken in gnupg in Archlinux or in my system. Can anyone using certificates replicate this issue? Anything I can try?
gnupg in KDE Neon
iyan@iyan-VirtualBox:~$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/iyan/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
gnupg in Archlinux
[iyan@master ~]$ gpg --version
gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/iyan/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Last edited by iyanmv (2020-06-19 15:31:14)
I have done a fresh installation of Archlinux on a different laptop (I did the installation on my desktop back in 2015) and I can replicate exactly the same issue.
So I guess this has something to do with either gpg or libgcrypt versions, or with some general configuration.
I will try to downgrade gpg to the version I was using before 22 January and see if it works, just to narrow a bit where to look.
So in order to determine exactly what package was breaking this for me I installed Arch on a VM and I followed this article to go back to 22/01/2020. Then I kept modifying the date until I reached the first date on which I knew it had stopped working on my desktop. But surprise, it works! So then I did a full update using a normal mirror and it still works!
So clearly something's broken on my system and it's not in my user folder because I can replicate the issue in a fresh user with a clean home folder. What else can it be? Where should I look? I don't think gnupg has any global configuration files, right?
gnupg might somehow interact with the system certificate store through gnutls and p11-kit.
You can try to investigate the ca-certificates* packages, as well as p11-kit and gnutls.
I've checked that and, except for all the lib32 packages that I have in my system, I don't see any other differences. Debugging this is driving me crazy... It must be some configuration that I have changed over the years of using my desktop. But what can it be? The good thing about this is that I have checked and removed/modified all config files that have a .pacnew file.
> In Archlinux, however, when I try to use the certificate in Kmail I get the error: "Sending message failed. Could not compose message: Address family not supported by protocol.".
That message kinda suggests the problem is network related.
Please run
$ ping -6 -c 10 archlinux.org
$ ping -4 -c 10 archlinux.org
on the host archlinux system and the 2 VMs.
If any of the 6 commands report less than 100% success, post the outputs of those.
Edit: corrected typos
Last edited by Lone_Wolf (2020-06-19 11:16:55)
There is a typo in the second ping command (easy to spot, but still worth mentioning): The dot in the second domain is a comma instead. Should of course be a dot. So watch out when copy-pasting
> In Archlinux, however, when I try to use the certificate in Kmail I get the error: "Sending message failed. Could not compose message: Address family not supported by protocol.".
> That message kinda suggests the problem is network related.
You were 100% right!
I got exactly the same error message when trying to run the ping with IPv6. And then, boom, I remembered that I disabled IPv6 at some point in the past because I had some issues.
So I removed the ipv6.disable=1 option from kernel parameters and it's working again! I will see if with ipv6.disable_ipv6=1 still works.
Now my question is: is this a bug? Or is it an expected issue? Maybe a little comment should be added on the wiki regarding ipv6.disable=1.
Thank you so much @Lone_Wolf
> There is a typo in the second ping command (easy to spot, but still worth mentioning): The dot in the second domain is a comma instead. Should of course be a dot. So watch out when copy-pasting
Yes yes, I noticed it. Also an extra space in "-c". But a minor typo that I forgot immediately when I realized the IPv6 was the real issue!
I added a little subsection in GnuPG IPv6 wiki article
https://wiki.archlinux.org/index.php/Gn … bling_IPv6
https://wiki.archlinux.org/index.php/IPv6#GnuPG
Last edited by iyanmv (2020-06-20 12:44:33)
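
The check and the dirmngr workaround from the Solution at the top of the thread, as an added shell example that is not part of any post. The function names and the --apply switch are hypothetical; the kernel parameter, the disable-ipv6 option and the systemctl command are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Succeeds if the kernel command line stored in file $1 contains the
# exact parameter ipv6.disable=1 (the setting that broke S/MIME signing).
ipv6_disabled_on_cmdline() {
    tr -s ' \t' '\n' < "${1:-/proc/cmdline}" | grep -qxF 'ipv6.disable=1'
}

# Succeeds if dirmngr.conf ($1) already has an uncommented disable-ipv6 line.
dirmngr_has_disable_ipv6() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*disable-ipv6[[:space:]]*$' "$1"
}

# Appends disable-ipv6 to $1 unless it is already there, so repeated runs
# never duplicate the option. Prints "added" or "unchanged".
ensure_dirmngr_disable_ipv6() {
    conf=$1
    if dirmngr_has_disable_ipv6 "$conf"; then
        echo unchanged
        return 0
    fi
    dir=$(dirname "$conf")
    [ -d "$dir" ] || mkdir -m 700 "$dir"   # GnuPG expects a private homedir
    # If the file does not end in a newline, add one before appending.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    printf 'disable-ipv6\n' >> "$conf"
    echo added
}

# Applies the workaround only when IPv6 is disabled at boot.
# Prints "not-needed", "added" or "unchanged".
fix_dirmngr_for_disabled_ipv6() {
    cmdline_file=$1
    conf_file=$2
    if ipv6_disabled_on_cmdline "$cmdline_file"; then
        ensure_dirmngr_disable_ipv6 "$conf_file"
    else
        echo not-needed
    fi
}

# Run against the live system only when asked to with --apply.
if [ "${1:-}" = "--apply" ]; then
    result=$(fix_dirmngr_for_disabled_ipv6 /proc/cmdline "$HOME/.gnupg/dirmngr.conf")
    echo "dirmngr.conf: $result"
    [ "$result" = "added" ] && systemctl --user restart dirmngr.service
fi
```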