You are not logged in.

#1 2020-06-17 09:33:08

iyanmv
Member
Registered: 2016-11-08
Posts: 39
Website

[Solved] Issue with S/MIME certificate in Archlinux

Solution
Removing ipv6.disable=1 from kernel parameters. See comment #8
Or (even better for me) keep ipv6 disable but add the option disable-ipv6 to ~/.gnupg/dirmngr.conf and restart user systemd service with systemctl --user restart dirmngr.service
---

Hi everyone!

At some point before 22 January (when I sent last signed email) I stopped being able to sign emails with my certificate using Kmail. I thought it was a Kmail bug (there were some KDE Applications/Frameworks/etc. updates), and that is why I opened this bug report:

https://bugs.kde.org/show_bug.cgi?id=417862

However, I had to install a VM with KDE Neon recently to try to debug a different issue in KDE (https://bugs.kde.org/show_bug.cgi?id=422870) and I decided to try to use the same certificate. And, surprise surprise, it works!
So something is wrong in Arch or in my system. I hope you can try to help me debug this because it is really annoying and I was using Thunderbird whenever I had to sign emails.

Edit: It also works in a VM with a fresh Archlinux (see comments below)

I will start from the beginning. I have a s/mime certificate that I obtained from a German university. The chain of trust is the following:

T-TeleSec GlobalRoot Class 2 (Root CA) -> DFN-Verein Certification Authority 2 -> DFN-Verein Global Issuing CA -> My certificate

Problem

First time that I wanted to use it to sign emails I followed this instructions:

https://bbs.archlinux.org/viewtopic.php?id=171506
https://userbase.kde.org/KMail/S_MIME

And it worked just fine. In KDE Neon, actually I didn't follow any of that. I just installed Kleopatra, import my certificate, trust the root CA and it worked directly. Kmail was able to use the certificate without any issues.

In Archlinux, however, when I try to use the certificate in Kmail I get the error: "Sending message failed. Could not compose message: Address family not supported by protocol.".
I also realized that in Kleopatra, if I open my certificate, in the trust level column I have an "invalid" while in KDE Neon I get the right "full" after trusting the root CA.

Kleopatra in Archlinux Kleopatra in Archlinux

Things I've tried

  • Remove .gnupg folder and import certificate again in my user

  • Reinstall gnupg

  • Create a new user and try to configure the certificate there

My guess is that something is broken in gnupg in Archlinux or in my system. Anyone using certificates can replicate this issue? Any things I can try?

gnupg in KDE Neon

iyan@iyan-VirtualBox:~$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/iyan/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

gnupg in Archlinux

[iyan@master ~]$ gpg --version
gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/iyan/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Last edited by iyanmv (2020-06-19 15:31:14)

Offline

#2 2020-06-18 14:46:11

iyanmv
Member
Registered: 2016-11-08
Posts: 39
Website

Re: [Solved] Issue with S/MIME certificate in Archlinux

I have done a fresh installation of Archlinux in a different laptop (I did the installation in my desktop back in 2015) and I can replicate exactly same issue.
So I guess this has something to do with either gpg or libgcrypt versions, or with some general configuration.
I will try to downgrade gpg to the version I was using before 22 January and see if it works, just to narrow a bit where to look.

Offline

#3 2020-06-18 20:52:25

iyanmv
Member
Registered: 2016-11-08
Posts: 39
Website

Re: [Solved] Issue with S/MIME certificate in Archlinux

So in order to determine exactly what package was breaking this for me I installed Arch on a VM and I followed this article to go back to 22/01/2020. Then I kept modifying the date until I reach the first date that I knew it stopped working in my desktop. But surprise, it works! So then I did a full update using a normal mirror and still works!

So clearly something's broken on my system and it's not in my user folder because I can replicate the issue in a fresh user with a clean home folder. What else can it be? Where should I look? I don't think gnupg has any global configuration files, right?

Offline

#4 2020-06-18 21:59:29

progandy
Member
Registered: 2012-05-17
Posts: 5,211

Re: [Solved] Issue with S/MIME certificate in Archlinux

gnupg might somehow interact with the system certificate store through gnutls and p11-kit.

You can try to investige the ca-certificates* packages, as well as p11-kit, and gnutls.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2020-06-18 23:37:55

iyanmv
Member
Registered: 2016-11-08
Posts: 39
Website

Re: [Solved] Issue with S/MIME certificate in Archlinux

I've check that and except all the lib32 packages that I have in my system, I don't see any other differences. Debugging this is driving me crazy... It must be some configuration that I have changed over the years of using my desktop. But what can it be? Good thing about this is that I have checked and removed/modify all config files that have a .pacnew file

Offline

#6 2020-06-19 10:32:20

Lone_Wolf
Forum Moderator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,020

Re: [Solved] Issue with S/MIME certificate in Archlinux

In Archlinux, however, when I try to use the certificate in Kmail I get the error: "Sending message failed. Could not compose message: Address family not supported by protocol.".

That message kinda suggests the problem is network related.

Please run

$ ping -6 -c 10 archlinux.org
$ ping -4 -c 10 archlinux.org

on the host archlinux system and the 2 VMs .
If any of the 6 commands report less than 100% success post the outputs of those.

Edit: corrected typos

Last edited by Lone_Wolf (2020-06-19 11:16:55)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#7 2020-06-19 10:48:45

LukeLR
Member
Registered: 2016-03-18
Posts: 8

Re: [Solved] Issue with S/MIME certificate in Archlinux

There is a typo in the second ping command (easy to spot, but still worth mentioning): The dot in the second domain is a comma instead. Should of course be a dot. So watch out when copy-pasting smile

Offline

#8 2020-06-19 10:56:13

iyanmv
Member
Registered: 2016-11-08
Posts: 39
Website

Re: [Solved] Issue with S/MIME certificate in Archlinux

Lone_Wolf wrote:
In Archlinux, however, when I try to use the certificate in Kmail I get the error: "Sending message failed. Could not compose message: Address family not supported by protocol.".

That message kinda suggests the problem is network related.

You were 100% right!
I got exactly the same error message when trying to run the ping with IPv6. And then, boom, I remembered that I disabled IPv6 at some point in the past because I had some issues.
So I removed the ipv6.disable=1 option from kernel parameters and it's working again! I will see if with ipv6.disable_ipv6=1 still works.

Now my question is: is this a bug? Or is it an expected issue? Maybe a little comment should be added on the wiki regarding ipv6.disable=1.

Thank you so much @Lone_Wolf

Offline

#9 2020-06-19 11:01:16

iyanmv
Member
Registered: 2016-11-08
Posts: 39
Website

Re: [Solved] Issue with S/MIME certificate in Archlinux

LukeLR wrote:

There is a typo in the second ping command (easy to spot, but still worth mentioning): The dot in the second domain is a comma instead. Should of course be a dot. So watch out when copy-pasting smile

Yes yes, I noticed it. Also an extra space in "-c". But a minor typo that I forgot immediately when I realized the IPv6 was the real issue! big_smile

Offline

#10 2020-06-19 16:07:22

iyanmv
Member
Registered: 2016-11-08
Posts: 39
Website

Re: [Solved] Issue with S/MIME certificate in Archlinux

I added a little subsection in GnuPG IPv6 wiki article
https://wiki.archlinux.org/index.php/Gn … bling_IPv6
https://wiki.archlinux.org/index.php/IPv6#GnuPG

Last edited by iyanmv (2020-06-20 12:44:33)

Offline

Board footer

Powered by FluxBB