S/MIME Digital Signature Issue. Linux Newbie.

Autumnlord · 09-05-2007, 10:57 AM

Hello all. Im determined to cut the strings from Microsoft to Linux. Im a MCSE but my new job has a ton of Linux boxes. Im intrigued by the product so I have redone my Laptop in Fedora Core 5. I love the software but have one small issue. I have to be able to send email encrypted and digitally signed. Ill list the info below.

Issuing Agent: Verisign
Type of Certificate: VeriSign Class 1 Individual Subscriber CA - G2
SSL Client Certificate
SSL Server Certificate
Email Signer Certificate
Email Recipient Certificate

Operating version: Fedora Core 5

Email Client: Evolution 2.6.0

When I try to send an encrypted email it works just fine. However, if I try to send an encrypted with a signature or a signature alone I get the following error message.

Could not create message.

Because "Cannot add SMIMEEncKeyPrefs attribute", you may need to select different mail options.

Im not sure how to trouble shoot this issue. Any help you can provide would be greatly appreciated.

Thank you

Nick_Battle · 09-06-2007, 07:21 AM

The discussion here: http://bugzilla.gnome.org/show_bug.cgi?id=273233

...suggests it's because you've not explicitly said you trust the CA that signed the key.

"Go into the Certificate settings, and over to Authorities. Edit the trust
settings for CACert to say you trust them for signing email keys."

HTH,
-nick

Autumnlord · 09-06-2007, 12:00 PM

I ensured that the cert was indeed trusted, and it is. I have tried various other mail clients to try and see if it was an Evolution error. Doesnt seem to be, it seems to be fairly universal. Ive tried two operating systems, OpenSues and this version of Fedora Core 5. I can sure use an experts help. If I cant get this signature to work Im gonna have to scrap the conversion to Linux. Thanks in advance.

Nick_Battle · 09-07-2007, 02:52 AM

Hmmm. By way of an experiment, could you try getting another key pair to see if that works - you can get a free one at www.cacert.org. I know you probably need to use the one particular key pair you have a problem with, but it may give some clue.

What other email clients did you try. Different Linux distributions are unlikely to be different (it's more likely to be an application problem).

Just to be absolutely clear, you did add trust to the CA certificate, not (just) your own certificate, right?

I think it's true that X.509 certificates can carry permissions about what they're allowed to be used for (authentication, signing, encryption). Do you know that the certificate is allowed to be used for signing? If not, it will never work (though the error message is very inappropriate, if that's the case!).

Cheers,
-nick