Hi, I'm stumped getting gpgsm to look up S/MIME certificates in my organization. I've got a temporary working solution with ldapsearch after logging into my VPN with NetworkManager+OpenConnect:

    ldapsearch -Wt -b OU=Accounts,DC=ads,DC=foo,DC=com -D CN=jscott,OU=Accounts,DC=ads,DC=foo,DC=com '(mailNickname=[recipient])' userSMIMECertificate

This saves the signed message to a temporary file which I do gpgsm --verify on, although the certs themselves are also stored in the userCertificate record IIRC. ldapsearch also works if I use only LDAPv2.

My dirmngr_ldapservers.conf reads

    ads.foo.com:636:ads\jscott:PassPhrase:ou=Accounts,dc=ads,dc=foo,dc=com

and to be extra safe I've put an explicit no-use-tor and ldapserverlist-file dirmngr_ldapservers.conf in my dirmngr.conf. Reloading dirmngr and gpgsm after getting on the VPN doesn't help. Looking up recipients with both dirmngr-client and gpgsm --verbose --list-external-keys [recipient] is fruitless whether I drop the ads\ from my username or not. I've bumped the ldaptimeout to 25. Still both commands finish instantaneously—not unlike ldapsearch however.

    $ gpgsm --debug-level expert -vvvvv --list-external-keys anything
    gpgsm: enabled debug flags: x509 crypto cache ipc
    gpgsm: DBG: chan_3 <- # Home: /home/john/.gnupg
    gpgsm: DBG: chan_3 <- # Config: /home/john/.gnupg/dirmngr.conf
    gpgsm: DBG: chan_3 <- OK Dirmngr 2.2.20 at your service
    gpgsm: DBG: connection to the dirmngr established
    gpgsm: DBG: chan_3 -> GETINFO version
    gpgsm: DBG: chan_3 <- D 2.2.20
    gpgsm: DBG: chan_3 <- OK
    gpgsm: DBG: chan_3 -> OPTION audit-events=1
    gpgsm: DBG: chan_3 <- OK
    gpgsm: DBG: chan_3 -> LOOKUP anything
    gpgsm: DBG: chan_3 <- OK
    secmem usage: 0/16384 bytes in 0 blocks

I'm using 2.2.20 on Debian Bullseye. Other options set are add-servers in dirmngr.conf and auto-issuer-key-retrieve in gpgsm.conf.

    $ systemctl --user status dirmngr
    ● dirmngr.service - GnuPG network certificate management daemon
         Loaded: loaded (/usr/lib/systemd/user/dirmngr.service; static; vendor preset: enabled)
         Active: active (running) since Sat 2020-05-16 22:52:38 EDT; 23min ago
    TriggeredBy: ● dirmngr.socket
           Docs: man:dirmngr(8)
       Main PID: 26309 (dirmngr)
         CGroup: /user.slice/user-1000.slice/user@1000.service/dirmngr.service
                 └─26309 /usr/bin/dirmngr --supervised

I also use GnuPG's SSH agent emulation and have in my .bashrc

    export GPG_TTY=$(tty)
    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    gpg-connect-agent updatestartuptty /bye >/dev/null
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
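As an added example (not part of the original post and not GnuPG's own code), the Python below does two things the troubleshooting above touches. It parses the LDIF that ldapsearch prints, unfolding wrapped continuation lines and decoding the base64 `::` values, so that userCertificate blobs come out as complete DER files ready for `gpgsm --import`; and it parses a dirmngr_ldapservers.conf line in the HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN format the dirmngr manual documents, which is a cheap way to confirm the file has the right field count before chasing dirmngr itself. The LDIF sample and the two DER blobs inside it are constructed stand-ins, not real certificates; the server line reuses the values from the post.

```python
"""Constructed example: turn `ldapsearch` LDIF output into DER certificate
files that `gpgsm --import` accepts, and sanity-check a
dirmngr_ldapservers.conf line. Not part of GnuPG or of the original post."""
import base64
import re
from typing import Dict, List, Optional

# Two tiny constructed DER SEQUENCEs stand in for real X.509 certificates
# (a real userCertificate value is a full DER-encoded certificate).
CERT_A = bytes.fromhex("3009020101020102020103")   # SEQUENCE { 1, 2, 3 }
CERT_B = bytes.fromhex("3006020101020102")         # SEQUENCE { 1, 2 }

_b64_a = base64.b64encode(CERT_A).decode()
_b64_b = base64.b64encode(CERT_B).decode()

# Constructed LDIF in the shape ldapsearch prints. The second line of the
# first value starts with a space: LDIF folds long values that way.
SAMPLE_LDIF = f"""\
# extended LDIF
# base <OU=Accounts,DC=ads,DC=foo,DC=com> with scope subtree
# filter: (mailNickname=jscott)

# jscott, Accounts, ads.foo.com
dn: CN=jscott,OU=Accounts,DC=ads,DC=foo,DC=com
mailNickname: jscott
userCertificate;binary:: {_b64_a[:6]}
 {_b64_a[6:]}
userCertificate;binary:: {_b64_b}

# search result
search: 2
result: 0 Success
"""

# The server line from the post, in dirmngr's HOST:PORT:USER:PASSWORD:BASE_DN format.
SAMPLE_SERVERS = "# dirmngr_ldapservers.conf\n" \
    "ads.foo.com:636:ads\\jscott:PassPhrase:ou=Accounts,dc=ads,dc=foo,dc=com\n"

_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Parse LDIF into entries ({attribute: [values]} with bytes values).
    Handles '#' comments, folded lines (leading space) and base64 '::' values.
    ldapsearch's trailer lines (search:, result:) fall outside any entry."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Dict[str, List[bytes]]] = []
    current: Optional[Dict[str, List[bytes]]] = None
    for line in logical:
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, val = m.groups()
        value = base64.b64decode(val) if sep == "::" else val.encode()
        if attr.lower() == "dn":                  # 'dn:' opens a new entry
            if current is not None:
                entries.append(current)
            current = {}
        if current is None:
            continue
        current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def der_total_length(blob: bytes) -> int:
    """Total encoded length (header + content) of a DER SEQUENCE, or raise."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (tag 0x30)")
    first = blob[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def extract_der_certs(entries, attr: str = "userCertificate") -> List[bytes]:
    """Collect certificate values; ldapsearch usually prints the attribute as
    'userCertificate;binary', so both spellings are accepted. Values that are
    not one complete DER SEQUENCE (truncated, trailing bytes) are rejected."""
    certs: List[bytes] = []
    for entry in entries:
        for blob in entry.get(attr, []) + entry.get(attr + ";binary", []):
            if der_total_length(blob) != len(blob):
                raise ValueError("value is not exactly one DER SEQUENCE")
            certs.append(blob)
    return certs


def parse_ldapservers_conf(text: str) -> List[Dict[str, object]]:
    """Parse dirmngr's LDAP server list: one HOST:PORT:USER:PASSWORD:BASE_DN
    per line, '#' lines are comments. Raises on a wrong field count or port."""
    servers: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        host, port, user, password, base_dn = fields
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"line {lineno}: bad port {port!r}")
        servers.append({"host": host, "port": int(port), "user": user,
                        "password": password, "base_dn": base_dn})
    return servers


if __name__ == "__main__":
    for i, der in enumerate(extract_der_certs(parse_ldif(SAMPLE_LDIF))):
        path = f"cert{i}.der"                     # then: gpgsm --import cert0.der
        with open(path, "wb") as fh:
            fh.write(der)
        print(f"wrote {path} ({len(der)} bytes)")
    for s in parse_ldapservers_conf(SAMPLE_SERVERS):
        print(f"dirmngr binds to {s['host']}:{s['port']} as {s['user']} under {s['base_dn']}")
```

The DER length check is there because an LDIF value that was cut off or concatenated will not be one complete SEQUENCE, and that is worth catching before handing the file to gpgsm. Note also that the post's own workflow treats userSMIMECertificate as a signed message to run `gpgsm --verify` on, whereas userCertificate holds the bare X.509 certificate that `gpgsm --import` takes.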