Werner, you're spot on with your diagnosis. Still I am unable to make it work and it may be that I haven't understood the important part yet. Please read on…
* Werner Koch via Gnupg-users <[email protected]>:
> On Fri, 22 Aug 2025 01:21, Patrick Ben Koetter said:
>
> > My S/MIME key is valid until 2027 and the key's cert is imported into gpgsm as
> > well. What is it I'm missing? The CA cert? Can I / must I set a trust for a
> > (CA) cert? Any help to debug is very much welcome as I don't really know
> > what
>
> Yes you need to assign trust to the Root-CA cert. Unless the
> "no-allow-mark-trusted" option is set in gpg-agent.conf you should see a
> prompt to verify the fingerprint of the Root CA's certificate. If that

I don't have no-allow-mark-trusted set in gpg-agent.conf:

% cat .gnupg/gpg-agent.conf
default-cache-ttl 600
max-cache-ttl 7200

And when I run gpgsm --list-chain --with-validation 0x3CE75B94 it tells me *my* cert would not be trusted, while it says the Root CA and all intermediate certs are good:

[keyboxd]
---------
           ID: 0x3CE75B94
          S/N: 7575B7A3CA4820B8AC6C0AAC5B56E654C216F4BE
        (dec): 670577104657847191671762158918724704718357460158
       Issuer: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH
      Subject: /CN=Patrick Koetter/O=sys4 AG/L=Munchen/ST=BY/C=DE/[email protected]/2.5.4.97=NTRDE-DED2601V.HRB199263
          aka: [email protected]
     validity: 2024-09-21 11:59:52 through 2027-09-21 11:59:52
     key type: rsa4096
    key usage: digitalSignature nonRepudiation keyEncipherment dataEncipherment
ext key usage: clientAuth (suggested), emailProtection (suggested), ms-smartcardLogon (suggested), ms-encryptedFileSystem (suggested)
     policies: 2.23.140.1.5.3.1:N:,0.4.0.2042.1.1:N:,2.16.756.1.89.2.1.13:N:
     sha1 fpr: 10:32:B7:3A:C1:7A:62:45:28:61:23:A0:C6:39:F9:6A:3C:E7:5B:94
     sha2 fpr: 59:4F:F9:5B:73:2E:01:66:54:C7:E5:1E:18:6D:82:50:1A:D6:A8:DE:3F:65:4C:1C:AC:51:1D:1A:76:85:1B:02
  [Die CRL konnte nicht geprüft werden: Nicht vertrauenswürdig]
  [certificate is bad: Nicht vertrauenswürdig]
  Certified by
           ID: 0x064CD0CD
          S/N: 3E50FE6114AC70E44C4E7956BEC81FFC0F3B02EB
        (dec): 355763646962456683480335676319500923810294203115
       Issuer: /CN=SwissSign RSA SMIME Root CA 2022 - 1/O=SwissSign AG/C=CH
      Subject: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH
     validity: 2024-05-28 09:03:21 through 2036-05-28 09:03:21
     key type: rsa4096
    key usage: certSign crlSign
ext key usage: clientAuth (suggested), emailProtection (suggested), ms-smartcardLogon (suggested), ms-encryptedFileSystem (suggested)
     policies: 2.23.140.1.5.3.1:N:,2.23.140.1.5.3.2:N:,2.23.140.1.5.3.3:N:,0.4.0.2042.1.1:N:,2.16.756.1.89.2.1.12:N:,2.16.756.1.89.2.1.13:N:
 chain length: 0
     sha1 fpr: A6:11:C4:18:88:29:CE:85:E1:CF:6C:B5:29:2E:3F:4B:06:4C:D0:CD
     sha2 fpr: 7E:30:19:88:A1:02:A5:E9:3D:22:49:66:6B:B6:31:02:0B:A5:8F:C7:03:DE:7B:58:3E:91:D5:44:9F:D0:D3:AF
  [certificate is good]
  Certified by
           ID: 0xA07D0AEA
          S/N: 00B30511B116B4A056511D7C681F877D
        (dec): 929523951410811236428169985765902205
       Issuer: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
      Subject: /CN=SwissSign RSA SMIME Root CA 2022 - 1/O=SwissSign AG/C=CH
     validity: 2022-06-28 11:26:01 through 2036-09-22 11:26:01
     key type: rsa4096
    key usage: certSign crlSign
     policies: 2.5.29.32.0:N:
 chain length: unlimited
     sha1 fpr: D5:37:4C:8C:93:CE:C7:93:35:B9:C6:6F:4A:22:BE:33:A0:7D:0A:EA
     sha2 fpr: 5A:84:C9:40:54:D3:40:D6:50:A2:99:85:EF:97:BB:39:63:52:E2:15:AE:D6:C0:B3:3C:A7:FF:DD:3B:D5:D2:A2
  [certificate is good]
  Certified by
           ID: 0x9F1A2761
          S/N: 00BB401C43F55E4FB0
        (dec): 13492815561806991280
       Issuer: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
      Subject: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
     validity: 2006-10-25 08:30:35 through 2036-10-25 08:30:35
     key type: rsa4096
    key usage: certSign crlSign
     policies: 2.16.756.1.89.1.2.1.1:N:
 chain length: unlimited
     sha1 fpr: D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
     sha2 fpr: 62:DD:0B:E9:B9:F5:0A:16:3E:A0:F8:E7:5C:05:3B:1E:CA:57:EA:55:C8:68:8F:64:7C:68:81:F2:C8:35:7B:95
  [certificate is good]

If I check my cert using openssl it says it was signed by the intermediate CA last in chain before my personal cert:

% openssl x509 -in p.pem -noout -issuer -subject
issuer=C=CH, O=SwissSign AG, CN=SwissSign RSA SMIME SV ICA 2024 - 1
subject=C=DE, ST=BY, L=Munchen, O=sys4 AG, organizationIdentifier=NTRDE-DED2601V.HRB199263, [email protected], CN=Patrick Koetter

Does this mean I need to explicitly trust *my* cert by putting it (some of the data) into ~/.gnupg/trustlist.txt?

TIA,

p@rick

> option is set you need to insert it yourself into ~/.gnupg/trustlist.txt
> - there is a comment at the top explaining it. Rules for GnuPG
> (VS-)Desktop are a bit different; see the respective FAQ.
>
> I would suggest to run
>
>   gpgsm --list-chain --with-validation <user-id>
>
> This should give enough hints on what is going on.
>
>
> Salam-Shalom,
>
>    Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
> _______________________________________________
> Gnupg-users mailing list
> [email protected]
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
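Added here as an illustration, not code from the thread or from GnuPG: a small POSIX sh script that condenses the output of `gpgsm --list-chain --with-validation` to one line per certificate (ID, subject CN, SHA-1 fingerprint, verdict), so the first "bad" link in the chain is obvious, and then checks whether the chain's last certificate (the root) is already listed in trustlist.txt. The function names are mine, the sample listing is a constructed, shortened copy of the one above (one intermediate dropped), and the trustlist check assumes the documented line form of a fingerprint followed by the S flag.

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): summarise gpgsm chain output and
# check whether the chain's root fingerprint is present in trustlist.txt.
# Constructed, shortened copy of the thread's listing (one intermediate dropped).
SAMPLE_CHAIN=$(cat <<'EOF'
           ID: 0x3CE75B94
      Subject: /CN=Patrick Koetter/O=sys4 AG/L=Munchen/ST=BY/C=DE
     sha1 fpr: 10:32:B7:3A:C1:7A:62:45:28:61:23:A0:C6:39:F9:6A:3C:E7:5B:94
  [Die CRL konnte nicht geprüft werden: Nicht vertrauenswürdig]
  [certificate is bad: Nicht vertrauenswürdig]
  Certified by
           ID: 0x064CD0CD
      Subject: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH
     sha1 fpr: A6:11:C4:18:88:29:CE:85:E1:CF:6C:B5:29:2E:3F:4B:06:4C:D0:CD
  [certificate is good]
  Certified by
           ID: 0x9F1A2761
      Subject: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
     sha1 fpr: D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
  [certificate is good]
EOF
)
# Constructed trustlist.txt: only the Gold CA root is marked trusted ("S").
SAMPLE_TRUSTLIST=$(cat <<'EOF'
D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61 S
EOF
)

# chain_summary: gpgsm output on stdin -> "ID<TAB>CN<TAB>FPR(no colons)<TAB>VERDICT" per cert
chain_summary() {
  awk '
    /^ *ID: /       { id = $2 }
    /^ *Subject: /  { sub(/^ *Subject: \/CN=/, ""); sub(/\/.*$/, ""); cn = $0 }
    /^ *sha1 fpr: / { fpr = $3; gsub(/:/, "", fpr) }
    /^ *\[certificate is / { v = $0; sub(/^ *\[certificate is /, "", v); sub(/]$/, "", v)
                             printf "%s\t%s\t%s\t%s\n", id, cn, fpr, v }'
}
# root_fpr: fingerprint of the last certificate printed, i.e. the self-signed root
root_fpr() { chain_summary | tail -n 1 | cut -f3; }
# in_trustlist FPR FILE: succeeds if FPR is listed in FILE (comments skipped, colons ignored)
in_trustlist() { grep -v '^#' "$2" | tr -d ':' | grep -qi "^$1[[:space:]]"; }

# Demo on the constructed data; on a real system pipe gpgsm's output into chain_summary.
printf '%s\n' "$SAMPLE_CHAIN" | chain_summary
root=$(printf '%s\n' "$SAMPLE_CHAIN" | root_fpr)
tl=$(mktemp); printf '%s\n' "$SAMPLE_TRUSTLIST" > "$tl"
if in_trustlist "$root" "$tl"; then echo "root $root: in trustlist"; else echo "root $root: missing, add '$root S'"; fi
rm -f "$tl"
```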
