On Sunday 20 May 2007 18:10, Mick wrote:
> On Sunday 20 May 2007 16:54, Jure Varlec wrote:
> > Hm, installing dirmngr should at least get rid of the "Not enough
> > information to check signature" problem. *shrugs*
> > I suggest you start kwatchgnupg, it listens on the gnupg socket and
> > displays all messages your apps send through there. It's the only way I
> > found to see what's actually going on, because kmail's and kleopatra's
> > error messages couldn't be less informative.
> >
> > Hopefully, that should give a clue as to what to do next.
>
> Thanks again Jure, I am getting this much now when I try to look at a
> message sent to me encrypted and signed with a cacert.org certificate:
> ============================================================
> [client at fd 4 connected]
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> Home: ~/.gnupg
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> Config: /home/michael/.gnupg/gpgsm.conf
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> AgentInfo: /tmp/gpg-IOOUO2/S.gpg-agent:7251:1
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> DirmngrInfo: [not set]
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> GNU Privacy Guard's S/M server 1.9.21 ready
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION display=:0.0
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION lc-ctype=C
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION lc-messages=C
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- INPUT FD=15
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- OUTPUT FD=19
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- DECRYPT
> 4 - 2007-05-20 17:41:10 gpgsm[9033]: unsupported algorithm `1.2.840.113549.3.2'
> 4 - 2007-05-20 17:41:10 gpgsm[9033]: (this is the RC2 algorithm)
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> S ERROR decrypt.algorithm 50331732 1.2.840.113549.3.2
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> S DECRYPTION_FAILED
> 4 - 2007-05-20 17:41:10 gpgsm[9033]: message decryption failed: Unsupported algorithm
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> ERR 50331732 Unsupported algorithm
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- BYE
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK closing connection
> [client at fd 4 disconnected]
> ============================================================
>
> I notice two things above; a) the DirmngrInfo: [not set] is telling me that
> the dirmngr has not been set yet - is this OK? and, b) gpgsm spits feathers
> when it sees the RC2 algorithm?!
>
> When I try to compose a message and select to use a cacert.org certificate
> I am getting these messages:
> ============================================================
> 4 - 2007-05-20 17:49:28 gpgsm[9059]: DBG: connection to agent established
> 4 - 2007-05-20 17:49:28 gpgsm[9059]: can't connect to the dirmngr - trying fall back
> 4 - 2007-05-20 17:49:28 gpgsm[9059]: no running dirmngr - starting `/usr/bin/dirmngr'
> 4 - 2007-05-20 17:49:28 gpgsm[9059]: DBG: connection to dirmngr established
> ============================================================
> which shows me that dirmngr is being brought up when required - probably
> the previous message about not being set is nothing to worry about then.
>
> Then I am getting dirmngr trying to connect to cacert.org to verify the
> certificate I am going to use:
> ===========================================================
> 6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: -> INQUIRE SENDISSUERCERT
> 6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- [ 44 20 30 82 07 3d 30 82 05 25 32 35 a0 03 02 01 02 02 01 00 30 25 30 44 06 09 [snip...]
> 6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- [ 44 20 31 1e 30 1c 06 03 55 04 0b 13 15 68 74 74 70 3a 2f 2f 77 77 77 2e 63 61 63 65 72 74 2e 6f 72 67 31 22 30 20 06 03 55 04 03 13 19 43 41 20 43 65 72 74 [snip...]
> 6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- END
> 6 - 2007-05-20 17:49:30 dirmngr[9060]: using OCSP responder `http://ocsp.cacert.org'
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: OCSP responder at `http://ocsp.cacert.org' status: success
> 6 - 2007-05-20 17:49:31 dirmngr[9060.0x8080078] DBG: -> S ONLY_VALID_IF_CERT_VALID D6A20C9D62F2892DABCA9B67[snip]
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: certificate status is: good (this=20070516T061242 next=20070520T165947)
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: OCSP responder returned a non-current status
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: now: 20070520T165931 this_update: 20070516T061242
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: command ISVALID failed: Time conflict
> 6 - 2007-05-20 17:49:31 dirmngr[9060.0x8080078] DBG: -> ERR 167772199 Time conflict
> 4 - 2007-05-20 17:49:31 gpgsm[9059]: response of dirmngr: ec=10.39
> 4 - 2007-05-20 17:49:31 gpgsm[9059.0x80806a0] DBG: -> D crs:i:2048:1:CC3E6023C[snip...] 6F6D,CN=CAcert WoT User::%0Auid:i:::::::::: %0Auid:i::::::::::%0A
> 4 - 2007-05-20 17:49:32 gpgsm[9059.0x80806a0] DBG: -> OK
> [client at fd 7 connected]
> ===========================================================
> What's this "Time conflict" about? My cert is valid from 2007-04-23 to
> 2007-10-20.
>
> Shall I disable "Validate Certificates Online" in Kmail's crypto
> preferences? Is CRL preferable?
>
> Grateful for your views on the above and any more suggestions. :)

OK, I also tried Validate with CRL and I am now getting a CRL related error:
=============================================================
5 - 2007-05-20 19:09:00 gpg-agent[7251]: handler 0x80c8820 for fd 0 terminated
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- ISVALID CDECFDC58640B7262B39CCB59B61E8EEFF2ED4D0.0380C6
7 - 2007-05-20 19:09:01 dirmngr[9532]: no CRL available for issuer id CDECFDC58640B7262B39CCB59B61E8EEFF2ED4D0
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: -> INQUIRE SENDCERT
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- [ 44 20 30 82 05 42 30 82 03 2a a0 03 02 01 02 02 03 03 80 c6 30 25 30 44 06 09 2a [snip ]
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- [ 44 20 1c 45 de 3e 49 63 5f 1f 65 58 03 4f 5c 08 82 ef cd b0 15 bd a7 2b 3e 58 76 [snip ]
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- END
7 - 2007-05-20 19:09:01 dirmngr[9532]: crl_fetch via issuer failed: Configuration error
7 - 2007-05-20 19:09:01 dirmngr[9532]: command ISVALID failed: Configuration error
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: -> ERR 167772275 Configuration error
6 - 2007-05-20 19:09:01 gpgsm[9531]: response of dirmngr: ec=10.115
6 - 2007-05-20 19:09:01 gpgsm[9531]: checking the CRL failed: Configuration error
6 - 2007-05-20 19:09:01 gpgsm[9531.0x80806a0] DBG: -> S INV_RECP 0 9964FAAE960AD708013D03A5CC3E6023CDC3E990
6 - 2007-05-20 19:09:01 gpgsm[9531.0x80806a0] DBG: -> ERR 167772275 Configuration error
6 - 2007-05-20 19:09:04 gpgsm[9531.0x80806a0] DBG: <- BYE
6 - 2007-05-20 19:09:05 gpgsm[9531.0x80806a0] DBG: -> OK closing connection
7 - 2007-05-20 19:09:05 dirmngr[9532.0x8080078] DBG: <- [EOF]
=============================================================

What should I use, OCSP or CRL, and if the latter how am I supposed to
configure this?
--
Regards,
Mick
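
Added example (not part of the original post, and not GnuPG's own code): the numbers on the ERR lines in the kwatchgnupg output above are packed libgpg-error values, with the error source in bits 24-30 and the error code in the low 16 bits, so decoding them shows which component raised each failure. The source-ID table is taken from libgpg-error; the sample lines are copied from the log above, with mail line-wrapping undone.

```python
import re

# Error-source IDs as defined by libgpg-error (subset relevant to this log).
SOURCES = {3: "gpgsm", 4: "gpg-agent", 9: "libksba", 10: "dirmngr"}

# Constructed sample: ERR and ec= lines copied from the log in the post.
SAMPLE_LOG = """\
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> ERR 50331732 Unsupported algorithm
6 - 2007-05-20 17:49:31 dirmngr[9060.0x8080078] DBG: -> ERR 167772199 Time conflict
4 - 2007-05-20 17:49:31 gpgsm[9059]: response of dirmngr: ec=10.39
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: -> ERR 167772275 Configuration error
6 - 2007-05-20 19:09:01 gpgsm[9531]: response of dirmngr: ec=10.115
"""

ERR_RE = re.compile(r"-> ERR (\d+) (.+)$")   # Assuan error reply
EC_RE = re.compile(r"ec=(\d+)\.(\d+)")       # gpgsm's "source.code" shorthand


def decode(value):
    """Split a gpg-error value into (source, code)."""
    return (value >> 24) & 0x7F, value & 0xFFFF


def triage(log_text):
    """Return decoded ERR replies and the ec= pairs gpgsm reported."""
    errors, seen_ec = [], []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            src, code = decode(int(m.group(1)))
            name = SOURCES.get(src, f"source {src}")
            errors.append((name, code, m.group(2).strip()))
            continue
        m = EC_RE.search(line)
        if m:
            seen_ec.append((int(m.group(1)), int(m.group(2))))
    return errors, seen_ec


if __name__ == "__main__":
    errors, seen_ec = triage(SAMPLE_LOG)
    for who, code, text in errors:
        print(f"{who:8} code {code:3}  {text}")
    print("ec= pairs reported by gpgsm:", seen_ec)
```

The decoded pairs match the `ec=10.39` and `ec=10.115` values gpgsm prints: both validation failures originate in dirmngr, while the RC2 decryption failure is raised by gpgsm itself.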

