Re: [ext] Re: Display info about S/MIME signature
IIUC, you would like to see which certificates have been used while reading
the mail. Sometimes I also need such extra info, and I was struggling to get
the info. So I dove again a bit into it.

On 13Oct22 08:26+0200, Ralf Hildebrandt via Mutt-users wrote:
> > gpgsm --list-keys ralf.hildebra...@charite.de
> >
> > would give you all information about the key, including ID (which is the
> > last part of the fingerprint), serial etc.
>
> Yeah, that's awesome. Exactly what I need!

gpgsm actually lists the content of your gnupg pubring. So you need to have
the certificate already added to this database. Otherwise it is not finding
the cert. And also this seems to be unrelated to the mail which is currently
open in mutt's pager.

Another solution might be:
In mutt (pager or index view), you can use the pipe_message function
(default keybind is |) and pipe the mail to:

--- paste: ---
openssl smime -pk7out | openssl pkcs7 -print_certs -text|less
--- eop ---

This command should work on smime multipart emails. It extracts the attached
certificates and prints them. So you can see which certificate (and which
CA) were used to sign this particular email.

I think it is straightforward to bind this function to a key.

It might also be possible to modify the config option
'smime_verify_command'. But that did not work in my tests, mutt claimed
verification is not successful even though openssl returned successfully.

Cheers,
--
Bastian
Re: [ext] Re: Display info about S/MIME signature
* ckeader via Mutt-users :

> gpgsm --list-keys ralf.hildebra...@charite.de
>
> would give you all information about the key, including ID (which is the
> last part of the fingerprint), serial etc.

Yeah, that's awesome. Exactly what I need!

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | https://www.charite.de
Re: [ext] Re: Display info about S/MIME signature
> certificate b43f1e2c.0 (foo) for firstname.lastn...@charite.de added.
>
> But what *IS* "b43f1e2c"? Is it a serial number, a part of the fingerprint?

It looks like an openssl hash, the type c_rehash generates. Like, what you
may find under /etc/ssl/certs.

> > Also check the config options `crypt_verify_sig`, and
> > `smime_verify_command`, `smime_verify_opaque_command`
>
> I'll have a look at those.
>
> > When receiving a smime signed mail, mutt tells me if the signature is
> > valid or not.
>
> Well yes, but in some cases (please don't ask) my moron users have
> more than one valid certificate in use and I'd like to know which one
> that is (because they don't know).

I do not seem to have this problem. Maybe using S/MIME support via gpgme
makes this all a bit easier to handle?

gpgsm --list-keys ralf.hildebra...@charite.de

would give you all information about the key, including ID (which is the
last part of the fingerprint), serial etc.
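
Added example, not code from any poster or from mutt: the pipe command from Bastian's message combined with the "openssl hash" answer above, as a shell function that reads a signed message on stdin and prints, for each certificate it carries, the subject hash next to serial, validity, email and SHA-256 fingerprint. The function name `smime_cert_summary` is an assumption, and that the `.0` names under `~/.smime/certificates` are this subject hash is the reply's suggestion rather than something the thread confirms.

```shell
#!/bin/sh
# Added example: summarize every certificate carried in an S/MIME signed
# message read from stdin (for instance via mutt's pipe_message function).
# smime_cert_summary is a hypothetical name, not part of mutt or openssl.
smime_cert_summary() {
    tmp=$(mktemp -d) || return 1
    # Pull the PKCS#7 structure out of the mail and dump its certificates as PEM.
    openssl smime -pk7out 2>/dev/null |
        openssl pkcs7 -print_certs 2>/dev/null > "$tmp/all.pem"
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$tmp/all.pem"
    found=0
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        found=1
        # -hash prints the subject-name hash, the value c_rehash uses for
        # file names; compare it with names such as b43f1e2c.0.
        printf 'file name : %s.0\n' "$(openssl x509 -in "$c" -noout -hash)"
        # Serial, validity, e-mail and fingerprint tell two valid
        # certificates of the same person apart.
        openssl x509 -in "$c" -noout -subject -issuer -serial -dates -email \
            -fingerprint -sha256
        echo
    done
    rm -rf "$tmp"
    # Non-zero exit status when the input carried no certificate at all.
    [ "$found" -eq 1 ]
}
```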
Re: [ext] Re: Display info about S/MIME signature
* Bastian :

> Try ^K, which is the default keybind for `extract-keys`.
> This command extracts the public key and adds it to your keyring
> (smime_keys).

Yes, but this only displays precious little info.

Enter label:
Found 1 certificate chains
Processing chain:
subject=C = DE, ST = Berlin, L = Berlin, O = Charite- Universitaetsmedizin Berlin, SN = Lastname, GN = Firstname, CN = Firstname Lastname
Certificate: /home/hildeb-adm/.smime/certificates/6ab64010.0 already installed.
==> about to verify certificate of b43f1e2c.0
/home/hildeb-adm/.smime/certificates/b43f1e2c.0: OK
==> checking purpose flags for b43f1e2c.0
S/MIME signing : Yes
S/MIME encryption : Yes
certificate b43f1e2c.0 (foo) for firstname.lastn...@charite.de added.

But what *IS* "b43f1e2c"? Is it a serial number, a part of the fingerprint?

> Also check the config options `crypt_verify_sig`, and
> `smime_verify_command`, `smime_verify_opaque_command`

I'll have a look at those.

> When receiving a smime signed mail, mutt tells me if the signature is
> valid or not.

Well yes, but in some cases (please don't ask) my moron users have
more than one valid certificate in use and I'd like to know which one
that is (because they don't know).

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | https://www.charite.de