Signing does not work
Open, High, Public

Description

Hi,

I tested Gpg4win 3.0.1 with regard to signing emails without encryption, having both a valid and trusted pgp and smime certificate stored in Kleopatra.

I did 1) a quick test under Windows 10 Home, 64-bit, version 1703 and 2) a more detailed test after the Windows update to 1709. In both cases I sent a signed email to myself:

Case 1)
-create new mail; sign; send

  • Message box shows up correctly and lets me choose between pgp and smime certificate. I choose pgp. Afterwards I enter my secret key
  • Outlook goes into a deadlock after pressing send. The email still stays on the screen but Outlook doesn't respond any more. Trying to close Outlook gives me the "do you want to wait for the application" screen. I end Outlook by saying no (after a long waiting period)
  • Restarting Outlook gives me the "GPG4win Plugin warning" with the choice to deactivate this plugin, since it showed a major problem...

When trying to sign with smime I get a message box that GPG4win is not able to sign with my smime certificate. "Fehler Kleopatra: Signieren fehlgeschlagen: kein CRL bekannt"

Case 2)
PGP Test

  • Kleopatra not running, fresh start of Outlook
  • Message box shows up correctly and lets me choose between pgp and smime certificate. I chose pgp. Afterwards I had to enter my passphrase
  • Mail sent out correctly
  • going to inbox: preview is blank; no mail body visible; mail is "unsecure"; GPG4win does not show any decryption/analyzing activity
  • opening mail: msgbox "Laufzeitfehler im Microsoft Access Add-In: Fehler bei Aufruf der Rückruffunktion "Ribbon_GetDCVisible" " ; clicked "alle ok"
  • next msg box: Laufzeitfehler in Kerio Outlook Connector: Fehler bei Rückruffunktion "InspectorOnGetButtonEnabled", clicked "alle ok"
  • mail window is showing. Mail body is empty (same as in preview); closing mail window; switching to another mail item, switching back to the previous mail; preview still blank; no activity
  • opening mail again, no message box shows up. Mail body still empty; when closing, message box pops up: Die Eigenschaft von [Text in Betreff] wurde geändert; sollen die Änderungen gespeichert werden?; I click no -opening same mail again; no message boxes; this time mail body shows correctly!; closing this time works without message box; opening again works correctly; -switching to new item; switching back; preview is ok!; opening is ok
    • going to my mail in sent folder; preview blank; opening works without message boxes; mail body is blank; I close; change mail item; switch back; preview still blank
    • opening mail item; mail body blank; closing; message box pops up "Die Eigenschaft von [Text in Betreff] wurde geändert; sollen die Änderungen gespeichert werden?"; I click no
    • preview now shows correctly! I open the mail without problems; mail body is ok
    • I restart Outlook
    • looking at my mail in inbox: preview blank; mail unsafe; opening mail; message box "Laufzeitfehler im Microsoft Access Add-In: Fehler bei Aufruf der Rückruffunktion "Ribbon_GetDCVisible" " ; clicked "alle ok"
    • next msg box: Laufzeitfehler in Kerio Outlook Connector: Fehler bei Rückruffunktion "InspectorOnGetButtonEnabled", clicked "alle ok"; mail shows up with blank mail body; closing mail; preview blank
    • switching mail item; selecting mail again; preview blank; opening; message box "Laufzeitfehler im Microsoft Access Add-In: Fehler bei Aufruf der Rückruffunktion "Ribbon_GetDCVisible" " ; clicked "alle ok"; no second msgbox for "Kerio"; mail shows up with blank mail body; I close; message box pops up "Die Eigenschaft von [Text in Betreff] wurde geändert; sollen die Änderungen gespeichert werden?"; I click no
  • preview now ok; opens ok now; mail body shows correctly; switching mail item forth and back; preview ok; mail opens correctly; status is still "unsicher"
  • going to outbox to look at my mail
  • preview shows "OPENPGP Verschlüsselte Nachricht: Bitte warten Sie während die Nachricht entschlüsselt /geprüft wird"; this preview message stays forever
  • opening mail without any message boxes; mail body same as preview: "OPENPGP Verschlüsselte Nachricht: Bitte warten Sie während die Nachricht entschlüsselt /geprüft wird" ; I close mail
  • switch mail item forth and back; preview now blank; opening mail; body blank; closing mail; message box pops up "Die Eigenschaft von [Text in Betreff] wurde geändert; sollen die Änderungen gespeichert werden?"; I click no
  • preview now ok; mail opens ok and shows mail body correctly; closing without any message boxes

-I go back to inbox: mail preview still ok; opening ok; closing ok

  • I restart Outlook; same behaviour like last restart; so the above is reproducible

Summary: pgp signed mails are "unsafe"; mail body does not show correctly; you need to open the email three times to see the email body correctly; after message box "Die Eigenschaft von [Text in Betreff] wurde geändert; sollen die Änderungen gespeichert werden?" the mail item seems to be "healed". When you restart Outlook everything starts from the beginning. So the above procedures are reproducible.

smime signature test:
-closing Kleopatra running in the background

  • restarting Outlook;
  • create new signed mail; send mail

-Message box shows up correctly and lets me choose between pgp and smime certificate. I choose smime and my smime certificate.
-message box "Fehler Kleopatra: Signieren fehlgeschlagen: kein CRL bekannt". I click ok
-so I can't sign at all. When I use the same certificate with the native, built-in Outlook smime certification, everything works fine (at least it worked half a year ago; I'm not up to date how much certificate trouble startcom has at the moment; at least Kleopatra states that my certificate is valid)

Attached you find log files for the above procedures: {F209629}

Details

aheinecke triaged this task as Normal priority. Nov 27 2017, 9:27 AM
aheinecke claimed this task.
aheinecke added a subscriber: aheinecke.

Thanks for the detailed report. I can't reproduce this behavior. Neither on my Outlook 2010 test system nor my Outlook 2016 test system.
I can see several verification errors in the Log. First todo: Communicate the error and restore the original body.

The error happens because for you GpgOL does not receive the complete MIME Structure of the mail but an already parsed structure. I'm not sure why this happens for you, GpgOL changes the MessageClass when the Mail is first viewed to prevent that. If we don't get the original MIME structure we can't verify the mail correctly. I'll try playing around with signed only mails a bit more (this can only happen for sign only)

  • opening mail: msgbox "Laufzeitfehler im Microsoft Access Add-In: Fehler bei Aufruf der Rückruffunktion "Ribbon_GetDCVisible" " ; clicked "alle ok"
  • Laufzeitfehler im Microsoft Access Add-In: Fehler bei Aufruf der Rückruffunktion "Ribbon_GetDCVisible

Interesting, some other Add-In's Error for you. (Remember seeing these errors is a developer setting and they may not be fatal)
Do you get the same Add-In errors when GpgOL is disabled?

-message box "Fehler Kleopatra: Signieren fehlgeschlagen: kein CRL bekannt". I click ok

GnuPG is very strict about Certificate Revocation Lists. For your Certificate the CRL could not be obtained so it's a hard failure. You can disable CRL Checks in Kleopatra's settings. This is a "real" problem and signing would also fail on the command line with gpgsm.
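
The MIME-structure point in the comment above (a sign-only mail can only be verified from its original MIME structure), as an added example that is not GpgOL's code and not part of the thread. The message is constructed, and a SHA-256 comparison stands in for the real signature check; it contrasts the exact bytes of the signed part with the decoded body an already parsed structure exposes.

```python
import hashlib
from email import message_from_bytes

# Constructed sample: a sign-only mail in multipart/signed layout (RFC 3156).
# The signature part is a placeholder; no real OpenPGP data is involved.
RAW = (
    b"Subject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    b' protocol="application/pgp-signature"; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Gr=C3=BC=C3=9Fe aus Berlin\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"(placeholder signature)\r\n"
    b"--b1--\r\n"
)


def signed_part_bytes(raw):
    """Return the exact bytes of the first body part, MIME headers included."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    # RFC 2046: the CRLF in front of a boundary line belongs to the delimiter.
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    body = raw[raw.index(b"\r\n\r\n") + 2:]  # keep one CRLF for the first delimiter
    chunks = body.split(delim)
    if len(chunks) < 3:
        raise ValueError("signed part not delimited")
    first = chunks[1]
    return first[first.index(b"\r\n") + 2:]  # drop the rest of the boundary line


def parsed_body_bytes(raw):
    """Return the decoded text body, as an already parsed structure exposes it."""
    return message_from_bytes(raw).get_payload(0).get_payload(decode=True)


def would_verify(candidate, raw):
    """Hash comparison standing in for the signature check (assumption)."""
    expected = hashlib.sha256(signed_part_bytes(raw)).digest()
    return hashlib.sha256(candidate).digest() == expected
```

The decoded body has lost the part's own headers and its quoted-printable encoding, so its bytes can never match what was signed, even though the text a reader sees is identical.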

aheinecke raised the priority of this task from Normal to High. Nov 27 2017, 9:57 AM

I can reproduce it if I send and receive with Outlook 2010. I have some working mails in my Outlook 2010 though, this is the reason why I first thought that it did not happen for me. Looking at the same mails in Outlook 2016 works fine.

So the error handling is improved now. We restore the original body on error and show the error in the tooltip of the GpgOL Status Icon.

Now I'm checking if we can fix the Outlook 2010 verify error.

tried to answer in the text with ###:

On 27.11.2017 09:27, "aheinecke (Andre Heinecke)" <noreply@dev.gnupg.org> wrote:

aheinecke triaged this task as "Normal" priority.
aheinecke claimed this task.
aheinecke added a comment.

Thanks for the detailed report. I can't reproduce this behavior. Neither on
my Outlook 2010 test system nor my Outlook 2016 test system.
I can see several verification errors in the Log. First todo: Communicate
the error and restore the original body.

The error happens because for you GpgOL does not receive the complete MIME
Structure of the mail but an already parsed structure.

It is possible that one of my macros is parsing the incoming mail. I will
check that but can't do that before weekend.

I'm not sure why this happens for you, GpgOL changes the MessageClass when
the Mail is first viewed to prevent that. If we don't get the original MIME
structure we can't verify the mail correctly. I'll try playing around with
signed only mails a bit more (this can only happen for sign only)

  • opening mail: msgbox "Laufzeitfehler im Microsoft Access Add-In: Fehler bei Aufruf der Rückruffunktion "Ribbon_GetDCVisible" " ; clicked "alle ok"
  • Laufzeitfehler im Microsoft Access Add-In: Fehler bei Aufruf der Rückruffunktion "Ribbon_GetDCVisible

Interesting, some other Add-In's Error for you. (Remember seeing these
errors is a developer setting and they may not be fatal)
Do you get the same Add-In errors when GpgOL is disabled?

No, didn't see these errors before. I'll crosscheck anyway. Don't even
remember that I installed Access add-ins. I guess it comes with Office.
Kerio definitely had no message box before.

-message box "Fehler Kleopatra: Signieren fehlgeschlagen: kein CRL
bekannt". I click ok

GnuPG is very strict about Certificate Revocation Lists. For your
Certificate the CRL could not be obtained so it's a hard failure. You can
disable CRL Checks in Kleopatra's settings. This is a "real" problem and
signing would also fail on the command line with gpgsm.

Thanks for the solution. I'll try.

*TASK DETAIL*
https://dev.gnupg.org/T3538
