Page MenuHome GnuPG

gpgsm's default for include-certs should include the signing cert if it is self-signed
Open, LowPublic


The default for include-certs is -2, meaning "everything but the root cert".

In some cases, gpgsm will be used with a self-signed cert. In this case, the default means that the signer's certificate simply isn't included at all in the PKCS#7 signature.

This seems unhelpful if the goal is to get the certificate distributed to the recipient, who may have some other means of verifying the certificate (e.g. out-of-band communication).

I think the default for include-cert of -2 should instead mean "the signer's certificate, plus every certificate up to the root cert". That is, it should ship the signer's certificate by default even if it is self-signed, since some S/MIME consumers expect to see the signer's certificate in the application/pkcs7-signature part.



Event Timeline

werner added a project: gnupg (gpg23).

For reference, here's an error message from openssl smime when it is trying to verify an e-mail message with no embedded certificate at all (despite it knowing about the relevant certificate):

$ openssl smime -verify -CAfile test.crt < test.eml
Verification failure
140288791569600:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:../crypto/pkcs7/pk7_smime.c:420:

This can be worked around in OpenSSL by adding -certfile test.crt as well, i think, but it seems more robust to just ship the signing certificate with every signature.