
gpgsm's default for include-certs should include the signing cert if it is self-signed
Open, Low, Public

Description

The default for include-certs is -2, meaning "everything but the root cert".

In some cases, gpgsm will be used with a self-signed cert. In this case, the default means that the signer's certificate simply isn't included at all in the PKCS#7 signature.

This seems unhelpful if the goal is to get the certificate distributed to the recipient, who may have some other means of verifying the certificate (e.g. out-of-band communication).

I think the default for include-certs of -2 should instead mean "the signer's certificate, plus every certificate up to the root cert". That is, it should ship the signer's certificate by default even if it is self-signed, since some S/MIME consumers expect to see the signer's certificate in the application/pkcs7-signature part.

Details

Version
2.2.19

Event Timeline

werner added a project: gnupg (gpg23).

For reference, here's an error message from openssl smime when it is trying to verify an e-mail message with no embedded certificate at all (despite it knowing about the relevant certificate):

$ openssl smime -verify -CAfile test.crt < test.eml
Verification failure
140288791569600:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:../crypto/pkcs7/pk7_smime.c:420:
$ 

This can be worked around in OpenSSL by adding -certfile test.crt as well, I think, but it seems more robust to just ship the signing certificate with every signature.
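The verification behaviour discussed in this ticket can be reproduced with OpenSSL alone. The script below is an added example, not part of the ticket or of GnuPG: it assumes `openssl smime -sign -nocerts` as a stand-in for a gpgsm signature that carries no signer certificate, and every file it uses (test.key, test.crt, msg.txt, nocert.eml, withcert.eml) is a throwaway constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: reproduces "signer certificate not found" with constructed data.

# Create a self-signed signer certificate and two signed messages.
setup_demo() {
    DEMO_DIR=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Signer" \
        -keyout "$DEMO_DIR/test.key" -out "$DEMO_DIR/test.crt" 2>/dev/null || return 1
    printf 'constructed test message\n' > "$DEMO_DIR/msg.txt"
    # -nocerts leaves the signer's certificate out of the PKCS#7 structure
    # (assumed equivalent to the signature described in the report).
    openssl smime -sign -nocerts -in "$DEMO_DIR/msg.txt" \
        -signer "$DEMO_DIR/test.crt" -inkey "$DEMO_DIR/test.key" \
        -out "$DEMO_DIR/nocert.eml" 2>/dev/null || return 1
    # Default signing embeds the signer's certificate.
    openssl smime -sign -in "$DEMO_DIR/msg.txt" \
        -signer "$DEMO_DIR/test.crt" -inkey "$DEMO_DIR/test.key" \
        -out "$DEMO_DIR/withcert.eml" 2>/dev/null || return 1
}

# Verify with the certificate given only as a trust anchor, as in the report.
verify_cafile_only() {
    openssl smime -verify -CAfile "$DEMO_DIR/test.crt" \
        -in "$DEMO_DIR/$1" -out /dev/null 2>/dev/null
}

# Same, but also supply the signer's certificate out of band via -certfile.
verify_with_certfile() {
    openssl smime -verify -CAfile "$DEMO_DIR/test.crt" \
        -certfile "$DEMO_DIR/test.crt" \
        -in "$DEMO_DIR/$1" -out /dev/null 2>/dev/null
}

setup_demo || { echo "setup failed (is openssl installed?)" >&2; exit 1; }
verify_cafile_only nocert.eml \
    && echo "no embedded cert, -CAfile only:   verified" \
    || echo "no embedded cert, -CAfile only:   FAILED"
verify_with_certfile nocert.eml \
    && echo "no embedded cert, with -certfile: verified" \
    || echo "no embedded cert, with -certfile: FAILED"
verify_cafile_only withcert.eml \
    && echo "embedded cert, -CAfile only:      verified" \
    || echo "embedded cert, -CAfile only:      FAILED"
rm -rf "$DEMO_DIR"
```

Only the first case fails: a certificate passed with -CAfile is used for trust decisions but is not searched when OpenSSL looks up the signer, so the signer's certificate has to arrive either inside the signature or through -certfile.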