
Invalid ID in GpgOL while sending myself a signed and encrypted message
Closed, Resolved | Public

Description

I am using GPG4Win Version 4.0.4.

I see the following problem if I send myself (same mail address as sender and recipient) a signed and encrypted message using S/MIME:

S/MIME Verschlüsselte Nachricht (Entschlüsselung nicht möglich)
Daten konnten nicht entschlüsselt werden: Invalid ID

Outlook and GpgOL are not able to decrypt the message. I do not know what is going wrong here. Is it a bug, or am I doing something nasty?

Best Regards,
Joerg

Details

Version
GPG4Win 4.0.4

Event Timeline

PS
The problem is also present if I send an encrypted (not signed) message to myself.
If I get mails from other people which are encrypted using S/MIME and the same certificate and signed by the sender, there is no problem. GpgOL works fine here.

I do not understand why it is not working if I send a mail to myself.

BR, Joerg

aheinecke triaged this task as Wishlist priority. Dec 22 2022, 3:44 PM
aheinecke added projects: S/MIME, Info Needed.
aheinecke added a subscriber: aheinecke.

Please attach the certificate so that we can check what is problematic with that certificate. I am changing this issue to wishlist as the solution here will most likely be that we have to extend the S/MIME capabilities of Gpg4win.

Do you have any config changes, like a different compliance mode or so?

Hello Andre Heinecke,

thank you very much for your feedback. Certificate is attached.

I have not made any special settings. I use a YubiKey to store the private OpenPGP keys. But since that works poorly together with S/MIME email at the moment, I don't use the PIV module in the YubiKey and thus this feature for S/MIME certificates. So it should have no influence.

Attachment
Certificate:

Thanks for the certificate, looks good as far as I can tell. I have trouble with CRL checks for your certificate as https://crl.sectigo.com/ does not work for me. But that should not be an issue when decrypting.

Invalid ID is something that can come from our smartcard access tool. I know you say that you do not use the YubiKey for S/MIME, but maybe our system thinks that is the case.

Please go to %APPDATA%\gnupg\private-keys-v1.d and look for 00CD9BB27A8821FF646FE8873A4F8CD4FB6828C5.key
Then open it with an editor (e.g. notepad).
If it says "Key: (private-key ..." or "Key: (protected-private-key ...", I am clueless and need help from a colleague.
If it says "Key: (shadowed-private-key ...", then it thinks that it is on a smartcard.
Please do _not_ paste the contents of that file (well in case of shadowed-private-key that would be fine).

Another idea I have is that maybe you have another old test key with the same email address in your keyring, and when you encrypt to yourself you accidentally encrypt to that key, while others who encrypt to you are using your real key?

Does Kleopatra show multiple keys for your mail address?
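The check described above, run over a whole private-keys-v1.d directory instead of one file, as an added example (not GnuPG project code): it reads only the opening S-expression tag of each key file, so nothing secret is printed, and the sample files built in demo() are constructed with a placeholder card serial.

```python
"""Classify gpg-agent key files in private-keys-v1.d without printing key material.

Added example, not GnuPG project code. Only the opening S-expression tag of each
<KEYGRIP>.key file is read, so "shadowed-private-key" stubs (keys gpg-agent believes
live on a smartcard) stand out from on-disk "private-key"/"protected-private-key"
files. Sample files in demo() are constructed; the card serial is a placeholder."""
import os
import re
import tempfile
from pathlib import Path

# Extended format "Key: (shadowed-private-key ..." and the older canonical
# S-expression "(20:shadowed-private-key..." both start with the same tag.
TAG_RE = re.compile(
    rb"^(?:Key:[ \t]*)?\((?:\d+:)?"
    rb"(shadowed-private-key|protected-private-key|private-key)\b", re.MULTILINE)
KEYGRIP_RE = re.compile(r"[0-9A-F]{40}")  # files are named <KEYGRIP>.key


def classify_key_file(data: bytes) -> str:
    """Return the outer S-expression tag of a key file, or 'unknown'."""
    match = TAG_RE.search(data)
    return match.group(1).decode() if match else "unknown"


def scan_private_keys(directory: Path) -> dict:
    """Map keygrip -> classification for every <KEYGRIP>.key in directory."""
    found = {}
    for path in sorted(directory.glob("*.key")):
        if KEYGRIP_RE.fullmatch(path.stem):  # skip stray non-keygrip files
            found[path.stem] = classify_key_file(path.read_bytes())
    return found


def demo() -> dict:
    """Constructed sample directory: one smartcard stub, one on-disk key."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "00CD9BB27A8821FF646FE8873A4F8CD4FB6828C5.key").write_bytes(
            b"Created: 20221222T150000\n"
            b"Key: (shadowed-private-key (rsa (n #00C0FFEE#)(e #010001#)\n"
            b" (shadowed t1-v1 (#PLACEHOLDER-SERIAL# OPENPGP.1))))\n")
        (d / ("A" * 40 + ".key")).write_bytes(
            b"(21:protected-private-key(3:rsa(1:n4:\x00\xc0\xff\xee)))")
        (d / "notes.key").write_bytes(b"Key: (private-key ...)")  # ignored
        return scan_private_keys(d)


if __name__ == "__main__":  # %APPDATA%\gnupg on Windows, ~/.gnupg elsewhere
    base = Path(os.environ["APPDATA"], "gnupg") if "APPDATA" in os.environ else Path.home() / ".gnupg"
    for grip, kind in scan_private_keys(base / "private-keys-v1.d").items():
        print(grip, kind)
```

A keygrip reported as shadowed-private-key while no card is present is exactly the state that produces the Invalid ID error above; deleting that stub and re-importing the certificate with gpgsm is the fix reported later in this thread.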

Hello Andre Heinecke,

thank you again very much for your feedback.

I will test next Monday whether a file 00CD9BB27A8821FF646FE8873A4F8CD4FB6828C5.key exists. I currently have no access to the computer. If it shows "shadowed-private-key", I will delete it and report again. I already had a problem 6 months ago where Kleopatra no longer searched for the private keys of an OpenPGP key on the YubiKey. Again, an incorrect file in the %APPDATA%\gnupg\private-keys-v1.d folder was responsible.

"Another idea I have is that maybe you have another old test key with the same email address in your keyring, and when you encrypt to yourself you accidentally encrypt to that key, while others who encrypt to you are using your real key?"

Good hint. But I am skilled in dealing with multiple keys. Therefore, I do not assume a mistake on my part yet.

"Does Kleopatra show multiple keys for your mail address?"

Yes, it does. I use several keys and can keep them well apart. There are several OpenPGP keys and one S/MIME certificate. Of the OpenPGP keys, all but one are expired.

best regards
Jörg

jrg.sichermann claimed this task.

Hello Andre Heinecke,

deleting the file 00CD9BB27A8821FF646FE8873A4F8CD4FB6828C5.key and importing the certificate again using gpgsm.exe solved the problem :)
The file said "Key: (shadowed-private-key ...)".

best regards
Jörg