
gpgsm: No error/warning on verification or decryption in case of trusted but not VS-compliant certificate
Status: Testing, Priority: Normal, Public

Description

For replicating this you need a valid but not VS-compliant S/MIME certificate. (The corresponding Root CA is trusted but it is not VS-compliant; this is the case if GpgsmCompatibility is not set and the Root CA is missing the de-vs flag.)

Encrypting and signing work for such a certificate as expected; encryption and signing are marked as "not VS-NfD compliant".
But on decryption and verification Kleopatra (and GpgOL) both inform that the action was VS-compliant.

Kleopatra and GpgOL get the false information from the gpgme function decryptionResult.isDeVs(), which in turn gets the info from gpgsm.
And gpgsm on the command line seems not to know about the non-compliance:

C:\Users\g10code.WIN-TEST3\Documents>gpgsm --status-fd 2 --verify test.txt.p7s test.txt
[GNUPG:] NEWSIG
gpgsm: Signatur erzeugt am 2026-03-24 11:10:12 UTC
gpgsm:                mittels rsa3072-Schlüssel A8363E8C52A262B04E8B2FC772A2E3036291C878
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
[GNUPG:] GOODSIG A8363E8C52A262B04E8B2FC772A2E3036291C878 /CN=Berta Boss/OU=demo/O=g10 Code GmbH/C=DE
[GNUPG:] VALIDSIG A8363E8C52A262B04E8B2FC772A2E3036291C878 2026-03-24 20260324T111012 20630405T170000 0 0 1 8 00
gpgsm: Korrekte Signatur von "/CN=Berta Boss/OU=demo/O=g10 Code GmbH/C=DE"
gpgsm:                 alias "berta.boss@demo.gnupg.com"
[GNUPG:] TRUST_FULLY 0 shell
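A defender-side reading of the status lines above, added here as an illustration and not code from GnuPG, gpgme or this ticket: it parses the `--status-fd` output of gpgsm and reports a verification as VS-NfD compliant only when a GOODSIG/VALIDSIG pair is accompanied by `VERIFICATION_COMPLIANCE_MODE 23` (23 is the number GnuPG uses for the de-vs mode in status lines). A missing compliance line is treated as "not compliant", which is the rule the ticket turns on. The first sample transcript is the one from the description; the second, with the compliance line removed, is constructed.

```python
"""Decide de-vs compliance from gpgsm --status-fd output (added example, not GnuPG code)."""
from __future__ import annotations

from dataclasses import dataclass, field

DE_VS_MODE = "23"  # GnuPG's status-line number for the de-vs compliance mode

# Transcript taken from the ticket description (compliance line present).
SAMPLE_WITH_MODE = """\
[GNUPG:] NEWSIG
gpgsm: Signatur erzeugt am 2026-03-24 11:10:12 UTC
gpgsm:                mittels rsa3072-Schlüssel A8363E8C52A262B04E8B2FC772A2E3036291C878
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
[GNUPG:] GOODSIG A8363E8C52A262B04E8B2FC772A2E3036291C878 /CN=Berta Boss/OU=demo/O=g10 Code GmbH/C=DE
[GNUPG:] VALIDSIG A8363E8C52A262B04E8B2FC772A2E3036291C878 2026-03-24 20260324T111012 20630405T170000 0 0 1 8 00
gpgsm: Korrekte Signatur von "/CN=Berta Boss/OU=demo/O=g10 Code GmbH/C=DE"
gpgsm:                 alias "berta.boss@demo.gnupg.com"
[GNUPG:] TRUST_FULLY 0 shell
"""

# Constructed variant: same verification, but gpgsm emitted no compliance line.
SAMPLE_WITHOUT_MODE = "\n".join(
    line for line in SAMPLE_WITH_MODE.splitlines()
    if not line.startswith("[GNUPG:] VERIFICATION_COMPLIANCE_MODE")
) + "\n"


@dataclass
class VerifyStatus:
    good_sig: bool = False
    valid_sig: bool = False
    trust: str | None = None            # e.g. "FULLY" from TRUST_FULLY
    fingerprint: str | None = None      # fingerprint named in GOODSIG
    compliance_modes: set[str] = field(default_factory=set)

    @property
    def is_de_vs(self) -> bool:
        # Compliance is only claimed when gpgsm said so explicitly.
        return self.good_sig and self.valid_sig and DE_VS_MODE in self.compliance_modes


def parse_status(output: str) -> VerifyStatus:
    """Fold the machine-readable [GNUPG:] lines into a VerifyStatus."""
    st = VerifyStatus()
    for line in output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpgsm messages are ignored
        fields = line[len("[GNUPG:] "):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG" and args:
            st.good_sig = True
            st.fingerprint = args[0]
        elif keyword == "VALIDSIG":
            st.valid_sig = True
        elif keyword == "VERIFICATION_COMPLIANCE_MODE":
            st.compliance_modes.update(args)
        elif keyword.startswith("TRUST_"):
            st.trust = keyword[len("TRUST_"):]
    return st


def describe(st: VerifyStatus) -> str:
    """Wording a front end like Kleopatra would show for this result."""
    if not (st.good_sig and st.valid_sig):
        return "signature not valid"
    return "VS-NfD compliant" if st.is_de_vs else "not VS-NfD compliant"


if __name__ == "__main__":
    for name, sample in (("with mode line", SAMPLE_WITH_MODE), ("without mode line", SAMPLE_WITHOUT_MODE)):
        st = parse_status(sample)
        print(f"{name}: {describe(st)} (trust={st.trust}, fpr={st.fingerprint})")
```

The point of the second sample is the failure mode discussed later in this ticket: when gpgsm stops emitting the compliance line, the only safe reading is "not compliant", never "compliant by default".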

Details

Version
VSD 3.3.6.1

Event Timeline

werner triaged this task as Normal priority. Mar 26 2026, 9:26 AM
pl13 mentioned this in Unknown Object (Maniphest Task). Mar 30 2026, 9:54 AM

Here is my attempt at fixing the de-vs compliance check when verifying a signature:

pl13 moved this task from Backlog to WiP on the gnupg22 board.
werner changed the task status from Open to Testing. Apr 7 2026, 3:15 PM
werner moved this task from Backlog to WIP on the gnupg26 board.
pl13 mentioned this in Unknown Object (Maniphest Task). Apr 13 2026, 8:54 AM

With GnuPG-VS-Desktop-3.3.90.9-Beta-Standard gpgsm now never shows the line [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23. Therefore Kleopatra now always shows "not VS compliant" on verification and decryption, even though the certificate is shown as VS-compliant in the list and when encrypting.

Note that I tested with a local trustlist.txt and the setting GpgsmCompatibility=de-vs-trustlist

Without GpgsmCompatibility set and with the trust in the Root CA established in the global trustlist file (the local one does not work for VS compliance without GpgsmCompatibility=de-vs-trustlist, as expected), the compliance of a signature or decryption is now shown correctly and in accordance with the certificate status shown in Kleopatra. If the Root CA is only trusted locally, the certificate and the signature are shown as "certified" resp. "not compliant".
In short: everything works as expected if GpgsmCompatibility is not set.

The issue mentioned above only occurs when GpgsmCompatibility=de-vs-trustlist and the Root CA is only trusted in the local trustlist.txt.

Note to self: Beware that if a local trustlist.txt exists, it must have a line include-default for the global trustlist to be read.
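A small check for the two trustlist.txt pitfalls this comment and the previous one describe, added as an illustration and not code from GnuPG or this ticket: it reads a local gpg-agent trustlist.txt, reports whether the include-default line is present (without it the global trustlist is not read), and lists which roots are trusted for S/MIME without the de-vs flag, which is exactly the situation in which chains to that root are not VS-compliant. The file content and the fingerprints below are constructed placeholders; the line format assumed is the documented one, `<fingerprint> <S|P|*> [flags...]`, with comment lines, an `include-default` keyword line, and a leading `!` marking a disabled entry.

```python
"""Lint a local gpg-agent trustlist.txt for de-vs readiness (added example, not GnuPG code)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample; the fingerprints are obvious placeholders, not real CAs.
SAMPLE_LOCAL_TRUSTLIST = """\
# constructed local trustlist.txt for illustration
include-default
# S/MIME root that carries the de-vs flag
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA S de-vs
# S/MIME root trusted but without de-vs: chains to it are not VS-compliant
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB S
# disabled entry, ignored
!CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC S de-vs
"""


@dataclass
class TrustEntry:
    fingerprint: str
    scope: str                 # S = S/MIME, P = OpenPGP, * = both
    flags: tuple[str, ...]     # e.g. relax, cm, qual, de-vs
    disabled: bool


@dataclass
class TrustlistReport:
    includes_default: bool
    entries: list[TrustEntry]

    def de_vs_roots(self) -> list[str]:
        """Fingerprints that may anchor a VS-compliant chain."""
        return [e.fingerprint for e in self.entries
                if "de-vs" in e.flags and not e.disabled]

    def problems(self) -> list[str]:
        """Human-readable findings a practitioner would want to see."""
        out: list[str] = []
        if not self.includes_default:
            out.append("no include-default line: the global trustlist will not be read")
        for e in self.entries:
            if e.disabled or e.scope not in ("S", "*"):
                continue
            if "de-vs" not in e.flags:
                out.append(f"{e.fingerprint}: trusted for S/MIME but not flagged de-vs, "
                           "so certificates chaining to it are not VS-compliant")
        return out


def parse_trustlist(text: str) -> TrustlistReport:
    """Parse trustlist.txt content into a TrustlistReport."""
    includes_default = False
    entries: list[TrustEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment
        if line == "include-default":
            includes_default = True       # keyword line, not a fingerprint
            continue
        disabled = line.startswith("!")   # leading '!' disables the entry
        if disabled:
            line = line[1:].strip()
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed line; nothing usable
        entries.append(TrustEntry(fields[0].upper(), fields[1], tuple(fields[2:]), disabled))
    return TrustlistReport(includes_default, entries)


if __name__ == "__main__":
    report = parse_trustlist(SAMPLE_LOCAL_TRUSTLIST)
    print("include-default present:", report.includes_default)
    print("de-vs roots:", report.de_vs_roots())
    for finding in report.problems():
        print("WARNING:", finding)
```

Run against a real `~/.gnupg/trustlist.txt` by reading the file into `parse_trustlist`; the check is read-only and does not change what gpg-agent trusts.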

With VS-Desktop-3.3.97.11-Beta (GnuPG 2.2.54-beta9)

It works now as expected in the setup described in https://dev.gnupg.org/T8188#216999 (local trustlist.txt and the setting GpgsmCompatibility=de-vs-trustlist):

C:\Users\g10code.WIN-TEST3\Documents>gpgsm --status-fd 2 --verify test.txt.p7s test.txt
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
[GNUPG:] NEWSIG
gpgsm: Signatur erzeugt am 2026-04-15 13:12:08 UTC
gpgsm:                mittels rsa3072-Schlüssel A8363E8C52A262B04E8B2FC772A2E3036291C878
[GNUPG:] PROGRESS starting_agent ? 0 0
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
[GNUPG:] GOODSIG A8363E8C52A262B04E8B2FC772A2E3036291C878 /CN=Berta Boss/OU=demo/O=g10 Code GmbH/C=DE
[GNUPG:] VALIDSIG A8363E8C52A262B04E8B2FC772A2E3036291C878 2026-04-15 20260415T131208 20630405T170000 0 0 1 8 00
gpgsm: Korrekte Signatur von "/CN=Berta Boss/OU=demo/O=g10 Code GmbH/C=DE"
gpgsm:                 alias "berta.boss@demo.gnupg.com"
[GNUPG:] TRUST_FULLY 0 shell

And showing the correct info "compliant" / "not compliant" for verification (and decryption) of course still works without GpgsmCompatibility mode set and with the trust set with "de-vs" (or not) in the global config, too.

pl13 mentioned this in Unknown Object (Maniphest Task). Mon, Apr 20, 10:10 AM