Page MenuHome GnuPG
Create Task
Maniphest T8190

GpgOL: Encrypt/Sign issues using S/MIME certs with invalid crlDP
Open, LowPublic
Actions

Description

As I understood T6701: GpgOL: Use GPGME_ENCRYPT_ALWAYS_TRUST, this "retry with fewer validity checks" dialog should enable users to sign/encrypt anyway, if the CRL check fails:

Issues:
I tested this with custom certs for ted/edward with inaccessible/invalid crlDP field:

  • inaccessible: unreachable domain http://gnupg.test/crl.pem
    • retry does not succeed and still errors with invalid CRL object
  • invalid: invalid content https://gnupg.com/share/g10code-key.asc
    • retry does not succeed and still errors with unknown error
  • for both cases, sometimes the process will hang indefinitely (so far, it happend on: initial sign only, retry sign/encrypt with fewer checks)

If those cases are not covered by T6701: GpgOL: Use GPGME_ENCRYPT_ALWAYS_TRUST, it would be nice to know how to create test certs for this.

Setup:

  • Certificates:

    ca.pem2 KBDownload


    edward.tester-crldp_inaccessible.p124 KBDownload
    ted.tester-crldp_inaccessible.p124 KBDownload


    edward.tester-crldp_invalid.p124 KBDownload
    ted.tester-crldp_invalid.p124 KBDownload
  • GpgOL settings:
    • enable smime
    • always show security dialog
    • automatically secure messages
Case 01: CRL Error

Note: CA + invalid certs in the keyring:

  1. Create a mail: from edward, to ted, set sign/encrypt, add subject/content, send (resolving took ~50s, only the first time took so long)

    • Note: Autoencrypt did not work when I added the recipient
  1. Confirm (took ~20s)

  1. Retry (took ~20s) => Invalid CRL Object

Logs:

01-crlerror-gpgol.log396 KBDownload

01-crlerror-gpgsm.log113 KBDownload

Approximate timestamps:

11:07:01 resolve start
11:07:20 resolve end
11:07:49 confirm start
11:08:08 confirm end
11:09:29 retry start
12:10:02 retry end
Case 02: Hang (on retry)

Note: CA + invalid certs in the keyring.

  1. Create a mail: from edward, to ted, set sign/encrypt, add subject/content, send
  2. Confirm
  3. Retry => Processing continues forever

Might be related to T8187: Kleopatra: File encryption with invalid S/MIME certificate hangs indefinitely

Logs:

02-hang-gpgsm.log112 KBDownload

02-hang-gpgol.log73 KBDownload

Approximate timestamps:

12:03:56 resolve start
12:04:02 resolve end
12:04:34 confirm start
12:04:53 confirm end
12:05:05 retry start
12:07:35 no progress -> kill processes
Case 03: Unkown error

Note: CA + inaccessible certs in the keyring.

  1. Create a mail: from edward, to ted, set sign/encrypt, add subject/content, send
  2. Confirm

  1. Retry => Unknown error

Logs:

03-unknownerror-gpgsm.log112 KBDownload

03-unknownerror-gpgol.log72 KBDownload

Approximate timestamps:

12:31:27 resolve start
12:32:10 resolve end
12:32:19 confirm start
12:32:36 confirm end
12:32:43 retry start
12:33:00 retry end

Details

Version
gpg4win-5.0.2 @ win11

Related Objects

Event Timeline

timegrid triaged this task as Low priority.Wed, Mar 25, 1:42 PM
timegrid created this task.
timegrid created this object with edit policy "Contributor (Project)".
timegrid added a comment.Wed, Mar 25, 1:55 PM

With signing only, the retry option is not offered and directly either hangs or shows the "Invalid CRL object" / "Unknown error" error.
Is this intentional?