Bug 165821

Summary: S/MIME signature verification always fails, encryption never works
Product: [Fedora] Fedora Reporter: Michel Alexandre Salim <michel.salim>
Component: evolutionAssignee: Dave Malcolm <dmalcolm>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4   
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-12 23:48:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 158504    

Description Michel Alexandre Salim 2005-08-12 15:50:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8b4) Gecko/20050811 Firefox/1.0+

Description of problem:
Using personal S/MIME email certificates from Thawte, tested to work fine with both Apple Mail and Mozilla Thunderbird, I could send signed messages from Evolution just fine, but when receiving signed emails they are said to have 'Invalid signature' . clicking on the message status yields this:

The signature of this message cannot be verified, it
may have been altered in transit.

Signer: John Doe <j.doe@acme.corp>: Signing certificate not trusted

When trying to /send/ an encrypted email, Evolution acts as if the Thawte certificate cannot be used to encrypt, even though its own certificate manager says otherwise:

Could not create message.

Because "Cannot add SMIMEEncKeyPrefs attribute", you may
need to select different mail options.

Version-Release number of selected component (if applicable):
evolution-2.2.3-2.fc4, mozilla-nss-1.7.10-1.5.1

How reproducible:

Steps to Reproduce:
1. Get two Thawte certificates from thawte.com
2. Send signed e-mails from one to the other
3. (Try) sending encrypted e-mails

Actual Results:  Evolution sends signed e-mails fine but the signatures cannot be verified (the same e-mail, accessed by Thunderbird using IMAP, verifies just fine).

Evolution fails to encrypt, described above; again, Thunderbird works just fine.

There is no way to add the received certificate to the list of contacts' public certificates, nor to declare the certificate trusted.

Expected Results:  Evolution should work similarly to Thunderbird - perhaps this is fixed in a future version? I checked the CVS ChangeLog but didn't see any S/MIME update recently. Maybe it's a problem with the version of NSS it's linked against?

Additional info:

Comment 1 Michel Alexandre Salim 2005-08-12 23:48:31 UTC
My mistake. When a new certificate issuer is first encountered by Evolution, it
is not trusted to certify anything. Editing the trust level for the certificate
issuer results in the mails being verified properly.