+++ This bug was initially created as a clone of Bug #612269 +++

Description of problem:
After applying the latest evolution update in Fedora, I am no longer able to send digitally signed emails.

Version-Release number of selected component (if applicable):
evolution-2.30.2-1.fc13.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Import personal certificate and select my cert in the Security section of the Account Editor under the Secure MIME (S/MIME) area.
2. Compose an email.
3. Make sure this is enabled: Options->S/MIME Sign
3. Hit the Send button.
  
Actual results:
A popup dialog appears with the following error message:
Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to select different mail options.

Expected results:
Email should be sent with my signature.

Additional info:
I have had the digital signature option enabled in evolution for the last 1-2 years and it has always worked without problem, until I updated to the latest version in F13, 2.30.2.

--- Additional comment from mcrha on 2010-07-08 09:12:36 EDT ---

Thanks for a bug report. I can reproduce this too, there seems to be two issues:
a) certificate name changed, thus one needs to change his/her certificate chosen in account preferences, otherwise there is shown an error about "not able to find the certificate".

b) even when I select the right certificate, then it fails to sign with it, with an error "Failed to encode data".

Finally, I cannot import a certificate to MY store with a new version, as I guess I do not know the password for it. I saw there also my evolution certificates for the first run, its name had Evolution prefix, but I do not see them now, only if I downgrade to the previous version, to 2.30.1.

I reopened the upstream bug [1], where I guess comes the issue from. Let's move with any further discussion there.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=585301

--- Additional comment from dwmw2 on 2010-07-08 12:29:57 EDT ---

This could well be an NSS bug -- NSS in Fedora enables the 'shared system database' by default, but it doesn't really work without some NSS patches that I don't think have made it into updates yet.

As root, please run 'setup-nsssysinit.sh off'.

--- Additional comment from dwmw2 on 2010-07-08 12:42:29 EDT ---

FWIW, I've tested this myself with the shared database disabled, and also with it enabled and with the patch from https://bugzilla.redhat.com/show_bug.cgi?id=603313#c10 applied. Both worked fine.

--- Additional comment from smithj4 on 2010-08-11 17:14:47 EDT ---

Any chance this might get updated soon?  One month later and not even an rpm in testing to try out.

--- Additional comment from dwmw2 on 2010-08-11 17:35:06 EDT ---

As indicated by comments #2 and #3, please test this again and confirm whether you still have issues either with:
 - The fixed NSS packages (see bug 603313), or
 - The shared system database turned off

--- Additional comment from smithj4 on 2010-08-12 10:35:56 EDT ---

I didn't know you were waiting for me to respond since you replied to your own comment and seemed to be confirming the problem and a working solution.

I tried the first solution "setup-nsssysinit.sh off" but I get the exact same error message.

As for the suggested patch from bug #603313, has the nss-3.12.6-11.fc13 rpm made it into the testing repo yet and does it contain the necessary patch?  I can't find it.  It would be much easier for me to try installing that test rpm, rather that trying to patch and rebuild myself.

--- Additional comment from emaldona on 2010-08-12 10:53:10 EDT ---

I pushed a new update with an additional fix Yesterday wich obsoleted the previous one, see https://admin.fedoraproject.org/updates/nss-3.12.6-11.fc13
Give it a day or two for the notification to show up on bug #603313 (hopefully here as well as I marked that one a blocker of this one)

--- Additional comment from dwmw2 on 2010-08-12 11:04:14 EDT ---

(In reply to comment #6)
> I tried the first solution "setup-nsssysinit.sh off" but I get the exact same
> error message.

Ok, that's interesting. That was working for me, as I said. Is there something different about your key store? Does it have a master password?

Can you show the output of 'certutil -d $HOME/.evolution -L' and
'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of /etc/pki/nssdb/pkcs11.txt

--- Additional comment from smithj4 on 2010-08-12 11:27:21 EDT ---

(In reply to comment #8)
> Ok, that's interesting. That was working for me, as I said. Is there something
> different about your key store? Does it have a master password?

Yes, the first time I try to send a signed email, I get prompted with "Enter the password for `NSS User Private Key and Certificate Services'".

> Can you show the output of 'certutil -d $HOME/.evolution -L' and
> 'certutil -d sql:$HOME/.pki/nssdb -L', and the contents of
> /etc/pki/nssdb/pkcs11.txt    

Do you need the full contents, it looks like it contains the email address of a lot of people that have sent me signed email.  A few key lines, related only to me are (I assume I am listed 3 times because my x509 cert expires every year and I have imported it 3 times over the past few years):

$ certutil -d $HOME/.evolution -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u
DOEGrids CA 1 - ESnet                                        CT,C,C


$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOEGrids CA 1 - ESnet                                        CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
ESnet Root CA 1 - ESnet                                      CT,C,C
Jason A. Smith 236749's  ID                                  u,u,u
Jason A. Smith 236749's  ID                                  u,u,u


$ cat /etc/pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

--- Additional comment from smithj4 on 2010-08-16 10:11:24 EDT ---

I tried the nss packages (nss-3.12.6-11.fc13.x86_64) in the testing repo (yum --enablerepo=updates-testing update nss), turned it back on since it didn't help for me (setup-nsssysinit.sh on), restarted evolution and tried to send a signed email.  First, it looked like the password prompt changed: "Enter the password for `NSS Application Slot 00000004'", and then I got the exact same error message:

Could not create message.
Because "Uknown error. (-12285) - Failed to encode data", you may need to
select different mail options.

PS. I also just noticed that there is a spelling mistake in the error message: Uknown.

--- Additional comment from fedora-admin-xmlrpc on 2010-09-07 16:54:02 EDT ---

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.