KMail & Kleopatra & S/MIME

Ingo Klöcker kloecker at kde.org
Sat Mar 25 20:38:39 GMT 2023


On Saturday, 25 March 2023 10:38:18 CET Kai Bojens wrote:
> On 24.03.23 22:00, Ingo Klöcker wrote:
> > This is correct. KMail and Kleopatra both use GnuPG as backend and GnuPG
> > explicitly does not trust the certificates in the system wide CA store.
> > 
> > This is more a question for the kdepim-users mailing list.
> 
> Not necessarily. I'm a longtime KDE user but have always avoided the KDE
> PIM Suite due to these little things. That's why I'd like to know if
> there have been any plans in the past to change this behavior.
> 
> And in good old open source fashion I would also like to change the way
> these certificates are handled within KMail but I have absolutely no
> clue about the inner workings of KMail and Kleopatra. (but of course I'm
> willing to learn)

The short answer is: KMail and Kleopatra delegate the certificate handling to 
GnuPG.

> So, the simple question would be: what do you think would be the best
> way to solve this? Within KMail or within Kleopatra?

Depends on the way you intend to solve this. Kleopatra does already allow you 
to trust root certificates. And, I think, the GnuPG backend asks you whether 
you want to trust a root certificate if a certificate certified (directly or 
indirectly) by the root certificate is validated.

The GnuPG backend will trust the CA stores curated by the distributions over 
Werner Koch's dead body. People's lives depend on GnuPG not blindly trusting 
anybody and their certificates by default.

If you want to trust the CA store provided by your distribution, then your 
best option is probably to write a script/tool which syncs the certificates in 
the CA store with GnuPG's trustlist.txt file.

Regards,
Ingo
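
A sketch of the sync script suggested in the message above, added here as an example; it is not code from the original message, KDE or GnuPG. It assumes the PEM bundle holds only root certificates you have decided to trust, and that trustlist.txt entries are a SHA-1 fingerprint (colons optional) followed by the `S` flag, with a leading `!` marking a disabled entry; the function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
FPR_RE = re.compile(r"[0-9A-F]{40}")

def pem_fingerprints(bundle_text):
    """SHA-1 fingerprint (40 upper-case hex digits) of each DER blob in a PEM bundle."""
    fprs = []
    for body in PEM_RE.findall(bundle_text):
        der = base64.b64decode("".join(body.split()))
        fprs.append(hashlib.sha1(der).hexdigest().upper())
    return fprs

def known_fingerprints(trustlist_text):
    """Fingerprints already listed, including ones disabled with a leading '!'."""
    known = set()
    for line in trustlist_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.lstrip("!").split()
        if parts:
            token = parts[0].replace(":", "").upper()
            if FPR_RE.fullmatch(token):
                known.add(token)
    return known

def merge_trustlist(trustlist_text, bundle_text):
    """Return the trustlist with the bundle's roots appended as 'S' (S/MIME) entries."""
    known = known_fingerprints(trustlist_text)
    out = trustlist_text.rstrip("\n").split("\n") if trustlist_text.strip() else []
    for fpr in pem_fingerprints(bundle_text):
        if fpr in known:
            continue  # keep the user's earlier decision, trusted or '!'-disabled
        known.add(fpr)
        out.append(":".join(fpr[i:i + 2] for i in range(0, 40, 2)) + " S")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Constructed sample: arbitrary bytes stand in for a DER certificate.
    der = b"constructed sample, not a real certificate"
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
           + "-----END CERTIFICATE-----\n")
    print(merge_trustlist("# existing entries stay untouched\n", pem), end="")
```

Entries the user has already disabled with `!` are never re-enabled by a later run. After the result is written to trustlist.txt, `gpgconf --reload gpg-agent` makes gpg-agent read the file again.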
