Kmail and signing
Ingo Klöcker
kloecker at kde.org
Tue Mar 2 21:57:00 GMT 2021
On Dienstag, 2. März 2021 22:24:35 CET Aldo Latino wrote:
> In data martedì 2 marzo 2021 20:46:42 CET, Ingo Klöcker ha scritto:
> > [...]
> > How did you do this? Did you set the S/MIME certificate, but not the
> > OpenPGP key in your identity?
>
> I have setup both my OpenPGP key and my S/MIME certificate. They are both
> active in my Kmail identity. Also, I have chosen S/MIME as preferred format.
> > [...]
> > No idea. Could be a bug or an incorrect configuration.
>
> I could be wrong, but I think I have setup all correctly. :-)
Yes, sounds correct.
> So, now the situation is clear:
> 1) the OpenPGP key is stored in the YubiKey, which is unblocked at the
> session start by entering the PIN. So, when I write an email, Kmail doesn't
> ask me for any passphrase;
More precisely, GnuPG doesn't ask you for any passphrase, because it's gpg
(resp. gpg-agent via pinentry) that asks for the passphrase or, in your case,
for the PIN of your YubiKey. Apparently, your YubiKey is configured to stay
unblocked indefinitely (or for a long time) after the PIN has been entered
once and therefore you are not asked for it again. I think you should be able
to configure your YubiKey to ask for the PIN for every signing operation if
that's what you want.
> 2) the S/MIME certificate is not stored in the YubiKey, so the first time I
> use it in the session, Kmail asks me for the long passphrase and then Kmail
> (or another program) caches it.
Yes, gpg-agent caches the passphrase.
> I should see if I can have both the OpenPGP
> key and the S/MIME certificate in my Yubikey, which is very convenient to
> use.
The upcoming GnuPG 2.3 will support the PIV smartcard application additionally
to the OpenPGP smartcard application. If your YubiKey supports the PIV
application (my YubiKey 5 does), then you could store your S/MIME certificate
on your YubiKey additionally to your OpenPGP keys. If I remember correctly,
then uploading the signing key to the PIV application is not possible because
the PIV specification requires the signing key to be generated on-card. The
encryption key/certificate can be uploaded to the PIV application.
> > [...]
> > I don't know. What pinentry application (the thingy that asks for your
> > passphrase) are you using?
>
> I have currently three pinentry packages installed:
> - pinentry-curses
> - pinentry-gnome3
> - pinentry-qt
>
> I don't know why I have three packages installed.
Those three may be installed by default with gpg because they cover the most
common cases (curses for text terminals, qt for people using a KDE Plasma
desktop, gnome3 for people using some variant of the Gnome desktop).
Regards,
Ingo
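Ingo's point above is that the caching and the choice of PIN prompt belong to gpg-agent, not to KMail. The following is an added example, not part of this thread and not GnuPG's own files: it writes a lenient and a tighter gpg-agent.conf into a throw-away GNUPGHOME, reads the values back, and flags a configuration that keeps a passphrase cached for too long or leaves the pinentry unpinned. The scratch directory, the TTL numbers and the pinentry path are constructed/assumed.

```shell
#!/bin/sh
# Added example: gpg-agent.conf settings behind passphrase caching and the
# pinentry choice, exercised in a scratch GNUPGHOME so nothing real is touched.
set -eu

# Assumption: a temporary directory stands in for ~/.gnupg (removed on exit).
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
trap 'rm -rf "$GNUPGHOME"' EXIT

# Lenient: these are gpg-agent's built-in defaults. A cached OpenPGP or S/MIME
# passphrase survives 10 minutes of inactivity and at most 2 hours in total.
write_lenient_agent_conf() {
    cat > "$GNUPGHOME/gpg-agent.conf" <<'EOF'
# cache timeouts in seconds (constructed sample)
default-cache-ttl 600
max-cache-ttl 7200
EOF
}

# Tighter: drop the cached passphrase after 60 idle seconds, never keep it
# longer than 5 minutes, and pin the pinentry so that having three variants
# installed does not leave the choice to gpg-agent's search order.
write_tight_agent_conf() {
    cat > "$GNUPGHOME/gpg-agent.conf" <<'EOF'
default-cache-ttl 60
max-cache-ttl 300
# assumption: this is where pinentry-qt lives on the host
pinentry-program /usr/bin/pinentry-qt
EOF
}

# Print the value of one option from gpg-agent.conf (first match wins;
# comment lines never match because they do not start with the key).
agent_conf_get() {
    key="$1"
    sed -n -e "s/^${key}[[:space:]][[:space:]]*//p" "$GNUPGHOME/gpg-agent.conf" | head -n 1
}

# Audit: return 0 when the idle cache TTL is at most $1 seconds and a
# pinentry program is pinned; otherwise print each finding and return 1.
audit_agent_conf() {
    limit="$1"
    rc=0
    ttl="$(agent_conf_get default-cache-ttl)"
    if [ -z "$ttl" ] || [ "$ttl" -gt "$limit" ]; then
        echo "default-cache-ttl is ${ttl:-unset (600 by default)}, above ${limit}s"
        rc=1
    fi
    if [ -z "$(agent_conf_get pinentry-program)" ]; then
        echo "pinentry-program not pinned: gpg-agent picks the first pinentry it finds"
        rc=1
    fi
    return $rc
}

# Walk through both files: the lenient one fails the audit, the tight one passes.
write_lenient_agent_conf
echo "lenient: idle ttl $(agent_conf_get default-cache-ttl)s"
audit_agent_conf 120 || true
write_tight_agent_conf
echo "tight:   idle ttl $(agent_conf_get default-cache-ttl)s, pinentry $(agent_conf_get pinentry-program)"
audit_agent_conf 120 && echo "tight config passes the audit"
```

After changing the real ~/.gnupg/gpg-agent.conf, `gpgconf --reload gpg-agent` makes the running agent re-read it. The YubiKey half of the question (asking for the PIN on every signature instead of once per session) is a card setting rather than an agent setting: it is toggled with `forcesig` in the `admin` mode of `gpg --card-edit`.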