Kmail and smime

Ingo Klöcker kloecker at kde.org
Fri Feb 27 15:06:02 GMT 2026 

On Freitag, 27. Februar 2026 14:58:11 Mitteleuropäische Normalzeit Sebastian 
Gödecke wrote:
> Am Fr., 27. Feb. 2026 um 14:53 Uhr schrieb Ingo Klöcker <kloecker at kde.org>:
> > On Freitag, 27. Februar 2026 12:49:10 Mitteleuropäische Normalzeit
> > Sebastian> 
> > Gödecke wrote:
> > > Am Fr., 27. Feb. 2026 um 12:23 Uhr schrieb Ingo Klöcker 
<kloecker at kde.org>:
> > > > On Freitag, 27. Februar 2026 11:46:12 Mitteleuropäische Normalzeit
> > > > Sebastian>
> > > > 
> > > > Gödecke wrote:
> > > > > Hi,
> > > > > i've a smime cert and try to use it with Kontakt/Kmail. It is
> > > > > imported
> > > > > in Kleopatra and there is everything okay.
> > > > > So i set it up in kmail to use this cert and when i try to write an
> > > > > email, my email will be added with this smime.p7s and has the
> > > > > signitar. So i send my mail, have to type my password for this cert
> > > > > and then it will be sent. So i try it now to send it to me and then
> > > > > it's a red sign, and it says: The signature is invalid: Incorrect
> > > > > signature
> > > > 
> > > > I think it would be best if you could send a signed message to this
> > > > mailing list.
> > > 
> > > Well, with my other (business) email i'm not here on the list!?
> > 
> > That doesn't matter. Your message will be held for moderation, but I can
> > approve it.
>
> okay i just send to the list.

Thanks!

The error "Bad signature" is misleading. The problem is that the certificate of 
the root CA is not available. You can see this when you click on the 
certificate ID next to "Signature created with certificate". This should open 
Kleopatra. When you click on "Trust Chain Details" you can see that it says 
"Issuer Certificate Not Found (CN=HARICA Client RSA Root CA 2021,O=Hellenic 
Academic and Research Institutions CA,C=GR)".

By default, GnuPG doesn't include the root CA certificate in the signature. You 
can change this as follows:
In Kleopatra open the configuration dialog (Settings->Configure Kleopatra...). 
Click on GnuPG System and then on S/MIME. For the option "Number of 
certificates to include" you should see the value "-2" (which means "include 
all certificates except for the root certificate"). Change this value to "-1" 
(which means "include all certificates").

This should fix the problem for all future emails that you sign with your 
certificate.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 265 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kdepim-users/attachments/20260227/df0564bc/attachment.sig>

More information about the kdepim-users mailing list