Lion 10.7.3: Decryption not working

Robert's Avatar


12 Mar, 2012 11:56 AM


I am having trouble decrypting an e-mail. I see only one attached file called smile.p7m. Upon double clicking it, the Mac Keychain opens.
I assume the GPGMail plugin should decrypt the file and display its contents inline; however, this does not happen.

I already tried the nightly build from today, same behavior there.

The GPGMail preference pane shows the green indicator and says it is running correctly. The encrypted mail, however, doesn't show a single GPG icon. Also, I don't have any GPG related menu. This is the first time I install it though, so I have no idea how it is supposed to look.

Screenshot attached.

  1. Support Staff 1 Posted by Luke Le on 12 Mar, 2012 12:04 PM

    Luke Le's Avatar

    Hi Robert,

    smime.p7m files are S/MIME encrypted files. GPGMail is supposed to decrypt GPG but S/MIME related files are handled by Mail directly.
    I assume, if someone sent you an S/MIME encrypted email they must have your public S/MIME certificate.
    You could try to remove GPGMail by deleting GPGMail.mailbundle from your user directory Library/Mail/Bundles and re-start after.
    If the email now decrypts you've just found an error in GPGMail.

    Hope that helps!

  2. 2 Posted by Robert on 12 Mar, 2012 12:12 PM

    Robert's Avatar

    Hi Luke,

    thank you for the quick reply.

    Sorry, I am new to this whole encryption stuff. Situation is as follows:

    Someone sent me a public key enclosed by "-----BEGIN PGP PUBLIC KEY BLOCK-----". I thought I had to install GPGTools for this to work and to create a key pair for myself. I did this and I imported the person's key to the GPGTools Keychain.

    Now I am kind of confused.

  3. Support Staff 3 Posted by Luke Le on 12 Mar, 2012 12:25 PM

    Luke Le's Avatar

    No problem, we all were once :)

    What that person sent you is their public key which allows you to send them an encrypted email using GPG.

    I'll link you our Getting Started guide which might already make things much clearer:

    You might want to checkout out section "Setting up a key" so you can sign emails (which is considered a proof to the person you sent the email to, that the person who sent the email is actually you) and which allows others to encrypt an email to you, if you send them your public key.

    After that read up on "Your first encrypted email".

    If you still have questions don't hesitate to ask.
    Also, most of our team is german speaking so feel free to post your follow up questions in german if you prefer that.

  4. 4 Posted by Robert on 12 Mar, 2012 12:40 PM

    Robert's Avatar

    Thanks for your patience. English is just fine (and good if someone else is having the same problem).
    I'm still not sure whether or not I need GPGTools. I'll explain the whole situation.

    I am in contact with a client that needs to send me a top secret file. He told me that he'd send it via encrypted mail and he sent me a .txt file containing his public PGP key.
    Since I heard about asymmetric encryption before; I knew I had to generate a key pair for myself and send him my public key for this to work. So I installed GPGTools, generated a key pair and sent my public key to my client.

    After this, he sent me the file via encrypted mail, which turns out to be encrypted with S/MIME.

    I guess my problem is that neither my keypair nor the public key of my client are in the Apple Keychain (only in GPGTools keychain), so the built-in S/MIME encryption engine in fails and only shows the smime.p7m file. To be honest, I have no idea how to get any of the keys into the system keychain. Every tutorial I find only tells you to get a certificate from some CA. And about importing public keys, all I find is that the sender should send a signed, unencrypted mail first. But what if all I have is his pubkey in plaintext?

    Sorry if this is not really GPGTools related any more...

  5. Support Staff 5 Posted by Luke Le on 12 Mar, 2012 12:46 PM

    Luke Le's Avatar

    Oh, alright, so this is in fact S/MIME related.
    What I'm wondering though is, what S/MIME certificate your client encrypted to.
    If they have an S/MIME certificate from you, you should have one as well and it should be in your Schlüsselbund (Keychain Access) app registered to the email address your client tries to reach you at.

    Open Apple Keychain Access -> select Meine Zertifikate and search for your address.
    You should find a match if you have one.

    Let me know how that goes after that we'll continue debugging

  6. 6 Posted by Robert on 12 Mar, 2012 01:14 PM

    Robert's Avatar

    There are zero entries in "Meine Zertifikate". I don't know what the client did. We did not exchange any certificates, we only sent each other our PGP private keys (in plain text).

    I'm beginning to think that my client knows even less about mail encryption as I do.
    He asked me whether I am able to receive encrypted mail or not. I thought he meant SSL, so I said yes.
    He then sent me a screenshot of what appears to be an Outlook error message, saying something like "the certificate for this receiver could not be found. If you continue sending this mail, it will be sent unencrypted."
    So I thought, ok, we're talking about real mail encryption now. My client sent me his PGP key and I thought, ok, he's using PGP, let's ask google how to use PGP on Apple Mail - and ended up installing GPGTools, generating a keypair and sending him my key.

    Now I guess he just chose "encrypt mail" when composing, not paying attention to the encryption method. Perhaps I should just ask him to resend the message and to double check that it is encrypted using PGP and not S/MIME.
    Am I correct in this assumption?

  7. Support Staff 7 Posted by Luke Le on 12 Mar, 2012 01:20 PM

    Luke Le's Avatar

    Uuuuh, wait a second. There's a chance this client of yours is sending the mail through an exchange server which seriously mangles PGP/MIME mails.
    Could you attach the email to this discussion or forward it to me at [email blocked]?

    If it's in fact encrypted, I can't look at the encrypted content but I can have a look at the message headers which should make things clearer.

  8. 8 Posted by Robert Klosterm... on 12 Mar, 2012 03:08 PM

    Robert Klostermann's Avatar

    I'm afraid I am not allowed to do this, but I can show you the relevant parts of the headers:

    Accept-Language: de-DE
    Content-Language: de-DE
    X-MS-Has-Attach: yes
    acceptlanguage: de-DE
    Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data;
    Content-Disposition: attachment; filename="smime.p7m"
    Content-Transfer-Encoding: base64
    MIME-Version: 1.0

    Also, the HELO of the sender's server looks like they're using MS Exchange indeed.

    I've dug into S/MIME a little in the meantime and I think my client wanted to use PGP but unintentionally used S/MIME instead (unless the public key for S/MIME is a PGP key). I told my client that I'd like to talk to their IT dept. to clear things up. I suspect their mail clients are configured to use both S/MIME and PGP and the users don't really know anything about this whole encryption stuff, so we exchanged our PGP public keys and then they somehow managed to send me an S/MIME encrypted mail.

    I'll report back if we find a solution for this. Let me say that I am very very grateful for your support, especially because the issue doesn't have anything to do with GPGTools (rather PEBKAC). Thanks.

  9. Support Staff 9 Posted by Luke Le on 12 Mar, 2012 03:31 PM

    Luke Le's Avatar

    It sure is best to talk to their IT department. As you said, the message is in fact a normal S/MIME encrypted message.
    Hope you'll work it out it and if you've got any other questions, just let us know :)

  10. Luke Le closed this discussion on 14 Mar, 2012 11:48 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac