Re: [Fed-Talk] Unable to verify message signature
- Subject: Re: [Fed-Talk] Unable to verify message signature
- From: Michael <email@hidden>
- Date: Mon, 3 Dec 2007 11:16:49 -0500
On Dec 2, 2007, at 4:34 PM, Richard Sperling wrote:
> I'm stumped. OS X Mail version 2.1.1 (752.3) under OS X 10.4.11 is
> "unable to verify message signature" on all emails I receive with
> digital signatures. Apple lists four possible reasons for the unable
> to verify message:
> 1. The sender’s certificate may have expired.
> 2. You don’t have a root certificate for the authority used to sign
> the sender’s message.
> 3. The message was modified in transit.
> 4. You are missing one or both of the X509Anchors or
> X509Certificates files from /System/Library/Keychains.
> None of these issues are true. I'll use Rich Trouton's latest
> message as an example (see message subject Re: [Fed-Talk] Secure FTP
> Client). I have two certificates from Rich in my login Keychain, two
> DST intermediate certificates (DST ACES CA X6 and DST ACES Federal
> Employee CA A1) in my login Keychain, and 3 root certificates (DST
> RootCA X4, DST RootCA X1, and DST RootCA X2) in my X509Anchors
> Keychain.
> I do not have problems with digital signatures in Thunderbird.
> Any help would be appreciated.
> Thanks,
> Rich
I saw this problem under OS X 10.4.x and OS X 10.5.x.
It seems that certain certificates can mess up the whole keychain
operation.
An initial step is to purge all expired certificates to a backup and
see if that helps. Bear in mind that Keychain can hide expired
certificates, but I think that is only under 10.5.
My suggestion is:
1) back up your login keychain
2) create a new keychain
3) transfer everything from the login keychain into that keychain
4) Now close and delete "references" to the new keychain
5) now your login keychain is empty and no potentially troublesome
certificates are accessible
Now check a signed message in Mail. It probably won't quite work, but
then check your login keychain to see what was added, and if it is
untrusted, check the certificate to see what other certificate is
needed, and then open the new keychain and copy that one item out.
At some point you are going to want to grab a bunch of those backed-up
items and move them back to your login keychain.
I see no issue with passwords and notes, but after every transfer go
back and check to make sure Mail is still working, especially once you
decide to bring back some certificates.
I know lots of people will say they never had a problem, but I've seen
a lot of things that can go wrong, including when I grabbed a full set
of DOD certificates from the local server and tried to import them
into Keychain Access in one shot: complete disaster. In theory it
works, but with the various windows that can come up, Keychain Access
can get into a bad state. It's not frozen, but you can't do anything;
it seemed like two modal dialogs were up at the same time and you
can't seem to get to the one you need to hit because of the other one.
End result was a login keychain messed up so bad that every time I
touched certain certificates Keychain Access would either crash or
freeze.
Michael