[MlMt] S/MIME and OpenPGP issues

Sebastian Hagedorn Hagedorn at uni-koeln.de
Fri Jan 8 11:03:07 EST 2021

On 7 Jan 2021, at 16:32, Sebastian Hagedorn wrote:

> On 7 Jan 2021, at 14:49, Benny Kjær Nielsen wrote:
> 2021-01-07 13:07:17.274425+0100  localhost MailMate[39607]: (Security) Created Activity ID: 0x8641c, Description: SecKeychainSearchCreateFromAttributes
> 2021-01-07 13:07:17.275346+0100  localhost MailMate[39607]: (Security) Created Activity ID: 0x8641d, Description: SecKeychainSearchCopyNext
> 2021-01-07 13:07:17.275713+0100  localhost MailMate[39607]: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147413737 CSSMERR_DL_DATASTORE_DOESNOT_EXIST
> 2021-01-07 13:07:17.275826+0100  localhost MailMate[39607]: (Security) [com.apple.securityd:integrity] dbBlobVersion() failed for a non-existent database
> 2021-01-07 13:07:17.276234+0100  localhost MailMate[39607]: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147413737 CSSMERR_DL_DATASTORE_DOESNOT_EXIST
> But I have no idea what `CSSMERR_DL_DATASTORE_DOESNOT_EXIST` means. Googling seems to indicate that it might be related to an empty/faulty keychain. Maybe see if anything in Keychain Access seems out of the ordinary.
> Thanks, I already did. There was an empty keychain called Microsoft_Intermediate_Certificates that I removed. There is another empty one that’s called accountsKeychainExport, but apparently that one cannot be deleted.
> But it’s clearly a local issue on that specific Mac, because I copied all settings to a different Mac. S/MIME signing works there, but there’s a different issue: MailMate picks an expired certificate. The problem is that you need to keep expired certificates around if you want to be able to decrypt older mails. I verified that the current certificate is in the keychain. For some reason MailMate picks the wrong one.
> I tried to set the certificate using Security.plist. This line looks as if that worked:
> Setup (S/MIME) mapping of address “Hagedorn at uni-koeln.de” to serial: “2379AD18EB0F7DADF38A62DF”
> … and it did! I will experiment some more and let you know if U can get this resolved.

For the archive, I managed to solve the problem. The root cause was that the private key for my certificate was in the System keychain as a duplicate. I had noticed a duplicate of my certificate there before and had already deleted that, but the key remained. Before I realized that I had deployed the nuclear option and completely reset my user keychain. After I added my certificate and key, S/MIME worked again, but the “macOS wants to make changes” dialogs were back.
Fortunately I noticed that the System keychain was referenced, and that led me to that stray private key. I still see the error CSSMERR_DL_DATASTORE_DOESNOT_EXIST, but apparently that’s not related.
   .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
                .:.Regionales Rechenzentrum (RRZK).:.
  .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4924 bytes
Desc: S/MIME digital signature
URL: <http://lists.freron.com/pipermail/mailmate/attachments/20210108/27b75aa0/attachment.bin>

More information about the mailmate mailing list