Digital Signatures and Encryption in Yosemite Mail

I have the exact same problem in Yosemite 10.10.0 (looking forward to that point 1 release). Puglas, good job noticing the change in behavior with decryption - this clearly shows that it is an Apple bug because clearly the certificate is read correctly when Mail first starts and then gets into a bad state after you try to send.

My co-workers is not having this problem and can successfully use s/mime certs in yosemite. I'm not sure why his works and mine doesn't.

I have tried:

• re-importing my s/mime certificate
• deleting and importing the s/mime from the source
• running first-aid on the keychain

I also have an additional problem where if I attempt to sign an email and fail as described above, I can no longer close the composition window. If I cmd+w the window I get the normal modal dialogue "Save this message as a draft?" When I select "Don't Save" the modal dialogue goes away, but the composition window will not close. The only way I can close the composition window and discard the draft is if I close mail.app entirely, re-open it, and then I'm able to close/discard the composition (Upon re-opening, the signature/encryption buttons are noticably missing).

Same problem for me. This is a Yosemite Mail.app bug.

Another way to troubleshoot your S/MIME certificate trust chain is to open Contacts and doubleclick on the "verified" icon next to your email. This will show your cert with its chain of trust. For me, this shows my valid cert with the correct and case-specific RFC 822 name, a valid Intermediate CA, and a trusted Root CA. Yet Yosemite Mail.app says -- for old emails signed with this cert under Mavericks -- that this Intermediate CA is invalid, and hence believes my cert is invalid.

Mail.app trust is out-of-sync with Contacts.app and Keychain Access.app. I also see the bug of the Mail.app composition window not closing.

I've tried completely blowing away my login keychain and starting from scratch, and also playing around with application-specific (Mail, Keychain Access) Access Control for the private keys of my S/MIME signing and encryption certificates..

I don't see a fix except to hope that Apple addresses this enterprise bug in 10.10.1.

Bug report 18893084. Please submit your own bug reports and encourage Apple to fix this enterprise Mail.app problem.

+1.

Same here.

All of this is still broken in 10.10.1. Time to migrate to Outlook if you're running Yosemite and need S/MIME.

I can confirm the bug still exsts in OS X 10.10.1 and Mail 8.1 (1993). This morning I got an request from Apple bug reports to produce and send in a log file of an unsuccessful attempt. It seems they are looking into this now.

@puglas That is certainly a bizarre failure mode.

I experience this problem on OS X Mail.app, whether wired or on VPN wifi, and on iOS 8 all the time for specific senders.

I believe this bug has something to do with multiple certificates in the keychain, as anyone who uses PKI for a few years and a few accounts necessarily accumulates.

@Puglas I can confirm being able to send a digitally signed message when before starting Mail all network is turned off. The signed message is put in the Outbox and sent after quiting Mail, connecting network and starting Mail.

I cannot confirm the Wifi part since our Wifi is bridged so we have the same network settings. I tried anyway because on Ethernet I have a fixed IP and on Wifi through DHCP but no.

I did notice that switching from my iCloud mailaccount (where the signature setting is greyed out) to the account for which the certificate is valid it would still be grey. I had to quit Mail and start with my mailaccount to have te signature badge icon functional (black) again. Also, the stuck message windows, after trying to 'Don't Save' them don't really disappear after a restart of Mail but are put in the Drafts folder.

Update. I hadn't yet installed a certificate at the home MBPro. In this computer I use what started 7 months ago as a Carbon Copy Clone of my work HD, did the same upgrades etc. since. Ths MBP had already Mail 8.1 (OS X 10.10.1) but no personal mail certificate. So I imported my certificate in Keychain Access and everything just works. I'm on a Wifi network at home. I will try when connected on ethernet tomorrow.

Btw I couldn't install the certificate by doubleclicking the downloaded .p7s certificate file as I could at work, then using Mavericks. I did get a window asking if I wanted to add the certificate(s) to a keychain, but when I clicked 'Add' nothing happened. What worked was in Keychain Access to choose Import Files… and point to the certificate (SMIME.p12).

Btw2 At work under Mavericks signing worked fine but the lock to encrypt was greyed out. Sometimes black for a short while just after starting Mail. I ment to sort that out later. Now when using Mail at home both signature and encryption work.

Here's how to decrypt S/MIME messages by hand until Apple fixes the bugs in Yosemite Mail.app:

1. Mail.app>File>Save As...> Save the smime.p7m message as a .eml file.
2. Keychain Access>Login/My Certificates> Locate your private key for your encryption certificate, the corresp[onding certificate should have the "Key Encipherment" usage as a critical extension. Highlight the private key only, right-click, and Export the key to the secure file smime_key.p12.
3. Run the following openssl commands, which will create an insecure file of your smime private key, decrypt the message, then clean up:

openssl pkcs12 -in smime_key.p12 -out smime_key.key.pem -nocerts -nodes

openssl smime -decrypt -in smime_email.eml -inkey smime_key.key.pem > decrypted_mail.eml

Make sure you securely delete your decrypted private key:

srm smime_key.key.pem decrypted_mail.eml

rm smime_key.p12 smime_email.eml

Apple needs to slow down with the updates if they can't reliably release a version .0 that forces you to decrypt email by hand. A lot of time wasted chasing workarounds for OS X 10.10 and iOS 8 bugs...

Would concur with a problem on the network side of things. From my home network -- all works fine on two separate email account with separate certificates. Bring up the VPN, and signed emails from both accounts fail as described in this thread...

I and others in my group where we use encrypted email have been having similar decryption problems with emails encrypted from Mail (8.1 (1993)) in Yosemite (now 10.10.1) but only when the email includes attachments!? We've tried similar "fixes" to 'puglas' with the same lack of success. We've halted further upgrades from Mavericks to Yosemite in the group but wish Apple would have some way to roll back OS upgrades until THEY SORT OUT THE INCREASING NUMBER OF BUGS in their new systems!

I've the same problem. I just fixit using GPG suite (latest version at http://gpgtools.org) an it works fine with Yosemite.