Cannot encrypt and sign using S/MIME

If I sign and encrypt a file using OpenPGP signature I’ll get only one .asc file that’s both signed and encrypted.

But if I encrypt and sign using another my S/MIME certificate than I’ll get one .pem file that is NOT signed even if the process tells me that IS signed correctly.

So why I can encrypt and sign correctly only using openPGP certificate and NOT when I use S/MIME certificate?

Please look at screen shot



If I sign and encrypt I get one signed .pem file but then I’m asked to overwrite it with an encryped .pem file that will be NOT SIGNED.

Look at screen shot.


Strange, Kleopatra should not create “.pem” files but a .p7m for the encryped data and a p7s for the signature. Did you change the names of the output files manually?

You can’t combine both as that is a limitation of the S/MIME Protocol. (It’s made for MIME and in MIME you always first sign and then encrypt the signed data)

Fwiw. We are planning to improve the signature suport for S/MIME files ( ) so that it is more automated. But working with S/MIME encrypted / signed files was never really user friendly and in our experience S/MIME is very rarely used for files.

“Did you change the names of the output files manually?”

No, I didn’t.

I just try to sign and encrypt using S/MIME certificate (got by but I see that Kleopatra produce first a signed pem file, then an encrypted one and finally ask to overwrite it on the first one so obviously the final pem file is only encrypted and not signed.

" working with S/MIME encrypted / signed files was never really user friendly and in our experience S/MIME is very rarely used for files."

I understand, so it’s better using OpenPGP only, that’s works fine.



Please look at screen shot


It’s a bug! :-o
I can reproduce it if I turn on “Create signed or encrypted files as text files” in the options (crypto operations).

Will be fixed for the next release. Thanks for noticing and pointing it out.

( Ticket is )

Btw. Would you be so kind as to answer the following two questions:

  1. What is your usecase for S/MIME encrypted / signed files?

  2. What is your communication partner using as a software to decrypt / verify?

I’m asking because I would like to understand the scenario better. E.g. If you and your communication partner are using Gpg4win, what is the reason that you do not use the more flexible OpenPGP?

This would help me for example to decide if it would make sense to create our “own” S/MIME file format which would have a proper structure like:

  • Encrypted .pem file containing both:
    – Data
    – Signature over data

(Maybe call it .smime because it would use MIME internally)

I would love to do this but so far we didn’t do it because other software would not understand it and just mangle the data and the signature together and create a corrupted file.

I started creating and using a S/MIME certificate because Thunderbird use it and Enigmail doesnt work properly.

Then I encrypt files using both OpenPGP and S/MIME but I could drop S/MIME and use only GPG aka OpenPGP