github / smimesign

An S/MIME signing utility for use with Git

macOS Big Sur: smimesign v0.1.0: Invalid Signatures

christopherincanada opened this issue · comments

smimesign v0.1.0 when installed via Homebrew for macOS Big Sur creates invalid/corrupt signatures. Specifically, this happens when smimesign is installed as follows on macOS Big Sur:

brew install smimesign

This causes the following bottle to be used: https://homebrew.bintray.com/bottles/smimesign-0.1.0.big_sur.bottle.tar.gz

Interestingly enough, these invalid signatures (signatures created with the smimesign binary for macOS Big Sur) can be verified successfully by the same smimesign binary that created them, but are (correctly) reported as invalid by all other smimesign binaries as well as the GitHub UI/API.

To work around this issue, when installing smimesign on macOS Big Sur, you can explicitly request a bottle that does not suffer from this issue. Specifically, the smimesign-0.1.0.catalina.bottle.tar.gz bottle (compiled for macOS Catalina) does not suffer from the issue and works on macOS Big Sur:

brew install https://homebrew.bintray.com/bottles/smimesign-0.1.0.catalina.bottle.tar.gz

If this workaround is not performed, corrupt git commit signatures will be produced. Any attempt to verify these commits using a version of smimesign that does not suffer from the issue will result in the following failure:

[~/dev/test-repo]$ git log --show-signature -1
commit 982cca63826ab8e894fc48db2825dd7805d1f9ae (HEAD -> master, origin/master, origin/HEAD)
failed to verify signature: crypto/rsa: verification error
Merge: 59b2361 26ce50c
Author: Redacted User <redacted@redacted.com>
Date:   Fri Sep 18 19:07:50 2020 -0400

    #1: Test Issue
[~/dev/test-repo]$ git verify-commit HEAD
failed to verify signature: crypto/rsa: verification error

Had the exact same issue. Everything exactly as described. Thanks so much for the workaround. Worked great for me. Hopefully whatever is broken in the brew package gets fixed soon.

👋 Thanks for the issue. We've taken note of it so that it gets triaged.

I tracked this issue down to github/ietf-cms#25, a bug that emerges when built on 1.15. AFAICT fixing that issue should suffice to fix the issue here as well.

btw this has been an issue since v0.0.13 - has been driving me and my team crazy! So basically depending on what version of Go smimesign was built with, signatures may or may not be valid. We've been going in circles for months trying to figure out why this works for some of us and not others 😅

@poom @maetolay @theerasan @taninaim @AungThiha

I believe that @bluestealth and I have fixed the underlying issue that causes this in github/ietf-cms#29.

@btoews @vcsjones @lgarron would it be possible to create a new release with this fix? Can't install go 1.14 to build this myself at the moment.

Everything worked for me by cloning the source, updating github/ietf-cms dependency to @main, and rebuilding with Go 1.16.5 on Big Sur.

Waiting for official release.

Thanks @AlekSi, that worked for me as well and commits show as verified here on GitHub 🎉

Same issue applies to the macOS binary available from the releases tab. I didn't even realize all my signed commits were useless up until now...

This was a fun exercise to get a crash course in Go!

I did what @AlekSi did above: update smimesign@v0.1.0 to use ietf-cms@v0.1.1 and rebuild; it worked with go1.16.7 darwin/amd64.

What needs to happen for smimesign to be updated to the newer ietf-cms dependency?

@andrewpong we'll be releasing a new version of smimesign with updated dependencies in the near future. Stay tuned!

Is there an update on when this fix will be released?

v0.1.1 was released which should address this issue. Please give it a try and let us know how it goes.

I haven't tested this new release of smimesign, but it is still using v0.1.0 of ietf-cms, which does not include the fix for what I believe to be the underlying issue causing the invalid signatures:

github.com/github/ietf-cms v0.1.0

There needs to be a new release of ietf-cms that includes this merged PR and then smimesign needs to be bumped to pull in that new version.

Indeed, this does not fix the problem described in the title, and since bintray has shut down, @christopherincanada's solution does not work anymore. Do you know if it's still possible to install the old Catalina bottle?

Sorry for the confusion y'all, we'll get a new build with the updated ietf-cms dependency as well out soon.

v0.1.2 is published; please let us know if that works for you!
https://github.com/github/smimesign/releases/tag/v0.1.2

Worked for me, thanks!

brew install smimesign installed the latest 0.1.2 version and now signatures are correctly verified in GitHub. Thanks a lot.

Thanks, @patrickbenitez and @adricasti!

I'll take that as confirmation that this is resolved. If anyone is running into issues, please comment here and we can reopen!
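
Added example (not part of the thread and not the project's code): a way to check whether an installed smimesign binary matches the combination the comments above report as producing invalid signatures, by reading the build metadata that `go version -m` prints. The function name `classify_build` and the rule itself (ietf-cms older than v0.1.1 together with Go 1.15 or newer) are assumptions assembled from the commenters' reports; the sample input is constructed.

```shell
# Usage on a real install:
#   go version -m "$(command -v smimesign)" | classify_build
# Prints one of: affected | ok | unknown
classify_build() {
  awk '
    # First line looks like "<path>: go1.16.5"; the last field is the toolchain.
    NR == 1 && $NF ~ /^go[0-9]+\.[0-9]+/ {
      split(substr($NF, 3), g, ".")
      go_new = (g[1] + 0 > 1) || (g[1] + 0 == 1 && g[2] + 0 >= 15)
      have_go = 1
    }
    # Dependency lines look like "dep <module> <version> <hash>".
    $1 == "dep" && $2 == "github.com/github/ietf-cms" { cms = $3 }
    END {
      # No module data, or a pseudo-version built from a branch: cannot decide.
      if (!have_go || cms !~ /^v[0-9]+\.[0-9]+\.[0-9]+$/) {
        print "unknown"
      } else {
        split(substr(cms, 2), c, ".")
        # "Old" means older than v0.1.1, the version reported above as working.
        cms_old = (c[1] + 0 == 0) && \
                  (c[2] + 0 < 1 || (c[2] + 0 == 1 && c[3] + 0 < 1))
        verdict = (go_new && cms_old) ? "affected" : "ok"
        print verdict
      }
    }
  '
}

# Constructed sample of `go version -m` output (path and hash are made up).
sample_output() {
  printf '%s\n' '/usr/local/bin/smimesign: go1.15.2'
  printf '\tpath\tgithub.com/github/smimesign\n'
  printf '\tmod\tgithub.com/github/smimesign\t(devel)\t\n'
  printf '\tdep\tgithub.com/github/ietf-cms\tv0.1.0\th1:constructed=\n'
}

sample_output | classify_build
```

An `unknown` result means the binary carries no usable module metadata or was built from an untagged ietf-cms revision; in that case, verify a test commit with a second smimesign build or on GitHub, as described in the original report.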