🔒 Patreon Special

IT Pros: exclusive shows await you on Patreon, focusing on the more challenging aspects of running your practice and working with clients and employees.

Unable to Verify Message Signature in Mail.app

/

Fact #1: When you send an email from Mail.app, if you have a certificate in your keychain that matches the “from” email address, that certificate is used to sign the message.

Fact #2: When Mail.app receives a signed email message, it adds the sender’s attached certificate to the user’s keychain.

So far so good. But there’s an issue that can manifest as a result of those two facts.

If you send yourself a signed email from Mail.app, Mail treats the incoming message just like any received email in Fact #2 above.

That becomes an issue if the message in question was improperly signed with an invalid certificate. Mail sees the received email’s certificate and adds it to your keychain. Then, when you go to send the next email, Mail sees the certificate in your keychain and uses it to sign the new outgoing email.

If the signature is invalid, the recipient sees a banner at the top of the received message:

The solution is much trickier than one might think…

Sure, you could go into the keychain, locate the problematic certificate, and remove it. Problem solved – until you quit and reopen Mail.app. This is because Fact #2 above is actually a bit more subtle. Mail doesn’t just add the certificate to the keychain upon receipt of the signed message, it seems to do this when Mail is launched: it adds the certificate from any previously-received messages to the keychain.

So the troublesome certificate comes back!

Manual Fix

One solution I’ve found is to locate every single email in any mailbox – excluding Sent – that’s from the email address in question (your address) and has the bad certificate attached, and delete those emails from Mail.app after backing them up outside of Mail.

You can use a carefully crafted search like “to:myemail@example.com” and “from:myemail@example.com” and search mailboxes other than Sent. Look at each email one at a time, and if you see the Unable to verify message signature banner, export and delete the message.

After you think you’ve found and removed all of the problematic messages, test:

  1. Quit Mail

  2. Open Keychain Access and remove the problematic certificate from the keychain

  3. Reopen Mail

  4. Check Keychain Access and see if the certificate has reappeared.

If the problematic certificate has reappeared, then you haven’t found all the problematic emails yet. Keep searching…

This manual resolution is incredibly tedious when the user has a lot of email. It can take hours, and if you miss even just one email the problem is 0% solved.

Automated Fix

After manually solving this for a few clients, I knew there should be a way to script it. But my AppleScript skills are intermediate at best, and I knew it would take hours just to find out if I could even get a very basic script working.

That’s when Shawn Maddock proposed a one-paragraph spec for an AppleScript, and Adam Rice fed it into ChatGPT-4o and did the requisite initial coaxing to get a proof of concept. I took that and ran with it, debugging some edge cases (e.g. excluding the Notes folder), and adding better error handling for large mailboxes, logging, and reporting.

It still took hours upon hours, but the result is the AppleScript attached here:

📄 Clean up messages with certificates.scpt

Instructions

  1. Download the AppleScript and open it in Script Editor.

    ℹ️ Running the script in Script Editor allows you to see each step logged to the Messages section in the Log at the bottom of the Script Editor window.

  2. Define the email address to filter by:

    📝 set targetEmailAddress to "email@example.com"

  3. Change batchLimit to a low number if you want to test the basic functionality without waiting for the script to check every email.

  4. For testing, you can send yourself an email with an attachment that has this filename extension: .fakeFilenameExtension. This email should be processed just like the ones with a certificate attached.

  5. When you’re ready to have the messages be moved to a mailbox in addition to being exported, change this setting to true:

    📝 set moveMessages to true

    ℹ️ Look for the moved messages in the Email with certificates [date & time] mailbox.

For troubleshooting, you can increase the timeout duration:

📝 set timeoutDuration to 60 -- 60 seconds timeout

I’d recommend running it first with moveMessages set to false, and then reviewing the results by checking the exported messages and the certificate_email_export_log.txt.

When you’re satisfied that the script is working properly, change moveMessages to true and run it again. When it finishes, check the Email with certificates [date & time] mailbox for the moved email.

To fix the original issue, there are a few more steps:

  1. Delete the moved messages from the Email with certificates [date & time] mailbox.

  2. Delete those problematic emails from the Trash.

  3. Quit Mail.

  4. Open Keychain Access and remove the problematic certificate from the keychain.

  5. Reopen Mail.

  6. Check Keychain Access and confirm the certificate has not reappeared.

If it’s still not resolved, run the script again and see if it finds any more email messages that it missed the first time.

Conclusion

I’m not sure how prevalent this issue is, but I’ve seen it at least four times in the past 18 months, and a few colleagues have seen it too as reported in the Mac Admins Slack.

I think the issue probably originates with clients who search for something like “how to sign email” and follow whatever instructions they find with incomplete results. I’m sure they were using the common sense meaning of the word “sign” i.e. to sign their name, but were shown results for the technical use of the word “sign” in the scope of email.

My theory is based on the fact that my clients who’ve had this issue were not technically savvy enough to want to send signed email using a certificate.

The first time I saw the issue, the certificate actually showed the client’s daughter’s name (with a typo) associated with the client’s own email address. I inquired further and the client said the only thing she could think of was that she had been trying to send her daughter’s college applications a few months ago and maybe wanted to sign those emails (in the sense of signing her name). Looking at the certificate’s expiration date, I inferred that the date the certificate was created was during the college admission timeframe.

Thanks

If this helps you, I’d love to know. To say thanks, please consider listening to and becoming a Patron of Command Control Power.

You might even learn some useful troubleshoot techniques by listening to the show. In fact, we first discussed this topic on the podcast back in 2023.