openssl signed messages show verification error 1041


Hello,

in an effort to understand why one S/MIME signed message I received could not be verified by Thunderbird (140.3.0esr (64-bit) on Ubuntu 24.04.3 LTS) (error 1041, "unknown problems with this digital signature"), but could be by all other clients I and others could check (including CLI tools openssl, cmsutil), I did a few tests using my own certificate (using rsaEncryption, SHA256).

Initial observation: Messages signed with "openssl smime -sign -in msg.txt -to <email> -from <my-email> -subject test -signer mycert.pem -inkey mykey.pem -out signed.eml" and opened in Thunderbird showed error 1041. Any modifiers like -crlfeol, -text, -binary, ... did not make a difference.

Omitting signed attributes (-noattr) however helped. The signature was verified.

Looking at the signed attributes, nothing seems wrong: the hash in messageDigest is correct, and sha256 and rsaEncryption are given. Checking the signature more carefully, the hash of the attribute section is also correct. Manually verifying the DER attribute section with the given signature is also fine.

The question is, what is the reason that Thunderbird rejects the signature? I didn't manage to produce a log output of the verification, so this general error 1041 is all I have. Is Thunderbird stricter than openssl? And if so, at what point?

The only point I see where there could be a problem in handling the attributes is the header of the DER attribute section. In the full signature this starts with 0xa0, as a stand-alone block it should be 0x31 - only then does the hash match. However, that's wild guessing.

Any ideas? Even some info on how to access a log output of the verification would help.
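
The 0xa0 versus 0x31 observation in the question is the re-tagging that RFC 5652 section 5.4 prescribes: signedAttrs sits in SignerInfo under an IMPLICIT [0] tag, but the signature is computed over its DER encoding with the SET OF tag. The following is an added example, not part of the original post; the message content and attributes are constructed sample data and the helper names are hypothetical.

```python
import hashlib

OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1

def der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the TLV starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long-form length
        nlen = length & 0x7F
        length, off = int.from_bytes(buf[off:off + nlen], "big"), off + nlen
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + length], off + length

def signature_input(signed_attrs):
    """Re-tag signedAttrs from IMPLICIT [0] (0xA0) to SET OF (0x31)."""
    if signed_attrs[0] != 0xA0:
        raise ValueError("expected [0] IMPLICIT signedAttrs")
    return b"\x31" + signed_attrs[1:]

def message_digest(signed_attrs):
    """Return the messageDigest attribute value, or None if absent."""
    body = read_tlv(signed_attrs)[1]
    off = 0
    while off < len(body):
        _, attr, off = read_tlv(body, off)     # Attribute SEQUENCE
        _, oid, p = read_tlv(attr)             # attrType OID
        values = read_tlv(attr, p)[1]          # attrValues SET contents
        if oid == OID_MESSAGE_DIGEST:
            return read_tlv(values)[1]         # OCTET STRING contents
    return None

# Constructed sample: signedAttrs as it would appear inside a SignerInfo.
CONTENT = b"Content-Type: text/plain\r\n\r\ntest\r\n"
def attribute(oid, value):
    return der(0x30, der(0x06, oid) + der(0x31, value))
ATTRS = (attribute(OID_CONTENT_TYPE, der(0x06, OID_DATA))
         + attribute(OID_MESSAGE_DIGEST, der(0x04, hashlib.sha256(CONTENT).digest())))
SIGNED_ATTRS = der(0xA0, ATTRS)
```

A verifier checks two things: that `message_digest(SIGNED_ATTRS)` equals the hash of the received content, and that the signature covers the hash of `signature_input(SIGNED_ATTRS)` rather than the bytes as stored.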
