[kmail2] [Bug 353317] New: kMail 5.0: Wrong signature issuer shown for OpenPGP signed mails (SMIME not tested).

Gunter Ohrner kdebugs at CustomCDROM.de
Tue Sep 29 12:34:39 BST 2015


https://bugs.kde.org/show_bug.cgi?id=353317

            Bug ID: 353317
           Summary: kMail 5.0: Wrong signature issuer shown for OpenPGP
                    signed mails (SMIME not tested).
           Product: kmail2
           Version: unspecified
          Platform: Kubuntu Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: NOR
         Component: general
          Assignee: kdepim-bugs at kde.org
          Reporter: kdebugs at CustomCDROM.de

Not sure if there might even be security implications:

A friend of mine sends signed messages which are always

* shown as having a valid signature (green display and everything)
* but from a completely wrong sender (!)

******************************************************************
Die Nachricht enthält die Signatur von Klaus at XXXXXXXXX.de (Schlüsselkennung:
0x9F8E2A98D1A4EDE5).
Die Signatur ist gültig, und der Schlüssel ist vertrauenswürdig.
******************************************************************
(translation: The message contains the signature of Klaus at XXXXXXXXX.de (Key-ID:
0x9F8E2A98D1A4EDE5).
The signature is valid and the key is trusted.)
******************************************************************

I have this public key in my keyring, but it has nothing to do with the mail
that is displayed - if I extract its PGP signature into a separate file and use
gpg to display information about it, the following is displayed:

******************************************************************
$ LANG= gpg --verify sigfile /dev/null
gpg: Signature made Tue Sep 29 11:11:08 2015 CEST using RSA key ID 22B2951D
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see https://gnupg.org/faq/weak-digest-algos.html for more information
gpg: BAD signature from "Matthias XXXXXXX <matthias at XXXXXXX.de>"
******************************************************************

Neither mail address nor key ID have anything to do with the wrong key that is
picked up for display by kMail...

I'm also not sure why the wrong key is displayed as "trusted" in the first
place - it does not seem to be considered trusted by gpg:

******************************************************************
gpg: using classic trust model
pub  2048R/D1A4EDE5  created: 2000-02-26  expires: never       usage: SCE 
                     trust: undefined     validity: unknown
******************************************************************

Reproducible: Always

-- 
You are receiving this mail because:
You are the assignee for the bug.
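
Added example (not part of the original report and not KMail or GnuPG code): a small cross-check of the key ID a mail client displays against the key ID gpg reports for the extracted signature, using the two values quoted in the report. The function names are hypothetical, and the parser assumes the English (LANG=) gpg output format shown above.

```python
import re

# gpg output copied from the report (English messages, names redacted there).
GPG_OUTPUT = '''\
gpg: Signature made Tue Sep 29 11:11:08 2015 CEST using RSA key ID 22B2951D
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: BAD signature from "Matthias XXXXXXX <matthias at XXXXXXX.de>"
'''
DISPLAYED_KEY_ID = "0x9F8E2A98D1A4EDE5"  # key ID from the KMail banner in the report

def normalize_key_id(key_id):
    """Return the key ID as upper-case hex without a 0x prefix."""
    kid = key_id.strip().upper()
    kid = kid[2:] if kid.startswith("0X") else kid
    if not re.fullmatch(r"[0-9A-F]{8,40}", kid):
        raise ValueError("not a key ID or fingerprint: %r" % key_id)
    return kid

def same_key(a, b):
    """A short key ID is the tail of the long one, so compare the common suffix.
    A match is necessary, not sufficient: short IDs can collide."""
    a, b = normalize_key_id(a), normalize_key_id(b)
    n = min(len(a), len(b))
    return a[-n:] == b[-n:]

def parse_gpg_verify(output):
    """Extract signing key ID, verdict, signer and digest warning from gpg text."""
    key = re.search(r"using \S+ key (?:ID )?([0-9A-Fa-f]+)", output)
    verdict = re.search(r'^gpg: (Good|BAD) signature from "(.*)"', output, re.M)
    digest = re.search(r"digest algorithm (\S+) is deprecated", output)
    return {
        "key_id": normalize_key_id(key.group(1)) if key else None,
        "good": verdict.group(1) == "Good" if verdict else None,
        "signer": verdict.group(2) if verdict else None,
        "weak_digest": digest.group(1) if digest else None,
    }

def cross_check(displayed_key_id, output):
    """List discrepancies between the client's banner and gpg's own report.
    The verdict is parsed but not compared here: the command in the report
    checks the signature against /dev/null, not against the message body."""
    info = parse_gpg_verify(output)
    if info["key_id"] is None:
        return ["gpg output could not be parsed; treat signature as unverified"]
    findings = []
    if not same_key(displayed_key_id, info["key_id"]):
        findings.append("key mismatch: client shows %s, gpg reports %s"
                        % (normalize_key_id(displayed_key_id), info["key_id"]))
    if info["weak_digest"]:
        findings.append("deprecated digest: %s" % info["weak_digest"])
    return findings
```

The short ID D1A4EDE5 in the gpg key listing above does match the displayed long ID under this suffix rule, while 22B2951D does not.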

