[kleopatra] [Bug 497886] New: Signature verification shows "certificate validity unknown" if only non-primary UID of signing key is trusted
Tilman Blumenbach
bugzilla_noreply at kde.org
Wed Dec 25 16:07:28 GMT 2024
https://bugs.kde.org/show_bug.cgi?id=497886
Bug ID: 497886
Summary: Signature verification shows "certificate validity unknown" if only non-primary UID of signing key is trusted
Classification: Applications
Product: kleopatra
Version: 4.0.0.241200
Platform: Arch Linux
OS: Linux
Status: REPORTED
Severity: minor
Priority: NOR
Component: general
Assignee: kloecker at kde.org
Reporter: tilman at dataoverload.de
CC: aheinecke at gnupg.org, kdepim-bugs at kde.org, mutz at kde.org
Target Milestone: ---
SUMMARY
When verifying a signature, and only a non-primary UID of the key that made the
signature is trusted, Kleopatra says that the "certificate's validity is
unknown".
That is, "gpg -k" shows the following for the key in question:
--------------------------------------------------------------------
pub   rsa2048 2011-06-25 [SC] [undefined]
      487E ACC0 8557 AD08 2088 DABA 1EB2 638F F56C 0C53
uid           [ unknown] Dave Reisner <d at falconindy.com>
uid           [  full  ] Dave Reisner <dreisner at archlinux.org>
sub   rsa2048 2011-06-25 [E]
--------------------------------------------------------------------
Hence, "gpg --verify" correctly determines that a signature made by that key is
fully valid ("good") since I *did* sign one of its non-primary UIDs (even
though I did not sign the primary UID):
--------------------------------------------------------------------
$ gpg --verify ponymix-5.tar.xz.sig
gpg: assuming signed data in 'ponymix-5.tar.xz'
gpg: Signature made Mo 03 Okt 2016 20:13:57 CEST
gpg:                using RSA key 1EB2638FF56C0C53
gpg: Good signature from "Dave Reisner <d at falconindy.com>" [unknown]
gpg:                 aka "Dave Reisner <dreisner at archlinux.org>" [full]
Primary key fingerprint: 487E ACC0 8557 AD08 2088 DABA 1EB2 638F F56C 0C53
--------------------------------------------------------------------
But Kleopatra wrongly says that the certificate's validity is unknown:
--------------------------------------------------------------------
Verified ‘/home/tilman/tmp/aur/ponymix/ponymix-5.tar.xz’ with signature in
‘/home/tilman/tmp/aur/ponymix/ponymix-5.tar.xz.sig’.
Signature created on Montag, 3. Oktober 2016 20:13:57 Mitteleuropäische
Sommerzeit with certificate: Dave Reisner <d at falconindy.com> (1EB2 638F F56C
0C53)
The signature is valid but the certificate's validity is unknown.
--------------------------------------------------------------------
So it seems like Kleopatra requires the primary UID to be trusted, and doesn't
check any non-primary UIDs for trust.
This is confusing, since one has to check the "Audit log" to figure out that
the signature is in fact fully valid.
STEPS TO REPRODUCE
1. Sign only a non-primary UID of some key with your own key.
2. Check a signature made by this key with Kleopatra.
3. Also check the signature with "gpg --verify".
OBSERVED RESULT
"gpg --verify" will show a "good" (fully trusted) signature because even though
the primary UID of the signing key is not trusted, a non-primary UID is.
Kleopatra will, in contrast, show that the "certificate's validity is unknown"
since it seemingly only checks the primary UID of the signing key for trust.
EXPECTED RESULT
Kleopatra shows that the signature is fully valid/trusted, just like "gpg
--verify".
Or, it could at least note that while the primary UID of the signing key is
untrusted, a non-primary UID is.
SOFTWARE/OS VERSIONS
KDE Plasma Version: 6.2.4
KDE Frameworks Version: 6.9.0
Qt Version: 6.8.1