[kleopatra] [Bug 497886] New: Signature verification shows "certificate validity unknown" if only non-primary UID of signing key is trusted

Tilman Blumenbach bugzilla_noreply at kde.org
Wed Dec 25 16:07:28 GMT 2024


https://bugs.kde.org/show_bug.cgi?id=497886

            Bug ID: 497886
           Summary: Signature verification shows "certificate validity
                    unknown" if only non-primary UID of signing key is
                    trusted
    Classification: Applications
           Product: kleopatra
           Version: 4.0.0.241200
          Platform: Arch Linux
                OS: Linux
            Status: REPORTED
          Severity: minor
          Priority: NOR
         Component: general
          Assignee: kloecker at kde.org
          Reporter: tilman at dataoverload.de
                CC: aheinecke at gnupg.org, kdepim-bugs at kde.org, mutz at kde.org
  Target Milestone: ---

SUMMARY

When verifying a signature, and only a non-primary UID of the key that made the
signature is trusted, Kleopatra says that the "certificate's validity is
unknown".

That is, "gpg -k" shows the following for the key in question:

--------------------------------------------------------------------
pub   rsa2048 2011-06-25 [SC] [undefined]
      487E ACC0 8557 AD08 2088  DABA 1EB2 638F F56C 0C53
uid           [ unknown] Dave Reisner <d at falconindy.com>
uid           [  full  ] Dave Reisner <dreisner at archlinux.org>
sub   rsa2048 2011-06-25 [E]
--------------------------------------------------------------------

Hence, "gpg --verify" correctly determines that a signature made by that key is
fully valid ("good") since I *did* sign one of its non-primary UIDs (even
though I did not sign the primary UID):

--------------------------------------------------------------------
$ gpg --verify ponymix-5.tar.xz.sig
gpg: assuming signed data in 'ponymix-5.tar.xz'
gpg: Signature made Mo 03 Okt 2016 20:13:57 CEST
gpg:                using RSA key 1EB2638FF56C0C53
gpg: Good signature from "Dave Reisner <d at falconindy.com>" [unknown]
gpg:                 aka "Dave Reisner <dreisner at archlinux.org>" [full]
Primary key fingerprint: 487E ACC0 8557 AD08 2088  DABA 1EB2 638F F56C 0C53
--------------------------------------------------------------------

But Kleopatra wrongly says that the certificate's validity is unknown:

--------------------------------------------------------------------
Verified ‘/home/tilman/tmp/aur/ponymix/ponymix-5.tar.xz’ with signature in
‘/home/tilman/tmp/aur/ponymix/ponymix-5.tar.xz.sig’.

Signature created on Montag, 3. Oktober 2016 20:13:57 Mitteleuropäische
Sommerzeit with certificate: Dave Reisner <d at falconindy.com> (1EB2 638F F56C
0C53)
The signature is valid but the certificate's validity is unknown.
--------------------------------------------------------------------

So it seems like Kleopatra requires the primary UID to be trusted, and doesn't
check any non-primary UIDs for trust.

This is confusing, since one has to check the "Audit log" to figure out that
the signature is in fact fully valid.


STEPS TO REPRODUCE
1. Sign only a non-primary UID of some key with your own key.
2. Check a signature made by this key with Kleopatra.
3. Also check the signature with "gpg --verify".

OBSERVED RESULT

"gpg --verify" will show a "good" (fully trusted) signature because even though
the primary UID of the signing key is not trusted, a non-primary UID is.

Kleopatra will, in contrast, show that the "certificate's validity is unknown"
since it seemingly only checks the primary UID of the signing key for trust.

EXPECTED RESULT

Kleopatra shows that the signature is fully valid/trusted, just like "gpg
--verify".

Or, it could at least note that while the primary UID of the signing key is
untrusted, a non-primary UID is.


SOFTWARE/OS VERSIONS

KDE Plasma Version: 6.2.4
KDE Frameworks Version: 6.9.0
Qt Version: 6.8.1

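To make the distinction in the report concrete, here is an added example (not Kleopatra or GnuPG code) that parses a `gpg --with-colons --list-keys` listing and computes the certificate's validity two ways: from the primary UID alone, which is what the report suggests Kleopatra does, and as the best validity over all UIDs, which is why `gpg --verify` can show the second UID as [full]. The listing is constructed to mirror the key in the report; the fingerprint and key ID are the ones quoted above, while the uid hashes, timestamps and the subkey ID are placeholders, not real values.

```python
"""Added example: effective OpenPGP certificate validity from a
`gpg --with-colons --list-keys` listing, primary-UID-only versus any-UID.
Not Kleopatra or GnuPG code; field layout follows GnuPG's doc/DETAILS."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Validity letters from field 2 of pub/uid records (GnuPG doc/DETAILS),
# ranked so that max() picks the strongest one. Revoked/expired/invalid
# UIDs share the lowest "unknown" rank and therefore never win.
VALIDITY_RANK = {"n": 0, "-": 1, "o": 1, "i": 1, "d": 1, "r": 1, "e": 1,
                 "q": 2, "m": 3, "f": 4, "u": 5}
RANK_NAME = {0: "never", 1: "unknown", 2: "undefined", 3: "marginal",
             4: "full", 5: "ultimate"}


@dataclass
class Certificate:
    fingerprint: str                 # field 10 of the first fpr record
    key_validity: str                # field 2 of the pub record
    uids: List[Tuple[str, str]]      # (validity letter, user id), listing order


def parse_colon_listing(text: str) -> List[Certificate]:
    """Parse colon-format output into Certificates.
    Only pub, fpr and uid records are used; tru/sub/etc. are ignored."""
    certs: List[Certificate] = []
    cur: Optional[Certificate] = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            cur = Certificate(fingerprint="", key_validity=fields[1], uids=[])
            certs.append(cur)
        elif rtype == "fpr" and cur is not None and not cur.fingerprint:
            cur.fingerprint = fields[9]      # later fpr records belong to subkeys
        elif rtype == "uid" and cur is not None:
            cur.uids.append((fields[1], fields[9]))
    return certs


def find_by_keyid(certs: List[Certificate], keyid: str) -> Optional[Certificate]:
    """gpg --verify names the signing key by its 64-bit key ID, which is the
    last 16 hex digits of the primary key fingerprint."""
    keyid = keyid.upper()
    return next((c for c in certs if c.fingerprint.upper().endswith(keyid)), None)


def primary_uid_validity(cert: Certificate) -> str:
    """What a primary-UID-only check sees; gpg lists the primary UID first."""
    return cert.uids[0][0] if cert.uids else "-"


def best_uid_validity(cert: Certificate) -> str:
    """What gpg --verify effectively reports: the best validity over all UIDs."""
    return max((v for v, _ in cert.uids),
               key=lambda v: VALIDITY_RANK.get(v, 1), default="-")


def describe(letter: str) -> str:
    return RANK_NAME[VALIDITY_RANK.get(letter, 1)]


def verdicts(cert: Certificate) -> dict:
    return {"primary_only": describe(primary_uid_validity(cert)),
            "any_uid": describe(best_uid_validity(cert))}


# Constructed sample mirroring the key in the report: primary UID unknown,
# second UID full. Addresses are reproduced as the report renders them;
# UIDHASH*, timestamps and the all-zero subkey ID/fingerprint are placeholders.
SAMPLE_LISTING = """\
tru::1:1735142000:0:3:1:5
pub:q:2048:1:1EB2638FF56C0C53:1308960000:::-:::scESC::::::23::0:
fpr:::::::::487EACC08557AD082088DABA1EB2638FF56C0C53:
uid:-::::1308960000::UIDHASH1::Dave Reisner <d at falconindy.com>::::::::::0:
uid:f::::1308960000::UIDHASH2::Dave Reisner <dreisner at archlinux.org>::::::::::0:
sub:q:2048:1:0000000000000000:1308960000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""

if __name__ == "__main__":
    cert = find_by_keyid(parse_colon_listing(SAMPLE_LISTING), "1EB2638FF56C0C53")
    assert cert is not None
    for how, val in verdicts(cert).items():
        print(f"{how:13s} -> certificate validity: {val}")
```

Run against a real keyring with `gpg --with-colons --list-keys <keyid>` piped into parse_colon_listing; a certificate whose primary_only verdict is "unknown" but whose any_uid verdict is "full" is exactly the situation the report describes.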