Bug 61589

Summary: email signatures made by revoked keys are not indicated
Product: [Applications] kmail
Reporter: Neil Williams <linux>
Component: encryption
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED LATER
Severity: major
Priority: NOR
Version: 1.5
Target Milestone: ---
Platform: Mandrake RPMs
OS: Linux
Latest Commit:
Version Fixed In:

Description Neil Williams 2003-07-23 20:52:44 UTC
Version:           1.5 (using KDE 3.1)
Installed from:    Mandrake RPMs
Compiler:          g++ (GCC) 3.2.2 (Mandrake Linux 9.1 3.2.2-3mdk)
OS:                Linux

After refreshing a trusted key (i.e. one I had verified carefully and signed some time before), I noticed that the key owner had revoked that key and had uploaded a new key. GnuPG shows the old key as revoked but emails that were signed by that key don't indicate that the key has now been revoked.

KMail does indicate that this is no longer a 'trusted key' (changes from green to yellow highlighting) but if this hadn't been a trusted key in the first place I would not have been any the wiser.

Verifying the email with GnuPG correctly warns that the signature is valid but the key has been revoked. KMail does not pass on this warning. I just get: signature is valid but the key is untrusted - just as I would for any one of lots of keys in my keyring.

Shouldn't this be indicated by KMail? "The signature is valid but the key has been REVOKED"?

A signature made by a revoked key could well be a forgery - KMail is failing to alert the user to a potentially compromised signature.
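The distinction the report asks for, shown as an added example that is not KMail's own code: a small classifier over GnuPG's `--status-fd` output (keywords as documented in GnuPG's doc/DETAILS) that reports a revoked signing key (REVKEYSIG/KEYREVOKED) on its own, instead of folding it into the generic "valid but untrusted" outcome; the sample status lines and key id are constructed, and `verify_file` assumes a `gpg` binary on the PATH.

```python
"""Map GnuPG --status-fd lines to a verdict that keeps "revoked" visible.
Added example for this bug report, not KMail code; the keywords are GnuPG's
documented status keywords (doc/DETAILS) and the sample lines are constructed."""
import subprocess
from dataclasses import dataclass

@dataclass
class Verdict:
    status: str    # what the user must be told
    key_id: str    # key id the signature names, if any
    trusted: bool  # True only for TRUST_FULLY / TRUST_ULTIMATE

def classify(status_lines):
    """Reduce '[GNUPG:] KEYWORD args...' lines to a single Verdict."""
    seen = {}
    for line in status_lines:
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            seen[fields[1]] = fields[2:]  # keyword -> its arguments
    def key_of(kw):
        return seen[kw][0] if seen.get(kw) else ""
    trusted = bool(seen.keys() & {"TRUST_FULLY", "TRUST_ULTIMATE"})
    # Most severe first.  A revoked key is tested before GOODSIG so that it can
    # never collapse into the generic "valid but untrusted" outcome.
    if "BADSIG" in seen:
        return Verdict("signature is INVALID", key_of("BADSIG"), False)
    if "ERRSIG" in seen or "NO_PUBKEY" in seen:
        return Verdict("signature could not be checked", key_of("ERRSIG"), False)
    if "REVKEYSIG" in seen or "KEYREVOKED" in seen:
        return Verdict("signature is valid but the key has been REVOKED",
                       key_of("REVKEYSIG"), False)
    if "EXPKEYSIG" in seen:
        return Verdict("signature is valid but the key has expired",
                       key_of("EXPKEYSIG"), trusted)
    if "GOODSIG" in seen:
        suffix = "" if trusted else " but the key is untrusted"
        return Verdict("signature is valid" + suffix, key_of("GOODSIG"), trusted)
    return Verdict("no signature found", "", False)

def verify_file(signed_path):
    """Run gpg on a signed file and classify its status output (assumes gpg on PATH)."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", signed_path],
                          capture_output=True, text=True)
    return classify(proc.stdout.splitlines())

# Constructed sample: the signature checks out, but gpg reports the key revoked.
REVOKED_KEY_STATUS = [
    "[GNUPG:] REVKEYSIG 0123456789ABCDEF Example User <user@example.org>",
    "[GNUPG:] KEYREVOKED",
    "[GNUPG:] TRUST_UNDEFINED",
]
```

Note that a revoked key is reported as untrusted even when owner trust is TRUST_FULLY, which is exactly the case the reporter hit with a key he had previously signed.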
Comment 1 Ingo Klöcker 2003-11-11 23:47:40 UTC
Since fixing this bug will require string changes, this bug can't be fixed anymore for KDE 3.2.