Version: 4.7 (using KDE 4.7.3)
OS: Linux
This is a cut&paste from an old bug 188931 (reported by Raimar Sandner) that is still present in KMail2, so I report it again against the new version.
According to http://www.ietf.org/rfc/rfc3156.txt there are two ways to both sign and encrypt an OpenPGP/MIME message. KMail uses the method described in 6.1 of RFC 3156 (called RFC 1847 Encapsulation); other mail clients like Thunderbird/Enigmail or mutt use 6.2 (Combined method). KMail fails to verify the signature if the message was composed with the combined method 6.2. Verification on the command line with gpg --decrypt works.
Usually, if the verification fails because there really is no key, KMail displays "message was signed with unknown key 0x...", where 0x... is the key ID. Here, it says key 0x... and displays the hex value of the _fingerprint_ of the key (and not the ID).
Reproducible: Always
Steps to Reproduce: Compose an encrypted and signed message with Thunderbird (I use Enigmail 0.96) and view it with KMail.
Actual Results: Message was signed with unknown key. The validity of the signature cannot be verified. Status: Error: Signature not verified
Expected Results: Signature verifies correctly
*** Bug 188931 has been marked as a duplicate of this bug. ***
*** Bug 276813 has been marked as a duplicate of this bug. ***
Hello, A side effect of this bug is that if someone sends me a Thunderbird-signed email that contains attachments, I am unable to save the attachments at all. It seems that KMail does not like the fact that (it thinks that) the signature cannot be verified. Thanks, Tim.
Hello all, Does the KDE project have any kind of sponsorship or bounty program? I'm hoping to see a couple of bugs fixed (especially those associated with PGP integration, such as 286035) and I would be happy in principle to sponsor someone to get the work done. All info most welcome. Thanks, Tim.
*** Bug 289364 has been marked as a duplicate of this bug. ***
I must confirm this, and it's still present in KMail2/KDE 4.8.1.
This is a valid and very old bug that has been around (forever?); it is also valid for the old Kdepim 3.x versions. gpgme's decrypt and verify job returns a valid signature for the Combined Method but not for the encapsulated method. So I guess somewhere in libkleo / KMail this is not used or is overwritten by an additional check for an encapsulated signature, which would fail in the combined case.
What is strange in your report is that your status is:
Status: Error: Signature not verified
For an encrypted/signed mail from mutt I get:
The validity of the signature cannot be verified. Status: Good signature
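Added example (not part of the bug report and not KMail's code): the two RFC 3156 layouts discussed above share the same multipart/encrypted wrapper and differ only in the cleartext after decryption, so this Python code classifies that cleartext and picks where the signature status must come from. The sample messages, the status strings and all function names are constructed for illustration.

```python
from email import message_from_string

# Constructed samples: the wire wrapper and the two possible cleartexts after decryption.
OUTER = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";\n'
    ' boundary="enc"\n\n'
    '--enc\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n'
    '--enc\nContent-Type: application/octet-stream\n\n'
    '(placeholder for the armored OpenPGP message)\n--enc--\n')
DECRYPTED_61 = (
    'Content-Type: multipart/signed; micalg=pgp-sha1;\n'
    ' protocol="application/pgp-signature"; boundary="sig"\n\n'
    '--sig\nContent-Type: text/plain\n\nhello\n'
    '--sig\nContent-Type: application/pgp-signature\n\n(placeholder)\n--sig--\n')
DECRYPTED_62 = 'Content-Type: text/plain; charset=us-ascii\n\nhello\n'

def is_pgp_mime_encrypted(raw):
    """True for the multipart/encrypted wrapper that both methods use on the wire."""
    msg = message_from_string(raw)
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")

def signature_method(decrypted):
    """Return "6.1" if the cleartext is itself multipart/signed, else "6.2"."""
    inner = message_from_string(decrypted)
    if (inner.get_content_type() == "multipart/signed"
            and inner.get_param("protocol") == "application/pgp-signature"):
        return "6.1"  # RFC 1847 encapsulation: detached signature as a MIME part
    return "6.2"      # combined: signature is inside the OpenPGP message itself

def status_to_display(decrypted, decrypt_verify_status, verify_detached):
    """Choose the status a viewer should render.

    decrypt_verify_status: result of the single decrypt-and-verify operation.
    verify_detached: hypothetical callable that verifies an inner multipart/signed.
    """
    if signature_method(decrypted) == "6.1":
        return verify_detached(message_from_string(decrypted))
    # Combined method: there is no inner signature part to check, so a second
    # "encapsulated" check must not replace the decrypt-and-verify result.
    return decrypt_verify_status

if __name__ == "__main__":
    for name, text in (("6.1 sample", DECRYPTED_61), ("6.2 sample", DECRYPTED_62)):
        print(name, "->", signature_method(text))
```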
Git commit 3f8f80c195d5a31c3add321940a0a3ba7628781c by Andre Heinecke.
Committed on 16/04/2012 at 19:15.
Pushed by aheinecke into branch 'master'.
Fix parsing of combined encrypted/signed messages
In the case that a mime object was encrypted and signed the rendered mail showed an incorrect signature status because the signature was already checked with the decryptverifyjob and the key object not available in writeOpaqueOrMultipartSignedData. (So only the fingerprint was used).
In the case that writeOpaqueOrMultipartSignedData is called to show OpenPGP Encrypted and Signed data with a valid signature, the signature's key is now fetched from the OpenPGP backend using the fingerprint from the signature. The Key is then used as in the other cases to show the details (Name / Trustlevel etc.)
This fixes the rendering of openpgp mails signed with the combined method which is used by mutt, gnus etc.
M +32 -1 messageviewer/objecttreeparser.cpp
http://commits.kde.org/kdepim/3f8f80c195d5a31c3add321940a0a3ba7628781c
I'm not sure if this fixes everything mentioned here in the bug. This was a rendering problem: the signature was correctly verified, but the key was not used to check the trust level for the signature and no key details were available. I don't think this can have something to do with Comment #3, for example, that attachments can't be saved. If this is still the case, that's another bug though. I've tested this patch with an encrypted/signed mail from gnus that was previously "rendered yellow" and is now green with the correct details.
Git commit 44a3eb070b74414256f8f8ef58f73fd67678f5e4 by Andre Heinecke.
Committed on 16/04/2012 at 19:15.
Pushed by aheinecke into branch 'KDE/4.8'.
Fix parsing of combined encrypted/signed messages
In the case that a mime object was encrypted and signed the rendered mail showed an incorrect signature status because the signature was already checked with the decryptverifyjob and the key object not available in writeOpaqueOrMultipartSignedData. (So only the fingerprint was used).
In the case that writeOpaqueOrMultipartSignedData is called to show OpenPGP Encrypted and Signed data with a valid signature, the signature's key is now fetched from the OpenPGP backend using the fingerprint from the signature. The Key is then used as in the other cases to show the details (Name / Trustlevel etc.)
This fixes the rendering of openpgp mails signed with the combined method which is used by mutt, gnus etc.
(cherry picked from commit 3f8f80c195d5a31c3add321940a0a3ba7628781c)
M +32 -1 messageviewer/objecttreeparser.cpp
http://commits.kde.org/kdepim/44a3eb070b74414256f8f8ef58f73fd67678f5e4