Version: 1.5 (using KDE KDE 3.1)
Installed from: Mandrake RPMs
Compiler: g++ (GCC) 3.2.2 (Mandrake Linux 9.1 3.2.2-3mdk)
OS: Linux

After refreshing a trusted key (i.e. one I had verified carefully and signed some time before), I noticed that the key owner had revoked that key and had uploaded a new key. GnuPG shows the old key as revoked but emails that were signed by that key don't indicate that the key has now been revoked. KMail does indicate that this is no longer a 'trusted key' (changes from green to yellow highlighting) but if this hadn't been a trusted key in the first place I would not have been any the wiser.

Verifying the email with GnuPG correctly warns that the signature is valid but the key has been revoked. KMail does not pass on this warning. I just get: signature is valid but the key is untrusted - just as I would for any one of lots of keys in my keyring.

Shouldn't this be indicated by KMail? "The signature is valid but the key has been REVOKED"? A signature made by a revoked key could well be a forgery - KMail is failing to alert the user to a potentially compromised signature.
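The distinction requested in the report above, as an added example that is not KMail's code and not part of the original report: a front end reading GnuPG's machine-readable status lines (`--status-fd`) can give the key state (`REVKEYSIG`, `EXPKEYSIG`) priority over the trust level, so a revoked key is never reported as merely untrusted. The function name `summarize`, the message wording other than the two strings quoted in the report, and the sample key ID and user ID are assumptions made for illustration.

```python
PREFIX = "[GNUPG:] "

# Signature-result keywords from GnuPG's status interface -> (severity, text).
SIG_RESULTS = {
    "GOODSIG": ("ok", "The signature is valid"),
    "EXPSIG": ("warning", "The signature is valid but has EXPIRED"),
    "EXPKEYSIG": ("warning", "The signature is valid but the key has EXPIRED"),
    "REVKEYSIG": ("warning", "The signature is valid but the key has been REVOKED"),
    "BADSIG": ("error", "The signature is BAD"),
    "ERRSIG": ("error", "The signature could not be checked"),
}
TRUSTED = {"TRUST_MARGINAL", "TRUST_FULLY", "TRUST_ULTIMATE"}

def summarize(status_output):
    """Return (severity, message) for the first signature in the status text."""
    result = key_id = trust = None
    for line in status_output.splitlines():
        if not line.startswith(PREFIX):
            continue  # human-readable gpg output, not a status line
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in SIG_RESULTS and result is None:
            result = keyword
            key_id = fields[1] if len(fields) > 1 else "unknown"
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if result is None:
        return ("error", "No signature status found")
    severity, text = SIG_RESULTS[result]
    # Trust only qualifies a plain GOODSIG; a revoked or expired key, or a
    # bad signature, is reported as such whatever the trust level says.
    if result == "GOODSIG":
        if trust in TRUSTED:
            text += " and the key is trusted"
        else:
            severity, text = "warning", text + " but the key is untrusted"
    return (severity, f"{text} (key {key_id})")

# Constructed status lines (key ID and user ID are made up).
SAMPLE_REVOKED = (
    "[GNUPG:] REVKEYSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
SAMPLE_UNTRUSTED = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)

if __name__ == "__main__":
    print(summarize(SAMPLE_REVOKED))
    print(summarize(SAMPLE_UNTRUSTED))
```
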
Since fixing this bug will require string changes, this bug can't be fixed anymore for KDE 3.2.