Bug 128513

Summary: Non-Kmail GnuPG messages not properly dealt with
Product: [Applications] kmail Reporter: Michael Trausch <fd0man>
Component: encryptionAssignee: kdepim bugs <kdepim-bugs>
Severity: normal    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed In:
Attachments: This is a screenshot of KMail inaccurately showing GnuPG information on a message.
Inline Signature (fails)
OpenPGP/MIME message (works).

Description Michael Trausch 2006-06-02 19:13:31 UTC
Version:           1.9.3 (using KDE KDE 3.5.3)
Installed from:    Ubuntu Packages
OS:                Linux

When viewing messages that have been signed with the GnuPG application in combination with a non-KMail MUA, the information presented with regards to the signature is invalid.  However, if the message is run through GnuPG individually, the proper information is visible for the signature.

One example of this is a message that was sent to the KDE Core Development mailing list by Ralf Habacker.  I am attaching files which demonstrate the case in point.

This happens with other messages as well from other mailing lists, and messages that are not signed on a mailing list, but rather, directly addressed to me.

I am not sure if non-KMail clients are misinterpreting information that is in KMail signed messages, however, I have sent a message to my local LUG list to see if they can verify my message for me with any trouble with various MUAs.

The bug is apparent any time I view a message that was signed using a non-KMail MUA.  I have the OpenPGP plugin running and enabled, and properly configured with my key information.  The behavior that I am expecting is a valid timestamp and signature verification on messages that are signed by other mail clients.
Comment 1 Michael Trausch 2006-06-02 19:17:58 UTC
Created attachment 16434 [details]
This is a screenshot of KMail inaccurately showing GnuPG information on a message.

This shows the bug in KMail's handling of messages signed by other MUAs.  The
MUA in this case was Thunderbird.  I will be attaching the original message
itself, as well, and the output from GnuPG's --verify option to demonstrate the
inaccuracy of KMail's message.
Comment 2 Michael Trausch 2006-06-02 19:18:58 UTC
Created attachment 16435 [details]
Inline Signature (fails)

This is the original message, with full headers.
Comment 3 Michael Trausch 2006-06-02 19:20:49 UTC
The output from GnuPG when run on the saved fulltext message w/ headers is as follows:

fd0man@fd0man-laptop:~$ gpg --verify GnuPG\ Test\ Case\ 1
gpg: Signature made Fri 02 Jun 2006 10:49:11 AM EDT using DSA key ID DF045E77
gpg: Can't check signature: public key not found

That is what I expect to see in KMail, though KMail reports:

Message was signed on 31-Dec-1969 18:59 with unknown key 0xDF045E77.
The validity of the signature cannot be verified.

Fri 02 Jun 2006 @ 10:49:11 EDT is a far cry from the UNIX epoch.  :)
Comment 4 Stefan Gehn 2006-06-02 20:18:01 UTC
Where's the problem? Ok, the date is wrong, but is there anything else?

Btw, I recently fixed a bug that returned wrong error-types for signatures that you don't have the public key for. This fix could very well make kmail output "unknown public key" instead of "cannot verify", I don't know if it's in 3.5.3 though.
Comment 5 Michael Trausch 2006-06-02 22:08:44 UTC

The date being incorrect is a result of something bigger, I am sure.  For example, in these types of messages, it does not say whether or not I have the key or not.  In this example, I do not have the key -- however, KMail doesn't see that I do not have the key to verify the message.  It would appear that KMail stops checking when it notices that there is no associated timestamp.  The date is wrong -- but if you notice, the date is the date of the UNIX Epoch, adjusted for time zone.  That means, of course, that KMail is not getting the proper signature data at all, since the signature itself is what contains the timestamp.  It can be deducted that this could be an indication that KMail is not parsing the output from GPG correctly, or it is otherwise feeding bad information to GPG.

I am not a programmer, so I cannot debug to uncover further things.  I can merely suggest things; I am sorry that I do not have the capacity to perform more investigation for you.  I just know that something is amiss, and that since GPG is known to work, the problem is either with KMail's interface to GnuPG, or with something else internal to KMail.  Since KMail works with other GPG messages that are signed by other people using KMail, I have to conclude that KMail is doing something that only it understands and either there is a bug regarding inline messages (I have not received KMail inline messages, so I cannot verify that theory), or that the bug is that KMail is in some way breaking the OpenPGP standard when sending messages.

One other problem I have noticed- though I do not know if it is related - is that KMail insists that my signature is done with SHA1, however, it should be signed with RIPEMD160, not SHA1.  However, I have not had the time to investigate that, either.
Comment 6 Michael Trausch 2006-06-02 22:30:56 UTC
Created attachment 16437 [details]
OpenPGP/MIME message (works).

A correction to make -- Inline GPG signatures do, in fact, appear to be the
problem.  I just managed to find a message from Thunderbird that came through
as it should have, where KMail gave me the proper messages.  I am attaching a
screenshot that displays what this looks like when it correctly shows up. 
Notice that I get a "Status" line that I did not receive in the message that
claims to be signed on the UNIX epoch.
Comment 7 Michael Trausch 2006-06-02 22:38:35 UTC
It would appear, in light of that finding, that the bug is in the support for inline signatures.  This is odd to me, since most applications have problems the other way around; usually support for inline messages is superb, and the OpenPGP/MIME messages are the ones that are lacking.

In any case, it would appear that the support for inline messages in KMail is what is not functioning correctly, for whatever reason.  The message that I had attached earlier is not an OpenPGP/MIME message.  I am going to relabel the attachments to reflect the findings.
Comment 8 Ingo Klöcker 2006-06-03 02:18:35 UTC
SVN commit 547690 by kloecker:

Fix bug 128513 by properly initializing the creation time of a signature. In case of clear signed messages we can't parse the date, so don't show it.

 M  +6 -1      partmetadata.h  

--- branches/KDE/3.5/kdepim/kmail/partmetadata.h #547689:547690
@@ -35,7 +35,12 @@
         isEncrypted( false ),
         isDecryptable( false ),
         technicalProblem( false ),
-        isEncapsulatedRfc822Message( false ) {}
+        isEncapsulatedRfc822Message( false )
+    {
+      creationTime.tm_year = 0;
+      creationTime.tm_mon  = 1;
+      creationTime.tm_mday = 1;
+    }
     bool isSigned;
     bool isGoodSignature;
     CryptPlugWrapper::SigStatusFlags sigStatusFlags;
Comment 9 Michael Trausch 2006-06-03 21:08:09 UTC
Thank you -- I was able to (after some weird issues) rebuild KMail and verify the fix on the timestamp.  Is it possible to have it output the same "Status" line when the key is not present, as with messages that are signed with OpenPGP/MIME and the key is not present?  For example, a message on the KDE core devel list (the one that RH replied to in the attachment to this bug report) shows:

Message was signed with unknown key 0x33F5F0056EF45358.
The validity of the signature cannot be verified.
Status: No public key to verify the signature

RH's only shows:

Message was signed with unknown key 0xDF045E77.
The validity of the signature cannot be verified.

All the data is present for the information to be displayed, I think, at least according to the debug output.  Is this a separate bug that I need to file?

==== Debug output
kmail: (35144, last 35136) Re: qt-dbus compilation problem Ralf Habacker, readyToShow true
kmail: [const QTextCodec* KMReaderWin::overrideCodec() const]  mOverrideEncoding == ''
kmail: [const QTextCodec* KMReaderWin::overrideCodec() const]  mOverrideEncoding == ''
kmail: parseMsg(KMMessage* aMsg == aMsg )
kmail: + Text/Plain
kmail:       Inserting one item into MimePartTree
kmail:                 Content-Type: Text/Plain
kmail: partNode::findType() is looking at Text/Plain
kmail: [static KMail::SpamScores KMail::SpamHeaderAnalyzer::getSpamScores(const KMMessage*)]
kmail: Multiple / No addressees matched email address; Count is 0
kmail: ObjectTreeParser::parseObjectTree( node OK, showOnlyOneMimePart: FALSE )
kmail:         Sorry: Old style Mailman message but no delimiter found.
kmail: [const QTextCodec* KMReaderWin::overrideCodec() const]  mOverrideEncoding == ''
libkdenetwork: GnuPG exited with exit status 2
libkdenetwork: gpg stderr:
libkdenetwork: libkdenetwork: pgp cmd = LANGUAGE=C gpg --batch --decrypt
gpg: Signature made Sat 03 Jun 2006 05:07:29 AM EDT using DSA key ID DF045E77
gpg: Can't check signature: public key not found
libkdenetwork: Message was signed on 'Sat 03 Jun 2006 05:07:29 AM EDT'
libkdenetwork: Message was signed with key 'DF045E77'
==== End Debug Output
Comment 10 Ingo Klöcker 2006-06-03 23:55:53 UTC
Yes, please file a separate bug report for this.
Comment 11 Michael Trausch 2006-06-07 00:55:26 UTC
On Sat, June 3 2006 17:55, Ingo wrote:
> ------- Additional Comments From kloecker kde org  2006-06-03 23:55
> ------- Yes, please file a separate bug report for this.

I will file a bug report, then, as soon as the DB comes back up.  
(Hopefully, this makes it into the database... it appears to be down at the 

	- Mike