Bug 128513

Summary: Non-Kmail GnuPG messages not properly dealt with
Product: [Unmaintained] kmail
Reporter: Michael Trausch <fd0man>
Component: encryption
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Attachments: This is a screenshot of KMail inaccurately showing GnuPG information on a message.
Inline Signature (fails)
OpenPGP/MIME message (works).

Description Michael Trausch 2006-06-02 19:13:31 UTC
Version:           1.9.3 (using KDE KDE 3.5.3)
Installed from:    Ubuntu Packages
OS:                Linux

When viewing messages that have been signed with the GnuPG application in combination with a non-KMail MUA, the information presented with regards to the signature is invalid.  However, if the message is run through GnuPG individually, the proper information is visible for the signature.

One example of this is a message that was sent to the KDE Core Development mailing list by Ralf Habacker.  I am attaching files which demonstrate the case in point.

This happens with other messages as well from other mailing lists, and messages that are not signed on a mailing list, but rather, directly addressed to me.

I am not sure if non-KMail clients are misinterpreting information that is in KMail signed messages, however, I have sent a message to my local LUG list to see if they can verify my message for me with any trouble with various MUAs.

The bug is apparent any time I view a message that was signed using a non-KMail MUA.  I have the OpenPGP plugin running and enabled, and properly configured with my key information.  The behavior that I am expecting is a valid timestamp and signature verification on messages that are signed by other mail clients.
Comment 1 Michael Trausch 2006-06-02 19:17:58 UTC
Created attachment 16434
This is a screenshot of KMail inaccurately showing GnuPG information on a message.

This shows the bug in KMail's handling of messages signed by other MUAs.  The
MUA in this case was Thunderbird.  I will be attaching the original message
itself, as well, and the output from GnuPG's --verify option to demonstrate the
inaccuracy of KMail's message.
Comment 2 Michael Trausch 2006-06-02 19:18:58 UTC
Created attachment 16435
Inline Signature (fails)

This is the original message, with full headers.
Comment 3 Michael Trausch 2006-06-02 19:20:49 UTC
The output from GnuPG when run on the saved fulltext message w/ headers is as follows:

fd0man@fd0man-laptop:~$ gpg --verify GnuPG\ Test\ Case\ 1
gpg: Signature made Fri 02 Jun 2006 10:49:11 AM EDT using DSA key ID DF045E77
gpg: Can't check signature: public key not found
fd0man@fd0man-laptop:~$

That is what I expect to see in KMail, though KMail reports:

Message was signed on 31-Dec-1969 18:59 with unknown key 0xDF045E77.
The validity of the signature cannot be verified.

Fri 02 Jun 2006 @ 10:49:11 EDT is a far cry from the UNIX epoch.  :)
Comment 4 Stefan Gehn 2006-06-02 20:18:01 UTC
Where's the problem? Ok, the date is wrong, but is there anything else?

Btw, I recently fixed a bug that returned wrong error-types for signatures that you don't have the public key for. This fix could very well make kmail output "unknown public key" instead of "cannot verify", I don't know if it's in 3.5.3 though.
Comment 5 Michael Trausch 2006-06-02 22:08:44 UTC
Stefan,

The date being incorrect is a result of something bigger, I am sure.  For example, in these types of messages, it does not say whether or not I have the key or not.  In this example, I do not have the key -- however, KMail doesn't see that I do not have the key to verify the message.  It would appear that KMail stops checking when it notices that there is no associated timestamp.  The date is wrong -- but if you notice, the date is the date of the UNIX Epoch, adjusted for time zone.  That means, of course, that KMail is not getting the proper signature data at all, since the signature itself is what contains the timestamp.  It can be deduced that this could be an indication that KMail is not parsing the output from GPG correctly, or it is otherwise feeding bad information to GPG.

I am not a programmer, so I cannot debug to uncover further things.  I can merely suggest things; I am sorry that I do not have the capacity to perform more investigation for you.  I just know that something is amiss, and that since GPG is known to work, the problem is either with KMail's interface to GnuPG, or with something else internal to KMail.  Since KMail works with other GPG messages that are signed by other people using KMail, I have to conclude that KMail is doing something that only it understands and either there is a bug regarding inline messages (I have not received KMail inline messages, so I cannot verify that theory), or that the bug is that KMail is in some way breaking the OpenPGP standard when sending messages.

One other problem I have noticed -- though I do not know if it is related -- is that KMail insists that my signature is done with SHA1, however, it should be signed with RIPEMD160, not SHA1.  However, I have not had the time to investigate that, either.
Comment 6 Michael Trausch 2006-06-02 22:30:56 UTC
Created attachment 16437
OpenPGP/MIME message (works).

A correction to make -- Inline GPG signatures do, in fact, appear to be the
problem.  I just managed to find a message from Thunderbird that came through
as it should have, where KMail gave me the proper messages.  I am attaching a
screenshot that displays what this looks like when it correctly shows up. 
Notice that I get a "Status" line that I did not receive in the message that
claims to be signed on the UNIX epoch.
Comment 7 Michael Trausch 2006-06-02 22:38:35 UTC
It would appear, in light of that finding, that the bug is in the support for inline signatures.  This is odd to me, since most applications have problems the other way around; usually support for inline messages is superb, and the OpenPGP/MIME messages are the ones that are lacking.

In any case, it would appear that the support for inline messages in KMail is what is not functioning correctly, for whatever reason.  The message that I had attached earlier is not an OpenPGP/MIME message.  I am going to relabel the attachments to reflect the findings.
Comment 8 Ingo Klöcker 2006-06-03 02:18:35 UTC
SVN commit 547690 by kloecker:

Fix bug 128513 by properly initializing the creation time of a signature. In case of clear signed messages we can't parse the date, so don't show it.
BUG:128513

 M  +6 -1      partmetadata.h  


--- branches/KDE/3.5/kdepim/kmail/partmetadata.h #547689:547690
@@ -35,7 +35,12 @@
         isEncrypted( false ),
         isDecryptable( false ),
         technicalProblem( false ),
-        isEncapsulatedRfc822Message( false ) {}
+        isEncapsulatedRfc822Message( false )
+    {
+      creationTime.tm_year = 0;
+      creationTime.tm_mon  = 1;
+      creationTime.tm_mday = 1;
+    }
     bool isSigned;
     bool isGoodSignature;
     CryptPlugWrapper::SigStatusFlags sigStatusFlags;
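
Review bot: The new constructor body assigns only tm_year, tm_mon and tm_mday of creationTime, so tm_hour, tm_min, tm_sec, tm_isdst and the other struct tm fields are still uninitialized, which is the same kind of defect the commit message says it is fixing. Zero the whole struct first (for example with memset) and then set the fields that should be non-zero. Also note that in struct tm tm_mon is zero-based and tm_year counts from 1900, so `creationTime.tm_mon  = 1;` together with `tm_mday = 1` encodes 1 February 1900; if 1 January was meant, it should be `tm_mon = 0`. A short comment saying that this value stands for "no creation time available" would help, because the display code that has to test for it is not part of this hunk.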
Comment 9 Michael Trausch 2006-06-03 21:08:09 UTC
Thank you -- I was able to (after some weird issues) rebuild KMail and verify the fix on the timestamp.  Is it possible to have it output the same "Status" line when the key is not present, as with messages that are signed with OpenPGP/MIME and the key is not present?  For example, a message on the KDE core devel list (the one that RH replied to in the attachment to this bug report) shows:

Message was signed with unknown key 0x33F5F0056EF45358.
The validity of the signature cannot be verified.
Status: No public key to verify the signature

RH's only shows:

Message was signed with unknown key 0xDF045E77.
The validity of the signature cannot be verified.

All the data is present for the information to be displayed, I think, at least according to the debug output.  Is this a separate bug that I need to file?

==== Debug output
kmail: (35144, last 35136) Re: qt-dbus compilation problem Ralf Habacker, readyToShow true
kmail: [const QTextCodec* KMReaderWin::overrideCodec() const]  mOverrideEncoding == ''
kmail: [const QTextCodec* KMReaderWin::overrideCodec() const]  mOverrideEncoding == ''
kmail: parseMsg(KMMessage* aMsg == aMsg )
kmail: + Text/Plain
kmail:       Inserting one item into MimePartTree
kmail:                 Content-Type: Text/Plain
kmail: partNode::findType() is looking at Text/Plain
kmail: [static KMail::SpamScores KMail::SpamHeaderAnalyzer::getSpamScores(const KMMessage*)]
kmail: Multiple / No addressees matched email address; Count is 0
kmail: ObjectTreeParser::parseObjectTree( node OK, showOnlyOneMimePart: FALSE )
kmail:         Sorry: Old style Mailman message but no delimiter found.
kmail: [const QTextCodec* KMReaderWin::overrideCodec() const]  mOverrideEncoding == ''
libkdenetwork: GnuPG exited with exit status 2
libkdenetwork: gpg stderr:
libkdenetwork: libkdenetwork: pgp cmd = LANGUAGE=C gpg --batch --decrypt
gpg: Signature made Sat 03 Jun 2006 05:07:29 AM EDT using DSA key ID DF045E77
gpg: Can't check signature: public key not found
libkdenetwork:
libkdenetwork: Message was signed on 'Sat 03 Jun 2006 05:07:29 AM EDT'
libkdenetwork: Message was signed with key 'DF045E77'
==== End Debug Output
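
The behaviour asked for in this comment, as an added example that is not part of the bug report or of KMail's code: it reads the two gpg stderr lines quoted in the debug output and builds the display text, leaving the date out when none was parsed instead of showing a default value. `SigInfo`, `parseGpgStderr` and `renderUnverified` are hypothetical names, and the parser assumes the LANGUAGE=C line shapes shown above.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// gpg stderr copied from the debug output in this report (LANGUAGE=C).
const char *kSampleStderr =
    "gpg: Signature made Sat 03 Jun 2006 05:07:29 AM EDT using DSA key ID DF045E77\n"
    "gpg: Can't check signature: public key not found\n";

struct SigInfo {
    bool hasSignedOn = false;  // stays false when no date could be parsed
    std::string signedOn;      // text between "Signature made " and " using "
    std::string keyId;         // key ID exactly as gpg printed it
    std::string status;        // empty when gpg gave no reason
};

// Hypothetical helper, not KMail's parser: handles only the two line shapes above.
SigInfo parseGpgStderr(const std::string &err) {
    const std::string made = "gpg: Signature made ", keyTag = " key ID ";
    SigInfo info;
    std::istringstream in(err);
    std::string line;
    while (std::getline(in, line)) {
        if (line.compare(0, made.size(), made) == 0) {
            std::string::size_type u = line.find(" using ", made.size());
            std::string::size_type k = line.find(keyTag);
            if (u != std::string::npos && u > made.size()) {
                info.signedOn = line.substr(made.size(), u - made.size());
                info.hasSignedOn = true;
            }
            if (k != std::string::npos) info.keyId = line.substr(k + keyTag.size());
        } else if (line.find("public key not found") != std::string::npos) {
            info.status = "No public key to verify the signature";
        }
    }
    return info;
}

// Display text for an unverifiable signature: a missing date is omitted, never defaulted.
std::string renderUnverified(const SigInfo &info) {
    std::string out = "Message was signed";
    if (info.hasSignedOn) out += " on " + info.signedOn;
    out += " with unknown key";
    if (!info.keyId.empty()) out += " 0x" + info.keyId;
    out += ".";
    if (!info.status.empty()) out += "\nStatus: " + info.status;
    return out;
}
int main() { std::cout << renderUnverified(parseGpgStderr(kSampleStderr)) << "\n"; }
```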
Comment 10 Ingo Klöcker 2006-06-03 23:55:53 UTC
Yes, please file a separate bug report for this.
Comment 11 Michael Trausch 2006-06-07 00:55:26 UTC
On Sat, June 3 2006 17:55, Ingo wrote:
>
> ------- Additional Comments From kloecker kde org  2006-06-03 23:55
> ------- Yes, please file a separate bug report for this.
>


I will file a bug report, then, as soon as the DB comes back up.  
(Hopefully, this makes it into the database... it appears to be down at the 
moment.)

	- Mike