Bug 150875

Summary: KMail says it can "The signature is valid, but the key's validity is unknown." when that's not true
Product: [Applications] kmail
Component: general
Status: RESOLVED NOT A BUG
Severity: normal
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: unspecified
OS: Linux
Reporter: Albert Astals Cid <aacid>
Assignee: kdepim bugs <kdepim-bugs>
CC: aheinecke, arthur, maraval_p
Latest Commit:
Version Fixed In:
Attachments: Screenshot showing kmail saying it doesn't know the trust of the key and kgpg and gpg --edit-key saying I have full trust on it

Description Albert Astals Cid 2007-10-15 23:17:36 UTC
Version:           1.9.6 (enterprise 0.20070907.709405) (using KDE 3.5.8, Kubuntu (gutsy) 4:3.5.8-0ubuntu1)
Compiler:          Target: x86_64-linux-gnu
OS:                Linux (x86_64) release 2.6.22-14-generic

A screenshot is worth more than one hundred words, I'm attaching it later. Basically kmail says "The signature is valid, but the key's validity is unknown." when I have full trust on the key.

Comment 1 Albert Astals Cid 2007-10-15 23:20:40 UTC
Created attachment 21828
Screenshot showing kmail saying it doesn't know the trust of the key and kgpg and gpg --edit-key saying I have full trust on it

Comment 2 zless 2012-09-17 11:47:16 UTC
For the first time I've seen this also with kmail2 in KDE 4.9.1.

Comment 3 zless 2012-09-17 16:22:06 UTC
I found out the problem in my case. The other people's keys were certified locally by a key which I later revoked.

Certifying the keys again with a valid key solves the problem.

Not a bug IMO.

Comment 4 Albert Astals Cid 2012-09-17 16:28:05 UTC
That's your case, not mine

Comment 5 Pierre Maraval 2013-08-14 14:45:56 UTC
It only means that you didn't sign the key...

I agree it is a bad thing and should be corrected because it incites people to sign each and every key without the "Very careful checking" signing should require... 

You can fully trust a sender and/or his/her key without having done a careful footprint checking and signed his/her key.

Comment 6 Andre Heinecke 2013-08-15 07:49:15 UTC
Pierre: There is a trust model in place to avoid having to sign every key to trust the owner. http://www.gnupg.org/gph/en/manual/x334.html

Albert: You can see in your screenshot that you have unknown trust in the identity ottens@kde.org and that's what KMail says to you (it just takes its information from gnupg for that matter). If Kevin would have sent the mail as ervin@kde.org it would have been green. As you know that the identities ottens@kde.org and ervin@kde.org are the same person (keyholder) I see no reason why you should not sign this and then kmail would show it as valid/trusted again.

But imagine the case that you trust my key aheinecke@intevation.de and then one day I decide to add ottens@kde.org to this identity and send you a mail. You would not want to see that as a valid signature.
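
The distinction drawn in comment 6 between owner trust on a key and validity of each user ID, as an added example that is not part of the original thread and is not KMail's or GnuPG's code. It parses `gpg --with-colons --list-keys` style output; the key IDs, timestamps and the "Keyholder" name are constructed, and matching the sender address against the user ID validity is an assumption modelled on the behaviour described in comment 6.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output (GnuPG 2.x layout).
# Key IDs, dates and the name are made up; the two addresses are those in the report.
SAMPLE = """\
pub:f:1024:17:0123456789ABCDEF:1100000000:::f:::scESC:
uid:f::::1100000000::::Keyholder <ervin@kde.org>:
uid:-::::1180000000::::Keyholder <ottens@kde.org>:
sub:f:2048:16:FEDCBA9876543210:1100000000::::::e:
"""

# Validity letters used in field 2 of the colon listing.
VALIDITY = {"o": "unknown", "-": "unknown", "q": "undefined", "n": "not valid",
            "m": "marginal", "f": "full", "u": "ultimate",
            "i": "invalid", "r": "revoked", "e": "expired", "d": "disabled"}

def parse_keys(listing):
    """Return {keyid: {"ownertrust": letter, "uids": {email: validity letter}}}."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # field 5 = key ID; field 9 = owner trust, i.e. how far the holder is
            # trusted to certify *other* keys. It says nothing about any user ID.
            current = keys.setdefault(f[4], {"ownertrust": f[8] or "-", "uids": {}})
        elif f[0] == "uid" and current is not None:
            # field 2 = computed validity of this user ID; field 10 = the user ID
            uid = re.sub(r"\\x([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), f[9])
            m = re.search(r"<([^>]+)>", uid)
            current["uids"][(m.group(1) if m else uid).lower()] = f[1] or "-"
    return keys

def signature_status(keys, keyid, sender):
    """Status for a cryptographically good signature by keyid on mail from sender."""
    validity = keys[keyid]["uids"].get(sender.lower())
    if validity is None:
        return "good signature, sender address not on key"
    if validity in ("f", "u"):
        return "good signature, key valid for sender"
    return "good signature, key validity " + VALIDITY.get(validity, "unknown")

if __name__ == "__main__":
    ring = parse_keys(SAMPLE)
    for addr in ("ervin@kde.org", "ottens@kde.org"):
        print(addr, "->", signature_status(ring, "0123456789ABCDEF", addr))
```

Owner trust on the sample key is full in both cases; only the per-user-ID validity differs, which is why the two sender addresses produce different results.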