Bug 331991

Created attachment 85516 [details]
Attached is a sample mail which a valid signature which will be damaged when using "Pipe Through".

Notice the user agent of the mail: It's KMail, so KMail even damages its own mails.

Downstream bug report at Ubuntu: https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/1290506

I can confirm with kmail 4.13rc.

It can be tracked down to the mark as action (mailcommon/filter/filteractionsetstatus.cpp).

So all mark as Ham, Spam or Important via Filter are affected.

The bug lies in the mailmodifyjob, that modifies the mail in a way that it breaks:
agents/mailfilteragent/filtermanager.cpp (line 467):
      if ( context.needsPayloadStore() || context.needsFlagStore() ) {
          Akonadi::Item item = context.item();
          //the item might be in a new collection with a different remote id, so don't try to force on it
          //the previous remote id. Example: move to another collection on another resource => new remoteId, but our context.item()
          //remoteid still holds the old one. Without clearing it, we try to enforce that on the new location, which is
          //anything but good (and the server replies with "NO Only resources can modify remote identifiers"
          item.setRemoteId(QString());
          Akonadi::ItemModifyJob *modifyJob = new Akonadi::ItemModifyJob( item, this );
          modifyJob->disableRevisionCheck(); //no conflict handling for mails as no other process could change the mail body and we don't care about flag conflicts
          //The below is a safety check to ignore modifying payloads if it was not requested,
          //as in that case we might change the payload to an invalid one
          modifyJob->setIgnorePayload( !context.needsFullPayload() );
          connect( modifyJob, SIGNAL(result(KJob*)), SLOT(modifyJobResult(KJob*)));
      }


Using the Menu (Message->Mark Message) the signatuer is not getting broken.

It is also important to mention that this NOT only applies to pressing the buttons. It also happens upon the *automatic* filtering at arrival of the mail.

So effectively, this makes spam detection unusable for people who need GnuPG, or vice versa.

Given that we live in the age of the NSA scandal, I would be really glad if you could fix this soon. 

As developers, I think we can all agree tahat the whole open source world relies upon GPG for mail signatures, and it is really annoying to get lots of broken signatures on development mailing lists. I ought to NOT trust mails of other developers with broken signatures - how am I supposed to work like that? :(

Still happens with kmail Version: 4:4.13.3-0ubuntu0.1

I am now offering a bounty of $ 20, paid in Bitcoin, to whoever gets a fix merged. 
To claim the bounty:
- Use signed Git commits (git commit --gpg-sign) on the fixes.
- Post an URL which shows that the commits are merged into the main repository.
- Post your Bitcoin address GPG-signed with the same key as the commits.

Thank you.

Hey,

well I just answer you, 'cause I'm the dev that was/is fixing gpg bugs in 
kmail:) I would have fixed it in the past, if I had time to fix it... but as I 
wrote before, the problem live in the modifyitemjobs. Till november I won't 
find time to fix this bug but after I can focus again at upstream bugs :)

Regads,

sandro

--

Am Freitag, 3. Oktober 2014, 22:04:59 schrieben Sie:
> https://bugs.kde.org/show_bug.cgi?id=331991
> 
> --- Comment #8 from xor <xor@gmx.li> ---
> I am now offering a bounty of $ 20, paid in Bitcoin, to whoever gets a fix
> merged.
> To claim the bounty:
> - Use signed Git commits (git commit --gpg-sign) on the fixes.
> - Post an URL which shows that the commits are merged into the main
> repository. - Post your Bitcoin address GPG-signed with the same key as the
> commits.
> 
> Thank you.

I am rasing the bounty to fix this from $ 20 to $ 30, paid in Bitcoin, to whoever gets a fix merged. To claim the bounty:
- Use signed Git commits (git commit --gpg-sign) on the fixes.
- Post an URL which shows that the commits are merged into the main repository.
- Post your Bitcoin address GPG-signed with the same key as the commits. Thank you.

I have now two review requests, that fixes the problem together:
https://git.reviewboard.kde.org/r/122961
https://git.reviewboard.kde.org/r/122933

Btw. the key of the mail is expired in meanwhile:

GpgME::VerificationResult(
 error:      GpgME::Error(0 (Erfolg))
 fileName:   
 signatures:
GpgME::Signature(
 Summary:                   GpgME::Signature::Summary(KeyExpired )
 Fingerprint:               285BD3152424E17EC4E2FB8A61435B7375941D88
 Status:                    GpgME::Error(117440665 (Schlüssel abgelaufen))
 creationTime:              1347385792
 expirationTime:            0
 isWrongKeyUsage:           0
 isVerifiedUsingChainModel: 0
 pkaStatus:                 GpgME::Signature::PKAStatus()
 pkaAddress:                <null>
 validity:                  ?
 nonValidityReason:         GpgME::Error(0 (Erfolg))
 publicKeyAlgorithm:        DSA
 hashAlgorithm:             SHA256
 policyURL:                 <null>
 notations:
)

Git commit 02fc4cfd8f3e976a26d7748fd612fce398051b4c by Sandro Knauß.
Committed on 14/03/2015 at 20:14.
Pushed by knauss into branch 'KDE/4.14'.

Do not change mails, if use pipe through filter.

For signed mails the body of the mail has not to change not even slightly.
FIXED-IN: 4.16.7
REVIEW: 122961

M  +17   -0    mailcommon/filter/autotests/CMakeLists.txt
A  +343  -0    mailcommon/filter/autotests/actionpipethrough.cpp     [License: LGPL (v2+)]
A  +47   -0    mailcommon/filter/autotests/actionpipethrough.h     [License: LGPL (v2+)]
M  +9    -3    mailcommon/filter/filteractions/filteractionwithcommand.cpp

http://commits.kde.org/kdepim/02fc4cfd8f3e976a26d7748fd612fce398051b4c

*** Bug 322932 has been marked as a duplicate of this bug. ***