Bug 353317

Summary: kMail 5.0: Wrong signature issuer shown for OpenPGP signed mails (SMIME not tested).
Product: kmail2 (Applications)
Reporter: Gunter Ohrner <kdebugs>
Component: crypto
Assignee: kdepim bugs <kdepim-bugs>
Status: CONFIRMED
Severity: major
CC: amessina, bugs.kde.org
Priority: NOR
Version: 5.13.3
Target Milestone: ---
Platform: Kubuntu
OS: Linux

Description Gunter Ohrner 2015-09-29 11:34:39 UTC
Not sure if there might even be security implications:

A friend of mine sends signed messages which are always

* shown as having a valid signature (green display and everything)
* but from a completely wrong sender (!)

******************************************************************
Die Nachricht enthält die Signatur von Klaus@XXXXXXXXX.de (Schlüsselkennung: 0x9F8E2A98D1A4EDE5).
Die Signatur ist gültig, und der Schlüssel ist vertrauenswürdig.
******************************************************************
(translation: The message contains the signature of Klaus@XXXXXXXXX.de (Key-ID: 0x9F8E2A98D1A4EDE5).
The signature is valid and the key is trusted.)
******************************************************************

I have this public key in my keyring, but it has nothing to do with the mail that is displayed - if I extract its PGP signature into a separate file and use gpg to display information about it, the following is displayed:

******************************************************************
$ LANG= gpg --verify sigfile /dev/null
gpg: Signature made Tue Sep 29 11:11:08 2015 CEST using RSA key ID 22B2951D
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see https://gnupg.org/faq/weak-digest-algos.html for more information
gpg: BAD signature from "Matthias XXXXXXX <matthias@XXXXXXX.de>"
******************************************************************

Neither the mail address nor the key ID has anything to do with the wrong key that is picked up for display by kMail...

I'm also not sure why the wrong key is displayed as "trusted" in the first place - it does not seem to be considered trusted by gpg:

******************************************************************
gpg: using classic trust model
pub  2048R/D1A4EDE5  created: 2000-02-26  expires: never       usage: SCE 
                     trust: undefined     validity: unknown
******************************************************************

Reproducible: Always
Comment 1 Gunter Ohrner 2015-09-29 11:35:36 UTC
(eMail addresses anonymized to avoid collection by spam bots.)
Comment 2 m.eik michalke 2020-10-29 12:44:29 UTC
I can replicate the issue, i.e., I actually just ran into the same thing, using kmail 5.13.3. This should be considered a security issue, as someone can be tricked into believing an e-mail came from a certain person when it actually did not.

This probably was less of a problem in 2015, but today web key directory support (which is a good thing!) automatically imports available OpenPGP keys into your keyring as soon as you have a fitting mail address in the To: field of the editor (you don't even have to send a mail). Even if those addresses aren't signed by you, here's a potential for confusion.

kmail should always verify that the sender address is a valid identity of the OpenPGP key used for signing. I would also add that info to the details.
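The check Comment 2 asks for, written out as an added example that is not KMail's or GnuPG's code: it reads the machine-readable status lines that `gpg --status-fd 1 --verify` emits, takes the signing key and user ID from the GOODSIG/BADSIG line rather than from any key looked up by the client, and only returns "show as verified" when the signature is GOODSIG, gpg's own TRUST_* verdict is full or ultimate, and the From: address is an address of the signing key's user ID. The three status transcripts embedded below are constructed for illustration from the values quoted in the report (the short key ID 22B2951D is padded to long-ID and fingerprint length, and the From: address matthias@XXXXXXX.de is assumed); the `Verdict` class and all function names are this example's own.

```python
"""Added example (not KMail's or GnuPG's code): judge what a mail client may
display for an OpenPGP-signed message from gpg's --status-fd output.

Rule applied, as proposed in the bug thread: the From: address must be an
address of the key that actually made the signature, the signature must be
GOODSIG (never BADSIG), and "trusted" must come from gpg's TRUST_* line.
"""
import re
import subprocess
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "
# Only these gpg trust verdicts justify rendering the key as "trusted".
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}
# Address part of a user ID such as 'Name <user@example.org>'.
EMAIL_RE = re.compile(r"<([^<>]+)>\s*$")


@dataclass
class Verdict:
    signature: str = "none"         # "good", "bad", "error" (e.g. key missing) or "none"
    key_id: str = ""                # long key ID of the key that made the signature
    fingerprint: str = ""           # fingerprint from VALIDSIG (good signatures only)
    signer_uid: str = ""            # user ID string gpg printed with the signature
    trust: str = "TRUST_UNDEFINED"  # gpg's TRUST_* verdict, if it emitted one
    sender_matches: bool = False    # True only if From: is the address in signer_uid

    @property
    def show_as_verified(self) -> bool:
        """What the UI may render as 'signature valid and key trusted'."""
        return (self.signature == "good"
                and self.trust in TRUSTED_LEVELS
                and self.sender_matches)


def parse_status(status_lines, from_address):
    """Build a Verdict from gpg --status-fd lines describing one signature."""
    v = Verdict()
    for raw in status_lines:
        if not raw.startswith(STATUS_PREFIX):
            continue                      # ordinary stderr text, not a status line
        fields = raw[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword in ("GOODSIG", "BADSIG"):
            # Format: GOODSIG|BADSIG <long key id> <user id>
            v.signature = "good" if keyword == "GOODSIG" else "bad"
            v.key_id = fields[1]
            v.signer_uid = fields[2] if len(fields) > 2 else ""
        elif keyword == "ERRSIG":
            # Format: ERRSIG <key id> <pk algo> <hash algo> <class> <time> <rc> ...
            v.signature = "error"
            v.key_id = fields[1]
        elif keyword == "VALIDSIG":
            # Format: VALIDSIG <fingerprint> <date> <timestamp> ...
            v.fingerprint = fields[1]
        elif keyword.startswith("TRUST_"):
            v.trust = keyword
    m = EMAIL_RE.search(v.signer_uid)
    uid_address = m.group(1) if m else v.signer_uid
    v.sender_matches = bool(uid_address) and uid_address.lower() == from_address.strip().lower()
    return v


def display_line(v):
    """The detail text a client could show, including the sender check."""
    return (f"signature: {v.signature}; key: {v.key_id} ({v.signer_uid or 'unknown'}); "
            f"trust: {v.trust}; sender matches key: {'yes' if v.sender_matches else 'no'}; "
            f"verdict: {'VERIFIED' if v.show_as_verified else 'NOT verified'}")


def verify_with_gpg(signature_path, data_path, from_address, gpg="gpg"):
    """Run gpg on a detached signature and judge the result (needs gpg installed)."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False)
    return parse_status(proc.stdout.splitlines(), from_address)


# Constructed transcripts (not real gpg output). Key IDs are those quoted in the
# report; 22B2951D is zero-padded to long-ID/fingerprint length here.
REPORTED_BAD = [            # what gpg reported for the extracted signature
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0000000022B2951D Matthias XXXXXXX <matthias@XXXXXXX.de>",
]
WRONG_KEY_GOOD = [          # the key kMail displayed: good, but untrusted and not the sender
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 9F8E2A98D1A4EDE5 Klaus <Klaus@XXXXXXXXX.de>",
    "[GNUPG:] VALIDSIG 0000000000000000000000009F8E2A98D1A4EDE5 2015-09-29 1443517868 0 4 0 1 2 00 0000000000000000000000009F8E2A98D1A4EDE5",
    "[GNUPG:] TRUST_UNDEFINED 0 classic",
]
MATCHING_GOOD = [           # what a correct "valid and trusted" display requires
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0000000022B2951D Matthias XXXXXXX <matthias@XXXXXXX.de>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000022B2951D 2015-09-29 1443517868 0 4 0 1 2 00 0000000000000000000000000000000022B2951D",
    "[GNUPG:] TRUST_FULLY 0 classic",
]

if __name__ == "__main__":
    for name, lines in (("report", REPORTED_BAD), ("wrong key", WRONG_KEY_GOOD),
                        ("matching", MATCHING_GOOD)):
        print(f"{name:>10}: {display_line(parse_status(lines, 'matthias@XXXXXXX.de'))}")
```

Two caveats for anyone turning this into a real check: gpg prints only the primary user ID on the GOODSIG line, so a client that wants to accept any of the key's addresses must list the key's user IDs separately (for example with `--with-colons --list-keys <fingerprint>`) and compare all of them; and a BADSIG line still names the key that produced the signature, which is exactly the identity the display should be built from, never a key found by searching the keyring for a matching address.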