Bug 441209

Summary: signed by a PGP key that doesn't match uid is still "green"
Product: [Applications] kmail2
Reporter: Caleb Cushing <xenoterracide>
Component: crypto
Assignee: kdepim bugs <kdepim-bugs>
Status: REPORTED ---
Severity: normal
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Attachments: screenshot of the green path with sender/receiver

Description Caleb Cushing 2021-08-20 01:18:25 UTC
Created attachment 140865 [details]
screenshot of the green path with sender/receiver

SUMMARY

Using a trusted key to sign with a UID that it doesn't have shouldn't be green. Note: Evolution warns about this.

STEPS TO REPRODUCE
1. create 2 sets of full gpg keys
2. use another client to sign and send one of your emails with the other email's key.

I did this with a misconfiguration via FairEmail.

OBSERVED RESULT

KMail shows green and all happy.

EXPECTED RESULT

KMail should show yellow or red because that key isn't approved for that UID.


ADDITIONAL INFORMATION
Kmail: 5.18.0
Operating System: Manjaro Linux
KDE Plasma Version: 5.22.4
KDE Frameworks Version: 5.85.0
Qt Version: 5.15.2
Kernel Version: 5.10.59-1-MANJARO (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-10610U CPU @ 1.80GHz
Memory: 15.4 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics
Comment 1 Caleb Cushing 2021-08-20 01:26:59 UTC
To me, this should be *red*. The problem here is that if your key is compromised but not your email, someone could still send messages as you, and people who've already imported your key might not even notice the mismatch.
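The check this report asks for, written out as an added example that is not KMail's code: after a signature verifies with a trusted key, the client still has to compare the From address against the user IDs on the signing key before it shows green. The `VerifiedSignature` shape, the colour mapping and the case-insensitive address comparison are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class VerifiedSignature:
    """Assumed shape of a verification result (constructed for this example)."""

    valid: bool                 # cryptographic signature check passed
    key_trusted: bool           # signing key is trusted in the local keyring
    key_uids: list[str] = field(default_factory=list)  # user IDs on the signing key


def normalize_address(header_or_uid: str) -> str:
    """Extract the bare address from a From header or an OpenPGP user ID.

    "Alice <alice@example.org>" and "alice@example.org" both yield
    "alice@example.org". Comparison is case-insensitive (assumption: the
    local part is treated case-insensitively, as most clients do).
    """
    address = parseaddr(header_or_uid)[1].strip().lower()
    return address if "@" in address else ""


def key_covers_sender(from_header: str, key_uids: list[str]) -> bool:
    """True when at least one user ID on the key carries the From address."""
    sender = normalize_address(from_header)
    if not sender:
        return False
    return any(normalize_address(uid) == sender for uid in key_uids)


def signature_status(from_header: str, sig: VerifiedSignature) -> str:
    """Map a verification result to the colour a client should display."""
    if not sig.valid:
        return "red"        # signature does not verify at all
    if not sig.key_trusted:
        return "yellow"     # verifies, but the key itself is not trusted
    if not key_covers_sender(from_header, sig.key_uids):
        # The case from the report: trusted key, but none of its user IDs
        # match the sender. Shown as red here, following comment 1.
        return "red"
    return "green"
```

Without the `key_covers_sender` step the last branch collapses into "green", which is exactly the behaviour the screenshot shows.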