Bug 497886

Summary: Signature verification shows "certificate validity unknown" if only non-primary UID of signing key is trusted
Product: kleopatra (Applications)
Reporter: Tilman Blumenbach <tilman>
Component: general
Assignee: Ingo Klöcker <kloecker>
Status: REPORTED ---
Severity: minor
CC: aheinecke, kdepim-bugs, mutz
Priority: NOR
Version: 4.0.0.241200
Target Milestone: ---
Platform: Arch Linux
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Tilman Blumenbach 2024-12-25 16:07:28 UTC
SUMMARY

When verifying a signature, and only a non-primary UID of the key that made the signature is trusted, Kleopatra says that the "certificate's validity is unknown".

That is, "gpg -k" shows the following for the key in question:

--------------------------------------------------------------------
pub   rsa2048 2011-06-25 [SC] [undefined]
      487E ACC0 8557 AD08 2088  DABA 1EB2 638F F56C 0C53
uid           [ unknown] Dave Reisner <d@falconindy.com>
uid           [  full  ] Dave Reisner <dreisner@archlinux.org>
sub   rsa2048 2011-06-25 [E]
--------------------------------------------------------------------

Hence, "gpg --verify" correctly determines that a signature made by that key is fully valid ("good") since I *did* sign one of its non-primary UIDs (even though I did not sign the primary UID):

--------------------------------------------------------------------
$ gpg --verify ponymix-5.tar.xz.sig
gpg: assuming signed data in 'ponymix-5.tar.xz'
gpg: Signature made Mo 03 Okt 2016 20:13:57 CEST
gpg:                using RSA key 1EB2638FF56C0C53
gpg: Good signature from "Dave Reisner <d@falconindy.com>" [unknown]
gpg:                 aka "Dave Reisner <dreisner@archlinux.org>" [full]
Primary key fingerprint: 487E ACC0 8557 AD08 2088  DABA 1EB2 638F F56C 0C53
--------------------------------------------------------------------

But Kleopatra wrongly says that the certificate's validity is unknown:

--------------------------------------------------------------------
Verified ‘/home/tilman/tmp/aur/ponymix/ponymix-5.tar.xz’ with signature in ‘/home/tilman/tmp/aur/ponymix/ponymix-5.tar.xz.sig’.

Signature created on Montag, 3. Oktober 2016 20:13:57 Mitteleuropäische Sommerzeit with certificate: Dave Reisner <d@falconindy.com> (1EB2 638F F56C 0C53)
The signature is valid but the certificate's validity is unknown.
--------------------------------------------------------------------

So it seems like Kleopatra requires the primary UID to be trusted, and doesn't check any non-primary UIDs for trust.

This is confusing, since one has to check the "Audit log" to figure out that the signature is in fact fully valid.


STEPS TO REPRODUCE
1. Sign only a non-primary UID of some key with your own key.
2. Check a signature made by this key with Kleopatra.
3. Also check the signature with "gpg --verify".

OBSERVED RESULT

"gpg --verify" will show a "good" (fully trusted) signature because even though the primary UID of the signing key is not trusted, a non-primary UID is.

Kleopatra will, in contrast, show that the "certificate's validity is unknown" since it seemingly only checks the primary UID of the signing key for trust.

EXPECTED RESULT

Kleopatra shows that the signature is fully valid/trusted, just like "gpg --verify".

Or, it could at least note that while the primary UID of the signing key is untrusted, a non-primary UID is.


SOFTWARE/OS VERSIONS

KDE Plasma Version: 6.2.4
KDE Frameworks Version: 6.9.0
Qt Version: 6.8.1
Comment 1 Tilman Blumenbach 2024-12-25 16:38:58 UTC
Forgot to mention my GnuPG version -- it's 2.4.7.
Comment 2 Ingo Klöcker 2024-12-27 20:23:59 UTC
Kleopatra doesn't evaluate anything about trust or validity. It just displays the result of the verification done by gpg.

What is the output for `gpg --verify --status-fd 2 ponymix-5.tar.xz.sig`?
Comment 3 Ingo Klöcker 2024-12-27 20:31:07 UTC
By the way, the output of `gpg -k` already shows you that gpg doesn't consider the key as valid. The validity is listed as "undefined":
```
pub   rsa2048 2011-06-25 [SC] [undefined]
```
Comment 4 Tilman Blumenbach 2024-12-27 21:31:11 UTC
(In reply to Ingo Klöcker from comment #2)
> Kleopatra doesn't evaluate anything about trust or validity. It just
> displays the result of the verification done by gpg.
> 
> What is the output for `gpg --verify --status-fd 2 ponymix-5.tar.xz.sig`?

Thanks for the response, and happy holidays! The output is:

-------------------
gpg: assuming signed data in 'ponymix-5.tar.xz'
[GNUPG:] NEWSIG
gpg: Signature made Mo 03 Okt 2016 20:13:57 CEST
gpg:                using RSA key 1EB2638FF56C0C53
[GNUPG:] KEY_CONSIDERED 487EACC08557AD082088DABA1EB2638FF56C0C53 0
[GNUPG:] SIG_ID AGt7anGLVsxlzpnHuteFJ7qu0mo 2016-10-03 1475518437
[GNUPG:] KEY_CONSIDERED 487EACC08557AD082088DABA1EB2638FF56C0C53 0
[GNUPG:] GOODSIG 1EB2638FF56C0C53 Dave Reisner <d@falconindy.com>
gpg: Good signature from "Dave Reisner <d@falconindy.com>" [unknown]
gpg:                 aka "Dave Reisner <dreisner@archlinux.org>" [full]
[GNUPG:] VALIDSIG 487EACC08557AD082088DABA1EB2638FF56C0C53 2016-10-03 1475518437 0 4 0 1 8 00 487EACC08557AD082088DABA1EB2638FF56C0C53
[GNUPG:] TRUST_FULLY 0 pgp
Primary key fingerprint: 487E ACC0 8557 AD08 2088  DABA 1EB2 638F F56C 0C53
-------------------

Note "TRUST_FULLY 0 pgp" which appears to indicate that the signing key is fully valid.


(In reply to Ingo Klöcker from comment #3)
> By the way, the output of `gpg -k` already shows you that gpg doesn't
> consider the key as valid. The validity is listed as "undefined":
> ```
> pub   rsa2048 2011-06-25 [SC] [undefined]
> ```

That's just the key's ownertrust since I have set "list-options show-ownertrust" in my GPG config (sorry, should've mentioned that).

The actual key validity for signature verification is, to my understanding, displayed next to the UID -- and that's "full" for the secondary UID:

---------
uid           [ unknown] Dave Reisner <d@falconindy.com>
uid           [  full  ] Dave Reisner <dreisner@archlinux.org>
---------
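Added example, not code from Kleopatra or GnuPG: a small parser for the `--status-fd` lines quoted above that takes the verdict from gpg's own GOODSIG/VALIDSIG/TRUST_* lines (which already reflect gpg's web-of-trust evaluation across every UID, not only the primary one). It goes slightly beyond this report by also handling BADSIG/ERRSIG and several NEWSIG blocks; the `Verdict` type and `describe` wording are my own.

```python
# Added example (not Kleopatra's or GnuPG's code): take the verdict from gpg's
# own GOODSIG/VALIDSIG/TRUST_* status lines, which already reflect the
# web-of-trust computation over all UIDs, not only the primary one.
import re
from dataclasses import dataclass
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

@dataclass
class Verdict:
    good: bool = False              # GOODSIG seen for this signature
    fingerprint: str = ""           # primary key fingerprint from VALIDSIG
    trust: str = "TRUST_UNDEFINED"  # TRUST_* level reported by gpg

def parse_status(text: str) -> list:
    """One Verdict per NEWSIG block; human-readable 'gpg:' lines are skipped."""
    verdicts, cur = [], None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        kw, args = m.group(1), (m.group(2) or "").split()
        if kw == "NEWSIG":
            verdicts.append(cur := Verdict())
        elif cur is None:
            continue
        elif kw == "GOODSIG":
            cur.good = True
        elif kw in ("BADSIG", "ERRSIG"):
            cur.good = False
        elif kw == "VALIDSIG":
            cur.fingerprint = args[-1]  # last field: primary key fingerprint
        elif kw.startswith("TRUST_"):   # TRUST_UNDEFINED ... TRUST_ULTIMATE
            cur.trust = kw
    return verdicts

def describe(v: Verdict) -> str:
    if not v.good:
        return "signature invalid"
    if v.trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return "signature valid and certificate fully valid"
    if v.trust == "TRUST_MARGINAL":
        return "signature valid, certificate marginally valid"
    return "signature valid but certificate validity unknown"

# Status-fd lines exactly as quoted in comment 4 (human-readable lines omitted).
SAMPLE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1EB2638FF56C0C53 Dave Reisner <d@falconindy.com>
[GNUPG:] VALIDSIG 487EACC08557AD082088DABA1EB2638FF56C0C53 2016-10-03 1475518437 0 4 0 1 8 00 487EACC08557AD082088DABA1EB2638FF56C0C53
[GNUPG:] TRUST_FULLY 0 pgp
"""
```

Running `describe(parse_status(SAMPLE)[0])` on the quoted output yields "signature valid and certificate fully valid", matching what `gpg --verify` prints for this key.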
Comment 5 Bug Janitor Service 2025-01-11 03:47:58 UTC
🐛🧹 ⚠️ This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information, then set the bug status to REPORTED. If there is no change for at least 30 days, it will be automatically closed as RESOLVED WORKSFORME.

For more information about our bug triaging procedures, please read https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging.

Thank you for helping us make KDE software even better for everyone!