Bug 59626

Summary: signed pgp/mime mail with expired key shows bad signature
Product: [Unmaintained] kmail Reporter: Juan F. Codagnone <juan-open>
Component: encryption Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED DUPLICATE    
Severity: normal CC: dwmw2, juan-open
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Compiled Sources   
OS: Linux   

Description Juan F. Codagnone 2003-06-11 00:28:46 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources

PGP/MIME emails signed with a now-expired key are shown as having a bad signature.

This is probably known (the code to handle this is commented out), but I didn't see anything like that filed.


I see in KMReaderWin::sigStatusToString (kmreaderwin.cpp:1740):

746                switch( status_code ) {
(gdb) p status_code
$6 = 8

and in the source code:

            /* PENDING(khz) Verify exact meaning of the following values:
            case 7: // GPGME_SIG_STAT_GOOD_EXP
                return i18n("Signature certificate is expired");
            break;
            case 8: // GPGME_SIG_STAT_GOOD_EXPKEY
                return i18n("One of the certificate's keys is expired");
            break;
            */

Best wishes,
   Juan.

P.S. If you want, I can attach a test case.
Comment 1 Juan F. Codagnone 2003-06-11 14:56:59 UTC
I forgot to say the most important thing (and yes, the code I pasted has nothing 
to do with the red mark). Using the inline PGP signature, I get "The signature 
is valid, but the key's validity is unknown." and a yellow mark.
Comment 2 Bernhard E. Reiter 2003-06-12 11:00:29 UTC
The yellow mark is correct behaviour, as far as I can tell from your description. 
Note that what you call "inline" actually is PGP/MIME and thus OpenPGP 
conformant.  
 
Comment 3 Till Adam 2004-07-18 18:30:49 UTC
So is KMail at fault here or isn't it? Can someone with more knowledge of pgp semantics comment, please?
Comment 4 Ingo Klöcker 2006-03-14 15:23:21 UTC
*** Bug 123288 has been marked as a duplicate of this bug. ***
Comment 5 kavol 2007-10-08 12:00:17 UTC
> So is KMail at fault here or isn't it?

I see it as a KMail fault ... the signature is valid - if the email was *sent* (and signed) before the expiration date then the signature cannot be invalidated just because time passes; the signature would be invalid if it was *created*, not read, after the expiration date

imagine a real world example - you sign some agreement for a limited time frame, e.g. one year; after some more years things go wrong and the agreement becomes important at court ... could you imagine that the judge says, looking at the paper with your signature, that the signature is invalid, the ink on the paper (and the record at the attorney) cannot be taken as a proof that you signed it, just because the agreement has expired a few years in the past?
Comment 6 Rolf Eike Beer 2007-12-13 13:11:06 UTC
This is basically a request for more types of trust visualisation. Because of this I'll mark this as a duplicate of a newer bug which in fact asks for a superset of features that would also solve this problem.

*** This bug has been marked as a duplicate of 64424 ***
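
The distinction argued over in this thread (status codes 7 and 8 from the description, and the signing-time argument in comment 5), as an added example that is not KMail's code. The `classify` function, the `Mark` levels, the message strings and the placeholder values for `kGood` and `kBad` are assumptions made for illustration; only codes 7 and 8 come from the report.

```cpp
#include <ctime>
#include <iostream>
#include <string>

// Display levels mirroring the red and yellow marks mentioned in the thread.
enum class Mark { Green, Yellow, Red };

struct SigView { Mark mark; std::string text; };

// 7 and 8 are the codes quoted in the report (GPGME_SIG_STAT_GOOD_EXP and
// GPGME_SIG_STAT_GOOD_EXPKEY). kGood and kBad use placeholder values.
enum SigStatus { kGood = 1, kBad = 2, kGoodExp = 7, kGoodExpKey = 8 };

// sigCreated: creation time stored in the signature. It is supplied by the
// signer, so it is a claim rather than proof of when signing happened.
// keyExpires: expiry time of the signing key, 0 if unknown or unset.
SigView classify(int status, std::time_t sigCreated, std::time_t keyExpires) {
    switch (status) {
    case kGood:
        return {Mark::Green, "Signature is valid"};
    case kGoodExp:
        return {Mark::Yellow, "Signature is valid, but the signature has expired"};
    case kGoodExpKey:
        // Cryptographically good. Compare the signing time with the key's
        // expiry instead of comparing the expiry with the current time.
        if (sigCreated != 0 && keyExpires != 0 && sigCreated < keyExpires)
            return {Mark::Yellow, "Signature is valid; the key expired after signing"};
        return {Mark::Red, "Signature cannot be shown to predate the key's expiry"};
    case kBad:
        return {Mark::Red, "Bad signature"};
    default:
        // Fail closed on any status this code does not understand.
        return {Mark::Red, "Signature status unknown"};
    }
}

int main() {
    // Constructed sample: signed at t=1000, key expired at t=2000.
    SigView v = classify(kGoodExpKey, 1000, 2000);
    std::cout << (v.mark == Mark::Yellow ? "yellow: " : "other: ") << v.text << "\n";
    return 0;
}
```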