Version: 1.12.0 (using 4.3.00 (KDE 4.3.0), compiled sources)
Compiler: gcc
OS: Linux (i686) release 2.6.30.4

Security error. KMail marks valid S/MIME certs as yellow/unknown. Thunderbird correctly verifies the same mail. This important security bug is present in all KDE3 releases. Marking correct and validly signed mails yellow renders KMail useless for serious use of mail.

Yellow background and message in KMail:

Not enough information to check signature.
0x6E397FA948A567BD
Status: No status information available.

Show Audit Log:
* Data verification succeeded: Yes
* Data available: Yes
* Signature available: Yes
* Parsing signature succeeded: Yes
* Signature 0: Bad
  * (#0F8155AE522723A99084341BDF7BEB0D/OU=VeriSign Class 2 OnSite Individual CA,O=VeriSign)
* Certificate chain available: Yes
  * (root certificate missing)
  * (#0F8155AE522723A99084341BDF7BEB0D/OU=VeriSign Class 2 OnSite Individual CA,O=VeriSign)
  * (/1.2.840.113549.1.9.1=#6B6F6E74616B74406D62616E6B2E706C,CN=mBank\, Bankowosc Detaliczna BRE Banku SA,OU=www.verisign.com/repository/CPS Incorp. by Ref.\,LIAB.LTD(c)99,OU=DIN,O=BRE Bank SA,L=Warszawa,ST=mazowieckie,C=PL)
* Certificate chain valid: No
  * (Not found)
* CRL/OCSP check of certificates: -
* Included certificates: 2
  * (#0F8155AE522723A99084341BDF7BEB0D/OU=VeriSign Class 2 OnSite Individual CA,O=VeriSign)
  * (/1.2.840.113549.1.9.1=#6B6F6E74616B74406D62616E6B2E706C,CN=mBank\, Bankowosc Detaliczna BRE Banku SA,OU=www.verisign.com/repository/CPS Incorp. by Ref.\,LIAB.LTD(c)99,OU=DIN,O=BRE Bank SA,L=Warszawa,ST=mazowieckie,C=PL)
  * (#60380BA28BC650E209C1B6FF18348FB4/OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 2 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US)
  * (/OU=VeriSign Class 2 OnSite Individual CA,O=VeriSign)
* Dirmngr usable: Yes
KMail should have root certificates built in, or at least recognize root certificates when they are correctly imported. Or add an option to mark imported root certificates as root certificates for KMail. Now all correctly S/MIME-signed mail is yellow even if the certificate path is complete, because:
1. KMail does not have root certificates built in, and
2. it does not allow marking an imported root certificate as a root.
Please fix this security bug. This bug has been infamous since KDE3.
KMail 1.12.4 (KDE 4.3.5) and this bug is still here. Today I got another S/MIME-signed mail. This time it was a Unizeto certificate. KMail as usual failed to validate the correct signature and displayed it in yellow, complaining: "root certificate missing". Saving the signed mail as a *.eml file, I was able to import it into Mozilla Thunderbird, which displayed it as signed with a correct and valid signature. Thunderbird allowed me to display the certificate path with an option to save the full certificate path. Thanks to this I was able to export the full certificate path as PEM or PKCS7 files or a DER file. Importing this file into Kleopatra allowed KMail to display this signed mail in green, saying that this mail is signed correctly and the signature is valid. I tried this way to import the Verisign root certificate (the one reported in this bug) but failed. The Verisign root certificate is imported in Kleopatra, but signed mails using the Verisign certificate still remain yellow.
1. KMail today still has buggy S/MIME: the "root certificate missing" bug known since KDE3. Nothing has changed since KDE3.
2. I still do not understand why the Unizeto root certificate could be correctly imported from Thunderbird and the Verisign one not.
3. It is sad to see KMail needs Thunderbird's help to correctly handle S/MIME-signed mails and almost always fails even with Thunderbird's help.
4. It is sad to see that this bug still gains no interest when phishing, scams and e-frauds appear in mailboxes every day.
Usage of root certificate import is very strange in Kleopatra. I imported a Root CA in Kleopatra and it is not marked as trusted. I have not found any way or setting to mark it trusted. My question is: what should I import a Root CA into Kleopatra for? It does not trust that root CA and consequently does not trust certificates signed by this root CA. If I had not imported the Root CA at all, I would see the same behavior.
(In reply to comment #3)
> Usage of root certificates import is very strange in kleopatra. I imported Root
> CA in Kleopatra and it is not marked as trusted. I have not found any way or
> setting to mark it trusted.

Yeah, I agree with you. I finally managed to trust the CA: check the option "Allow clients to mark keys as 'trusted'" in the 'GPG Agent' tab, and wait for Kleopatra to download a bunch of certificates; I said yes to all. Finally I signed my emails. Hope that helps.
This is highly annoying.
Right, use "Allow mark trusted" in Kleopatra's config dialog.
(In reply to comment #6)
> Right, use "Allow mark trusted" in Kleopatra's config dialog.

I may sound stupid, but I can't find the config dialog. I don't see any menubar, and in the right-click menus I don't see it either.
(In reply to comment #7)
> (In reply to comment #6)
> > Right, use "Allow mark trusted" in Kleopatra's config dialog.
>
> I may sound stupid, but I can't find the config dialog. I don't see any
> menubar and in a right-click menus don't see it either.

Kleopatra 2.1.1 (Gpg4win 2.1.1): Settings > Configure Kleopatra > GnuPG System > Gpg Agent tab > "Disallow clients to mark keys as 'trusted'" (default: disabled)
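The thread's resolution is that Kleopatra/KMail verify S/MIME through gpgsm, and gpgsm does not treat an imported root CA as trusted until its fingerprint is listed in GnuPG's trustlist.txt (the "Allow clients to mark keys as 'trusted'" checkbox corresponds to gpg-agent's allow-mark-trusted option, which lets the agent add that entry interactively). The script below is an added example, not code from the bug thread, KDE or GnuPG: it records a root CA's SHA-1 fingerprint in trustlist.txt non-interactively, idempotently, and rejects malformed fingerprints; the file paths and the command-line flags `--apply`, root PEM and message are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread or from KDE/GnuPG): make gpgsm, and
# therefore KMail/Kleopatra, trust an imported S/MIME root CA by writing its
# SHA-1 fingerprint into ~/.gnupg/trustlist.txt. Importing a root into the
# certificate store alone grants no trust; the "<fingerprint> S" line does.
# Assumes openssl, gpgsm and gpgconf are installed; paths are examples.
set -eu

GNUPGHOME="${GNUPGHOME:-${HOME:-.}/.gnupg}"
TRUSTLIST="$GNUPGHOME/trustlist.txt"

# Normalise a fingerprint: drop colons and spaces, uppercase; fail unless it
# is 40 hex digits (the SHA-1 form trustlist.txt uses for X.509 certificates).
norm_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    printf '%s' "$fpr" | grep -Eq '^[0-9A-F]{40}$' || return 1
    printf '%s\n' "$fpr"
}

# SHA-1 fingerprint of a PEM certificate file, computed with openssl.
cert_fpr() {
    norm_fpr "$(openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//')"
}

# True if the trustlist already has an "S" (trusted S/MIME root) entry for it.
trustlist_has() {
    fpr=$(norm_fpr "$1") || return 1
    [ -f "$2" ] && grep -Eq "^$fpr[[:space:]]+S([[:space:]]|$)" "$2"
}

# Append "<fingerprint> S" unless already present; refuses malformed input.
trustlist_add() {
    fpr=$(norm_fpr "$1") || return 1
    trustlist_has "$fpr" "$2" && return 0
    mkdir -p "$(dirname "$2")"
    printf '%s S\n' "$fpr" >> "$2"
}

# Typical use (hypothetical --apply flag; runs only when gpgsm is present):
# import the root, trust it, reload gpg-agent so the new trustlist is read,
# then re-verify the opaque-signed CMS object (e.g. smime.p7m) from the mail.
if [ "${1:-}" = "--apply" ] && command -v gpgsm >/dev/null 2>&1; then
    root_pem="$2"     # root certificate exported from Thunderbird, as in the thread
    signed_msg="$3"   # CMS signature object extracted from the saved message
    gpgsm --import "$root_pem"
    trustlist_add "$(cert_fpr "$root_pem")" "$TRUSTLIST"
    gpgconf --reload gpg-agent
    gpgsm --verify "$signed_msg"
fi
```

After the reload, the audit log's "Certificate chain valid" should turn to Yes for mails chaining to that root; any root you add this way becomes a trust anchor for every S/MIME verification, so add only roots you have verified out of band.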