Version: 2.1.0 (using KDE 4.7.0)
OS: Linux

Send a signed e-mail from a new account, and use the old PGP key without adding the new e-mail account to the list. This will show up as "green" at the receiver side, since the signature itself is valid, but there's no check against the e-mail originator. Clicking on "details" shows only the main e-mail address, so when the key is used for a bunch of different addresses, this is still misleading.

Reproducible: Always

Steps to Reproduce:
Send a signed e-mail from a new account, and use the old PGP key without adding the new e-mail account to the list - or any other PGP key that doesn't correspond to the account.

Actual Results:
Signature check says "ok", message in green.

Expected Results:
Signature check says "ok" for the actual mail content, but should warn about the discrepancy between e-mail address and public key - message should be in red.

Just imagine if a browser reported green on SSL when the site "ebay.com" presented a valid certificate for "3vi1.h4ck0r.com". Haven't checked, but it seems this problem has been there for ages. To be honest, Thunderbird/enigmail has the same bug.
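The extra check the report asks for, as an added example that is not KMail's or GnuPG's own code: once the signature has been verified, compare the address in the From: header against the user IDs bound to the signing key and downgrade a cryptographically valid signature to a "valid, but the key does not name this sender" state. The signature verification result is modelled as a plain dict (assumed shape: `valid` flag plus the key's `uids`), so the example runs offline; the sample messages and key data are constructed.

```python
"""Classify a PGP-signed message by whether the signing key's user IDs
cover the From: address.  Added example, not KMail/GnuPG code.

The cryptographic verification is assumed to have been done already
(e.g. by GnuPG); its outcome is modelled here as a dict with the shape
{"valid": bool, "uids": ["Name <addr>", ...]}.
"""
from email import message_from_string
from email.utils import parseaddr

GOOD_MATCH = "good"             # signature valid and From: address is in the key's UIDs
GOOD_MISMATCH = "uid-mismatch"  # signature valid, but the key does not name the sender
BAD = "bad"                     # signature invalid, or no verification result


def normalize(addr):
    """Lower-case the address.  Assumption: the local part is treated as
    case-insensitive as well, which is how mail systems behave in practice."""
    return addr.strip().lower()


def key_addresses(uids):
    """Extract bare addresses from OpenPGP user ID strings such as
    'Alice Example <alice@example.org>'; UIDs without an address are ignored."""
    out = set()
    for uid in uids:
        _, addr = parseaddr(uid)
        if addr:
            out.add(normalize(addr))
    return out


def classify(raw_message, verification):
    """Return GOOD_MATCH, GOOD_MISMATCH or BAD for a message and its
    (modelled) verification result."""
    if not verification or not verification.get("valid"):
        return BAD
    msg = message_from_string(raw_message)
    # parseaddr separates the display name from the real address, so a
    # display name that merely *looks* like an address does not count.
    _, sender = parseaddr(msg.get("From", ""))
    if not sender:
        return GOOD_MISMATCH
    if normalize(sender) in key_addresses(verification.get("uids", [])):
        return GOOD_MATCH
    return GOOD_MISMATCH


# --- constructed sample data -------------------------------------------
VERIFICATION_OK = {
    "valid": True,
    "uids": ["Alice Example <alice@example.org>", "Alice <alice@example.net>"],
}
VERIFICATION_FAILED = {"valid": False, "uids": VERIFICATION_OK["uids"]}

# Key UID matches the sending address: the case that deserves plain green.
SAMPLE_MATCH = (
    "From: Alice Example <Alice@Example.org>\r\n"
    "To: bob@example.com\r\n"
    "Subject: hi\r\n\r\nbody\r\n"
)
# The scenario from the report: a valid key used from an address it
# does not list.
SAMPLE_NEW_ACCOUNT = (
    "From: Alice Example <alice@other-provider.example>\r\n"
    "To: bob@example.com\r\n"
    "Subject: hi\r\n\r\nbody\r\n"
)
# Display name contains the key's address, the real address does not.
SAMPLE_DISPLAY_NAME = (
    'From: "alice@example.org" <mallory@example.net>\r\n'
    "To: bob@example.com\r\n"
    "Subject: hi\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, raw in [("match", SAMPLE_MATCH),
                       ("new account", SAMPLE_NEW_ACCOUNT),
                       ("display-name only", SAMPLE_DISPLAY_NAME)]:
        print(f"{label:18} -> {classify(raw, VERIFICATION_OK)}")
    print(f"{'bad signature':18} -> {classify(SAMPLE_MATCH, VERIFICATION_FAILED)}")
```

A client would map `GOOD_MATCH` to the green frame, `GOOD_MISMATCH` to a warning colour with the key's listed addresses shown next to the actual From: address, and `BAD` to red; the third sample shows why the comparison has to use the parsed address rather than the raw header text.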
4.11.4 shows "Signed by you@example.com." in green, so you see in one view who has signed it. In the end you want to be sure that the content is written by the user behind you@example.com; if he uses a different email address to transfer the content, that is not that important in my eyes.
(In reply to comment #1)
> 4.11.4 shows "Signed by you@example.com." in green, so you see in one view
> who has signed it. In the end you want to be sure that the content is
> written by the user behind you@example.com; if he uses a different
> email address to transfer the content, that is not that important in my eyes.

Yes, that seems good enough.