Bug 340144 - BUG1: Verify signs signed with subkeys fails.
Status: RESOLVED FIXED
Alias: None
Product: kleopatra
Classification: Applications
Component: general
Version: 2.2.0
Platform: Microsoft Windows
Importance: NOR grave
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2014-10-20 08:49 UTC by Jordi
Modified: 2017-03-28 15:30 UTC

Description Jordi 2014-10-20 08:49:39 UTC
Dear all, to try it you can use a general PGP key with subkeys. I sign a file using my key that has subkeys and it seems to be signed correctly using the correct subkey, BUT if I verify it an error appears:
 
Signed on 2014-10-20 10:27 with unknown certificate 0x6E6CFF09AAE35EE3.
The signature is invalid: System error
 
and the 0x6E6CFF09AAE35EE3 is the correct subkey used to Sign it.
Regards,
Jordi
Comment 1 earthsound 2015-03-10 17:57:51 UTC
I can confirm this behavior. I'm using Kleopatra Version 2.2.0-git945878c (2014-11-25) downloaded as part of gpg4win 2.2.3 on Windows 7 64-bit.

When I download https://www.torproject.org/dist/torbrowser/4.5a4/torbrowser-install-4.5a4_en-US.exe and https://www.torproject.org/dist/torbrowser/4.5a4/torbrowser-install-4.5a4_en-US.exe.asc, import the Tor Browser Developers (signing key) [0x4E2C6E8793298290], and attempt to verify it with Kleopatra, I get this message:

Signed on 2015-02-25 01:55 with unknown certificate 0x5242013F02AFC851B1C736B87017ADCEF65C2036.
The validity of the signature cannot be verified.

When I use gpg 2.0.26 (again, obtained as part of gpg4win), I get the following output:

gpg: Signature made 02/25/15 01:55:56 Central Standard Time using RSA key ID F65C2036
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
Comment 2 Andre Heinecke 2017-03-28 15:30:18 UTC
Git commit cf3385489036fe25e258d3f5f4cd61589a207b9f by Andre Heinecke.
Committed on 28/03/2017 at 09:42.
Pushed by aheinecke into branch 'master'.

Improve decrypt verify result display

This improves the look and information of the result
status display when verifying files.

The keys are now also fetched through GPGME and not
over the keycache to ensure that tofu information is
correct (if this is used). This also fixes a bug
because previously signing subkeys (like the one
used to sign this commit) were not handled by
kleopatra's sig key lookup.

Although it's a bugfix it should stay in master
because of the string changes.

M  +66   -74   src/crypto/decryptverifytask.cpp
M  +0    -2    src/crypto/decryptverifytask.h
M  +1    -2    src/uiserver/decryptverifycommandemailbase.cpp
M  +1    -2    src/uiserver/decryptverifycommandfilesbase.cpp

https://commits.kde.org/kleopatra/cf3385489036fe25e258d3f5f4cd61589a207b9f
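
The lookup failure discussed in this report, as an added example that is not Kleopatra's code and not the code from the commit above: a hypothetical in-memory keyring where the signer is resolved by primary fingerprint only, and then also by signing subkey. The types and function names are assumptions made for illustration; the fingerprints are the ones quoted in comment 1.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Hypothetical, simplified keyring model (not Kleopatra's or GPGME's types).
struct Subkey { std::string fpr; bool canSign; };
struct Certificate { std::string primaryFpr, userId; std::vector<Subkey> subkeys; };

// Reduce "0x..." or space-separated input to bare upper-case hex.
static std::string normalise(std::string s) {
    if (s.rfind("0x", 0) == 0) s.erase(0, 2);
    std::string out;
    for (unsigned char ch : s)
        if (std::isxdigit(ch)) out += static_cast<char>(std::toupper(ch));
    return out;
}

// Match a full fingerprint or its 16-digit long key ID; 8-digit short IDs are refused.
static bool matches(const std::string &fpr, const std::string &issuer) {
    if (issuer.size() == fpr.size()) return issuer == fpr;
    return issuer.size() == 16 && fpr.size() >= 16 && fpr.compare(fpr.size() - 16, 16, issuer) == 0;
}

// Primary-only lookup: a signature issued by a subkey comes back as "unknown".
const Certificate *findByPrimary(const std::vector<Certificate> &ring, const std::string &issuer) {
    const std::string id = normalise(issuer);
    for (const auto &c : ring)
        if (matches(normalise(c.primaryFpr), id)) return &c;
    return nullptr;
}

// Subkey-aware lookup: also checks signing subkeys and returns the owning certificate.
const Certificate *findSigner(const std::vector<Certificate> &ring, const std::string &issuer) {
    if (const Certificate *c = findByPrimary(ring, issuer)) return c;
    const std::string id = normalise(issuer);
    for (const auto &c : ring)
        for (const auto &sk : c.subkeys)
            if (sk.canSign && matches(normalise(sk.fpr), id)) return &c;
    return nullptr;
}

// Keyring holding the primary key and signing subkey fingerprints from comment 1.
std::vector<Certificate> sampleRing() {
    Certificate tor{"EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290",
                    "Tor Browser Developers (signing key) <torbrowser@torproject.org>",
                    {{"5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036", true}}};
    return {tor};
}
```

The returned certificate carries the primary fingerprint, which is the value to compare against a pinned or published fingerprint once the subkey has been resolved.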