Bug 441209 - signed by a PGP key that doesn't match uid is still "green"
Status: REPORTED
Product: kmail2
Classification: Applications
Component: crypto
Version: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2021-08-20 01:18 UTC by Caleb Cushing
Modified: 2021-08-20 01:26 UTC



Attachments
screenshot of the green path with sender/receiver (77.69 KB, image/png)
2021-08-20 01:18 UTC, Caleb Cushing

Description Caleb Cushing 2021-08-20 01:18:25 UTC
Created attachment 140865
screenshot of the green path with sender/receiver

SUMMARY

Using a trusted key to sign with a UID that it doesn't have shouldn't be green. Note: Evolution warns about this.

STEPS TO REPRODUCE
1. Create 2 sets of full GPG keys.
2. Use another client to sign when sending from one of your emails with the other email's key.


I did this with a misconfiguration via FairEmail.

OBSERVED RESULT

KMail shows green and all happy.


EXPECTED RESULT


KMail should show yellow or red because that key isn't approved for that UID.

SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION
Kmail: 5.18.0
Operating System: Manjaro Linux
KDE Plasma Version: 5.22.4
KDE Frameworks Version: 5.85.0
Qt Version: 5.15.2
Kernel Version: 5.10.59-1-MANJARO (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-10610U CPU @ 1.80GHz
Memory: 15.4 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics
Comment 1 Caleb Cushing 2021-08-20 01:26:59 UTC
To me, this should be *red*. The problem here is that if your key is compromised but not your email, someone could still send messages as you, and people who've already imported your key might not even notice the mismatch.
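The check the report asks for, as an added example that is not KMail's code: after gpg reports a good, trusted signature, take the signer key's user IDs and require that one of them carries the message's From: address before colouring the result green. The `gpg --status-fd` lines and the `--with-colons` key listing below are constructed sample data, not captured from a real run; the mismatch case is coloured red, following the expected result and Comment 1, where a client could equally choose yellow.

```python
"""Added example (not KMail code): cross-check the signing key's user IDs
against the From: address before calling a signature 'green'.

All gpg output below is constructed sample data, not captured from a real run.
"""
import re
from email.utils import parseaddr

# Constructed: what gpg writes on --status-fd for a good, fully trusted signature.
# Line format is "[GNUPG:] KEYWORD args...".
GPG_STATUS_TRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2021-08-20 1629420000 0 4 0 22 8 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_FULLY 0 pgp
"""
GPG_STATUS_UNTRUSTED = GPG_STATUS_TRUSTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")
GPG_STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"

# Constructed: `gpg --with-colons --list-keys <fpr>` for that key.  Field 2 of a
# 'uid' record is its validity, field 10 the user ID string; field 10 of 'fpr'
# is the fingerprint.
GPG_KEY_LISTING = """\
tru::1:1629420000:0:3:1:5
pub:f:255:22:0123456789ABCDEF:1629400000:::f:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:f::::1629400000::HASHHASH::Alice Example <alice@example.org>::::::::::0:
uid:r::::1629400000::HASHHASH::Alice Example <old-alice@example.com>::::::::::0:
sub:f:255:18:FEDCBA9876543210:1629400000::::::e::::::23:
"""


def parse_status(status: str) -> dict:
    """Reduce gpg --status-fd lines to the facts the verdict needs."""
    result = {"goodsig": False, "primary_fpr": None, "trust": None}
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split(" ", 2)          # "[GNUPG:]", KEYWORD, rest
        keyword = fields[1]
        rest = fields[2] if len(fields) > 2 else ""
        if keyword == "GOODSIG":
            result["goodsig"] = True
        elif keyword == "VALIDSIG":
            result["primary_fpr"] = rest.split()[-1]   # last field: primary key fpr
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword
    return result


def listing_fingerprints(listing: str) -> set[str]:
    """Fingerprints present in a --with-colons listing ('fpr' records, field 10)."""
    return {f[9] for f in (l.split(":") for l in listing.splitlines())
            if f[0] == "fpr" and len(f) > 9}


def key_emails(listing: str) -> set[str]:
    """E-mail addresses of the non-revoked, non-expired user IDs of the key."""
    emails = set()
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "uid" or len(fields) < 10:
            continue
        if fields[1] in ("r", "e", "i", "n"):   # revoked, expired, invalid, never
            continue
        uid = fields[9].replace("\\x3a", ":")    # --with-colons escapes ':' as \x3a
        m = re.search(r"<([^>]+)>", uid)
        if m:
            emails.add(m.group(1).strip().lower())  # simplification: whole address lowercased
    return emails


def verdict(status: str, listing: str, from_header: str) -> str:
    """Colour a signed message 'green', 'yellow' or 'red'."""
    sig = parse_status(status)
    if not sig["goodsig"]:
        return "red"                                   # bad or unverifiable signature
    if sig["primary_fpr"] not in listing_fingerprints(listing):
        return "red"                                   # listing is not the signer's key
    if sig["trust"] not in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return "yellow"                                # good signature, key not trusted
    sender = parseaddr(from_header)[1].strip().lower()
    if not sender or sender not in key_emails(listing):
        # The reported bug: trusted key, but no UID for the From: address.
        # Coloured red here as the report argues; never green.
        return "red"
    return "green"


if __name__ == "__main__":
    for sender in ("Alice Example <alice@example.org>", "Bob <bob@example.net>"):
        print(f"{sender!r:40} -> {verdict(GPG_STATUS_TRUSTED, GPG_KEY_LISTING, sender)}")
```

In a real client the listing would be fetched for the fingerprint that `VALIDSIG` names rather than passed in, and revoked or expired user IDs are skipped on purpose: a key whose only matching UID has been revoked should not vouch for that address either.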