gpg key is signed (with seahorse) but evolution still shows signed messages as not verified

Bug #304539 reported by marco.pallotta on 2008-12-02
This bug affects 5 people
Affects Status Importance Assigned to Milestone
seahorse-plugins (Ubuntu)
Nominated for Karmic by Freddie

Bug Description

I signed a public gpg key imported with seahorse but the signed emails, with the private key of the subject which public key I had previously signed, are seen by evolution as unverifiable: "sign is valid but it's not possible to verify the sender".
That is this isssue is the same as I didn't sign the key.

I'm in Hardy Heron x86_64
evolution is
seahorse is 2.22.2-0ubuntu

Mackenzie Morgan (maco.m) wrote :

I'm pretty sure this is a seahorse-plugins bug since I think that's what Evolution uses to do the verifying.

Changed in evolution:
importance: Undecided → Low
marco.pallotta (marco-pallotta) wrote :

Machenzie, I think you are right as I described in bug #326841. You can verify that it's not an evolution issue using command line tool gpg instead of seahorse.

Mackenzie Morgan (maco.m) wrote :

What about if you use seahorse-tool instead of gpg?

marco.pallotta (marco-pallotta) wrote :

With seahorse-tool I think I cannot verify signed emails but only signed files.

marco.pallotta (marco-pallotta) wrote :

Mackenzie, I'm not so sure that it's a seahorse issue. In fact I made some other tests and I discovered that:
- seahorse only offers 4 options to trust a key while gpg offers 5 options (it adds "ultimately"), and for this I opened a new bug #327571
- if you trust a key with the option "utlimately" via cli using gpg then evolution recognize that a certain email has "valid signature".

I think we have two bugs:
- one for seahorse trust levels. (and I opened it as I sayd before);
- one for either evolution or seahorse-plugins (and I think the issue I posted is related to this) that I think should recognize a "valid signature" also if we don't trust a key with the "ultimately" option.

I also think the importance should be raised as this is a security issue.

"Ultimately" means "it's my own key." Seahorse automatically assigns
this trust level to keys for which you have the secret key.

It says the email address has not been verified, correct? Have you
checked that the email address used is actually in the key?

Though interestingly, I just spotted an email that says "signature
verified" when the key expired nearly a year ago...

Machenzie, I think you are right about the "ultimately" option, in fact my private key is trusted automatically with this option.
About the email address, mine is present in the recipient public key as I signed it.

Not *your* email address, the sender's email address. A GPG key has
email addresses associated with it, but if the email address from which
the message was sent does not match one of the email addresses attached
to the key, it will say the signature is good but that it cannot verify
the sender (which is correct).

Mackenzie, the sender email address matches the email attached to the key. In fact, as I already described, it is sufficient to trust the sender key with "ultimately" to solve the issue (if the sender email hadn't matched the email attached to the key changing trust level shouldn't solve it)

I studied a little the web of trust mechanism and evolution shouldn't mind the way I trust a key. In fact this info is a personal info. If a public key is signed by my personal private key evolution should recognize the user (if the sender email corresponds to the email included in the public key).

benste (benste) wrote :

Hi all, I'm having trouble with the same thing too,
today i added all variants of @gmail @googlemail and co and upper case version to be sure that my sending adress is within the key. But it's still not validated. As Karmic is coming in the next weeks i just wanted to know whether there is something new?

I didn't test karmic in my daily use yet, but I'm still searching for an evo / seahorse solution for 9.04

description: updated

benste, you can simply type, in your comment, that you confirm the issue in 9.04 too instead of modifying the bug description and add this info. Please, modify it only if you have to add useful info to describe the bug.

summary: gpg key is signed (with seahorse) but evolution still shows signed
- messages as not not verified
+ messages as not verified

Confirmed with
ubuntu 9.04_x86
Evolution 2.26.1
seahorse 2.26.1

(txs to benste for these info)

description: updated
Changed in seahorse-plugins (Ubuntu):
status: New → Confirmed

I have confirmed the bug txs to benste info

affects: seahorse-plugins → evolution

I have attached a bug watch to an upstream evolution gnome bug already reported there.
In this bug we have set the affected package to seahorse-plugins but I'm still not sure if it's correct. In Hardy there is no seahorse-plugins package but the problem is present. Maybe in Hardy seahorse-plugins functionalities were included in other packages?

Changed in evolution:
importance: Unknown → Medium
status: Unknown → New
benste (benste) wrote :

Does someone still have this issue - i don't

@ marco, you should consider closing this bug as invalid if no one mentiones something else

I still have the issue also with 10.04 and evolution 2.28.3

lusepuster (thoeger) wrote :

Can confirm this for 10.10, Evolution 2.30.3

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.