Bug#888025: gpgsm: UI asks insane, unanswerable trust questions
Also noticed a modal messagebox popping up regularly when having kmail running. Below is a workaround that simply always answers the question with no instead of asking. --- gnupg2-2.2.43.orig/agent/trustlist.c +++ gnupg2-2.2.43/agent/trustlist.c @@ -687,6 +687,9 @@ agent_marktrusted (ctrl_t ctrl, const ch if (!nameformatted) return gpg_error_from_syserror (); + // We do not trust this. Do not show that dialog. + return gpg_error (GPG_ERR_NOT_TRUSTED); + /* First a general question whether this is trusted. */ desc = xtryasprintf ( /* TRANSLATORS: This prompt is shown by the Pinentry
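Review bot: The unconditional `return gpg_error (GPG_ERR_NOT_TRUSTED);` added right after the `nameformatted` check makes everything below it in agent_marktrusted unreachable, so this path can no longer mark any certificate as trusted, even for a user who does want to answer the prompt. The new early return also leaves the function without releasing nameformatted, which the preceding `if (!nameformatted)` check shows was just allocated. Suggest making the return conditional on a configuration setting rather than hard-coding it, releasing nameformatted before returning, and using a `/* ... */` comment to match the comment style of the surrounding code.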
Bug#888025: gpgsm: UI asks insane, unanswerable trust questions
I'm using kmail and am getting hit by this. It seems someone has sent me an email signed with some weird (internal?) certificate. What can I as a user even do if I *don't* trust the certificate? There is no "No, and please stop asking" option...

Best,
Brendon
Bug#888025: gpgsm: UI asks insane, unanswerable trust questions
Dear maintainer,

I've recently started to re-experience that bug (#888025), probably because someone is sending me emails using some "certificate". It takes the form of popups when Kmail is open in the background. Those popups come randomly without user action.

I understand it would be useless to answer yes to the popup. Additionally, it doesn't seem legit/safe at all, for someone who doesn't have the necessary knowledge, to answer yes to "do you ultimately trust XXX to correctly certify user certificates?"

I've read the explanations/comments in the bug, but I didn't understand anything, sorry.

The certificate in the popup is the same as this one:

```
$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep 'Manchester.*AAA'
subject=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
```

I've been told to try `sudo dpkg-reconfigure ca-certificates`, but that didn't change anything.

It won't crash the system, but it's very, very annoying/disruptive for the user.

Thanks,
Chris
Bug#888025: gpgsm: UI asks insane, unanswerable trust questions
Package: gpgsm
Version: 2.2.4-1
Severity: important

Someone sending me S/MIME email caused mutt+gpg to open an insane pair of sequential dialogue windows asking multiple questions about whether I trust what looked like one of Comodo's CA certificates. The second dialogue included a fingerprint of unspecified sort, that I was supposed to check against something, but the GTK interface didn't support copying and pasting.

The useful information would have been:

1. Is this certificate in Debian's ca-certificates package? If so, don't show the dialogue, just accept the certificate.
2. If this certificate *isn't* in Debian's ca-certificates package, that is the single most important thing to tell the user. It's still probably a useless dialogue, but maybe one user in a thousand will want to do the research on where the CA cert came from.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpgsm depends on:
ii  gpgconf        2.2.4-1
ii  libassuan0     2.5.1-1
ii  libc6          2.26-4
ii  libgcrypt20    1.8.1-4
ii  libgpg-error0  1.27-5
ii  libksba8       1.3.5-2
ii  libreadline7   7.0-3

Versions of packages gpgsm recommends:
ii  gnupg  2.2.4-1

gpgsm suggests no packages.

-- no debconf information
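The check asked for in item 1 of the original report (is the certificate from the dialogue in Debian's CA bundle?) can be done by hand from the fingerprint alone. The following is an added example, not part of the bug thread or of GnuPG; the function names and the sample bundle are constructed for illustration, and the digest type is inferred from the fingerprint length because the report does not say which kind the dialogue shows.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(pem_text, algo):
    """Hex digests of the DER bytes of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.new(algo, der).hexdigest().upper())
    return prints

def normalize(fpr):
    """Drop colons/spaces so a fingerprint retyped from a dialog compares cleanly."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()

def in_bundle(fpr, pem_text):
    """True if fpr matches a bundle certificate; digest is inferred from length."""
    fpr = normalize(fpr)
    algo = {40: "sha1", 64: "sha256"}.get(len(fpr))
    if algo is None:
        raise ValueError("expected a 40- or 64-digit hex fingerprint")
    return fpr in bundle_fingerprints(pem_text, algo)

def fake_pem(der):
    """Constructed sample data: wraps arbitrary bytes as a PEM block (not a real cert)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed two-entry bundle so the functions can be exercised offline.
SAMPLE_BUNDLE = fake_pem(b"constructed-der-1") + fake_pem(b"constructed-der-2")

if __name__ == "__main__":
    # Usage: FINGERPRINT [BUNDLE]; the default is the bundle path quoted in this thread.
    if len(sys.argv) < 2:
        sys.exit("usage: check_fpr.py FINGERPRINT [BUNDLE]")
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssl/certs/ca-certificates.crt"
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = in_bundle(sys.argv[1], fh.read())
    print("present in" if found else "NOT present in", path)
```

A match only shows that the certificate ships in the system bundle; whether that is sufficient grounds to mark it trusted for S/MIME is the policy question this bug is about.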