Bug#993546: kmail: KMail sees different signing key on same mail when enabling debian-keyring

2021-09-16 Thread Diederik de Haas
On Thursday 16 September 2021 12:53:16 CEST Diederik de Haas wrote:
> Control: retitle -1 GPGMe does not take additional keyring into account to
> find keys.

I retitled the bug as Sandro suggested, but I'm having second thoughts as to 
whether it's an (entirely) accurate description.

Both the main key and the subkey used to sign the message are present in both 
my local keyring as well as in the debian-keyring.gpg file.
It succeeds when *only* my local keyring is enabled, but it fails when both 
are enabled, while it then has 2 places to find Joost's public key.

I'll leave further retitlements to maintainers, but wanted to clarify this.

Cheers,
  Diederik

signature.asc
Description: This is a digitally signed message part.


Bug#993546: kmail: KMail sees different signing key on same mail when enabling debian-keyring

2021-09-16 Thread Diederik de Haas
Control: reassign -1 libqgpgme7 1.16.0-1
Control: retitle -1 GPGMe does not take additional keyring into account to find 
keys.
Control: affects -1  kmail

On Wednesday 15 September 2021 10:56:59 CEST Sandro Knauß wrote:
> > Thanks for your assistance. I've saved the signature as 'signature.asc' and
> > the signed part of the email msg to 'attempt3-dos.txt'
> 
> Great. Can you now do the same test, commenting/uncommenting the keyring
> line in the gpgconf? And kill gpg-agent in between to make 100% sure that
> no leftovers are taken.

I've renamed 'signature.asc' to 'joostvb-signature.asc' and 'attempt3-dos.txt'
to 'joostvb-signed-msg-part-dos.txt' and ran the tests you requested.

=
$ killall gpg-agent
$ ps aux | grep gpg-agent | grep -v grep
$ vim ~/.gnupg/gpg.conf 
$ tail -n1 ~/.gnupg/gpg.conf 
#keyring /usr/share/keyrings/debian-keyring.gpg
$ ps aux | grep gpg-agent | grep -v grep
diederik   12992  0.0  0.0 154884  3600 ?SLs  12:32   0:00 
/usr/bin/gpg-agent --supervised
$ gpg --verify joostvb-signature.asc joostvb-signed-msg-part-dos.txt 
gpg: Signature made di 31 aug 2021 16:07:34 CEST
gpg:                using RSA key 92AAD901B21B4BC79A47A03054F1A66317486713
gpg: Good signature from "Joost E. van Baal (Nederland, 1970)" [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal-Ilić" [full]
Primary key fingerprint: B8FA C2E2 5047 5B8C E940  A919 5793 0DAB 0B86 B067
 Subkey fingerprint: 92AA D901 B21B 4BC7 9A47  A030 54F1 A663 1748 6713
$ killall gpg-agent
$ ps aux | grep gpg-agent | grep -v grep
$ vim ~/.gnupg/gpg.conf 
$ tail -n1 ~/.gnupg/gpg.conf 
keyring /usr/share/keyrings/debian-keyring.gpg
$ ps aux | grep gpg-agent | grep -v grep
diederik   13025  1.2  0.0 228616  3608 ?SLs  12:33   0:00 
/usr/bin/gpg-agent --supervised
$ gpg --verify joostvb-signature.asc joostvb-signed-msg-part-dos.txt 
gpg: Signature made di 31 aug 2021 16:07:34 CEST
gpg:                using RSA key 92AAD901B21B4BC79A47A03054F1A66317486713
gpg: Good signature from "Joost E. van Baal (Nederland, 1970)" [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal-Ilić" [full]
Primary key fingerprint: B8FA C2E2 5047 5B8C E940  A919 5793 0DAB 0B86 B067
 Subkey fingerprint: 92AA D901 B21B 4BC7 9A47  A030 54F1 A663 1748 6713
=

On Wednesday 15 September 2021 13:16:21 CEST you wrote:
> That seems fine, as the gpg-agent has restarted. So I think we are ready to
> move this bug to gpgme. But anyways this all sounds like an upstream bug,
> so properly you have to create a bug at https://dev.gnupg.org/

I'll wait for what the gpgme maintainers have to say first, before I('ll have to)
go through the trouble of creating an account there ...

Cheers,
  Diederik



Bug#993546: kmail: KMail sees different signing key on same mail when enabling debian-keyring

2021-09-14 Thread Diederik de Haas
On Sunday 12 September 2021 19:57:17 CEST Sandro Knauß wrote:
> But first make sure that you really have a valid bug. Please verify the
> signature in a konsole via gpg --verify. I expect that it will fail with
> the same error.

Thanks for your assistance. I've saved the signature as 'signature.asc' and the 
signed part of the email msg to 'attempt3-dos.txt'

$ gpg --verify signature.asc attempt3-dos.txt 
gpg: Signature made di 31 aug 2021 16:07:34 CEST
gpg:                using RSA key 92AAD901B21B4BC79A47A03054F1A66317486713
gpg: Good signature from "Joost E. van Baal (Nederland, 1970)" [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal " [full]
gpg: aka "Joost van Baal-Ilić" [full]
Primary key fingerprint: B8FA C2E2 5047 5B8C E940  A919 5793 0DAB 0B86 B067
 Subkey fingerprint: 92AA D901 B21B 4BC7 9A47  A030 54F1 A663 1748 6713

Hoping/expecting to validate the message against my keyring with "gpg --verify 
attempt3-dos.txt" failed as "gpg --verify" wants the signature file as first 
parameter.

Let me know what else I can do.

Cheers,
  Diederik



Bug#993546: kmail: KMail sees different signing key on same mail when enabling debian-keyring

2021-09-13 Thread Diederik de Haas
Hi,

On Sunday 12 September 2021 19:57:17 CEST Sandro Knauß wrote:
> I'm quite sure, that this is not the issue of Kmail, as Kmail is using the
> GPGME to talk to gpg. So it will be an issue of libqgpgme7.

Ok. I noticed the issue in KMail, so I reported it against that package.
Feel free to reassign to a (more) appropriate package.

> But first make sure that you really have a valid bug. Please verify the
> signature in a konsole via gpg --verify. I expect that it will fail with
> the same error.

How can I do that?

I've saved the msg as an mbox file and ran 'gpg --verify' on it:
gpg --verify Joostvb-orig-signed-msg.mbox 
gpg: no signed data
gpg: can't hash datafile: No data

That looks weird as it's certainly a signed msg. 
Let's try mutt (me = mutt newbie):
mutt -f Joostvb-orig-signed-msg.mbox
I see "1  Ns " ;  to view it and I see:
[-- Begin signature information --]
Good signature from: Joost E. van Baal (Nederland, 1970)
  aka: 
  
  created: 
[-- End signature information --]

After 'i' to Exit, the lowercase 's' turned into a capital 'S'. 
Which IIUC indicates a valid signature.

So mutt seems happy. ~/.gnupg/gpg.conf had the debian-keyring enabled.

After disabling debian-keyring:
gpg --verify Joostvb-orig-signed-msg.mbox 
gpg: no signed data
gpg: can't hash datafile: No data
mutt -f Joostvb-orig-signed-msg.mbox
I see "1  s " ;  to view it and I see:
[-- Begin signature information --]
Good signature from: Joost E. van Baal (Nederland, 1970)
  aka: 
  
  created: 
[-- End signature information --]

After Exit, the lowercase 's' turned into a capital 'S' again. 

So with mutt everything _looks_ the same with the debian-keyring
enabled or disabled, while there is a difference in KMail.

> Keep in mind that Joost's using a subkey to sign (0x54F1A66317486713); this
> subkey also needs to be available to verify the signature.
> 
> > When doing "gpg --list-keys 0x57930DAB0B86B067" (or long key ID)
> > (with "list-options show-keyring=yes" in my gpg.conf) I see the same key
> > present in my keyring (pubring.kbx) and in Debian's debian-keyring.gpg.
> 
> As I was told, you always have to use --with-colons when using
> gpg --list-keys --with-colons to get ideas about the key status.

With debian-keyring disabled:
$ gpg --with-colons --list-keys 0x57930DAB0B86B067
tru::1:1631360998:1645731991:3:1:5
pub:f:4096:1:57930DAB0B86B067:1129127891:::f:::scESC::23:1630521551:1 
http\x3a//keyring.debian.org\x3a11371:
fpr:B8FAC2E250475B8CE940A91957930DAB0B86B067:
uid:f1129129467::D3568B2F561D7D224C0894CE39E650FC67F0755B::Joost E. van 
Baal (Nederland, 1970):1630521551:1:
uid:f1129129236::404399E9298441B5AFF1F09D9A6314F6D0DF12FF::Joost van Baal 
:1630521551:1:
uid:f1129129331::06AF0BE4F14BBC6BEDF47674B6BCD74AEBBA5FA5::Joost van Baal 
:1630521551:1:
uid:f1129129295::83F7EC80DEAB05929AE4829E7FE6A07468F1B557::Joost van Baal 
:1630521551:1:
uid:f1129129358::ECC854CC7EAFC26121A339FF41A0D1917097C7D7::Joost van Baal 
:1630521551:1:
uid:f1129129385::1857D9EC456DEEE1C4FC2C1207E9C2B9A8F844E2::Joost van Baal 
:1630521551:1:
uid:f1223447825::0BC514AB9B9027517C311BEDC30A59E551EB4D16::Joost van Baal 
:1630521551:1:
uid:f1318359511::9E04CD3B93ECF31B7BAC1315EBAE5D5B987EF556::Joost van 
Baal-Ilić:1630521551:1:
sub:e:4096:1:A96539F624525E9E:1129128272:1223736272:s::23:
fpr:C5B85256C175C10CBD0832A4A96539F624525E9E:
sub:e:4096:1:F98CBB23C0BC6980:1223447515:1318055515:s::23:
fpr:ABB0F0BF85D70496B35D0B7CF98CBB23C0BC6980:
sub:e:2048:1:33517A72A5E6B0C8:1318359158:1476039158:s::23:
fpr:B9563AB8479744C26035A9F933517A72A5E6B0C8:
sub:f:4096:1:54F1A66317486713:1476171990:1728387017:s::23:
fpr:92AAD901B21B4BC79A47A03054F1A66317486713:
sub:f:4096:1:F4E66A7265F23E7B:1476172439:1728387066:e::23:
fpr:A9202D9E6ADD2C7E7301DEE8F4E66A7265F23E7B:
sub:e:2048:1:88FEF971404CA6BE:1318359224:1476039224:e::23:
fpr:2A3FED2354D9264FBF0184D688FEF971404CA6BE:
sub:e:4096:1:5B19798443FF7C14:1129128610:1223736610:e::23:
fpr:7C2AB7A44CD6F96538CD88F05B19798443FF7C14:
sub:e:4096:1:8A551DB0EC34F0AE:1223447782:1318055782:e::23:
fpr:9B60E5A6C3DBCAB264A56F4E8A551DB0EC34F0AE:

With debian-keyring enabled:
$ gpg --with-colons --list-keys 0x57930DAB0B86B067
tru::1:1631360998:1645731991:3:1:5
pub:f:4096:1:57930DAB0B86B067:1129127891:::f:::scESC::23:1630521551:1 
http\x3a//keyring.debian.org\x3a11371:
fpr:B8FAC2E250475B8CE940A91957930DAB0B86B067:
uid:f1129129467::D3568B2F561D7D224C0894CE39E650FC67F0755B::Joost E. van 
Baal (Nederland, 1970):1630521551:1:
uid:f1129129236::404399E9298441B5AFF1F09D9A6314F6D0DF12FF::Jo

Bug#993546: kmail: KMail sees different signing key on same mail when enabling debian-keyring

2021-09-12 Thread Sandro Knauß
Hey,

I'm quite sure, that this is not the issue of Kmail, as Kmail is using the 
GPGME to talk to gpg. So it will be an issue of libqgpgme7.

But first make sure that you really have a valid bug. Please verify the 
signature in a konsole via gpg --verify. I expect that it will fail with the 
same error.

Keep in mind that Joost's using a subkey to sign (0x54F1A66317486713); this 
subkey also needs to be available to verify the signature. 

> When doing "gpg --list-keys 0x57930DAB0B86B067" (or long key ID)
> (with "list-options show-keyring=yes" in my gpg.conf) I see the same key
> present in my keyring (pubring.kbx) and in Debian's debian-keyring.gpg.

As I was told, you always have to use --with-colons when using 
gpg --list-keys --with-colons to get ideas about the key status.

> I have no clue how this can happen or be explained,
> but it sounds like a bug to me.

As far as I know, gnupg does want to get rid of multiple keyrings stitched 
together. So maybe you found one of the bugs with stitching. But you may get 
more up-to-date news from the gnupg maintainers in Debian.

hefee
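
The `--with-colons` advice in the message above can be turned into a small check; this is an added example, not part of the original thread. It maps the fingerprint that `gpg --verify` reports (here the signing subkey) back to its primary key and status. The sample listing is constructed in the field layout documented in GnuPG's doc/DETAILS using the key IDs and timestamps posted in this thread; the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample: the primary key and two signing subkeys from this thread,
# written in the colon layout documented in GnuPG's doc/DETAILS. IDs, validity
# letters and timestamps are copied from the listing posted in the thread.
SAMPLE = """\
pub:f:4096:1:57930DAB0B86B067:1129127891:::f:::scESC::::::23:
fpr:::::::::B8FAC2E250475B8CE940A91957930DAB0B86B067:
sub:e:2048:1:33517A72A5E6B0C8:1318359158:1476039158:::::s::::::23:
fpr:::::::::B9563AB8479744C26035A9F933517A72A5E6B0C8:
sub:f:4096:1:54F1A66317486713:1476171990:1728387017:::::s::::::23:
fpr:::::::::92AAD901B21B4BC79A47A03054F1A66317486713:
"""

# "Signature made di 31 aug 2021 16:07:34 CEST", expressed in UTC.
SIGNED_AT = int(datetime(2021, 8, 31, 14, 7, 34, tzinfo=timezone.utc).timestamp())

def parse_keys(listing):
    """Return one dict per pub/sub record, each tagged with its primary key ID."""
    keys, primary = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) >= 12:
            primary = f[4] if f[0] == "pub" else primary
            keys.append({"keyid": f[4], "primary": primary, "validity": f[1],
                         "expires": int(f[6]) if f[6] else None,
                         "caps": f[11], "fpr": None})
        elif f[0] == "fpr" and len(f) >= 10 and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # an fpr record describes the key just before it
    return keys

def resolve_signer(listing, fingerprint, signed_at):
    """Map the fingerprint from 'gpg --verify' to its primary key and status."""
    fp = fingerprint.upper().replace(" ", "")
    fp = fp[2:] if fp.startswith("0X") else fp
    for key in parse_keys(listing):
        if key["fpr"] == fp:
            # Simplified usability check (an assumption of this example, not
            # gpg's full logic): signing capability, validity not
            # expired/revoked/invalid/disabled, not expired at signing time.
            key["usable"] = ("s" in key["caps"]
                             and key["validity"] not in ("e", "r", "i", "d")
                             and (key["expires"] is None or key["expires"] > signed_at))
            return key
    return None

if __name__ == "__main__":
    signer = resolve_signer(SAMPLE, "92AAD901B21B4BC79A47A03054F1A66317486713", SIGNED_AT)
    print(signer["primary"], signer["validity"], signer["usable"])
```

Against real output, pass the text of `gpg --with-colons --list-keys 0x57930DAB0B86B067` as the listing once with the extra `keyring` line enabled and once without, and compare the two results.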



Bug#993546: kmail: KMail sees different signing key on same mail when enabling debian-keyring

2021-09-02 Thread Diederik de Haas
On Thursday 2 September 2021 23:15:47 CEST Diederik de Haas wrote:
> KMail reports (after I signed it)

The signing part is irrelevant for reproducing the bug.
I experienced the exact same problem before I signed it.



Bug#993546: kmail: KMail sees different signing key on same mail when enabling debian-keyring

2021-09-02 Thread Diederik de Haas
Package: kmail
Version: 4:21.08.0-2
Severity: normal

Recently I received a signed email from Debian Developer joostvb@d.o.
I imported his public key to my keyring as follows:
gpg --keyserver keyring.debian.org --recv-keys 
0xB8FAC2E250475B8CE940A91957930DAB0B86B067

When selecting that mail, KMail reports (after I signed it):
Message was signed by joos...@mdcc.cx (Key ID: 0x57930DAB0B86B067).
The signature is valid and the key is fully trusted.

Excellent, exactly as I expected.
Joost's key is also part of the debian-keyring with the (exact) same
fingerprint. I figured it would be useful to have DD's key in gpg's
keyring, so I added the following to ~/.gnupg/gpg.conf:
keyring /usr/share/keyrings/debian-keyring.gpg

But when I then first select an(y) other email and then select Joost's
email again, KMail reports the following:
Message was signed on  with unknown key 
0x92AAD901B21B4BC79A47A03054F1A66317486713.
The validity of the signature cannot be verified.
Status: Good signature

When doing "gpg --list-keys 0x57930DAB0B86B067" (or long key ID) 
(with "list-options show-keyring=yes" in my gpg.conf) I see the same key
present in my keyring (pubring.kbx) and in Debian's debian-keyring.gpg.

If I then disable the "keyring ... debian-keyring.gpg" line again, all
is well again and enabling brings the problem back.
I've also started with a completely new ~/.gnupg and could still
reproduce the problem.

I have no clue how this can happen or be explained,
but it sounds like a bug to me.

Cheers,
  Diederik

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'unstable'), (500, 'testing'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kmail depends on:
ii  akonadi-server  4:21.08.0-1
ii  kdepim-runtime  4:21.08.0-1
ii  kio  5.85.0-2
ii  libc6  2.31-17
ii  libgcc-s1  11.2.0-3
ii  libgpgmepp6  1.16.0-1
ii  libkf5akonadiagentbase5 [libkf5akonadiagentbase5-21.08]  4:21.08.0-1
ii  libkf5akonadicontact5 [libkf5akonadicontact5-21.08]  4:21.08.0-1
ii  libkf5akonadicore5abi2 [libkf5akonadicore5-21.08]  4:21.08.0-1
ii  libkf5akonadimime5 [libkf5akonadimime5-21.08]  4:21.08.0-1
ii  libkf5akonadisearch-bin  4:21.08.0-1
ii  libkf5akonadisearch-plugins  4:21.08.0-1
ii  libkf5akonadisearchdebug5 [libkf5akonadisearchdebug5-21.08]  4:21.08.0-1
ii  libkf5akonadisearchpim5 [libkf5akonadisearchpim5-21.08]  4:21.08.0-1
ii  libkf5akonadiwidgets5abi1 [libkf5akonadiwidgets5-21.08]  4:21.08.0-1
ii  libkf5bookmarks5  5.85.0-2
ii  libkf5calendarcore5abi2  5:5.85.0-2
ii  libkf5calendarutils5 [libkf5calendarutils5-21.08]  4:21.08.0-1
ii  libkf5codecs5  5.85.0-2
ii  libkf5completion5  5.85.0-2
ii  libkf5configcore5  5.85.0-2
ii  libkf5configgui5  5.85.0-2
ii  libkf5configwidgets5  5.85.0-2
ii  libkf5contacts5  5:5.85.0-2
ii  libkf5coreaddons5  5.85.0-2
ii  libkf5crash5  5.85.0-2
ii  libkf5dbusaddons5  5.85.0-2
ii  libkf5grantleetheme-plugins  21.08.0-1
ii  libkf5gravatar5abi2 [libkf5gravatar5-21.08]  4:21.08.0-1
ii  libkf5guiaddons5  5.85.0-2
ii  libkf5i18n5  5.85.0-2
ii  libkf5iconthemes5  5.85.0-2
ii  libkf5identitymanagement5 [libkf5identitymanagement5-21.08]  21.08.0-1
ii  libkf5itemmodels5  5.85.0-2
ii  libkf5itemviews5  5.85.0-2
ii  libkf5jobwidgets5  5.85.0-2
ii  libkf5kcmutils5  5.85.0-2
ii  libkf5kiocore5  5.85.0-2
ii  libkf5kiofilewidgets5