[Users] [Bug 3314] New: user can't distinct between trustworthy and untrustworthy gpg signatures
noreply at thewildbeast.co.uk
noreply at thewildbeast.co.uk
Wed Oct 29 13:34:45 CET 2014
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3314
Bug ID: 3314
Summary: user can't distinct between trustworthy and
untrustworthy gpg signatures
Classification: Unclassified
Product: Claws Mail
Version: other
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P3
Component: Plugins/Privacy
Assignee: users at lists.claws-mail.org
Reporter: hw42-claws-mail at ipsumj.de
Commit fe89b3a7 [0] broke the verification of the trustworthiness of gpg
signatures.
Every "correct" (i.e. key X signed this message correctly) is show as good
signature.
This is a critical security bug since now the user don't see if the UID of the
key which
made this signature is valid. So it's sufficient that someone has imported the
key which
has signed the message - but the UID is never verified.
I think the committer was confused about the meaning of owner-trust and
signature validity
in the context of gpg.
Owner-trust is a user specific setting for a key which determines how much you
trust
signatures made by that key.
Validity say if gpg could verify that the UID of the key is valid. This is done
by checking
the signatures of the key in combination with the according owner-trust (see
also [1]).
To reproduce simply import a key of which you don't now if it's UID is valid.
Now open
a message which is correctly signed this message. This is show as "good
signature" and
you have no indication that you don't now that the UID is valid.
This affects versions >= 3.10.0
[0]:
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=fe89b3a7fbcefc21dcf195929c948bd8be603788;hp=b0a0fd75fb84a8bfffebc945faa241b06feb91bf
[1]:
https://www.gnupg.org/faq/GnuPG-FAQ.html#what-are-trust-validity-and-ownertrust
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the Users
mailing list