[Users] [Bug 3314] user can't see validity of gpg signatures

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Wed Oct 29 17:12:48 CET 2014


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3314

--- Comment #5 from Paul <paul at claws-mail.org> ---
(In reply to comment #4)
> At least the gpg versions I have tested (1.4.18, 2.0.26, 2.1.0-beta895)
> do very clearly show if the validity of the signature can't be
> verified (they also use "trusted" here):
> 
> [...]
> gpg: Good signature from "Some UID <mail at example.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> [...]
> 
> I think it's very critical to display the validity of the signature
> since otherwise you have to click through to the "full information" every time.

It's not the validity of the signature that you're seeing, it's the validity of
the UID. A signature is either good or bad, a UID has validity. The owner has
"trust". You are confusing the terms and using them as if they are
interchangeable. They are not.

How is this "critical"? If you're verifying a downloaded software package, e.g.
the Claws Mail tarballs, or verifying a signature on a message, e.g. the Claws
Mail release announcements, would you not trust them? Do you never trust a
signature unless you've signed the key?

-- 
You are receiving this mail because:
You are the assignee for the bug.
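
The distinction drawn in the comment above, as an added example that is not part of the original message or of Claws Mail's code: it reads GnuPG's machine-readable `--status-fd` lines and reports the signature result and the UID validity as two separate fields. The sample lines and key ID are constructed, and a single signature per input is assumed.

```python
PREFIX = "[GNUPG:] "

# Constructed status-fd samples (illustrative key ID, not from the bug report).
SAMPLE_UNCERTIFIED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Some UID <mail@example.org>\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Some UID <mail@example.org>\n"

# Axis 1: the cryptographic check on the signature itself.
SIGNATURE = {"GOODSIG": "good", "BADSIG": "bad", "ERRSIG": "not checked",
             "EXPSIG": "good, signature expired",
             "EXPKEYSIG": "good, key expired",
             "REVKEYSIG": "good, key revoked"}
# Axis 2: computed validity of the signing key/UID (the TRUST_* keywords).
# Owner trust is a separate per-key setting and is not part of this output.
VALIDITY = {"TRUST_UNDEFINED": "undefined", "TRUST_NEVER": "never",
            "TRUST_MARGINAL": "marginal", "TRUST_FULLY": "full",
            "TRUST_ULTIMATE": "ultimate"}

def parse_status(text):
    """Return signature result and UID validity as separate fields."""
    result = {"signature": None, "signer_uid": None, "uid_validity": None}
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue  # skip human-readable "gpg: ..." lines
        fields = line[len(PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword in SIGNATURE:
            result["signature"] = SIGNATURE[keyword]
            # ERRSIG carries algorithm fields, not a user ID
            if keyword != "ERRSIG" and len(fields) == 3:
                result["signer_uid"] = fields[2]
        elif keyword in VALIDITY:
            result["uid_validity"] = VALIDITY[keyword]
    return result

def summarize(text):
    """One-line display string that keeps the two axes apart."""
    r = parse_status(text)
    validity = r["uid_validity"] or "not reported"
    return f"signature: {r['signature']}; UID validity: {validity}"

if __name__ == "__main__":
    print(summarize(SAMPLE_UNCERTIFIED))
    print(summarize(SAMPLE_BAD))
```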


