[Users] Signatures don't seem to work

mlist mlist at riseup.net
Sat Aug 31 20:50:46 CEST 2019 

On Sat, 31 Aug 2019 16:46:31 -0000 Paul wrote:

> Presumably 'C' activates /Message/Check signature.

Yes.

> This menu item only checks signatures, it does not
> retrieve keys at all.

I understand that too, i.e. that GPG actually
retrieves them.

> I reckon you have 'auto-key-retrieve' in
> ~/.gnupg/gpg.conf.

Yes.

> That is outside of Claws Mail, and is not controlled
> by Claws Mail's 'offline' mode.
> 
> This isn't a problem, or a Claws Mail bug.

I understand that it is not a problem or a bug.
However the general expectation of 'offline' mode is
to be offline = no any connections initiated by the
program (visible or invisible). This normally comes
with an expectation of privacy.

But it is worth considering a so called "web bug" like
behavior mentioned in the man page of gpg2 (right in
the explanation of --no-auto-key-retrieve option):

"
Key-server or Web Key Directory operators can see
which keys you request, so by sending you a message
signed by a brand new key (which you naturally will
not have on your local keyring), the operator can tell
both your IP address and the time when you verified
the signature.
"

If "Automatically check signatures" option is on or
even if one uses "Check signature" the combination
with the above can actually result in reduced privacy.

I imagine the following scenario:

1. One fetches mail using Tor proxy (configured in
Claws), then goes offline to read the messages. I.e.
one relies on IP address not being revealed.

2. One of the newly fetched messages needs retrieval of
signature. With --auto-key-retrieve and no system-wide
Tor proxy configured (for whatever reason or by
omission) GPG will connect to the key server and
reveal the info which the man page explains.

3. Suppose the attacker who is trying to locate a
victim through his email address has taken hold of the
key server or of the ISP of the victim. The victim
assuming he is hidden by using Tor may not guess about
all of the above and inadvertently expose himself
because he thinks he is 'offline'. For the general
user that may not be so bad but it could be critical
for investigative journalists or other activists.

If Claws can prevent that by at least warning the user
about the implications of checking a signature this
won't happen.

More information about the Users mailing list