[Users] Signatures don't seem to work

Paul claws at thewildbeast.co.uk
Sun Sep 1 00:14:16 CEST 2019


On Sat, 31 Aug 2019 21:50:46 +0300
mlist <mlist at riseup.net> wrote: 

> I imagine the following scenario:
> 
> 1. One fetches mail using Tor proxy (configured in
> Claws), then goes offline to read the messages. I.e.
> one relies on IP address not being revealed.
> 
> 2. One of the newly fetched messages needs retrieval of
> signature. With --auto-key-retrieve and no system-wide
> Tor proxy configured (for whatever reason or by
> omission) GPG will connect to the key server and
> reveal the info which the man page explains.
> 
> 3. Suppose the attacker who is trying to locate a
> victim through his email address has taken hold of the
> key server or of the ISP of the victim. The victim
> assuming he is hidden by using Tor may not guess about
> all of the above and inadvertently expose himself
> because he thinks he is 'offline'. For the general
> user that may not be so bad but it could be critical
> for investigative journalists or other activists.
> 
> If Claws can prevent that by at least warning the user
> about the implications of checking a signature this
> won't happen.

If you were serious about protecting your privacy like that (tor, etc), then
you would not set auto-key-retrieve in your gpg.conf. Unset that and you can
freely check signatures without caring whether you have the key in your
keyring or not.

with regards

Paul
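
Added example, not part of the message above and not code from Claws Mail or GnuPG: a shell check for the setting this thread discusses, reporting whether a gpg.conf leaves auto-key-retrieve switched on. The function name akr_state, the sample file and the rule that the last occurrence wins are assumptions; it inspects only the config file, not options passed on the gpg command line.

```shell
#!/bin/sh
# Added example: does a gpg.conf leave auto-key-retrieve switched on?
# Assumption: if the option appears more than once, the last occurrence wins.

# akr_state [FILE] -> prints "enabled", "disabled" or "unset".
# Reads standard input when FILE is omitted.
akr_state() {
    awk '
        BEGIN { state = "unset" }
        {
            sub(/\r$/, "")                      # tolerate CRLF line endings
            sub(/^[ \t]+/, "")                  # drop leading whitespace
            if ($0 == "" || $0 ~ /^#/) next     # blank line or comment
            n = split($0, w, /[ \t,]+/)
            if (w[1] == "auto-key-retrieve") {
                state = "enabled"
            } else if (w[1] == "no-auto-key-retrieve") {
                state = "disabled"
            } else if (w[1] == "keyserver-options") {
                # older spelling: the flag sits in a list of keyserver options
                for (i = 2; i <= n; i++) {
                    if (w[i] == "auto-key-retrieve") state = "enabled"
                    else if (w[i] == "no-auto-key-retrieve") state = "disabled"
                }
            }
        }
        END { print state }
    ' "${1:--}"
}

# Constructed sample: switched on through keyserver-options, then off again.
sample_state=$(akr_state <<'EOF'
# constructed gpg.conf for illustration
keyserver-options honor-keyserver-url, auto-key-retrieve
no-auto-key-retrieve
EOF
)
echo "constructed sample: $sample_state"

# The real file, if there is one.
conf="${GNUPGHOME:-${HOME:-.}/.gnupg}/gpg.conf"
if [ -r "$conf" ]; then
    echo "$conf: $(akr_state "$conf")"
fi
```

A result of "enabled" means that verifying a signature from an unknown key can trigger a key server lookup, which is the network connection described in the quoted scenario.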

