Your message dated Sun, 29 Jan 2012 19:08:57 +0100
with message-id <[email protected]>
and subject line Re: psi: does not verify the signature of an encrypted message
has caused the Debian Bug report #381964,
regarding psi: does not verify the signature of an encrypted message
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
381964: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381964
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: psi
Version: 0.10-2
Severity: normal
PSI does not verify the signature of an incoming encrypted message.
reproduce:
- right click on a contact A
- select "Assign OpenPGP key"
- choose one of the possibilities (B)
- Now chat with the contact (double click on contact A)
- toggle encryption on
- when you send a message to contact A the message is encrypted with the
  chosen key (B)
- but when contact A sends you an encrypted message with another
  signature than (B) the message is accepted with no alert
Important to know:
ii gnupg 1.4.3-2 GNU privacy guard - a free PGP replac
ii gnupg-agent 1.9.20-1.1 GNU privacy guard - password agent
ii gnupg2 1.9.20-1.1 GNU privacy guard - a free PGP replac
ii libgnupg-interface-perl 0.33-6 Perl interface to GnuPG
ii libgpgme11 1.1.2-2 GPGME - GnuPG Made Easy
ii pgpgpg 0.13-8 Wrapper for using GnuPG in programs
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.7
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages psi depends on:
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii libgcc1 1:4.1.1-5 GCC support library
ii libqca1c2 1.0-8 Qt Cryptographic Architecture - sh
ii libqt3-mt 3:3.3.6-2 Qt GUI Library (Threaded runtime v
ii libstdc++6 4.1.1-5 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.0-7 X11 client-side library
ii libxext6 1:1.0.0-4 X11 miscellaneous extension librar
ii libxss1 1:1.0.1-4 X11 Screen Saver extension library
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages psi recommends:
ii qca-tls 1.0-3 TLS plugin for the Qt Cryptographi
ii sox 12.17.9-1 A universal sound sample translato
-- no debconf information
--- End Message ---
--- Begin Message ---
After a little more than 5 years, I thought it would be a good idea to
finally fix this bug. :-)
But while trying to find the offending code, I noticed that this is just
a misconception: Psi just doesn't support signed messages at all.
And this is probably not unusual, as XEP-27 reads:
"In Jabber, signing uses the 'jabber:x:signed' namespace, and is
primarily used with <presence/>, but may also be used with <message/>."
(http://xmpp.org/extensions/xep-0027.html#schemas-encrypted)
While signing a message is technically possible, the main use case of
the signing feature seems to be signing presence information.
What psi does support is encrypting messages - but that's a completely
different story. As a message is only encrypted with the recipient's
public key, it doesn't contain any reference to the sender's key.
Therefore, it's just not possible to detect if the sender's private key
changed.
So this is not a bug, but just a missing feature. Therefore, I close
this bug report.
Regards,
Jan
--- End Message ---
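
Added example, not part of the original bug report and not Psi's code: a small OpenPGP packet walker (RFC 4880 header rules) that lists which key IDs can be read from an encrypted payload without decrypting it, illustrating the closing message's point that only the recipient's key is referenced. The function names, the key ID and the sample bytes are constructed for illustration; the input is assumed to be the already base64-decoded binary payload.

```python
# OpenPGP packet tags used here (RFC 4880, section 4.3).
PKESK, ONE_PASS_SIG, SEIPD = 1, 4, 18

def parse_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        i += 1
        if hdr & 0x40:                      # new format: tag in bits 5-0
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                               # old format: tag in bits 5-2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def visible_key_ids(data):
    """Key IDs readable from the outer packets, without decrypting."""
    out = {"recipients": [], "signers": []}
    for tag, body in parse_packets(data):
        if tag == PKESK and body[:1] == b"\x03":           # version, 8-octet key ID
            out["recipients"].append(body[1:9].hex().upper())
        elif tag == ONE_PASS_SIG and body[:1] == b"\x03":  # key ID at octets 4..11
            out["signers"].append(body[4:12].hex().upper())
    return out

# Constructed sample, not a real message: a session-key packet for a made-up
# recipient key ID, followed by an encrypted-data packet holding dummy bytes.
RECIPIENT = bytes.fromhex("1122334455667788")
pkesk = b"\x03" + RECIPIENT + b"\x01\x00\x08\xAA"   # v3, key ID, RSA, dummy MPI
SAMPLE = (bytes([0x84, len(pkesk)]) + pkesk          # old-format header, tag 1
          + bytes([0xC0 | SEIPD, 5]) + b"\x01" + b"\xEE" * 4)  # new format, tag 18
print(visible_key_ids(SAMPLE))
```

The only key ID the receiving client can compare against the key assigned to the contact is its own, so an encrypted-only message gives it nothing to check the sender against.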