Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: kf5-message...@packages.debian.org, he...@debian.org
Control: affects -1 + src:kf5-messagelib

[ Reason ]
KMail can't verify signatures if they are signed with subkeys.

[ Impact ]
Users will see an invalid signature instead of a valid one.

[ Tests ]
The same package has been in unstable for some days without any issue. I also run KMail on a daily basis.

[ Risks ]
The patch is quite small and is a direct patch from upstream. It is very unlikely that this has side effects.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in bookworm
[*] the issue is verified as fixed in unstable

diff -Nru kf5-messagelib-22.12.3/debian/changelog kf5-messagelib-22.12.3/debian/changelog --- kf5-messagelib-22.12.3/debian/changelog 2023-03-01 21:33:30.000000000 +0100 +++ kf5-messagelib-22.12.3/debian/changelog 2023-07-02 23:21:13.000000000 +0200 @@ -1,3 +1,15 @@ +kf5-messagelib (4:22.12.3-2~deb12u1) bookworm; urgency=medium + + * Rebuilt for bookworm. + + -- Sandro Knauß <he...@debian.org> Sun, 02 Jul 2023 23:21:13 +0200 + +kf5-messagelib (4:22.12.3-2) unstable; urgency=medium + + * Add upstream patch to search also for subkeys (Closes: #1037363). + + -- Sandro Knauß <he...@debian.org> Tue, 27 Jun 2023 14:09:30 +0200 + kf5-messagelib (4:22.12.3-1) unstable; urgency=medium [ Patrick Franz ] diff -Nru kf5-messagelib-22.12.3/debian/patches/series kf5-messagelib-22.12.3/debian/patches/series --- kf5-messagelib-22.12.3/debian/patches/series 2022-12-20 01:37:29.000000000 +0100 +++ kf5-messagelib-22.12.3/debian/patches/series 2023-06-27 13:33:50.000000000 +0200 @@ -1 +1,2 @@ enable_debianabimanager.diff +upstream-Look-for-matching-subkey-if-no-key-was-found-for-fin.patch diff -Nru kf5-messagelib-22.12.3/debian/patches/upstream-Look-for-matching-subkey-if-no-key-was-found-for-fin.patch kf5-messagelib-22.12.3/debian/patches/upstream-Look-for-matching-subkey-if-no-key-was-found-for-fin.patch --- kf5-messagelib-22.12.3/debian/patches/upstream-Look-for-matching-subkey-if-no-key-was-found-for-fin.patch 1970-01-01 01:00:00.000000000 +0100 +++ kf5-messagelib-22.12.3/debian/patches/upstream-Look-for-matching-subkey-if-no-key-was-found-for-fin.patch 2023-06-27 13:34:36.000000000 +0200 
@@ -0,0 +1,44 @@ +From 70f39256784280d2034aa7bf1c4765f606c22d56 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <d...@ingo-kloecker.de> +Date: Wed, 3 May 2023 14:51:18 +0200 +Subject: Look for matching subkey if no key was found for fingerprint + +If the message was signed with a signing subkey instead of with the +primary key of an OpenPGP certificate, then we won't find a key with +findByFingerprint(). To look for a matching subkey we need to use +findSubkeysByKeyID(). + +FIXED-IN: 5.23.1 +BUG: 469304 +(cherry picked from commit 606ea1478d2d5b5aacdc6ef3f050655fe0352d87) +--- + mimetreeparser/src/messagepart.cpp | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/mimetreeparser/src/messagepart.cpp b/mimetreeparser/src/messagepart.cpp +index f1489d5e0..3e99e71c8 100644 +--- a/mimetreeparser/src/messagepart.cpp ++++ b/mimetreeparser/src/messagepart.cpp +@@ -848,8 +848,18 @@ void SignedMessagePart::sigStatusToMetaData() + // Search for the key by its fingerprint so that we can check for + // trust etc. + key = Kleo::KeyCache::instance()->findByFingerprint(signature.fingerprint()); ++ if (key.isNull() && signature.fingerprint()) { ++ // try to find a subkey that was used for signing; ++ // assumes that the key ID is the last 16 characters of the fingerprint ++ const auto fpr = std::string_view{signature.fingerprint()}; ++ const auto keyID = std::string{fpr, fpr.size() - 16, 16}; ++ const auto subkeys = Kleo::KeyCache::instance()->findSubkeysByKeyID({keyID}); ++ if (subkeys.size() > 0) { ++ key = subkeys[0].parent(); ++ } ++ } + if (key.isNull()) { +- qCDebug(MIMETREEPARSER_LOG) << "Found no Key for Fingerprint" << signature.fingerprint(); ++ qCDebug(MIMETREEPARSER_LOG) << "Found no key or subkey for fingerprint" << signature.fingerprint(); + } + } + +-- +2.40.1 +
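
Review bot: In the messagepart.cpp hunk, the new subkey fallback in SignedMessagePart::sigStatusToMetaData() computes `fpr.size() - 16` without checking the fingerprint length. The guard `signature.fingerprint()` only tests for a non-null pointer, so an empty or shorter-than-16-character fingerprint makes the unsigned subtraction wrap, and constructing `std::string{fpr, fpr.size() - 16, 16}` then throws std::out_of_range while processing a received message. Suggest adding a `fpr.size() >= 16` condition before deriving the key ID. A second point on the same block: `key = subkeys[0].parent()` takes the first subkey whose 64-bit key ID matches, and the code comment already notes the key ID is only the tail of the fingerprint. Since the full fingerprint is at hand, comparing it against each candidate subkey's fingerprint before taking parent() would keep the trust check from being applied to a different certificate that happens to share the key ID.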