https://bugs.kde.org/show_bug.cgi?id=353317
Bug ID: 353317
Summary: kMail 5.0: Wrong signature issuer shown for OpenPGP signed mails (SMIME not tested).
Product: kmail2
Version: unspecified
Platform: Kubuntu Packages
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: NOR
Component: general
Assignee: kdepim-bugs@kde.org
Reporter: kdeb...@customcdrom.de

Not sure if there might even be security implications:

A friend of mine sends signed messages which are always
* shown as having a valid signature (green display and everything)
* but from a completely wrong sender (!)

******************************************************************
Die Nachricht enthält die Signatur von kl...@xxxxxxxxx.de (Schlüsselkennung: 0x9F8E2A98D1A4EDE5).
Die Signatur ist gültig, und der Schlüssel ist vertrauenswürdig.
******************************************************************
(translation: The message contains the signature of kl...@xxxxxxxxx.de (Key-ID: 0x9F8E2A98D1A4EDE5). The signature is valid and the key is trusted.)
******************************************************************

I have this public key in my keyring, but it has nothing to do with the mail that is displayed - if I extract its PGP signature into a separate file and use gpg to display information about it, the following is displayed:

******************************************************************
$ LANG= gpg --verify sigfile /dev/null
gpg: Signature made Tue Sep 29 11:11:08 2015 CEST using RSA key ID 22B2951D
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see https://gnupg.org/faq/weak-digest-algos.html for more information
gpg: BAD signature from "Matthias XXXXXXX <matth...@xxxxxxx.de>"
******************************************************************

Neither mail address nor key ID have anything to do with the wrong key that is picked up for display by kMail...

I'm also not sure why the wrong key is displayed as "trusted" in the first place - it does not seem to be considered trusted by gpg:

******************************************************************
gpg: using classic trust model
pub  2048R/D1A4EDE5  created: 2000-02-26  expires: never  usage: SCE
                     trust: undefined  validity: unknown
******************************************************************

Reproducible: Always
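
Added example (not part of the original report, and not KMail or GnuPG code): the cross-check the reporter did by hand, written as a Python parser for the machine-readable status lines that `gpg --status-fd 1 --verify` emits, compared against the key ID a mail client displays. The function names and both sample inputs are constructed for illustration; the signer's long key ID pads the short ID 22B2951D from the report with zeros.

```python
import re

# Status keywords documented in GnuPG's doc/DETAILS; each of these is
# followed by "<long_keyid_or_fpr> <username>".
_VERDICT = {"GOODSIG": "good", "BADSIG": "bad", "EXPSIG": "expired signature",
            "EXPKEYSIG": "expired key", "REVKEYSIG": "revoked key"}
_TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
          "TRUST_FULLY", "TRUST_ULTIMATE"}

def parse_status(text):
    """Return one dict per signature reported in `gpg --status-fd` output."""
    sigs = []
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if len(fields) >= 2 and fields[0] in _VERDICT:
            sigs.append({"verdict": _VERDICT[fields[0]], "keyid": fields[1].upper(),
                         "uid": " ".join(fields[2:]), "trust": None})
        elif fields and fields[0] in _TRUST and sigs:
            sigs[-1]["trust"] = fields[0][len("TRUST_"):].lower()
    return sigs

def check_display(status_text, shown_keyid):
    """List disagreements between a mail client's display and gpg's result."""
    shown = re.sub(r"^0x", "", shown_keyid, flags=re.I).upper()
    sigs = parse_status(status_text)
    problems = [] if sigs else ["gpg reported no signature"]
    for s in sigs:
        # Short and long key IDs are both suffixes of the fingerprint.
        if not (s["keyid"].endswith(shown) or shown.endswith(s["keyid"])):
            problems.append(f"key mismatch: shown {shown}, gpg reports {s['keyid']}")
        if s["verdict"] != "good":
            problems.append(f"signature is {s['verdict']}")
        elif s["trust"] not in ("fully", "ultimate"):
            problems.append(f"key trust is {s['trust']}")
    return problems

# Constructed samples. The report shows only the short signer ID 22B2951D,
# so the upper half of the long ID is a zero placeholder.
SAMPLE_BAD = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 0000000022B2951D Example Signer <signer@example.org>\n")
SAMPLE_UNTRUSTED = ("[GNUPG:] GOODSIG 9F8E2A98D1A4EDE5 Example Key <key@example.org>\n"
                    "[GNUPG:] TRUST_UNDEFINED\n")

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("untrusted", SAMPLE_UNTRUSTED)):
        print(name, check_display(sample, "0x9F8E2A98D1A4EDE5"))
```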