#283 Differentiating Signatures

duplicate
nobody
None
1.6.0
Minor
24.6.0
1.4.11
Linux
---
2015-01-31
2014-07-02
No

Running Enigmail version 1.6 (20131006-1849)
Using gpg executable /usr/bin/gpg to encrypt and decrypt

stephen@SONY ~ $ gpg --version
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
stephen@SONY ~ $

Hi,

This may be an enhancement request. Apologies up front if so.

I receive an email from a person. The email is digitally signed. I do not know this person. I forward that email to another person, but I do not sign it. Enigmail says there is a problem.

“Signature verification failed”

It seems that Enigmail is not clever enough to differentiate between the two and alert separately. It would make sense to show signature verification failed that this or that signature verification failed. However, in its GUI the developer has chosen to simplify and condense the message and therefore it only tells you that (some) signature failed without being more detailed about which signature that was.

It seems like the error message should say which signature it is that it cannot verify and
ideally the reason for it - e.g. trust not set/known, key expired, etc. Otherwise, the obscure message will send you in a tail spin trying to find out what is wrong with your own signature.

Does one have to validate the signature that was sent to them, before forwarding the original email? That seems cumbersome.

Kindly,
SHD

Discussion

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -35,7 +35,7 @@
     It seems like the error message should say which signature it is that it cannot verify and 
     ideally the reason for it - e.g. trust not set/known, key expired, etc. Otherwise, the obscure message will send you in a tail spin trying to find out what is wrong with your own signature.
    
    -Do one have to validate the signature that was sent to them, before forwarding the original email? That seems cumbersome.
    +Does one have to validate the signature that was sent to them, before forwarding the original email? That seems cumbersome.
    
     Kindly,
    
     
  • Which "two" are you talking about? You forward the message, but do not sign it; thus there is only one signature on the message, right?

     
  • Yes, this is correct.

     
  • So what is the precise issue? For inline-PGP messages you can see which part of the text was signed and by whom, and for PGP/MIME messages (which required to forward messages as attachment), you have to open the attached message to get the signature information.

     
  • The error message is vague, but this may be what was intended. Signature error does not mean much, if there is no validation of the signature, because there is no trust of the signature. The assumption seems to be that all signatures must be validated, yes? It seems like there is an easier way to accomplish this step of the process, but I could be incorrect.

     
  • Hi,

    Worked on this with a friend today. Reviewing the message activity, there are indeed two signatures. There is both my signature and the signature of the person that signed the email I forwarded, but I did not validate the signature of the person that sent me the original email.

    I did not sign the email I forwarded, but Thunderbird decided to sign it. Here is the divergence in my activity versus what Thunderbird or Enigmail decided to accomplish.

    Therefore, I get a message telling me that a signature was not validated and I have two signatures in the message envelope - it should also tell me which signature: mine, or the forwarded attachment's signature? It should also give a reason that the validation
    failed.

    Is this the correct understanding of the expected behavior?

     
  • Duplicate to bug 362 [bugs:#362]

     

    Related

    Bugs: #362

    • status: open --> duplicate