#283 Differentiating Signatures

duplicate
nobody
None
1.6.0
Minor
24.6.0
1.4.11
Linux
---
2015-01-31
2014-07-02
No

Running Enigmail version 1.6 (20131006-1849)
Using gpg executable /usr/bin/gpg to encrypt and decrypt

stephen@SONY ~ $ gpg --version
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
stephen@SONY ~ $

Hi,

This may be an enhancement request. Apologies up front if so.

I receive an email from a person. The email is digitally signed. I do not know this person. I forward that email to another person, but I do not sign it. Enigmail says there is a problem.

“Signature verification failed”

It seems that Enigmail is not clever enough to differentiate between the two and alert separately. It would make sense to show that this or that signature verification failed. However, in its GUI the developer has chosen to simplify and condense the message, and therefore it only tells you that (some) signature failed without being more detailed about which signature that was.

It seems like the error message should say which signature it is that it cannot verify and ideally the reason for it - e.g. trust not set/known, key expired, etc. Otherwise, the obscure message will send you into a tailspin trying to find out what is wrong with your own signature.

Does one have to validate the signature that was sent to them, before forwarding the original email? That seems cumbersome.

Kindly,
SHD

Discussion

  • Stephen H. Dawson

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -35,7 +35,7 @@
     It seems like the error message should say which signature it is that it cannot verify and 
     ideally the reason for it - e.g. trust not set/known, key expired, etc. Otherwise, the obscure message will send you in a tail spin trying to find out what is wrong with your own signature.
    
    -Do one have to validate the signature that was sent to them, before forwarding the original email? That seems cumbersome.
    +Does one have to validate the signature that was sent to them, before forwarding the original email? That seems cumbersome.
    
     Kindly,
    
     
  • Patrick Brunschwig

    Which "two" are you talking about? You forward the message, but do not sign it; thus there is only one signature on the message, right?

     
  • Stephen H. Dawson

    Yes, this is correct.

     
  • Patrick Brunschwig

    So what is the precise issue? For inline-PGP messages you can see which part of the text was signed and by whom, and for PGP/MIME messages (which require forwarding messages as an attachment), you have to open the attached message to get the signature information.

     
  • Stephen H. Dawson

    The error message is vague, but this may be what was intended. Signature error does not mean much, if there is no validation of the signature, because there is no trust of the signature. The assumption seems to be that all signatures must be validated, yes? It seems like there is an easier way to accomplish this step of the process, but I could be incorrect.

     
  • Stephen H. Dawson

    Hi,

    Worked on this with a friend today. Reviewing the message activity, there are indeed two signatures. There is both my signature and the signature of the person that signed the email I forwarded, but I did not validate the signature of the person that sent me the original email.

    I did not sign the email I forwarded, but Thunderbird decided to sign it. Here is the divergence in my activity versus what Thunderbird or Enigmail decided to accomplish.

    Therefore, I get a message telling me that a signature was not validated and I have two signatures in the message envelope - it should also tell me which signature: mine, or the forwarded attachment's signature? It should also give a reason that the validation failed.

    Is this the correct understanding of the expected behavior?

     
  • Patrick Brunschwig

    • status: open --> duplicate
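
The per-signature reporting requested in this ticket, as an added example that is not part of the thread and not Enigmail's code: it reads GnuPG `--status-fd` status lines for each signed message part and names the part, the key ID and the reason for the result. The part labels, key IDs and sample status text are constructed for illustration.

```python
# Added example (not Enigmail code); key IDs and sample text are constructed.
SIG_RESULTS = {
    "GOODSIG": "signature is valid",
    "BADSIG": "content was modified or signature is corrupt",
    "EXPSIG": "signature has expired",
    "EXPKEYSIG": "signing key has expired",
    "REVKEYSIG": "signing key has been revoked",
    "ERRSIG": "signature could not be checked",
}
ERRSIG_RC = {"4": "unsupported algorithm", "9": "public key not in keyring"}

def classify(parts):
    """parts maps a message-part label to its status text; one record per signature."""
    records = []
    for label, text in parts.items():
        current = None
        for line in text.splitlines():
            fields = line.split()
            if len(fields) < 2 or fields[0] != "[GNUPG:]":
                continue
            keyword, args = fields[1], fields[2:]
            if keyword in SIG_RESULTS and args:
                current = {"part": label, "keyid": args[0], "result": keyword,
                           "reason": SIG_RESULTS[keyword], "validity": None}
                if keyword == "ERRSIG" and len(args) >= 6:
                    # ERRSIG <keyid> <pkalgo> <hashalgo> <class> <time> <rc>
                    current["reason"] = ERRSIG_RC.get(args[5], current["reason"])
                records.append(current)
            elif keyword.startswith("TRUST_") and current is not None:
                current["validity"] = keyword[len("TRUST_"):].lower()
    return records

def describe(rec):
    """One line naming the part, the key and the reason, instead of a bare failure."""
    ok = rec["result"] == "GOODSIG" and rec["validity"] in ("fully", "ultimate")
    reason = rec["reason"]
    if rec["result"] == "GOODSIG" and not ok:
        reason += f", but key validity is {rec['validity'] or 'unknown'}"
    return f"{rec['part']}: key {rec['keyid']}: {'OK' if ok else 'PROBLEM'} ({reason})"

SAMPLE = {  # constructed status output, one entry per signed part
    "outer message": "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Forwarder <fwd@example.org>\n"
                     "[GNUPG:] TRUST_ULTIMATE\n",
    "forwarded attachment": "[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 2 00 1404259200 9\n"
                            "[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB\n",
}

if __name__ == "__main__":
    print("\n".join(describe(r) for r in classify(SAMPLE)))
```

A signature that verifies but whose key has undefined validity is reported as a problem with that reason attached, which separates "unknown sender key" from "tampered message".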
     
