I was viewing an unsigned, unencrypted email. The first time I opened it, it was shown with incorrect OpenPGP security information.
The green Enigmail banner said:
"Decrypted message; Good signature from Daira Hopwood (preferred key) firstname.lastname@example.org
Key ID: 0x98CF2762 / Signed on: 17/07/14 10:56"
(There was a short delay before the banner appeared, but that's not unusual.)
The result of "Copy OpenPGP Security Info" was:
"Good signature from Daira Hopwood (preferred key) email@example.com
Key ID: 0x98CF2762 / Signed on: 17/07/14 10:56
Key fingerprint: 3D6A 08E9 1262 3E9A 00B2 1BDC 067F 4920 98CF 2762"
That is my key ID and fingerprint, but I didn't sign that message. Opening the same message again shows an unsigned, unencrypted email with no OpenPGP banner, as expected.
The claimed signing date (17th July, i.e. the day I viewed it) is also inconsistent with the date the actual message was sent (Mon, 30 Jun 2014 19:59:09 +0000). I suspect that the signature information might have come from verifying a different email.
This implies I can no longer trust Enigmail to show me accurate signature information. :-(
I still have the message window with the incorrect banner open; I can attach a screenshot or interact with it further if needed.
This was using Enigmail version 1.6 (20131006-1849), Thunderbird 24.0, and GnuPG 1.4.14 (from the Debian package on Linux Mint Debian Edition).