#377 Wrong signaturkey shown on green banner

[webratte2]

OS: Windows 7
Thunderbirdversion:31.3.0
Enigmail Version: 1.8a1pre

possible reproduce:

-I send a signed (with my key - me@examble.com) an encrypted mail to Bob@examble.com
-I send the same mail as BCC to myself.
-the mail is encrypted with both keys (me@examble.com and Bob@examble.com)

-the mail I receive will shown as correct signed from Bob@examble.com

See also this message from the green banner:

Enigmail-Sicherheitsinfo:

Entschlüsselte Nachricht
Korrekte Unterschrift von Bob Examble Bob@examble.com
Schlüssel-ID: 0x90XXXXXX / Unterschrieben am: 28.12.2014 18:18
Schlüssel-Fingerabdruck: 17C2 6EDE 7588 XXXX XXXX XXXX XXXX XXXX XXXX XXXX

Hinweis: Die Nachricht wurde mit folgenden Benutzer-IDs / Schlüsseln verschlüsselt:
0x2E50XXXXXXXXXXXX (Me Examble me@examble.com),
0x436FXXXXXXXXXXXX (Bob Examble Bob@examble.com)

If you need I can send you this mail
Bye
Mike

Sorry for my bad english

[Patrick Brunschwig]

I fully understand. Enigmail will most likely only display the last signature found.

[webratte2]

This can not be.
This mail is the first mail (no reply or something else).
Bob has never signed this mail (I have not Bobs private key).

This mail is only encrypted with Bobs public key. And with my public key of course.
And signed with my private key.
This is the only signature in this mail.

[Patrick Brunschwig]

Please send me the mail. If you don't want to attach it here, then please forward the mail as attachment to <patrick at="" einigmail="" dot="" net=""></patrick>

[webratte2]

I will send you a mail with attachment to your mailadress.

edit:

The mail I have sendet to you shows the same issue (shows: signed with Bobs Key).

[ahzf]

Dear all...

I think I ran into the same bug:

For the following e-mail enigmail shows the recipient instead of the sender in the green box:

Return-Path: robot@offenes-jena.de
Received: from mail.ahzf.de ([unix socket])
by mail (Cyrus v2.4.17-caldav-beta7-Debian-2.4.17+caldav~beta7-2) with LMTPA;
Tue, 20 Jan 2015 15:41:01 +0100
X-Sieve: CMU Sieve 2.4
Received: from quadquantor (ipb2190098.dynamic.kabel-deutschland.de [178.25.0.152])
by mail.ahzf.de (Postfix) with ESMTPSA id 6B06AB203F
for achim@ahzf.de; Tue, 20 Jan 2015 15:41:01 +0100 (CET)
MIME-Version: 1.0
From: Offenes Jena robot@offenes-jena.de
To: achim@ahzf.de
Subject: Deine Anmeldung bei 'Offenes Jena'...
Date: Tue, 20 Jan 2015 14:40:56 GMT
Content-Type: multipart/encrypted; charset=utf-8; boundary="-8<--multipart/encrypted--8<--e742e4a114e5d4dcb9f806e6--8<-"; protocol="application/pgp-encrypted"
Content-Transfer-Encoding: 8bit
Message-Id: e49ed28dd6bb573afde9e17a@mail.ahzf.de

---8<--multipart/encrypted--8<--e742e4a114e5d4dcb9f806e6--8<-
Content-Type: application/pgp-encrypted; charset=utf-8
Content-Description: PGP/MIME version identification
Content-Disposition: attachment; filename="signature.asc"

Version: 1

---8<--multipart/encrypted--8<--e742e4a114e5d4dcb9f806e6--8<-
Content-Type: application/octet-stream; charset=utf-8
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"

-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.8.5498.26536

hQIMA33mX7dvm8SQAQ/+MA7YLyRGakXA3z025iIjVXM7kLaxN6xnocZSDpBuXtx2
vH8Dmtthr6PgVDmzu9O9ygTyjcCMmRJPSEE43bfLH+poKk5Y6ARgn3LgimEwe7Xy
uYpI2LxEy3/hypBGKNZwXB5lId+aGGbYyucjjAZbBFIMn1WnLLFFvDJFDOUyEgYm
ykqzsrOQRf1maUie3fKK3koBBY78VEAaKFok1dHEyxEVvGC5CigqsjJV/yY55yH6
zbY3WYAcHP9Txp7viPFXL6k1GRcquMnS+qGftaGDY60PrctmiwQLWJSnMoZOvW38
QzP+7hIB8b1iE0xp7BVfVmwgHe+sX61mcszp8Ia+9RQ9eXumIIXZ0zxRZaMinZ9z
045kGo/cxBI86gr6mEZgG1iu2bFEp9QtrBmDeh+1eVDB47/ub6OQ9ZYf3mo3Z1mk
gIpFCRxoc719cyRPR9PS3HEc2saNsFV03L/3KJIUEp7ZnkH86sfvRRgnqOroQvS+
Ss3IO6ILF5Up5CW6TbXCqo29uNLlnzB+frO4guCDv9I623zf/14Iyl0D18lx7jVG
zBkudiZwmq4+/G6kXLRg5VLTecwxgqomirHB8e7TCZquNtUJlnNyN3wmNI79Ydqw
BCKjCZ4wo2ZFG0RVFB4sxiGs9oHlOLIYuGj+g+Lw1b3a0T/By++U5CHRR2j2EtTS
wUUBygY6si6wfCwdNUB9XWDVbCJbt7dMSb4nczFmldSCRlPB9iQ45ihqKH+Nuy0p
to7MPGVa1NsmZ/D/UD8Xugl6iyJxuEkU7ek0mNOeo4X3VXdECfdBOkQVAmxSo5lk
Cd2ZlyGCHdOKuAcS2XB9Sv5KAkRadnMQpoQ7JAr1rTKfveDyfjfJoJiQh/wSJfL7
mvDh3kb4WW5UgjKAwlSnjkzXPq6MqTc3UDDyIZKUmi4GXTMz6gdxsVh0b8GWAho/
YgHXM90dSwJfZckb50pAHt4Zf/0w5WNTlFdsDf3ezgKfz3BAqghhPpbnG/JSV0dk
Avzt008SzygTClS51NGEYr5PK1PgUjHa1EPJuMkCr0T01wxvi8j8Oa1lukPShcMT
uIAjwJeLARX+0OG2RlRZ5sMXq9Dj5WuR6J7Cn+Bfj3re2pb2uCjwTm/8U2nv+Kt1
juUoNdWYnThWF8iO2n4y2dCcrli6gVkEwfnVLOMbOkbDi7mvs/atSpLliO75o3vl
6nbNx4YGqDh4xxuylOE5O72uZfAygV4o94JAjE5sOHbTk4zKJTlg8sNNcQQQp7a1
fo++ew4zmXb4/wIb3AdymhCicGZex0bD3ldXtN6Eie9g55TtuPBf2m3/zr8VV38e
jBZPBHalPaudUo/aQ8M3lzW3+yAHZOs5Z5te7xFD36LT+mPW6s0+
=m7S3
-----END PGP MESSAGE-----

---8<--multipart/encrypted--8<--e742e4a114e5d4dcb9f806e6--8<---

Enigmail shows the following incorrect information, e.g. the key id (Schlüssel-ID in German) does no match the fingerprint of the key.

Korrekte Unterschrift von Achim Friedland achim@ahzf.de
Schlüssel-ID: 0x6F9BC490 / Unterschrieben am: 20/01/15 15:41
Schlüssel-Fingerabdruck: 5F2F 183C B8D5 5A97 5BE6 0819 E368 F95C 8CBD E3F7

Hinweis: Die Nachricht wurde mit folgenden Benutzer-IDs / Schlüsseln
verschlüsselt:
0x7DE65FB76F9BC490 (Achim Friedland achim@ahzf.de)

But the GPG-Tool shows the correct information:
(gpg --output decrypt.txt --decrypt encrypted.asc)

user: "Achim Friedland achim@ahzf.de"
4096-bit RSA key, ID 0x7DE65FB76F9BC490, created 2014-08-15

gpg: encrypted with 4096-bit RSA key, ID 0x7DE65FB76F9BC490, created 2014-08-15
"Achim Friedland achim@ahzf.de"
gpg: Signature made Tue Jan 20 15:41:02 2015 CET
gpg: using RSA key 0xE368F95C8CBDE3F7
gpg: Good signature from "Jena Open Data gpgtest@offenes-jena.de"

Best...
Achim

[Ludwig Hügelschäfer]

Which version of Enigmail are you using? Public key 0xE368F95C8CBDE3F7 does not seem to be on the keyservers. Could you please provide it?

[ahzf]

Sorry, here it is:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org

mI0EVINZxwEEAKmmpMp02zXa1ur846Awg0fVjKLTG3yad99zVeQb/o3tlAZXH/4/
5cCC4sQV0kgca9q1w1A3rF4X5IXMEfh3eIej0Z/Xef1Ip3tuP7UJ13DGZQarUWWB
4vrSYeLcbKyzwZQXyt/Z7KhKXqt2S8vXlgM/qdmCgcoldDoCfO/e/owZABEBAAG0
KEplbmEgT3BlbiBEYXRhIDxncGd0ZXN0QG9mZmVuZXMtamVuYS5kZT6IvQQTAQoA
JwUCVINZxwIbAwUJAeEzgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRDjaPlc
jL3j97vjA/9bRcWCTS1hLFAzc8BTBIlPyU45BdTH5o1cfHHkU3dL5ypub4D9mKSJ
jiySHvFawpVyE6/ssm1LUKkAl9i99SyHVqWkQKR7qky/c9VrM5Plgf6qZAryN4lj
IhS3S3/aqp1tk6Fx5KWLPpcEIKCnsQNsesDpYxJdOX0Vn6Axs29xV7iNBFSDWccB
BAD08wpLoDXBYtODOQ9D8zkBvzhj9OL0Gc+iuyB0FzWq5g8GdclHaRbPyy1z6O4P
irrF9buOkltp45naxHMionMXorwsAT3jbb6HZNH4ZHt0sCP2nrSGleSqgKQfaMqY
fhi+8VZOkv10jLgerKlAR9LPIJBENSsLGlf1mlBAGrkFrQARAQABiKUEGAEKAA8F
AlSDWccCGwwFCQHhM4AACgkQ42j5XIy94/en7wP/ZDgRaHyPfcKXMKZNLHG/kSQ/
BIRA668rmuIkDOWEXOv4hz6wkeHc2vSREqIOpun8UJE/vn9VgeoFBKLxB8Dd1mPP
87jkMc7vT3SmpFqsA/Q4GrCvD+GgH71nIrKN/QTeE86FjFxXC7KBib+Z8kBo68jW
emJeUHrNTzc0s0sgd2A=
=I381
-----END PGP PUBLIC KEY BLOCK-----

[Ludwig Hügelschäfer]

Thanks for the key. So Enigmail is reporting the wrong user id and key id, but the right fingerprint?

[Nicolas Dietrich]

I also just stumbled over this issue with today's nightly on Linux (gnupg 2.0.25): An encrypted and signed message with a TO and a CC recipient is displayed as if it was signed by the CC recipient.

I tried to recreate a similar situation, but couldn't reproduce it. I don't have time for any more systematic analysis right now and can't provide that very email, sorry.

As displaying a wrong signature is a rather major flaw, I increased severity from minor to major. I also changed OS from Windows to all as this also happens on Linux.

[rsjtdrjgfuzkfg]

The issue persists in Enigmail 1.8, on Debian Wheezy with Icedove 31.6.0.

STR: (Move your current ~/.gnupg before importing keys to keep your keyring clean)

1. Import the attached keyfiles: gpg --import userA.gpg userB.gpg
2. Open the attached file message.eml using Icedove/Thunderbird 31.6.0 with Enigmail 1.8 installed

Actual:
The message is displayed as signed by b@example.com

Expected:
The message should be displayed as signed by a@example.com, as you can easily verify using gpg -d message.eml (while the attached keyfiles are imported).

[Olav Seyfarth]

Please upgrade to the current beta and try to reproduce your issue with it since I think that it was already fixed. If you installed Enigmail from the distro repository, you may need to uninstall it using your package manager - and download it with your browser and install it manually from https://www.enigmail.net/download/beta/ using Thunderbird's AddOn manager.

[rsjtdrjgfuzkfg]

@nursoda

Indeed fixed in 1.8.1. I somehow did not yet get the update. As you grant all users editing rights here I suppose you don't mind me marking this as fixed in 1.8.1; I haven't found any documentation about Enigmail's official bug lifecycle.