Hello,
I think I found an issue with how GnuPG handles signatures with Signer's
UID field and trust model tofu+pgp.
There was an issue reported to OpenKeychain [0] that messages generated
by it are not trusted by GnuPG. The problem was that messages produced
by K-9 mail and OpenKeychain are decrypted by GnuPG with the following
warning:
gpg: WARNING: We do NOT trust this key!
gpg: The signature is probably a FORGERY.
Even though the key is marked with "tofu-policy good" and looks fine in
"gpg --edit-key".
I did run the decryption with "--debug-level guru" and spotted the
following message:
gpg: DBG: TOFU: only considering user id: 'John Doe <john@example.com>'
gpg: DBG: TOFU: skipping user id 'john@example.com', which does not
match the signer's email ('John Doe <john@example.com>')
gpg: DBG: no (of 0) valid bindings. Can't get TOFU validity for this
set of user ids.
As I've seen previously OpenKeychain embeds full User ID as Signer's UID
(that is "John Doe <john@example.com>") but GnuPG users only e-mail
("john@example.com"). It seems when GnuPG encounters Signer's UID in
full form it cannot get TOFU validity.
"Signer's UID" looks like it could contain full UID so maybe GnuPG
should support full User IDs there and just extract the e-mail address?
I don't know if I got the issue right that's why I didn't create a
ticket but if this sounds OK I can do so.
Kind regards,
Wiktor
[0]: https://github.com/open-keychain/open-keychain/issues/2333
--
https://metacode.biz/@wiktor
I think I found an issue with how GnuPG handles signatures with Signer's
UID field and trust model tofu+pgp.
There was an issue reported to OpenKeychain [0] that messages generated
by it are not trusted by GnuPG. The problem was that messages produced
by K-9 mail and OpenKeychain are decrypted by GnuPG with the following
warning:
gpg: WARNING: We do NOT trust this key!
gpg: The signature is probably a FORGERY.
Even though the key is marked with "tofu-policy good" and looks fine in
"gpg --edit-key".
I did run the decryption with "--debug-level guru" and spotted the
following message:
gpg: DBG: TOFU: only considering user id: 'John Doe <john@example.com>'
gpg: DBG: TOFU: skipping user id 'john@example.com', which does not
match the signer's email ('John Doe <john@example.com>')
gpg: DBG: no (of 0) valid bindings. Can't get TOFU validity for this
set of user ids.
As I've seen previously OpenKeychain embeds full User ID as Signer's UID
(that is "John Doe <john@example.com>") but GnuPG users only e-mail
("john@example.com"). It seems when GnuPG encounters Signer's UID in
full form it cannot get TOFU validity.
"Signer's UID" looks like it could contain full UID so maybe GnuPG
should support full User IDs there and just extract the e-mail address?
I don't know if I got the issue right that's why I didn't create a
ticket but if this sounds OK I can do so.
Kind regards,
Wiktor
[0]: https://github.com/open-keychain/open-keychain/issues/2333
--
https://metacode.biz/@wiktor
Attached Files:
-
signature.asc (0.90 KB)
