After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 222067 - automatically verify gpg signatures
automatically verify gpg signatures
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
2.4.x (obsolete)
Other other
: Normal enhancement
: Future
Assigned To: evolution-mail-maintainers
Evolution QA team
: 269371 (view as bug list)
Depends on: 217269
Blocks:
 
 
Reported: 2002-03-18 07:50 UTC by Adrian von Bidder
Modified: 2006-06-07 14:24 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description Adrian von Bidder 2002-03-18 07:50:36 UTC 
Hi!

Yet another gpg related user interface wishlist bug...

I'd find it very convenient if evo would allow e-mail signatures to be
verified automatically. As I'm on a permanent internet connection, key
retrievals are not a problem for me (and, of course, for those who are not
on a permanent connection, the option would have to be configurable)

Thanks and greets from Switzerland
-- vbi
Comment 1 Ben Escoto 2002-07-14 00:31:07 UTC 
Even if someone doesn't have a permanent connection they may want to
automatically check signatures.  After all, if you already have the
user's key locally, there seems to be no reason not to check.
Comment 2 Jeffrey Stedfast 2002-07-14 01:33:09 UTC 
the reason signature checking is not auto-matic is because we have no
way of making the user feel comfortable that the "valid sig" is not
spoofed in HTML mail.

with the current way, there can leave no doubt in the user's mind that
the signature is for-real (tm).
Comment 3 Jeffrey Stedfast 2002-07-14 01:35:15 UTC 
I meant to add that this has nothing to do with auto-fecthing keys
from a keyserver.
Comment 4 Adrian von Bidder 2002-07-30 11:52:30 UTC 
> the reason signature checking is not auto-matic is because we have no
> way of making the user feel comfortable that the "valid sig" is not
> spoofed in HTML mail.

How about moving the signature check handling stuff for MIME
signatures up into the header pane? You can't spoof this even in HTML
mails?

cheers
-- vbi
Comment 5 Jeffrey Stedfast 2002-07-30 14:37:12 UTC 
The problem with that idea is that signatures are not limited to being
for the whole message, they can legally be for individual MIME parts.
So theoretically, each attachment could have its own signature as well
as the message body.
Comment 6 Paweł Sakowski 2003-10-17 18:04:28 UTC 
If Evolution supports dynamic HTML pages (which I'm not sure about),
it is still possible to forge Evolution's signature-checking behavior.

Anyway, how about putting the signature information in the header
field (visually: the gray frame atop of the message?) HTML has no
access there, and there's one for which body part that can be signed.
Comment 7 Jeffrey Stedfast 2003-10-17 18:09:10 UTC 
it doesn't support dynamic html, so it cannot be spoofed.

huh? the gray box only ever appears once for each message, not for
each mime part. so no, that idea won't work.
Comment 8 André Klapper 2005-02-06 16:03:51 UTC 
*** bug 269371 has been marked as a duplicate of this bug. ***
Comment 9 André Klapper 2005-02-07 15:13:37 UTC 
NOTXIMIAN security
this has nothing to do with evolution, but with your gpg settings -
there you can add an automatical download of keys from keyservers.
also see bug 261186 for this.

shall this one be closed as NOTXIMIAN?

at least depending on bug 217269 which is about adding a GUI for
gpg/pgp key managing.
Comment 10 Calum Benson 2005-07-28 10:40:35 UTC 
Apologies for any spam... cc'ing usability-maint on all Evolution usability
bugs. Filter on EVO-USABILITY-SPAM to ignore.
Comment 11 Rui Matos 2006-06-07 10:42:48 UTC 
Isn't this feature implemented as of evolution 2.6.1? It (sort of) works to me...
Comment 12 Jeffrey Stedfast 2006-06-07 14:24:53 UTC 
yes, as of like 2.2 or so.