GNOME Bugzilla – Bug 256878
mailer claims "Invalid signature" for unrecognized keys
Last modified: 2013-09-13 00:57:49 UTC
If you receive a PGP-signed message from someone but don't have their key, Evolution will tell you "Invalid signature", which is wrong. The signature is fine. In 1.4, we had a more non-committal message.
fixed in CVS
*** bug 266837 has been marked as a duplicate of this bug. ***
This details from the dup: "This bug has been reported here: https://bugzilla.ubuntu.com/1752 "I think evolution should at least tell me that the public key was not found (in the "Invalid signature" box) if that's why the signature verification failed. A missing public key (from someone else..) is a solvable problem -- and if I have the key, verification will most likely succeed." Perhaps it could be a nice idea to have a button in the signature box or in the details to download the key from a server ?"
uhm. it does.
I'm not sure the user will think that "Invalid signature" means "Signature with no corresponding public key" here. He can click on the button, but I feel the label should be clearer in this case. I suggest adding a fifth status for the sign validity: enum _camel_cipher_validity_sign_t { CAMEL_CIPHER_VALIDITY_SIGN_NONE, CAMEL_CIPHER_VALIDITY_SIGN_GOOD, CAMEL_CIPHER_VALIDITY_SIGN_BAD, CAMEL_CIPHER_VALIDITY_SIGN_NEED_PUBLIC_KEY, CAMEL_CIPHER_VALIDITY_SIGN_UNKNOWN, };
Created attachment 44284 [details] [review] Untested patch
The patch seems to be working well here. What do you think of this solution?
it does what ? Here I've an "Invalid signature" message, and no option on the box or in the details to import the key -> reopening the bug
> it does what ? It changes the message to "Signature but need public key" and the string in the details too. > Here I've an "Invalid signature" message, and no option on the box or > in the details to import the key -> reopening the bug Currently, you can at least see in the details that there is no public key. Adding a button to import the key would be great. It could tell the user to search on the key on keyservers and asks for an URL...
adding keywords.
this was fixed in cvs a long time ago (before 2.0 even) afaik
this bug is still here with 2.1.4
fejj: did you look at my patch?
fejj: you're wrong, because this is only about changing the current string "invalid signature" to "signature exists, but need the key to say if it is valid" (because being "invalid" makes users thinking that the message has been altered), so that "invlaid" is only shown if the message really was altered on its way through the net. i think it really makes sense because it makes things *much* clearer to the normal user. PLEASE submit this to cvs before string freeze takes place... ;-)
i'll target this to 2.3 since here is a patch around. should be committed before string freeze. ;-)
patch isn't needed
is the bug fixed ? in which version ?
i contradict - why isn't this needed? sorry, again: it's a difference to have an invalid signature (means that the mesage has altered) or to have an unknwon signature. currently it's the same string. this *IS* a difference, and a pretty huge one.
Either the content is known and trusted, or it isn't known or trusted, no matter what the reason. The icon is just a hint, thats why you can click on it to get the details, which explain the reason.
*** Bug 300991 has been marked as a duplicate of this bug. ***
> Either the content is known and trusted, or it isn't known or trusted, no matter > what the reason. Indeed. But "not known" does not mean "invalid". That's the bug.
retargetting to 2.5 due to string freeze; adding string keyword. i second vincent. again: a definitely altered message (=invalid) is sth else then just a message with an unknown key (that *could* be correct or invalid).
This bug has also been reported to the Debian bug tracking system at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=263081
so what's new, will we get a "public key not found" instead of the current "invalid signature" or not ?
I think it makes sense to have public key not found. Unfortunately the patch doesnt apply.
Created attachment 94170 [details] [review] Proposed patch One patch to apply to evolution and eds (Apply from the top level directory)
Im not sure, if the string is better or not. + { "stock_signature-bad", N_("Signature but need public key") }, The patch looks fine to commit otherwise.
In any case, the string needs to be announced.
(In reply to comment #28) > In any case, the string needs to be announced. No, no, no. No new string. That's all :-) We're string frozen, so don't commit new strings without approval from i18n people.
Stupid me :-) String freeze starts next monday. Go fast! :-)
sure :) CAMEL_CIPHER_VALIDITY_SIGN_BAD, + CAMEL_CIPHER_VALIDITY_SIGN_NEED_PUBLIC_KEY, CAMEL_CIPHER_VALIDITY_SIGN_UNKNOWN, Just another thought, it may be nice to add at the end, just to avoid some future breakages. Ill add it while committing.
{ "stock_signature-bad", N_("Signature but need public key") }, { "stock_signature", N_("Valid signature but cannot verify sender") }, [snip] { "stock_signature-bad", N_("Signature, need public key"), N_("This message is signed with a signature, but there is no corresponding public key.") }, { "stock_signature", N_("Valid signature, cannot verify sender"), N_("This message is signed with a valid signature, but the sender of the message cannot be verified.") }, can "Signature but need public key" and "Signature, need public key" be synced? also "Valid signature but cannot verify sender" and "Valid signature, cannot verify sender"? two strings less to translate. i'd go with "Signature exists, but need public key"
Andre, I don't think I rightly get your point in terms of syncing. But I definitely go with the last string :)
- "Signature but need public key" and "Signature, need public key" - "Valid signature but cannot verify sender" and "Valid signature, cannot verify sender" the two strings are pretty much the same, they *should* be the same
Synced, committed and announced.