After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 256878 - mailer claims "Invalid signature" for unrecognized keys
mailer claims "Invalid signature" for unrecognized keys
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Mailer
2.12.x
Other All
: Normal trivial
: ---
Assigned To: evolution-mail-maintainers
Evolution QA team
: 266837 300991 (view as bug list)
Depends on:
Blocks: 327508 327510
 
 
Reported: 2004-04-12 20:26 UTC by Dan Winship
Modified: 2013-09-13 00:57 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Untested patch (3.48 KB, patch)
2004-10-01 20:08 UTC, Vincent Untz
none Details | Review
Proposed patch (2.94 KB, patch)
2007-08-23 06:44 UTC, Srinivasa Ragavan
committed Details | Review

Description Dan Winship 2004-04-12 20:26:16 UTC
If you receive a PGP-signed message from someone but don't have their
key, Evolution will tell you "Invalid signature", which is wrong. The
signature is fine. In 1.4, we had a more non-committal message.
Comment 1 Jeffrey Stedfast 2004-04-12 21:03:08 UTC
fixed in CVS
Comment 2 Gerardo Marin 2004-09-30 22:47:57 UTC
*** bug 266837 has been marked as a duplicate of this bug. ***
Comment 3 Sebastien Bacher 2004-09-30 23:03:08 UTC
This details from the dup:

"This bug has been reported here: https://bugzilla.ubuntu.com/1752

"I think evolution should at least tell me that the public key was not
found (in the "Invalid signature" box) if that's why the signature
verification failed.

A missing public key (from someone else..) is a solvable problem --
and if I have the key, verification will most likely succeed."

Perhaps it could be a nice idea to have a button in the signature box
or in the details to download the key from a server ?"

Comment 4 Jeffrey Stedfast 2004-10-01 14:58:37 UTC
uhm. it does.
Comment 5 Vincent Untz 2004-10-01 20:03:54 UTC
I'm not sure the user will think that "Invalid signature" means
"Signature with no corresponding public key" here. He can click on the
button, but I feel the label should be clearer in this case.

I suggest adding a fifth status for the sign validity:

enum _camel_cipher_validity_sign_t {
        CAMEL_CIPHER_VALIDITY_SIGN_NONE,
        CAMEL_CIPHER_VALIDITY_SIGN_GOOD,
        CAMEL_CIPHER_VALIDITY_SIGN_BAD,
        CAMEL_CIPHER_VALIDITY_SIGN_NEED_PUBLIC_KEY,
        CAMEL_CIPHER_VALIDITY_SIGN_UNKNOWN,
};
Comment 6 Vincent Untz 2004-10-01 20:08:24 UTC
Created attachment 44284 [details] [review]
Untested patch
Comment 7 Vincent Untz 2004-10-01 20:40:54 UTC
The patch seems to be working well here. What do you think of this
solution?
Comment 8 Sebastien Bacher 2004-10-01 23:56:30 UTC
it does what ?

Here I've an "Invalid signature" message, and no option on the box or
in the details to import the key -> reopening the bug
Comment 9 Vincent Untz 2004-10-02 07:41:09 UTC
> it does what ?

It changes the message to "Signature but need public key" and the
string in the details too.

> Here I've an "Invalid signature" message, and no option on the box or
> in the details to import the key -> reopening the bug

Currently, you can at least see in the details that there is no public
key. Adding a button to import the key would be great. It could tell
the user to search on the key on keyservers and asks for an URL...
Comment 10 André Klapper 2005-01-26 12:31:39 UTC
adding keywords.
Comment 11 Jeffrey Stedfast 2005-01-26 16:53:43 UTC
this was fixed in cvs a long time ago (before 2.0 even) afaik
Comment 12 Sebastien Bacher 2005-01-26 17:08:08 UTC
this bug is still here with 2.1.4
Comment 13 Vincent Untz 2005-01-26 17:15:10 UTC
fejj: did you look at my patch?
Comment 14 André Klapper 2005-01-30 01:42:49 UTC
fejj: you're wrong, because this is only about changing the current 
string "invalid signature" to "signature exists, but need the key to 
say if it is valid" (because being "invalid" makes users thinking that 
the message has been altered), so that "invlaid" is only shown if the 
message really was altered on its way through the net.
i think it really makes sense because it makes things *much* clearer 
to the normal user.
PLEASE submit this to cvs before string freeze takes place... ;-)
Comment 15 André Klapper 2005-03-23 16:27:50 UTC
i'll target this to 2.3 since here is a patch around. should be
committed before string freeze. ;-)
Comment 16 Jeffrey Stedfast 2005-04-15 19:32:34 UTC
patch isn't needed
Comment 17 Sebastien Bacher 2005-04-15 21:29:01 UTC
is the bug fixed ? in which version ?
Comment 18 André Klapper 2005-07-19 12:39:00 UTC
i contradict - why isn't this needed?
sorry, again: it's a difference to have an invalid signature (means that the
mesage has altered) or to have an unknwon signature. currently it's the same
string. this *IS* a difference, and a pretty huge one.
Comment 19 Not Zed 2005-08-30 02:11:25 UTC
Either the content is known and trusted, or it isn't known or trusted, no matter
what the reason.

The icon is just a hint, thats why you can click on it to get the details, which
explain the reason.
Comment 20 Not Zed 2005-08-30 02:11:36 UTC
*** Bug 300991 has been marked as a duplicate of this bug. ***
Comment 21 Vincent Untz 2005-08-30 05:52:14 UTC
> Either the content is known and trusted, or it isn't known or trusted, no matter
> what the reason.

Indeed. But "not known" does not mean "invalid". That's the bug.
Comment 22 André Klapper 2005-08-30 08:04:06 UTC
retargetting to 2.5 due to string freeze; adding string keyword.

i second vincent. again: a definitely altered message (=invalid) is sth else
then just a message with an unknown key (that *could* be correct or invalid).
Comment 23 Øystein Gisnås 2006-04-05 12:07:36 UTC
This bug has also been reported to the Debian bug tracking system at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=263081
Comment 24 Gilles Dartiguelongue 2007-04-01 22:08:03 UTC
so what's new, will we get a "public key not found" instead of the current "invalid signature" or not ?
Comment 25 Srinivasa Ragavan 2007-08-23 06:42:23 UTC
I think  it makes sense to have public key not found. Unfortunately the patch doesnt apply.
Comment 26 Srinivasa Ragavan 2007-08-23 06:44:49 UTC
Created attachment 94170 [details] [review]
Proposed patch

One patch to apply to evolution and eds (Apply from the top level directory)
Comment 27 Srinivasa Ragavan 2007-08-23 06:50:54 UTC
Im not sure, if the string is better or not.
+       { "stock_signature-bad", N_("Signature but need public key") },

The patch looks fine to commit otherwise.
Comment 28 Srinivasa Ragavan 2007-08-23 06:52:44 UTC
In any case, the string needs to be announced.
Comment 29 Vincent Untz 2007-08-23 08:35:12 UTC
(In reply to comment #28)
> In any case, the string needs to be announced.

No, no, no. No new string. That's all :-) We're string frozen, so don't commit new strings without approval from i18n people.
Comment 30 Vincent Untz 2007-08-23 08:35:47 UTC
Stupid me :-) String freeze starts next monday. Go fast! :-)
Comment 31 Srinivasa Ragavan 2007-08-23 08:44:23 UTC
sure :)

 	CAMEL_CIPHER_VALIDITY_SIGN_BAD,
+	CAMEL_CIPHER_VALIDITY_SIGN_NEED_PUBLIC_KEY,
 	CAMEL_CIPHER_VALIDITY_SIGN_UNKNOWN,

Just another thought, it may be nice to add at the end, just to avoid some future breakages. Ill add it while committing.
Comment 32 André Klapper 2007-08-23 10:36:05 UTC
{ "stock_signature-bad", N_("Signature but need public key") },
{ "stock_signature", N_("Valid signature but cannot verify sender") },
[snip]
{ "stock_signature-bad", N_("Signature, need public key"), N_("This message is signed with a signature, but there is no corresponding public key.") },
{ "stock_signature", N_("Valid signature, cannot verify sender"), N_("This message is signed with a valid signature, but the sender of the message cannot be verified.") },

can "Signature but need public key" and "Signature, need public key" be synced?
also "Valid signature but cannot verify sender" and "Valid signature, cannot verify sender"?
two strings less to translate.

i'd go with "Signature exists, but need public key"
Comment 33 Srinivasa Ragavan 2007-08-23 10:49:03 UTC
Andre, I don't think I rightly get your point in terms of syncing. But I definitely go with the last string :)
Comment 34 André Klapper 2007-08-23 11:30:43 UTC
- "Signature but need public key" and "Signature, need public key"
- "Valid signature but cannot verify sender" and "Valid signature, cannot
verify sender"

the two strings are pretty much the same, they *should* be the same
Comment 35 Srinivasa Ragavan 2007-08-27 05:29:29 UTC
Synced, committed and announced.