Re: [Evolution] GPG Signature verification does not account for multiple UID's



On 2018-01-15 at 10:44 +0100, Gijs Peskens wrote:
> I have a GPG key containing multiple UIDs for a few of my mail
> addresses.
> In sending some test mails from the various accounts I notice that
> Evolution seems to only regard the first UID for signature verification
> purposes; it seems that the mail is correctly signed, as checking with
> another mail client (Thunderbird+Enigmail) does result in a correctly
> verified signature.
> Is this working as designed?
>
> Gijs Peskens

No, it should take all the ids into account. I am seeing two things here
(although I haven't tested with the latest version):

The first one is that Evolution is not taking into account the value of
the From: header (I made a copy of your email changing it to
"spoofer example com", and the GPG signature is shown the same).

The second one is that the bar states who signed it, but only shows the
first UID (you can view the full GPG output, where all of them are
listed, clicking on the button).



I'm unsure how to treat it. On the one hand, it *is* showing you who
signed the message, and that should be enough data if properly taken
into account by the user. On the other hand, it seems wrong to ignore
such a mismatch (even though it's not so uncommon that in the field
emails end up encrypted with the wrong key, mailing lists change the
From:, etc).

The second issue actually depends on the expected behavior regarding the
first.

I looked at the available documentation for the feature, but it would
need some love:
https://help.gnome.org/users/evolution/stable/mail-encryption-gpg-decrypting.html.en


Regards

PS: you should revoke your 2014 key, that I assume you have replaced
with this one.
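
The From:-versus-UID comparison discussed in this message, as an added example that is not part of the original thread and not Evolution's code. It assumes the signing key's UIDs are available as `gpg --with-colons` output; the sample key, names and addresses are constructed, and the function names are hypothetical.

```python
import re
from email.utils import getaddresses, parseaddr

# Constructed `gpg --with-colons --list-keys` output for one key carrying
# three UIDs, one of them revoked. Key ID, hashes and addresses are made up.
SAMPLE_COLONS = """\
pub:u:4096:1:1111222233334444:1514764800:::u:::scESC::::::23::0:
uid:u::::1514764800::AAAA::Alice Example <alice@example.org>::::::::::0:
uid:u::::1514764800::BBBB::Alice Example <alice@work.example>::::::::::0:
uid:r::::1514764800::CCCC::Alice Example <alice@old.example>::::::::::0:
"""

UNUSABLE = {"r", "e", "i"}  # colon-format validity: revoked, expired, invalid


def usable_uid_addresses(colons):
    """Collect the address of every usable UID, not just the first one."""
    addrs = set()
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) < 10 or f[0] != "uid" or f[1] in UNUSABLE:
            continue
        # Field 10 is the user ID; gpg escapes ':' and similar as \xHH.
        uid = re.sub(r"\\x([0-9a-fA-F]{2})",
                     lambda m: chr(int(m.group(1), 16)), f[9])
        addr = parseaddr(uid)[1]
        if "@" in addr:
            # Simplification: compare the whole address case-insensitively.
            addrs.add(addr.lower())
    return addrs


def check_from_against_key(from_header, colons):
    """Return ("match", addr) if From: names exactly one address that is a
    usable UID on the signing key, else ("mismatch", addr_or_None)."""
    senders = [a.lower() for _, a in getaddresses([from_header]) if a]
    if len(senders) != 1:
        return ("mismatch", None)  # missing or multi-address From:
    sender = senders[0]
    if sender in usable_uid_addresses(colons):
        return ("match", sender)
    return ("mismatch", sender)


if __name__ == "__main__":
    for hdr in ("Alice <alice@work.example>", "spoofer@example.com"):
        print(hdr, "->", check_from_against_key(hdr, SAMPLE_COLONS))
```

A mismatch does not mean the signature is bad, only that the signer's key does not vouch for the address in From:, which is the case a mail client could surface to the user.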


