[Evolution] Encrypting with GnuPG: `no imported public key` if key is not valid (not ultimate trusted)




Hello,

I'm running Evolution 3.26.1-1 on Debian stretch (amd64) and would like
to use GnuPG to secure my mails. My GPG private key is stored on a
YubiKey (but that shouldn't matter).

I imported my own key and the public keys of the people I want to write
to into GPG and selected my key in the preferences of Evolution. Now,
decrypting mails sent to me works, as does sending signed (not
encrypted) messages. Sending encrypted messages to myself also works, as
the ownertrust of my own key is set to "ultimate".

The issue now is that I cannot send mails to people whose keys are not
valid, that means they don't have ultimate ownertrust and are not
signed by me. Sending an encrypted mail to such a key fails with
Evolution showing the following error:

    Could not create message.
    You may need to select different mail options.

    Detailed error: Failed to encrypt: Invalid recipient 
    <recipients@mail.address>  specified. A common issue is that the
    gpg2 doesn’t have imported public key for this recipient. 

But GPG really has the recipient's key imported
(`echo "foobar" | gpg --encrypt -r recipients@mail.address` works).

The output of `strace -p $(pidof evolution) -f -e trace=execve` shows
the command executed by Evolution to encrypt a mail:

    [pid  4537] execve("/usr/bin/gpg2", ["gpg2", "--verbose",
    "--no-secmem-warning", "--no-greeting", "--no-tty", "--batch",
    "--yes", "--status-fd=67", "--encrypt", "--armor", "-u",
    "my@mail.address", "-r", "<recipients@mail.address>", "--output",
    "-"], [/* 34 vars */]) = 0

When I try to run this command manually on the shell (replacing
"--status-fd=67" with "--status-fd=1"), I get the following:

    [GNUPG:] KEY_CONSIDERED <recipient's key fingerprint> 0
    gpg: using pgp trust model
    gpg: using subkey <recipient's encryption subkey id> instead of
    primary key <recipient's primary key id>
    [GNUPG:] KEY_CONSIDERED <recipient's key fingerprint> 0
    gpg: automatically retrieved 'recipients@mail.address' via Local
    gpg: <recipient's encryption subkey id>: There is no assurance
    this key belongs to the named user
    [GNUPG:] INV_RECP 10 recipients@mail.address
    [GNUPG:] FAILURE encrypt 53
    gpg: [stdin]: encryption failed: Unusable public key

I think the issue is that the recipient's public key is listed as:

    [ unknown] (1). Recipient's Name <recipients@mail.address>

in `gpg -k`. `[ unknown]` is AFAIK the key's validity. If it is
`[ unknown]`, this causes GPG to ask interactively whether you really
want to use this key:

    ➜  ~ echo "foo" | gpg --encrypt -r recipients@mail.address --armor
    gpg: automatically retrieved 'recipients@mail.address' via Local
    gpg: <recipient's encryption subkey id>: There is no assurance
    this key belongs to the named user
    sub  rsa4096/<recipient's encryption subkey id> 2015-10-14
    Recipient's Name <recipients@mail.address>
     Primary key fingerprint: <recipient's key fingerprint>
          Subkey fingerprint: <recipient's encryption subkey
                               fingerprint>

    It is NOT certain that the key belongs to the person named
    in the user ID.  If you *really* know what you are doing,
    you may answer the next question with yes.

    Use this key anyway? (y/N) y
    -----BEGIN PGP MESSAGE-----
    [...]
    -----END PGP MESSAGE-----

I think this behaviour of GPG causes the encryption in Evolution to
fail. 

Resetting Evolution and GnuPG didn't fix the problem. When running
Evolution as another user, the issue also appeared.

Is this issue already known or could this problem also be caused by
something "on my side"? What can I do to fix this problem?

Thank you very much and best regards,
Tim Rausch

P.S. I asked that question on StackExchange
(https://unix.stackexchange.com/questions/401920/), there might be some
further details.

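
As an added example that is not part of the original post and is not Evolution's or GnuPG's code: a small parser for `--status-fd` output that maps the `INV_RECP` reason code to its meaning as listed in GnuPG's doc/DETAILS, so that "key not trusted" (code 10, as in the output above) is reported separately from "not found". The function name `diagnose` and the `key_in_keyring` heuristic are assumptions made for this illustration.

```python
import re

# INV_RECP reason codes as listed in GnuPG's doc/DETAILS.
INV_RECP_REASONS = {
    0: "no specific reason given", 1: "not found",
    2: "ambiguous specification", 3: "wrong key usage",
    4: "key revoked", 5: "key expired",
    6: "no CRL known", 7: "CRL too old",
    8: "policy mismatch", 9: "not a secret key",
    10: "key not trusted", 11: "missing certificate",
    12: "missing issuer certificate", 13: "key disabled",
    14: "syntax error in specification",
}
STATUS_RE = re.compile(r"^\s*\[GNUPG:\] (\S+)(?: (.*))?$")

def diagnose(status_output):
    """Return one finding per rejected recipient in gpg --status-fd output."""
    considered, findings = False, []
    for line in status_output.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # human-readable "gpg: ..." lines are skipped
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "KEY_CONSIDERED":
            considered = True  # gpg located a candidate key
        elif keyword == "INV_RECP" and len(args) >= 2 and args[0].isdigit():
            code = int(args[0])
            findings.append({
                "recipient": args[1],
                "code": code,
                "reason": INV_RECP_REASONS.get(code, "unknown reason code"),
                # Heuristic (assumption): a key was considered and not "not found".
                "key_in_keyring": considered and code != 1,
            })
            considered = False  # start fresh for the next recipient
    return findings

# Status lines copied from the post above (placeholders kept as written).
SAMPLE = """\
[GNUPG:] KEY_CONSIDERED <recipient's key fingerprint> 0
gpg: using pgp trust model
[GNUPG:] KEY_CONSIDERED <recipient's key fingerprint> 0
[GNUPG:] INV_RECP 10 recipients@mail.address
[GNUPG:] FAILURE encrypt 53
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```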

