Re: [Evolution] GPG - cannot verify sender
- From: Ralf Mardorf <silver bullet zoho com>
- To: evolution-list gnome org
- Subject: Re: [Evolution] GPG - cannot verify sender
- Date: Wed, 15 Aug 2018 13:57:38 +0200
On Wed, 15 Aug 2018 12:18:24 +0100, Pete Biggs wrote:
> On Wed, 2018-08-15 at 12:29 +0200, Gary Curtin wrote:
> > Newbie with Evolution and GPG, so please be patient. :-)
> > When receiving GPG signed messages I keep getting the yellow error
> > bar saying "Valid signature, but cannot verify sender (Name <
> > email address com>)
> > I have the public key in Seahorse, so why is this error showing?
>
> Evolution just calls gpg in the background to do this sort of thing. I
> suggest you do something like
>
>     gpg --list-keys
>
> to verify the key is there and, most importantly, that there is a chain
> of trust for the key. After all, the message you are getting means that
> the key is recognised as being valid, but there is not sufficient
> information to say that the key really belongs to that person. If you
> are certain that the key belongs to that person - and only if you have
> verified that it does - you can sign the key and the bar will turn
> green. But don't sign it unless you are really sure that the key is
> correct.

Btw. it is _not_ an error! It's information, at best a "warning"!
##################################################################
Gary, I'll import your key.
[rocketmouse@archlinux ~]$ gpg --keyserver hkp://pgp.uni-mainz.de --recv-keys ED5812FC5E09C3EF81E4CA05994BF2AFE4E056EE
gpg: key 994BF2AFE4E056EE: public key "Gary Curtin <gary curtin gmx ie>" imported
gpg: Total number processed: 1
gpg: imported: 1
[rocketmouse@archlinux ~]$ gpg --list-public-keys ED5812FC5E09C3EF81E4CA05994BF2AFE4E056EE
pub rsa2048 2018-08-13 [SC]
ED5812FC5E09C3EF81E4CA05994BF2AFE4E056EE
uid [ unknown] Gary Curtin <gary curtin gmx ie>
uid [ unknown] [jpeg image of size 3171]
sub rsa2048 2018-08-13 [E]
##################################################################
As you can see, the validity is unknown.
Now I'll do something stupid, I'll trust the imported key for no reason.
[rocketmouse@archlinux ~]$ gpg --edit-key gary curtin gmx ie
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa2048/994BF2AFE4E056EE
created: 2018-08-13 expires: never usage: SC
trust: unknown validity: unknown
sub rsa2048/A8D146D958A552E5
created: 2018-08-13 expires: never usage: E
[ unknown] (1). Gary Curtin <gary curtin gmx ie>
[ unknown] (2) [jpeg image of size 3171]
gpg> trust
pub rsa2048/994BF2AFE4E056EE
created: 2018-08-13 expires: never usage: SC
trust: unknown validity: unknown
sub rsa2048/A8D146D958A552E5
created: 2018-08-13 expires: never usage: E
[ unknown] (1). Gary Curtin <gary curtin gmx ie>
[ unknown] (2) [jpeg image of size 3171]
Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub rsa2048/994BF2AFE4E056EE
created: 2018-08-13 expires: never usage: SC
trust: ultimate validity: unknown
sub rsa2048/A8D146D958A552E5
created: 2018-08-13 expires: never usage: E
[ unknown] (1). Gary Curtin <gary curtin gmx ie>
[ unknown] (2) [jpeg image of size 3171]
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> q
[rocketmouse@archlinux ~]$ gpg --list-public-keys ED5812FC5E09C3EF81E4CA05994BF2AFE4E056EE
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048 2018-08-13 [SC]
ED5812FC5E09C3EF81E4CA05994BF2AFE4E056EE
uid [ultimate] Gary Curtin <gary curtin gmx ie>
uid [ultimate] [jpeg image of size 3171]
sub rsa2048 2018-08-13 [E]
##################################################################
Finally, I revoke the trust.
[rocketmouse@archlinux ~]$ gpg --edit-key gary curtin gmx ie
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa2048/994BF2AFE4E056EE
created: 2018-08-13 expires: never usage: SC
trust: ultimate validity: ultimate
sub rsa2048/A8D146D958A552E5
created: 2018-08-13 expires: never usage: E
[ultimate] (1). Gary Curtin <gary curtin gmx ie>
[ultimate] (2) [jpeg image of size 3171]
gpg> trust
pub rsa2048/994BF2AFE4E056EE
created: 2018-08-13 expires: never usage: SC
trust: ultimate validity: ultimate
sub rsa2048/A8D146D958A552E5
created: 2018-08-13 expires: never usage: E
[ultimate] (1). Gary Curtin <gary curtin gmx ie>
[ultimate] (2) [jpeg image of size 3171]
Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 1
pub rsa2048/994BF2AFE4E056EE
created: 2018-08-13 expires: never usage: SC
trust: undefined validity: ultimate
sub rsa2048/A8D146D958A552E5
created: 2018-08-13 expires: never usage: E
[ultimate] (1). Gary Curtin <gary curtin gmx ie>
[ultimate] (2) [jpeg image of size 3171]
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> q
[rocketmouse@archlinux ~]$ gpg --list-public-keys ED5812FC5E09C3EF81E4CA05994BF2AFE4E056EE
pub rsa2048 2018-08-13 [SC]
ED5812FC5E09C3EF81E4CA05994BF2AFE4E056EE
uid [ unknown] Gary Curtin <gary curtin gmx ie>
uid [ unknown] [jpeg image of size 3171]
sub rsa2048 2018-08-13 [E]
##################################################################
An important hint
##################################################################
Note, auto-key-retrieve means that any software will automatically
retrieve new keys from the default keyserver. An excerpt from the gpg
manpage that belongs to auto-key-retrieve:
$ man gpg | grep '\"web bug\" l' -A1
Note that this option makes a "web bug" like behavior
possible. Keyserver or Web Key Directory operators can see which keys
you request, so by sending you a message signed by a brand new key
(which you naturally will not have on your local keyring), the operator
can tell both your IP address and the time when you verified the
signature.
I recommend against automatically importing unknown keys used by
received emails. This could be a trick to offend your privacy.
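
Added example, not part of the original mail: a small audit for the two pitfalls shown above, namely ultimate owner trust set on a key that is not your own, and auto-key-retrieve enabled in the configuration. It assumes the documented `gpg --with-colons` record layout (field 5 = key ID, field 9 of a pub record = owner trust); the function names and all sample data except the key ID from this thread are constructed.

```shell
#!/bin/sh
# Added example (not from the original mail). All sample data is constructed.
# Real input would come from:
#   gpg --with-colons --list-keys   and   gpg --with-colons --list-secret-keys

# In --with-colons output, field 5 of a pub/sec record is the key ID and
# field 9 of a pub record is the owner trust ("u" = ultimate).
SAMPLE_SEC='sec:u:4096:1:1111111111111111:1500000000:::u:::scESC:'
SAMPLE_PUB='pub:u:4096:1:1111111111111111:1500000000:::u:::scESC:
pub:u:2048:1:994BF2AFE4E056EE:1534118400:::u:::scESC:
pub:-:2048:1:2222222222222222:1500000000:::-:::scESC:'

# Constructed gpg.conf content: one commented-out and one active setting.
SAMPLE_CONF='# auto-key-retrieve
keyserver-options auto-key-retrieve'

# Print key IDs that carry ultimate owner trust although no secret key for
# them is present, i.e. keys that are not your own.
# $1 = public key listing, $2 = secret key listing
ultimate_without_secret() {
    { printf '%s\n' "$2"; printf '%s\n' "$1"; } | awk -F: '
        $1 == "sec" { own[$5] = 1 }
        $1 == "pub" && $9 == "u" && !($5 in own) { print $5 }'
}

# Succeed if the config text enables auto-key-retrieve on a non-comment line
# (the no-auto-key-retrieve form does not count).
has_auto_key_retrieve() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -Eq '(^|[[:space:],])auto-key-retrieve([[:space:],]|$)'
}

for id in $(ultimate_without_secret "$SAMPLE_PUB" "$SAMPLE_SEC"); do
    echo "ultimate owner trust on a key that is not yours: $id"
done
if has_auto_key_retrieve "$SAMPLE_CONF"; then
    echo "auto-key-retrieve is enabled"
fi
```

A key flagged by the first check is displayed as fully verified without any signature backing it, which is the state produced by the `trust` / `5` step in the transcript above.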