GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior.

https://dev.gnupg.org/T4735
https://gitlab.gnome.org/GNOME/evolution/-/issues/299
https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html
Created evolution tracking bugs for this issue:

Affects: fedora-all [bug 1923116]
(In reply to Pedro Sampaio from comment #0)
> GNOME Evolution through 3.38.3 produces a "Valid signature" message for an
> unknown identifier on a previously trusted key because Evolution does not
> retrieve enough information from the GnuPG API. NOTE: third parties dispute
> the significance of this issue, and dispute whether Evolution is the best
> place to change this behavior.
>
> https://dev.gnupg.org/T4735
> https://gitlab.gnome.org/GNOME/evolution/-/issues/299
> https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html

Right, the evolution bug, closed for ~two years, basically agrees the problem is on the gnupg side. I do not know what to do with this bug here (it's currently filed for evolution). Note that Evolution simply asks gnupg to verify the signature and it relies on the result returned from the gnupg binary.
Looking into the gnupg bug [1], the `--sender` option can be harmful, I think. That's in the case when the signature has stored the signer address. This may not match the From address of a message sent by a mailing list, which would render the signature as invalid, even if it's otherwise correct. It's how I understand the last example at [2] at least. Nonetheless, I see Evolution (libcamel from the evolution-data-server) generates signatures without the signer email address when the key entered in the account Properties is defined by a key ID instead of by the email address.

[1] https://dev.gnupg.org/T4735
[2] https://dev.gnupg.org/T4735#135274
I tried this with 3.40.4 of the evolution-data-server and evolution, and when the From address and the address in the signer key do not match, Evolution prints:

Valid signature, but sender address and signer address do not match (Signer Name <signer>)

Thus I consider this fixed in 3.40.4.
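Added example, not part of the comments above and not Evolution's or GnuPG's code: a check of the From address against the per-user-ID validity reported by `gpg --with-colons --list-keys`, which is the distinction this bug is about. The key listing, addresses and function names are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed `gpg --with-colons --list-keys` output: one key, two user IDs.
# Field 2 of a uid record is that UID's validity, field 10 the user ID string.
SAMPLE_LISTING = """\
pub:f:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scESC::::::23::0:
uid:f::::1600000000::HASHA::Alice Example <alice@example.org>::::::::::0:
uid:-::::1610000000::HASHB::Alice Example <alice@other.example>::::::::::0:
"""

TRUSTED = {"f", "u"}  # fully / ultimately valid


def _unescape(field):
    # Colon listings escape ':' and control bytes as \xNN.
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def uid_validities(listing):
    """Map each e-mail address on the key to the validity letters of its UIDs."""
    result = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "uid" or len(fields) < 10:
            continue
        addr = parseaddr(_unescape(fields[9]))[1].lower()
        if "@" in addr:
            result.setdefault(addr, set()).add(fields[1] or "-")
    return result


def classify_sender(listing, from_header):
    """Judge the From address against per-UID validity, not key-level validity."""
    sender = parseaddr(from_header)[1].lower()
    validities = uid_validities(listing).get(sender)
    if validities is None:
        return "sender-not-on-key"         # e.g. mail relayed by a mailing list
    if validities & TRUSTED:
        return "sender-uid-valid"
    return "sender-uid-not-validated"      # UID exists but was never validated


if __name__ == "__main__":
    for frm in ("Alice <alice@example.org>", "alice@other.example",
                "Some List <list@lists.example>"):
        print(frm, "->", classify_sender(SAMPLE_LISTING, frm))
```

A mail client that reports only the key-level result would show the same "valid" outcome for all three senders; the per-UID lookup separates them.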