
Re: KMail, pgp5 and gpg



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 08 October 2002 12:20, Pablo de Vicente wrote:
> On Tuesday 8 October 2002 12:02, David Pashley wrote:
> > On Tuesday 08 October 2002 10:49 am, Pablo de Vicente wrote:
> > > Hello,
> > >
> > >   I have run into some trouble with KMail, gpg and pgp5i. I will
> > > expose the case:
> > >
> > > I usually use pgp5i and have exported my public key to a
> > > keyserver. Before doing that I checked that using PGP5i in
> > > different machines and with different identities KMail worked
> > > fine, detecting the validity of signatures.
> > >
> > >  The problem arises when people who only use GnuPG import my
> > > public key from the keyserver. All emails from my address appear
> > > in Red in their Mail folders and with a "Warning: The signature
> > > is bad" message. These people use, under KMail  -> Settings ->
> > > Security -> OpenPGP option "Select encryption tool to use:
> > > GnuPG".
> >
> > I can confirm that this does happen in KDE 3.1beta2.

Unfortunately, it's not possible to fix this incompatibility between 
PGP5i and GnuPG. The problem is that PGP5 doesn't create proper 
clearsigned messages. We work around this problem by creating the 
clearsigned messages in KMail by combining the message text and the 
signature PGP5 returns. This works with all versions of PGP which I 
have tested (2.6, 5, 6.5.8). Unfortunately GnuPG barfs on these 
messages. But PGP5i is anyway very broken and you should really not use 
it anymore. You should consider using GnuPG instead.

> > >  If the previous option is set to: "Autodetect", then the email
> > > will appear in yellow with a "The validity of the signature can't
> > > be verified" message.
> > >
> > > However if one only uses KMail with PGP5 (for which one imports
> > > my public key from the keyserver) the emails appear in green and
> > > with a "The signature is valid and the key is fully trusted"
> > > message.
> > >
> > >  Is there some kind of incompatibility between GnuPG and PGP5i?

Yes. See above.

> > > Is this a KMail problem which, when using GnuPG, does not
> > > recognize the validity of messages signed with PGP5i?

See above. ;-)

>  "....PGP 5.0i isn't able to clearsign a message if this message
> contains 8-bit characters (like german umlauts). Therefore the
> developers of KMail programmed a work around. The message is first
> signed with a detached signature and then a clearsigned message is
> composed as follows:...."

Hmm, that's more or less what I wrote above. ;-)

> "... If a mail (or something else) you want to sign contains 8-bit
> characters PGP 5.0i always generates a type 0x00 signature (a
> signature of a binary document). Therefore GnuPG can't handle it
> correctly (and it doesn't have to)...."

Hmm, that sounds familiar. I guess it does because I wrote it. :-)

Regards,
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9o2EOGnR+RTDgudgRAr8RAKDWK/5zuJEOSn/ouep4wM95x4nDWACfcK6k
E3U8jaIf75UtmdkVanZtIrY=
=zbTT
-----END PGP SIGNATURE-----
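
A diagnostic for the mismatch discussed in this message, as an added example that is not part of the original mail or of KMail's code: it reads the signature type octet from the armored signature of a clearsigned message and flags anything other than 0x01 (canonical text), such as the 0x00 binary-document type the quoted documentation attributes to PGP 5.0i. The function names and the sample message (dummy signature fields, not a verifiable signature) are constructed for illustration; only v2/v3 and v4 signature packets are handled.

```python
import base64
import re

def dearmor(block: str) -> bytes:
    """Decode one ASCII-armored block, skipping armor headers and the CRC line."""
    lines = [l.strip() for l in block.strip().splitlines()][1:-1]  # drop BEGIN/END
    start = lines.index("") + 1 if "" in lines else 0              # headers end at blank line
    return base64.b64decode("".join(l for l in lines[start:] if not l.startswith("=")))

def signature_type(packet: bytes) -> int:
    """Return the signature type octet of a leading OpenPGP signature packet (tag 2)."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                   # new-format packet header
        tag, l0 = first & 0x3F, packet[1]
        hdr = 2 if l0 < 192 else 3 if l0 < 224 else 6 if l0 == 255 else 2
    else:                                              # old-format packet header
        tag = (first >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[first & 0x03]           # length-type 3 has no length octets
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature")
    body = packet[hdr:]
    if body[0] in (2, 3):                              # v3: version, hashed length, type
        return body[2]
    if body[0] == 4:                                   # v4: version, type
        return body[1]
    raise ValueError(f"unsupported signature version {body[0]}")

def clearsign_mismatch(message: str) -> bool:
    """True if a clearsigned message carries a signature that is not type 0x01."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----", message, re.S)
    if not message.lstrip().startswith("-----BEGIN PGP SIGNED MESSAGE-----") or not m:
        raise ValueError("not a clearsigned message")
    return signature_type(dearmor(m.group(0))) != 0x01

def constructed_message(sig_type: int) -> str:
    # Constructed sample: v3 signature packet with zeroed time, key ID and MPI bytes.
    body = bytes([3, 5, sig_type]) + bytes(4) + bytes(8) + bytes([17, 2]) + bytes(6)
    packet = bytes([0x88, len(body)]) + body           # old-format header, tag 2
    armor = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nGr\u00fc\u00dfe\n"
            "-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
            f"{armor}\n=AAAA\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for t in (0x00, 0x01):
        print(f"type 0x{t:02x}: mismatch={clearsign_mismatch(constructed_message(t))}")
```
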


