Bug 3910 - Displaying of problematic short key IDs for GPG messages
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Plugins/Privacy/PGP
Version: other
Hardware: PC Linux
Importance: P3 enhancement
Assignee: users
Reported: 2017-11-07 09:52 UTC by Hanno Boeck
Modified: 2017-11-29 09:52 UTC
Description Hanno Boeck 2017-11-07 09:52:08 UTC
The PGP plugin of claws displays key ids in some situations, e.g. when one tries to verify a signature where the key is not on the system it'll display:
"Key 0xFFFFFFFF not available to verify this signature"

The short 8 digit key ids are problematic and should be deprecated. The reason is that it's easy to create collision keys with an identical key id. There are already a bunch of duplicate key ids on the public key servers (however mostly revoked ones, they come from an experiment from the evil32 project [1]).

This can cause confusion and in the worst case can cause people to get a wrong key.

Later versions of GnuPG have moved to use the full fingerprint as a long key id instead, which is unique. E.g. my key id looks like:
FE73757FA60E4E21B937579FA5880072BBB51E42

I think it would be good to use this long key id form everywhere where a key id is displayed.

[1] https://evil32.com/
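
Added example, not part of the original report or of the Claws Mail code: for OpenPGP v4 keys the short and long key IDs are the low 32 and 64 bits of the fingerprint, so this Python code derives both and flags short IDs that are ambiguous in a `gpg --list-keys --with-colons` listing. The listing and the two `...00C0FFEE` fingerprints are constructed; the third fingerprint is the one quoted in the description.

```python
import re
from collections import defaultdict

V4_FPR = re.compile(r"[0-9A-F]{40}")  # v4 fingerprint: 160 bits as 40 hex digits

def normalize(fingerprint):
    """Strip spaces and any 0x prefix, upper-case, and insist on a full v4 fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not V4_FPR.fullmatch(fpr):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fingerprint!r}")
    return fpr

def key_ids(fingerprint):
    """Return (short_id, long_id): the low 32 and low 64 bits of the fingerprint."""
    fpr = normalize(fingerprint)
    return fpr[-8:], fpr[-16:]

def fingerprints_from_colons(listing):
    """Collect field 10 of every 'fpr' record in --with-colons output."""
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            found.append(normalize(fields[9]))
    return found

def ambiguous_short_ids(fingerprints):
    """Map each short ID carried by more than one distinct key to those fingerprints."""
    by_short = defaultdict(set)
    for fpr in fingerprints:
        by_short[key_ids(fpr)[0]].add(normalize(fpr))
    return {s: sorted(f) for s, f in by_short.items() if len(f) > 1}

# Constructed fingerprints that differ everywhere except the last 8 hex digits.
CONSTRUCTED_A = "1" * 32 + "00C0FFEE"
CONSTRUCTED_B = "2" * 32 + "00C0FFEE"
FROM_REPORT = "FE73757FA60E4E21B937579FA5880072BBB51E42"

# Constructed listing, trimmed to the record types the parser has to tell apart.
SAMPLE_LISTING = "\n".join(
    ["uid:::::::::Constructed User <user@example.org>:"]
    + ["fpr" + ":" * 9 + f + ":" for f in (CONSTRUCTED_A, FROM_REPORT, CONSTRUCTED_B)]
)

if __name__ == "__main__":
    for short, fprs in ambiguous_short_ids(fingerprints_from_colons(SAMPLE_LISTING)).items():
        print(f"short ID 0x{short} is ambiguous:")
        for f in fprs:
            print(f"  {f}  (long ID {key_ids(f)[1]})")
```

A message such as "Key 0x00C0FFEE not available" cannot tell the two constructed keys apart, while their long IDs and fingerprints differ.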

Comment 1 Andrej Kacian 2017-11-09 00:31:15 UTC
In the particular situation you are describing (trying to verify a signature without having the public key), it seems to be impossible to display the full key ID - the GpgME library only exposes the "long", 20-char ID for signatures (the "fpr" member of gpgme_signature_t). At least the version I have installed does (1.9.0).

But you are right that displaying the short ID is not enough, we should display what we get from the library instead of trimming it down.

Comment 2 users 2017-11-09 00:33:02 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2017-11-09 00:33:02.728230601 +0100
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=35280cf63869f0be36e049330fafc6add1af79a3
Merge: f8459b7 9f1c5fe
Author: Colin Leroy <colin@colino.net>
Date:   Thu Nov 9 00:33:02 2017 +0100

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=9f1c5fef1adcdfe9fcda6ee42123123242ab3efd
Author: Andrej Kacian <ticho@claws-mail.org>
Date:   Thu Nov 9 00:31:27 2017 +0100

    Show full key/signature fingerprints.
    
    Closes bug 3910 - Displaying of problematic short key IDs for GPG messages
