KMail was not able to correctly verify the GPG signatures of messages that were both encrypted and signed, although it had no problems with signed but non-encrypted messages. This has now been fixed and will be part of the upcoming #TDE R14.1.6 release.
More info can be found at https://mirror.git.trinitydesktop.org/gitea/tde/tdepim/issues/187 and https://mirror.git.trinitydesktop.org/gitea/tde/tdepim/issues/190.
Updated PSB/PTB packages are or will soon be available on the #Trinity mirrors.

KMail fails to verify GPG signatures of certain types of encrypted messages

I recently started using KMail in conjunction with GPG to encrypt and sign outgoing emails, as well as decrypt and verify signatures of incoming emails. While encryption, decryption, and signing work as expected, verifying signatures does not.

Let's say I have a contact all of whose public GPG keys are imported into my GPG keyring - this includes the master certifying [C] key, as well as authentication [A], signing [S], and encryption [E] sub-keys. I stress that the certifying key has no signing capability and there is a separate signing sub-key. This differs from GPG defaults, which, when generating a master key, give it both certifying and signing capability [CS]. However, a common practice is to remove the signing capability from the master key and have a dedicated signing key - this setup follows that practice.

When I receive an email signed with the [S] subkey, KMail cannot verify the signature; it claims that while the signature is valid, the key with which the message was signed is unknown. However, the supposedly unknown key is a signing sub-key imported into my keyring. This suggests that when KMail tries to verify a signature, it only looks at master keys present in the GPG keyring, but not their sub-keys. I think this is wrong.

Other observations:

* If an email comes from someone whose master key is both certifying and signing [CS], the signature is verified without problems.
* An interesting case is signing of sent emails. The email is signed correctly, but the reported key fingerprint is that of a master key, not the signing key. This is where my GPG knowledge reaches its limit: my master key only has [C] capability, but not [S] - therefore it should not be possible to sign anything with it. I also note that if I send an email to myself, KMail can correctly verify the signature, i.e. based on the fingerprint of a master key it correctly finds the signing subkey.

Putting it all together, it seems that KMail assumes that when an email is signed, the fingerprint of the master key needs to be provided. Given the master key fingerprint, KMail can find a signing sub-key. However, it does not search subkeys by default, so when the signing fingerprint is that of a subkey, KMail cannot find it in the keyring. I note that most other email clients (or: essentially all signed emails that I receive) provide only the signing subkey fingerprint, and thus their signatures cannot be verified. Please take these conjectures with a grain of salt though: I am not a GPG expert, nor am I knowledgeable about KMail's internals.
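The key layout the report describes, as an added example that is not part of the original issue and is not KMail's or GPG's code: a keyring index built from a key listing in the `gpg --list-keys --with-colons` format, in which a signature's subkey fingerprint resolves to the primary key that owns it. The sample listing, the fingerprints and the function names are constructed for illustration, and the listing is assumed to carry an `fpr` record after every `pub` and `sub` record.

```python
# Constructed fingerprints and key listing (not taken from the report):
# a certify-only primary key [C] with separate signing [S] and encryption [E] subkeys.
PRIMARY, SUB_S, SUB_E = "1" * 40, "2" * 40, "3" * 40
SAMPLE = f"""\
pub:u:255:22:AAAAAAAAAAAAAAA1:1700000000:::u:::cSE:
fpr:::::::::{PRIMARY}:
uid:u::::1700000000::{'0' * 40}::Alice Example <alice@example.org>:
sub:u:255:22:BBBBBBBBBBBBBBB2:1700000000::::::s:
fpr:::::::::{SUB_S}:
sub:u:255:18:CCCCCCCCCCCCCCC3:1700000000::::::e:
fpr:::::::::{SUB_E}:
"""


def index_keyring(colon_listing):
    """Map every fingerprint (primary or subkey) to (primary_fpr, own_capabilities)."""
    index, primary, pending = {}, None, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            # Field 12 holds capabilities; lowercase letters are this key's own,
            # uppercase letters summarise what the whole key (with subkeys) can do.
            pending = (f[0], "".join(c for c in f[11] if c.islower()))
        elif f[0] == "fpr" and pending:
            kind, caps = pending
            if kind == "pub":
                primary = f[9]  # field 10 of an fpr record is the fingerprint
            index[f[9]] = (primary, caps)
            pending = None
    return index


def resolve_signer(index, sig_fpr):
    """Return the primary key owning sig_fpr if that key or subkey may sign, else None."""
    entry = index.get(sig_fpr)
    if entry is None:
        return None  # fingerprint is not in the keyring at all
    primary, caps = entry
    return primary if "s" in caps else None


def resolve_primary_only(index, sig_fpr):
    """Lookup restricted to primary keys, the behaviour the report conjectures."""
    entry = index.get(sig_fpr)
    return sig_fpr if entry and entry[0] == sig_fpr else None
```

With this index, a signature carrying the [S] subkey fingerprint maps back to the contact's primary key, while the primary-only lookup reports the same fingerprint as unknown.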

