Skip to content

Update signed flag

Tulio Casagrande requested to merge (removed):update-signed-flag into master

This is something we noticed while working at https://github.com/pixelated/pixelated-user-agent/issues/894.

The main consideration is when an incoming email is signed using a key that was also sent attached, but this key isn't preliminarily available to the receiver. Essentially, the signed flag was being set before extracting the attached key.

Known cases:

  • users of different providers exchange emails for the first time (and the keys aren't published to a keyserver)
  • user changed his/her keys (and the receiver client still thinks the sender key is valid)

Solution:

Since the decrypt/verify operation is done in one GPG call, this PR proposes to make a second decrypt/verify call when the signature couldn't be previously verified and a key was imported via attachment or OpenPGP header.

This solution covers both reported cases.

Merge request reports

Loading