https://bugs.kde.org/show_bug.cgi?id=399050
--- Comment #7 from Jan Kundrát <j...@kde.org> ---

Jens, I've now fetched the keys from keyservers (it took them a few days to be reachable from any keyserver I tried, and then later I was AFK).

Note that Trojita extracts From/Sender/etc fields via the IMAP server's BODYSTRUCTURE command. You might see different results from what I see because different servers parse garbage input in a different way. (As a side note, I do not think that *that* would be a security issue because e-mail headers are forgeable, anyway.)

I locally signed the pubkey to make it "valid". After that, the first two test cases started showing a green marker for "valid signature". The remaining three show a warning about "signed by stranger" (probably due to the way my IMAP server parses these headers).

The green tick is shown for the first two test cases:

1) First one:

    To: brucewayn...@web.de
    From: The President <brucewayn...@web.de>
    Reply-to: The President <presid...@whitehouse.gov>
    Subject: Testcase 'trojita'

2) Second:

    To: brucewayn...@web.de
    From: presid...@whitehouse.gov
    Return-Path: brucewayne...@web.de
    Sender: iPhone <brucewayn...@web.de>
    Reply-to: presid...@whitehouse.gov
    Subject: Testcase #11 'from sender, others: signer'

In other words, it only shows a green tick if any address in either the "From" or "Sender" fields matches the e-mail in the signature.

I think that the code is working as designed. It is designed that way to support workflows involving mailing lists and message bouncing. Trojita always unconditionally shows both Sender and From fields if they are present. Do you see a security problem in here?

What we could do is to always show the e-mail address which was matched. Would that make sense from your point of view?
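
The matching rule described in the comment above, combined with the proposed change of showing which address matched, as an added example. This is not Trojita's code: the types, function names and example.org addresses are constructed for illustration, and the case-insensitive address comparison is an assumption.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical types for this example; they are not Trojita's classes.
struct Mailbox { std::string displayName; std::string address; };
struct Headers { std::vector<Mailbox> from, sender; };
struct Match { bool matched; std::string field; std::string address; };

// Compare addresses case-insensitively (an assumption of this example).
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Look for the signer's e-mail among the addresses of one header field.
static bool findIn(const std::vector<Mailbox>& boxes, const std::string& signer,
                   std::string& hit) {
    for (const Mailbox& m : boxes)
        if (lower(m.address) == lower(signer)) { hit = m.address; return true; }
    return false;
}

// The rule from the comment: accept if any From or Sender address equals an
// e-mail on the signing key. Display names are free text and never compared.
// The result records which field and address matched so a UI can show it.
Match matchSigner(const Headers& h, const std::vector<std::string>& signerEmails) {
    std::string hit;
    for (const std::string& s : signerEmails) {
        if (findIn(h.from, s, hit)) return Match{true, "From", hit};
        if (findIn(h.sender, s, hit)) return Match{true, "Sender", hit};
    }
    return Match{false, "", ""};
}

// Label for the signature marker, naming the matched address.
std::string markerText(const Headers& h, const std::vector<std::string>& signerEmails) {
    Match m = matchSigner(h, signerEmails);
    if (!m.matched) return "signed by stranger";
    return "valid signature, matched " + m.field + ": " + m.address;
}
```

When only the Sender field matches, the label names that address, so a reader can tell that the From address is not the one covered by the signature.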