[imp] Multiple GPG issues in IMP 6.0.4
Laurent Blume
laurent at elanor.org
Sun Feb 24 13:05:16 UTC 2013
Hello all,
I'm trying to set up GPG in Horde 5.0.4 / IMP 6.0.4 (groupware webmail
edition).
I'm hitting several issues, which surprises me, as some of them are
quite noticeable, but I don't see what I could be doing wrong.
First, system summary: it's running on Solaris 10 / Apache 2.2.22 / PHP
5.3.22. I've built Apache and PHP myself.
The Horde/Webmail suite was installed using PEAR, in its own directory.
It was reinstalled from scratch and configuration from an older install
copied over and updated from the interface.
The GPG binary comes from OpenCSW, I tried their 1.4.12 and 2.0.18
versions, same problems.
Unless specified otherwise, I've been using the en_US locale to test.
Here goes.
- Sending an encrypted/signed email to myself, the signature is always
bad: it does decrypt it, it does show the correct RSA ID, but it
always says the signature is bad.
I've tried recreating a key from scratch inside IMP to make sure there
was no interference from an older one, but the issue stays.
- creating a new key ignores the parameters: I tried to create a key
2048 bits long, and with a one year expiration. So I set the keylength,
unchecked "Expiration", made sure the date was right, clicked on "Create
Keys". But the resulting key is 1024 bits long, and has no expiration date.
- icons don't match the message.
This looks like http://bugs.horde.org/ticket/10273 but is actually more,
ie, it happens also using the en_US locale.
Eg, from the above issue, my own signature is always said to be bad.
In en_US, the icon is the right one, error icon:
Error
gpg: Signature made Sat Feb 23 19:29:14 2013 CET using RSA key ID 9FE86AD4
gpg: BAD signature from "Laurent Blume <laurent À elanor.org>"
In fr_FR, the icon is wrong, it says success, even though the message
says otherwise:
Succès
gpg: Signature faite le 23 février 2013 19:39:26 CET avec la clé RSA ID 9FE86AD4
gpg: MAUVAISE signature de « Laurent Blume <laurent À elanor.org> »
That matches the bug ID above. However, in en_US, with a message from
another source where the key is not present, the icon still says
success, even though GPG said it could not check the signature:
Success
gpg: Signature made Sun Feb 24 12:26:03 2013 CET using RSA key ID 9449EF58
gpg: Can't check signature: public key not found
- signature verification is not able to use subkeys properly
I imported my work public keys, exported from PGP Desktop 9.12.0,
using its Send To: Mail Recipient function.
However, after importing it, IMP still can't check the signature of a
crypted email.
It seems to be because PGP Desktop uses specific subkeys for crypting
and signing, with different IDs, and IMP is not able to process them.
Here's what they look like:
$ gpg --list-keys xxx at xxx
pub 2048R/BFE9A6A5 2011-05-18
uid Blume, Laurent <xxx at xxx>
sub 2048R/E39D18A6 2011-05-18 [expire: 2013-05-16]
sub 2048R/9449EF58 2011-05-18 [expire: 2013-05-16]
When I click on Details in IMP, it shows only this one:
Key ID: 0xBFE9A6A5
And clicking on a crypted/signed email, it complains:
gpg: Signature made Sun Feb 24 12:26:03 2013 CET using RSA key ID 9449EF58
gpg: Can't check signature: public key not found
Even though 9449EF58 is part of the same public key block.
Any hint welcome on how to fix that.
Thanks,
Laurent
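
The icon mismatch reported above (a success icon next to "MAUVAISE signature" or "Can't check signature") is the kind of result a verdict derived from gpg's translated, human-readable text can produce; the sketch below, an added example that is not code from this post or from Horde/IMP, contrasts that with a fail-closed verdict taken from gpg's locale-independent --status-fd lines. Assumptions: the status samples are constructed (zero-padded key IDs and fingerprint around the short IDs quoted in the post), and naive_is_success is a hypothetical matcher, not a claim about how IMP is implemented.

```python
from enum import Enum

class SigState(Enum):
    GOOD = "good"
    BAD = "bad"
    UNVERIFIED = "unverified"  # missing key or any error: never a success

# Human-readable gpg lines quoted from the post.
HUMAN_EN_BAD = 'gpg: BAD signature from "Laurent Blume <laurent À elanor.org>"'
HUMAN_FR_BAD = 'gpg: MAUVAISE signature de « Laurent Blume <laurent À elanor.org> »'
HUMAN_EN_NOKEY = "gpg: Can't check signature: public key not found"

# Constructed --status-fd samples for the same cases; the long key IDs and
# fingerprint are zero-padded placeholders around the short IDs in the post.
STATUS_BAD = "[GNUPG:] BADSIG 000000009FE86AD4 Laurent Blume\n"
STATUS_NOKEY = ("[GNUPG:] ERRSIG 000000009449EF58 1 2 00 1361705163 9\n"
                "[GNUPG:] NO_PUBKEY 000000009449EF58\n")
STATUS_GOOD = ("[GNUPG:] GOODSIG 000000009FE86AD4 Laurent Blume\n"
               "[GNUPG:] VALIDSIG " + "0" * 32 + "9FE86AD4 2013-02-23 1361644154\n")

def naive_is_success(human_text: str) -> bool:
    """Hypothetical text matcher: fails open on anything it does not recognise."""
    return "BAD signature" not in human_text

def status_keywords(status_output: str) -> set:
    """Collect the keyword of every '[GNUPG:] KEYWORD args...' line."""
    found = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            found.add(parts[1])
    return found

def classify(status_output: str) -> SigState:
    """Fail closed: GOOD only on positive proof and no failure keyword."""
    kw = status_keywords(status_output)
    if "BADSIG" in kw:
        return SigState.BAD
    if {"GOODSIG", "VALIDSIG"} <= kw and not kw & {"ERRSIG", "NO_PUBKEY"}:
        return SigState.GOOD
    return SigState.UNVERIFIED

if __name__ == "__main__":
    for name in ("HUMAN_EN_BAD", "HUMAN_FR_BAD", "HUMAN_EN_NOKEY"):
        print(name, "naive success:", naive_is_success(globals()[name]))
    for name in ("STATUS_BAD", "STATUS_NOKEY", "STATUS_GOOD"):
        print(name, "->", classify(globals()[name]).value)
```
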