Trust model tofu+pgp and User ID in Signer's UID packet
Wiktor Kwapisiewicz
wiktor@metacode.biz
Thu Apr 25 13:48:18 CEST 2019
Hello,
I think I found an issue with how GnuPG handles signatures with Signer's
UID field and trust model tofu+pgp.
There was an issue reported to OpenKeychain [0] that messages generated
by it are not trusted by GnuPG. The problem was that messages produced
by K-9 mail and OpenKeychain are decrypted by GnuPG with the following
warning:
gpg: WARNING: We do NOT trust this key!
gpg: The signature is probably a FORGERY.
Even though the key is marked with "tofu-policy good" and looks fine in
"gpg --edit-key".
I ran the decryption with "--debug-level guru" and spotted the
following messages:
gpg: DBG: TOFU: only considering user id: 'John Doe <john@example.com>'
gpg: DBG: TOFU: skipping user id 'john@example.com', which does not match the signer's email ('John Doe <john@example.com>')
gpg: DBG: no (of 0) valid bindings. Can't get TOFU validity for this set of user ids.
As I've seen previously, OpenKeychain embeds the full User ID as the Signer's
UID (that is, "John Doe <john@example.com>"), but GnuPG uses only the e-mail
address ("john@example.com"). It seems that when GnuPG encounters a Signer's
UID in full form it cannot get TOFU validity.
"Signer's UID" looks like it could contain full UID so maybe GnuPG
should support full User IDs there and just extract the e-mail address?
I don't know if I got the issue right, which is why I didn't create a
ticket, but if this sounds OK I can do so.
Kind regards,
Wiktor
[0]: https://github.com/open-keychain/open-keychain/issues/2333
--
https://metacode.biz/@wiktor
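The matching the post proposes, as an added Python example (this is not code from GnuPG or OpenKeychain, and the key User IDs and Signer's User ID values below are constructed). The Signer's User ID subpacket (RFC 4880 section 5.2.3.22) carries a User ID string, so the value can be either a bare address or a full "Name <addr>" User ID. `matching_uids_exact` models the behaviour the debug output above shows: the e-mail is extracted from each key User ID and compared as a literal string against the whole Signer's User ID value, so a full User ID never matches. `matching_uids_by_email` first extracts the e-mail from the Signer's User ID as well, so both forms match. The helper `extract_email` is an assumption about how a mailbox is pulled out of a User ID, not GnuPG's own routine:

```python
import re
from typing import List, Optional

# Constructed sample data (not from the original post): the User IDs on the
# signing key, and the two forms of Signer's User ID value the post contrasts.
KEY_USER_IDS = [
    "John Doe <john@example.com>",
    "john@example.com",
]
SIGNER_UID_FULL = "John Doe <john@example.com>"   # what OpenKeychain embeds
SIGNER_UID_EMAIL = "john@example.com"             # what GnuPG embeds

# An angle-bracketed address at the end of the User ID.
_ANGLE_ADDR = re.compile(r"<([^<>]+)>\s*$")


def extract_email(uid: str) -> Optional[str]:
    """Return the mailbox part of an OpenPGP User ID, lower-cased, or None.

    A User ID is free-form text, conventionally "Name (comment) <addr>".
    If there is an angle-bracketed address at the end, use it; otherwise,
    if the whole string is a bare address, use that.  Anything without a
    single "@" and a non-empty domain is rejected.
    """
    uid = uid.strip()
    m = _ANGLE_ADDR.search(uid)
    if m:
        addr = m.group(1).strip()
    elif "@" in uid and " " not in uid:
        addr = uid
    else:
        return None
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return addr.lower()


def matching_uids_exact(key_uids: List[str], signer_uid: str) -> List[str]:
    """Behaviour seen in the debug output: the e-mail extracted from each key
    User ID is compared literally against the whole Signer's User ID value."""
    return [u for u in key_uids if extract_email(u) == signer_uid]


def matching_uids_by_email(key_uids: List[str], signer_uid: str) -> List[str]:
    """Proposed behaviour: extract the e-mail from the Signer's User ID too,
    so a bare address and a full User ID select the same key User IDs."""
    want = extract_email(signer_uid)
    if want is None:
        return []
    return [u for u in key_uids if extract_email(u) == want]


if __name__ == "__main__":
    for label, signer in (("full", SIGNER_UID_FULL), ("email", SIGNER_UID_EMAIL)):
        print(label, "exact:", matching_uids_exact(KEY_USER_IDS, signer))
        print(label, "by-email:", matching_uids_by_email(KEY_USER_IDS, signer))
```

With the full-form Signer's User ID, `matching_uids_exact` returns no User IDs (the "no (of 0) valid bindings" situation), while `matching_uids_by_email` returns both; with the bare address both functions agree, so the change does not alter the case that already works.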