
Broken Cryptographic Signatures in KMail

Hello! This is my first post in this forum. I'm primarily a Gentoo user now, but I have been using various Linux distributions since 2003. openSUSE at first, and lots of others (Ubuntu, Fedora, Debian, Manjaro, etc.) along the way. I currently have openSUSE LEAP 15.3, openSUSE Tumbleweed, KDE Neon (based on Ubuntu 20.04), two versions of Gentoo Linux (one with OpenRC, one with systemd), and Artix installed on my hard drive. Plus Windows 10, which I rarely use. I've got a DELL XPS8930 with 8 cpu cores and 16 GB of RAM.  ~1 Terabyte of hard disk drive space. Also a pretty quick (225 Mbps) internet connection -- fiber optic cable / ethernet.

I'm also involved with KDE as a documentation writer. I'm an old guy (retired) with lots of programming experience on IBM mainframes, mostly in assembly language. I'm trying to learn more about C++ as time permits. I have used a few other DE's, but mostly I stick with the KDE Plasma desktop ... it's familiar, and I've been using it for a long time.

Enough about me. On to the problem at hand. There is a bug in KMail that arose (for me) last November. I have filed bug reports at KDE https://bugs.kde.org/show_bug.cgi?id=439958 and also at Gentoo https://bugs.gentoo.org/800689. This bug showed up in lots of distros, but has generally been absent from ARCH-based distributions. For example, up until a few days ago I had a copy of Manjaro Linux running on my machine (I substituted Artix for Manjaro on Sunday, 25 July). That version of KMail always worked flawlessly. So did the version of KMail I installed from Artix. Until yesterday afternoon. See the screenshots attached. The first one (sent at 11:32 am CDT) has a good signature. The second one (sent a few hours later, at 5:46 pm) has a broken signature. Here was the sequence of events.

1. I booted into Artix Linux at 11:01 am CDT (verified via sddm.log file)

2. I started a couple of applications -- specifically, KMail and Firefox.

3. I did a full system upgrade (pacman -Syu) starting at 11:03:48

4. I sent a message to my friend Jed (first screenshot, attached). The signature was valid.

5. I logged out of Artix at 11:33:50 am CDT (sddm.log), then logged in again at 5:09 pm.

6. This time, when I sent a message, the signature was broken (second screenshot).

Now it is true that I made some configuration changes to KMail before I sent the second message. But I don't think those configuration tweaks could have possibly affected the cryptographic signature. I have lots of examples of both valid and broken crypto signatures, both with and without my avatar embedded as a "FACE" header, for instance. I think it's much more likely that one or more of the programs that were replaced by "pacman -Syu" caused the broken signature. Here is some output from the "pacman.log" file (/var/log/pacman.log). I haven't yet checked which packages came from which repository ... I'll try to get to that soon.

Code:
[2021-07-28T11:03:48-0500] [PACMAN] Running 'pacman -Syu'
[2021-07-28T11:03:48-0500] [PACMAN] synchronizing package lists
[2021-07-28T11:03:52-0500] [PACMAN] starting full system upgrade
[2021-07-28T11:07:01-0500] [PACMAN] Running 'pacman -Syu'
[2021-07-28T11:07:01-0500] [PACMAN] synchronizing package lists
[2021-07-28T11:07:03-0500] [PACMAN] starting full system upgrade
[2021-07-28T11:07:46-0500] [ALPM] transaction started
[2021-07-28T11:07:53-0500] [ALPM] removed jack (0.125.0-9)
[2021-07-28T11:07:53-0500] [ALPM] upgraded b43-fwcutter (019-3 -> 019-3.1)
[2021-07-28T11:07:53-0500] [ALPM] upgraded libldap (2.4.59-1 -> 2.4.59-2)
[2021-07-28T11:07:53-0500] [ALPM] upgraded llvm-libs (12.0.1-1 -> 12.0.1-2)
[2021-07-28T11:07:53-0500] [ALPM] upgraded libnghttp2 (1.43.0-1 -> 1.44.0-1)
[2021-07-28T11:07:53-0500] [ALPM] upgraded bluedevil (1:5.22.3-1 -> 1:5.22.4-1)
[2021-07-28T11:07:53-0500] [ALPM] upgraded kdecoration (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:53-0500] [ALPM] upgraded breeze (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:53-0500] [ALPM] upgraded breeze-gtk (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded dbus-python (1.2.16-4 -> 1.2.18-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded drkonqi (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded esysusers (249.2-1 -> 249.2-2)
[2021-07-28T11:07:54-0500] [ALPM] upgraded etmpfiles (249.2-1 -> 249.2-2)
[2021-07-28T11:07:54-0500] [ALPM] upgraded ipw2100-fw (1.3-10 -> 1.3-10.1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded ipw2200-fw (3.1-8 -> 3.1-8.1)
[2021-07-28T11:07:54-0500] [ALPM] installed celt (0.11.3-4)
[2021-07-28T11:07:54-0500] [ALPM] upgraded zita-alsa-pcmi (0.3.2-3 -> 0.3.2-3.1)
[2021-07-28T11:07:54-0500] [ALPM] installed jack2 (1.9.19-2)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kactivitymanagerd (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kde-cli-tools (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kde-gtk-config (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded xvidcore (1.3.7-2 -> 1.3.7-2.1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded libksysguard (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded ksystemstats (5.22.2.1-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded milou (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kscreenlocker (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kwayland-server (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kwin (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded plasma-integration (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded libkscreen (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded plasma-workspace (5.22.3-1.1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded systemsettings (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kgamma5 (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded khotkeys (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kinfocenter (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kmenuedit (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kscreen (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded ksshaskpass (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kwallet-pam (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kwayland-integration (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kwrited (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded libid3tag (0.15.1b-11 -> 0.15.1b-11.1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded man-pages (5.12-1 -> 5.12-2)
[2021-07-28T11:07:54-0500] [ALPM] upgraded perl-xml-namespacesupport (1.12-4 -> 1.12-4.1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded perl-xml-sax-base (1.09-4 -> 1.09-4.1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded perl-xml-sax (1.02-1 -> 1.02-1.1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded poppler (21.07.0-2 -> 21.07.0-3)
[2021-07-28T11:07:54-0500] [ALPM] upgraded poppler-qt5 (21.07.0-2 -> 21.07.0-3)
[2021-07-28T11:07:54-0500] [ALPM] upgraded plasma-browser-integration (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:54-0500] [ALPM] upgraded polkit-kde-agent (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:55-0500] [ALPM] upgraded plasma-desktop (5.22.2.1-1 -> 5.22.4-1)
[2021-07-28T11:07:55-0500] [ALPM] upgraded plasma-nm (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:55-0500] [ALPM] upgraded plasma-pa (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:55-0500] [ALPM] upgraded poppler-glib (21.07.0-2 -> 21.07.0-3)
[2021-07-28T11:07:55-0500] [ALPM] upgraded powerdevil (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:55-0500] [ALPM] upgraded sddm-kcm (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:57-0500] [ALPM] transaction completed
[2021-07-28T11:07:57-0500] [ALPM] running '20-sysusers.hook'...
[2021-07-28T11:07:59-0500] [ALPM] running '30-tmpfiles.hook'...
[2021-07-28T11:07:59-0500] [ALPM] running 'dbus-reload.hook'...
[2021-07-28T11:08:00-0500] [ALPM-SCRIPTLET]  * Reloading D-BUS messagebus config ... [ ok ]
[2021-07-28T11:08:00-0500] [ALPM] running 'gtk-update-icon-cache.hook'...
[2021-07-28T11:08:01-0500] [ALPM] running 'update-desktop-database.hook'...
[2021-07-28T11:08:01-0500] [ALPM] running 'update-mime-database.hook'...

If anybody has an idea which package is most likely the culprit, I'm all ears. Thanks!
--
David Bryant
Canyon Lake, Texas

Re: Broken Cryptographic Signatures in KMail

Reply #1
(lots of unnecessary text snipped...)
> There is a bug in KMail that arose (for me) last November. I have filed bug reports at KDE https://bugs.kde.org/show_bug.cgi?id=439958 and also at Gentoo https://bugs.gentoo.org/800689. This bug showed up in
> [...]
> I think it's much more likely that one or more of the programs that were replaced by "pacman -Syu" caused the broken signature.
If you already filed a bug report on bugs.kde.org, why post here as well? This has nothing to do with Artix, it is probably an issue in KDE and KMail.

The only thing specific about Artix is that it doesn't use systemd but OpenRC, runit, s6 or 66. As far as I know, neither KMail nor GPG interact directly with an init system.

As always when something goes wrong in GNU/Linux, check system logs. If there is a problem with KMail, it should show up in the logs. KDE team should give more detailed instructions on how to debug this.

Re: Broken Cryptographic Signatures in KMail

Reply #2
As general advice - I suggest something like downgrade all those packages. See if the problem goes away. Upgrade half of them. See if it comes back, and so on. Use pacman -Qi to see what ones look relevant. Then if you find the problem package(s) see if there's a -git version in the AUR which might contain the fix.

Re: Broken Cryptographic Signatures in KMail

Reply #3
> If you already filed a bug report on bugs.kde.org, why post here as well? This has nothing to do with Artix, it is probably an issue in KDE and KMail.

I was hoping for helpful advice. Apparently that is in short supply. I have been wrestling with this bug for eight months, with no luck at all. I thought that posting it here, where more eyes would see it, might prove useful.

Thank you for your support and encouragement. I appreciate it a whole lot.
--
David Bryant
Canyon Lake, Texas

Re: Broken Cryptographic Signatures in KMail

Reply #4
> As general advice - I suggest something like downgrade all those packages. See if the problem goes away. Upgrade half of them. See if it comes back, and so on. Use pacman -Qi to see what ones look relevant. Then if you find the problem package(s) see if there's a -git version in the AUR which might contain the fix.

Thank you for the suggestion. I'm working on a version of that approach. There are fifty-five modules to fiddle with. It will take a while. Maybe I'll get lucky.
--
David Bryant
Canyon Lake, Texas

Re: Broken Cryptographic Signatures in KMail

Reply #5
> I have been wrestling with this bug for eight months, with no luck at all. I thought that posting it here, where more eyes would see it, might prove useful.
The bug report is dated July 16th, 2021. Why wait for "eight months" to report it? (And your pacman log is from July 28th, by the way.)

If a bug report is made directly to KDE team, it is already made in the best place possible for a KDE program.

Re: Broken Cryptographic Signatures in KMail

Reply #6
> The bug report is dated July 16th, 2021. Why wait for "eight months" to report it? (And your pacman log is from July 28th, by the way.)
>
> If a bug report is made directly to KDE team, it is already made in the best place possible for a KDE program.

I am part of the "KDE team". Documentation only, so far, but I do make commits to the KDE repositories from time to time. See the "Handbooks" for KMail and for Kaddressbook. I reported this bug on gitlab (the kde repository maintenance system) last December. I got chewed out (mildly) for even mentioning it, and somebody (V.Krause?) told me it had already been fixed at KDE, and I should wait for the next release in Gentoo. So I waited, and when it didn't get fixed with the next release, I reported it to various teams (openSUSE, gentoo). They told me to report it upstream, at KDE. So after six months I've made zero progress.

Just FYI, I tried the suggestion of rolling back to previous versions via pacman. That didn't fix the problem. I couldn't actually roll everything back ... 18 of 55 packages had apparently come from the .iso file (squashfs), because the "old" version mentioned by pacman on the upgrade run was not present in /var/cache/pacman/pkg/. So I started over again with a fresh installation from the .iso image, then reinstalled KMail after doing a full system upgrade. Now the signature problem is fixed in KMail under Artix. But it persists in gentoo Linux, and in openSUSE Tumbleweed.

I have even tried building KMail (and its 105 dependencies) from the KDE repo. When I did that under Manjaro, the signature worked correctly. I haven't tried it with Artix yet. I have some work to do to get cmake / make working correctly on Artix. When I compiled the same source code under gentoo, the signature was invalid. From this I conclude that the problem is probably not in KDE source code per se, but in some common Linux library crypto module somewhere.

If nobody ever helps me solve this problem, I won't exactly lose sleep over it. But it's pretty mystifying, to me. I used to write os-level assembly language code for IBM mainframes, and problems like this one really ought not arise. But I can live with the problem ... I just don't try to sign my email messages cryptographically any longer. It just bugs me.

Thanks for the help.
--
David Bryant
Canyon Lake, Texas

Re: Broken Cryptographic Signatures in KMail

Reply #7
This problem gets weirder by the minute. Here are two screenshots. The first one is from the "drafts" folder in Artix Linux. I composed the message, told KMail to affix a cryptographic signature, then said "save as draft". Then I opened the draft message, said "affix crypto signature", and emailed it to myself. The message I received is the second screenshot.

The "draft" signature is good. The "sent" signature is bad. I have never seen this behavior before today. In the past, if a "draft" was OK, the "sent" message was always also OK. Very strange. (Oh -- the times displayed differ by an hour. I can't really explain that ... my clock must have been slow in Artix, or something, because I sent the message within a minute or two after saving it as a draft.)
--
David Bryant
Canyon Lake, Texas

Re: Broken Cryptographic Signatures in KMail

Reply #8
For old versions you don't have cached, Artix has a package archive, Arch has something similar:
https://archive.artixlinux.org/
55 packages isn't many steps if you can break it into half chunks, same idea as using git bisect where you might start with 1000's of commits, although it certainly takes some patience and time.
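
The bisection suggested in the replies above can be planned straight from the pacman.log excerpt. The following is an added example, not code posted by anyone in the thread: it parses the ALPM change lines and runs a binary search over the upgraded packages. The `is_broken` callback is hypothetical, and the search assumes a single culprit package and a failure that reproduces reliably.

```python
import re

# A few lines excerpted from the pacman.log quoted in the first post.
SAMPLE_LOG = """\
[2021-07-28T11:07:46-0500] [ALPM] transaction started
[2021-07-28T11:07:53-0500] [ALPM] removed jack (0.125.0-9)
[2021-07-28T11:07:53-0500] [ALPM] upgraded libldap (2.4.59-1 -> 2.4.59-2)
[2021-07-28T11:07:53-0500] [ALPM] upgraded llvm-libs (12.0.1-1 -> 12.0.1-2)
[2021-07-28T11:07:54-0500] [ALPM] installed jack2 (1.9.19-2)
[2021-07-28T11:07:54-0500] [ALPM] upgraded poppler (21.07.0-2 -> 21.07.0-3)
[2021-07-28T11:07:54-0500] [ALPM] upgraded kwallet-pam (5.22.3-1 -> 5.22.4-1)
[2021-07-28T11:07:57-0500] [ALPM] transaction completed
"""

ALPM_CHANGE = re.compile(
    r"^\[[^\]]+\] \[ALPM\] (upgraded|installed|removed) (\S+) \((.+)\)$")

def parse_changes(log_text):
    """Return (action, package, old_version, new_version) per ALPM change line."""
    changes = []
    for line in log_text.splitlines():
        m = ALPM_CHANGE.match(line)
        if not m:
            continue  # hooks, "transaction started", [PACMAN] lines, ...
        action, pkg, versions = m.groups()
        old, _, new = versions.partition(" -> ")
        if action == "installed":
            old, new = None, old
        elif action == "removed":
            new = None
        changes.append((action, pkg, old, new))
    return changes

def upgraded_packages(log_text):
    """Names of packages that have both an old and a new version to switch between."""
    return [pkg for action, pkg, _, _ in parse_changes(log_text) if action == "upgraded"]

def bisect_culprit(packages, is_broken):
    """Locate the one package whose new version breaks signing.

    is_broken(upgraded) is a hypothetical caller-supplied check: install the
    new versions of exactly the packages in `upgraded`, keep the rest at their
    old versions, send a signed test message, return True if it fails to verify.
    """
    lo, hi, steps = 0, len(packages), 0  # invariant: culprit lies in packages[lo:hi]
    while hi - lo > 1:
        mid = (lo + hi) // 2
        steps += 1
        if is_broken(packages[:mid]):
            hi = mid  # failure reproduced: culprit is within the upgraded prefix
        else:
            lo = mid  # still good: culprit is among the packages held back
    return packages[lo], steps
```

For 55 packages this needs at most six test rounds. Mixed old/new package sets are partial upgrades, so each round should be checked for dependency breakage before trusting its result.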