Enabling PGP Signature Verification

Recently somebody asked me about key verification and signing after noting that emails from some sources (in this case, the Debian Security team) carry PGP signatures for verification, and that by default the Evolution email client was not validating them. The simple answer is that by default Seahorse, the default key manager for Ubuntu Karmic, does not pre-populate any public keyservers for looking up the keys behind those signatures. The interesting thing is that even after making the straightforward changes in the Seahorse GUI, which is supposed to manage your gpg.conf options, it does not enable automatic key retrieval. The process should work in the future, and may be used by other applications via Seahorse. Adding the MIT PGP keyserver and the PGP Corporation keyserver is straightforward. First, launch the Passwords and Encryption Keys application from the Accessories menu in Gnome (this is the Seahorse application), and add the following keyservers through the Edit->Preferences dialogue with their respective types:

LDAP:keyserver.pgp.com
HTTP:pgp.mit.edu
[Screenshot: Seahorse Preferences]

A quick search for the word 'security' in both keyservers should produce some results, verifying that they are working correctly. Setting the flag for automatic retrieval of keys from key servers will ensure that keys listed in the servers are found by the Seahorse engine from that point onwards.

Unfortunately this does not solve the problem of Evolution looking up keys in these servers. Clicking on a recent email from Debian Security still gives the following output:

gpg: armor header: Hash: SHA1
gpg: original file name=''
gpg: armor header: Version: GnuPG v1.4.9 (GNU/Linux)
gpg: Signature made Thu 31 Dec 2009 11:35:23 AM EST using RSA key ID 02D524BE
gpg: Can't check signature: public key not found

The simple solution is to add the following lines to your .gnupg/gpg.conf file manually; note that the file itself contains only a single line, a comment stating that it is updated by Seahorse. Looks like a bug to me. I found this information in the Evolution FAQ. The modified file with the two additional keyserver lines appears as follows:

# FILE CREATED BY SEAHORSE
keyserver hkp://pgp.mit.edu ldap://keyserver.pgp.com
keyserver-options auto-key-retrieve

Once this was done, opening the same Debian Security email automatically produced a wax seal. The output on the first read was as follows:

gpg: armor header: Hash: SHA1
gpg: original file name=''
gpg: armor header: Version: GnuPG v1.4.9 (GNU/Linux)
gpg: Signature made Thu 31 Dec 2009 11:35:23 AM EST using RSA key ID 02D524BE
gpg: requesting key 02D524BE from hkp server pgp.mit.edu
gpg: armor header: Version: SKS 1.1.0
gpg: pub 2048R/02D524BE 2002-03-19 Florian Weimer (HIGH SECURITY KEY)
gpg: key 02D524BE: removed multiple subkey binding
gpg: using PGP trust model
gpg: key 02D524BE: public key "Florian Weimer (HIGH SECURITY KEY)" imported
gpg: 1 keys cached (70 signatures)
gpg: 0 keys processed (0 validity counts cleared)
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: Good signature from "Florian Weimer (HIGH SECURITY KEY)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C8D3 D9CF FA9E 7056 3F32 FA54 BF7B FF04 02D5 24BE
gpg: textmode signature, digest algorithm SHA1
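Note that the "Good signature" line above arrives together with a warning that the key is not certified: auto-key-retrieve only proves that some key with that ID was fetched from the keyserver, not that it belongs to the Debian Security team. As an added example (not from the original post, nor Seahorse or Evolution code), here is a small Python helper that parses the machine-readable status lines gpg emits with --status-fd and accepts a signature only when the key is trusted by the web of trust or its fingerprint matches a pinned value. The status lines are constructed from the key ID, date and fingerprint shown on this page, not captured output; the long key ID is the last 16 hex digits of that fingerprint.

```python
"""Accept a gpg signature only if the key is trusted or its fingerprint is pinned."""

PREFIX = "[GNUPG:] "
# Fingerprint printed by gpg above (Florian Weimer, short key ID 02D524BE).
DEBIAN_SECURITY_FPR = "C8D3D9CFFA9E70563F32FA54BF7BFF0402D524BE"
LONG_KEYID = DEBIAN_SECURITY_FPR[-16:]  # BF7BFF0402D524BE

# Constructed --status-fd output mirroring the run before the keyserver was configured.
BEFORE_RETRIEVAL = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG %s 1 2 00 1262277323 9" % LONG_KEYID,
    "[GNUPG:] NO_PUBKEY %s" % LONG_KEYID,
]
# Constructed output mirroring the run after auto-key-retrieve fetched the key.
AFTER_RETRIEVAL = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] IMPORTED %s Florian Weimer (HIGH SECURITY KEY)" % LONG_KEYID,
    "[GNUPG:] GOODSIG %s Florian Weimer (HIGH SECURITY KEY)" % LONG_KEYID,
    "[GNUPG:] VALIDSIG %s 2009-12-31 1262277323 0 4 0 1 2 01 %s"
    % (DEBIAN_SECURITY_FPR, DEBIAN_SECURITY_FPR),
    "[GNUPG:] TRUST_UNDEFINED",  # the key is good but not certified
]

def parse_status(lines):
    """Turn '[GNUPG:] KEYWORD args...' lines into (keyword, [args]) tuples."""
    out = []
    for line in lines:
        if line.startswith(PREFIX):
            keyword, *args = line[len(PREFIX):].split()
            out.append((keyword, args))
    return out

def check_signature(lines, pinned_fprs=()):
    """Return (accepted, reason) for one verification run's status lines."""
    status = dict(parse_status(lines))  # later keywords override earlier ones
    if "NO_PUBKEY" in status:
        return False, "public key %s not available" % status["NO_PUBKEY"][0]
    if "BADSIG" in status or "ERRSIG" in status:
        return False, "signature did not verify"
    if "GOODSIG" not in status or "VALIDSIG" not in status:
        return False, "no valid signature found"
    fpr = status["VALIDSIG"][0].upper()
    trust_lines = [k for k in status if k.startswith("TRUST_")]
    trust = trust_lines[-1] if trust_lines else "TRUST_UNDEFINED"
    if trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return True, "good signature, key %s trusted (%s)" % (fpr, trust)
    pinned = {"".join(p.split()).upper() for p in pinned_fprs}  # allow spaced form
    if fpr in pinned:
        return True, "good signature, fingerprint %s matches pinned value" % fpr
    return False, "good signature but key %s is uncertified (%s)" % (fpr, trust)

if __name__ == "__main__":
    for name, run in (("before", BEFORE_RETRIEVAL), ("after", AFTER_RETRIEVAL)):
        print(name, check_signature(run))
        print(name, "pinned:", check_signature(run, [DEBIAN_SECURITY_FPR]))
```

The pinned fingerprint should come from a source you already trust, such as a keyring shipped with the distribution, rather than from the same keyserver that served the key.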

In the Seahorse GUI, this key now also appears in my Other Keys section, as it should.
[Screenshot: Seahorse Imported Keys]

I cleared all the existing keys to demonstrate that the update works. After reading a few emails, checking again reveals that more keys have been automatically added.

[Screenshot: Seahorse after reading a few emails]

For each email with a valid signature, the wax seal now appears as well.

[Screenshot: Evolution Signature Seal]
