[Pkg-mozext-maintainers] Bug#863273: enigmail cannot certify keys with already-expired certifications

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed May 24 16:58:29 UTC 2017 

Package: enigmail
Version: 2:1.9.7-2
Severity: normal
Tags: upstream patch
Control: forwarded -1 https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2017-May/004445.html

Some people have made expiring certifications on other keys.  After
such a certification expires, they might want to re-certify with the
same key (e.g. if they've checked with the other person that they're
still using the key).

If the user tries to re-certify with enigmail, enigmail fails
obscurely ("signing failed").

The attached patch fixes the issue, and has already been adopted by
enigmail upsteam on its master branch.

    --dkg

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages enigmail depends on:
ii  gnupg                  2.1.21-2
ii  gnupg-agent            2.1.21-2
ii  gnupg2                 2.1.21-2
ii  icedove                1:45.8.0-3
ii  thunderbird [icedove]  1:45.8.0-3

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.0.0-2
ii  pinentry-gtk2 [pinentry-x11]    1.0.0-2
ii  pinentry-qt [pinentry-x11]      1.0.0-2

enigmail suggests no packages.

-- no debconf information
-------------- next part --------------
From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon, 15 May 2017 14:46:15 -0400
Subject: Allow re-certifying keys that have expired certifications.

Some people have made expiring certifications on other keys.  After
such a certification expires, they might want to re-certify with the
same key (e.g. if they've checked with the other person that they're
still using the key).

If this happens, enigmail fails obscurely ("signing failed").

In the log is:

2017-05-15 14:41:15.494 [DEBUG] keyManagmenent.jsm: GpgEditorInterface.processLine: '[GNUPG:] GET_BOOL sign_uid.replace_expired_okay'
2017-05-15 14:41:15.494 [ERROR] Unknown command prompt: [GNUPG:] GET_BOOL sign_uid.replace_expired_okay

I believe this patch should resolve the problem.
---
 package/keyEditor.jsm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/keyEditor.jsm b/package/keyEditor.jsm
index f1750ac..615fea4 100644
--- a/package/keyEditor.jsm
+++ b/package/keyEditor.jsm
@@ -616,6 +616,10 @@ function signKeyCallback(inputData, keyEdit, ret) {
   else if (keyEdit.doCheck(GET_BOOL, "sign_uid.local_promote_okay")) {
     ret.exitCode = 0;
     ret.writeTxt = "Y";
+  } 
+  else if (keyEdit.doCheck(GET_BOOL, "sign_uid.replace_expired_okay")) {
+    ret.exitCode = 0;
+    ret.writeTxt = "Y";
   }
   else if (keyEdit.doCheck(GET_LINE, "sign_uid.class")) {
     ret.exitCode = 0;

More information about the Pkg-mozext-maintainers mailing list