Constant pop up windows asking for CA trust when kmail or kleopatra is running

While I am running either kmail or kleopatra, I frequently get pop-up windows like this:

There are a number of problems with that pop-up:

  1. It is not triggered by anything I do as a user, it seems to just pop up randomly, and it tends to steal focus. The only way to prevent it is to quit kmail and kleopatra. (But I like having kmail open in the background…)
  2. It’s asking me whether I want to trust a specific CA, presumably found in the S/MIME signature of one of the emails in my email folders. As an end user, I have no realistic way of knowing that.
  3. There is no “no” button, just “Cancel” or “Yes”. (Translated to German in my screenshot.) If I choose “Cancel”, I will just be asked again after some time. If I click “Yes”, I risk poisoning my trust store with an untrustworthy CA.
  4. Anybody anywhere can create a new CA at the drop of a hat and sign mail certificates with that. Is this software going to ask me about trusting every single one of those? Because there is no theoretical upper limit to that. I haven’t yet had a spam flood of new spurious CAs, but it’s certainly possible.
  5. The window as it is does not even contain enough information to know whether that certificate really belongs to whom it says it belongs to. (Although to be fair, the next window would ask you to check a checksum.)

I have recorded the full window title of one of these windows as “[21710]@tolkien (gpgsm --logger-fd 90 --server)” at some point. (Obviously not the exact same occurrence as in the screenshot above. Also, “tolkien” is the hostname of my computer.) I think it’s safe to assume that this window was not generated by any KDE software, but rather by GnuPG itself. This still points to some misuse of the interface by KDE or gpgme, though. GnuPG should not create any windows of its own when used through these interfaces by another application.

Does anyone have any idea what is going on here or how I could solve this?

As far as I can tell, this does not seem to happen a lot, or I would have seen more complaints about that.

This is “expected”: it automatically happens when a signed email is processed. It is indeed terrible UX and something that should be improved.

I think if kmail encounters an email signed by an unknown CA, the default behavior should just be to not trust it.

When the email is actually presented to the user, the interface should offer the user (not through a focus-stealing pop-up, though) to inspect the trust chain and add the CA if desired.

This bug is so incredibly annoying for me. I keep my KMail open the whole day. I see this pop-up every two hours, while playing, programming, watching YouTube or doing anything else completely unrelated to e-mails. So every time I see this I click “abort” because I can’t safely say “yes” with the fragments of information provided in this dialog. As a hacker I would for sure call my certificate something with “Swiss CA” as well to trick people into clicking “yes”.

What’s worse is that I just can’t find the e-mail that is causing the issue among my thousands of e-mails. I clicked through maybe 100 of my most recent e-mails but none of them seemed to be signed. So the minimum that this dialog would need would be a “No, I don’t trust some arbitrary certificate at the moment. Stop asking me every two hours already” button. Or even better would be to make sure to prevent pop-ups when the user is not actively looking at the problematic e-mail in KMail at the moment.

Is there a way to disable signed email processing? Or is there a way to easily find signed e-mails? I’m sure it is just some “your order has arrived” e-mail that I would gladly delete instead of letting it continue to annoy me every two hours.
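The window title quoted earlier names `gpgsm`, which GnuPG only invokes for S/MIME, so the messages that can trigger the CA prompt are exactly those carrying an S/MIME signature: either `multipart/signed` with `protocol="application/pkcs7-signature"` (detached) or `application/pkcs7-mime` with `smime-type=signed-data` (opaque), per RFC 8551. Those are plain MIME headers, so the culprits can be located by parsing the mail files, without invoking GnuPG and therefore without triggering the dialog. The script below is an added example written for this thread; it is not code from KMail, Kleopatra or GnuPG. The Maildir layout, the file names and the four sample messages are constructed for the demonstration; point `scan_maildir` at a real Maildir root to use it. PGP/MIME signatures are classified too, only so that they are visibly not the cause.

```python
"""Find S/MIME-signed messages in a Maildir by MIME type alone (added example)."""
import email
import tempfile
from email import policy
from pathlib import Path

# Constructed sample messages; the bodies are not real signatures, only
# well-formed MIME so the classifier has something realistic to parse.
SMIME_DETACHED = b"""From: shop@example.invalid
Subject: your order has arrived
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Your order has arrived.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBAAA=
--b1--
"""

SMIME_OPAQUE = b"""From: notary@example.invalid
Subject: contract
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBAAA=
"""

PGP_MIME = b"""From: dev@example.invalid
Subject: patch
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b2"

--b2
Content-Type: text/plain

see attached
--b2
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--b2--
"""

PLAIN = b"""From: friend@example.invalid
Subject: hi
Content-Type: text/plain

hello
"""


def classify_signature(msg):
    """Return the sorted set of signature kinds found anywhere in the message.

    Every MIME part is visited, so a signed message forwarded as an attachment
    is found as well. 'smime-*' kinds are the ones handed to gpgsm.
    """
    kinds = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            proto = (part.get_param("protocol") or "").lower()
            if proto == "application/pkcs7-signature":
                kinds.add("smime-detached")
            elif proto == "application/pgp-signature":
                kinds.add("pgp-mime")
        elif ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
            if (part.get_param("smime-type") or "").lower() == "signed-data":
                kinds.add("smime-opaque")
        elif ctype in ("application/pkcs7-signature", "application/x-pkcs7-signature"):
            kinds.add("smime-detached")
    return sorted(kinds)


def scan_maildir(root):
    """Walk a Maildir tree and list messages whose rendering would involve gpgsm."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            msg = email.message_from_binary_file(fh, policy=policy.default)
        kinds = classify_signature(msg)
        if any(k.startswith("smime") for k in kinds):
            hits.append((path.name, msg.get("From", "?"), msg.get("Subject", "?"), kinds))
    return hits


def demo():
    """Write the constructed samples into a temporary Maildir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        cur = Path(tmp) / "INBOX" / "cur"
        cur.mkdir(parents=True)
        for name, raw in [("1.a", SMIME_DETACHED), ("2.b", SMIME_OPAQUE),
                          ("3.c", PGP_MIME), ("4.d", PLAIN)]:
            (cur / name).write_bytes(raw)
        return scan_maildir(tmp)


if __name__ == "__main__":
    for name, sender, subject, kinds in demo():
        print(f"{name}: {sender} / {subject} / {', '.join(kinds)}")
```

Only header parsing happens here, so running it over a large mail store is cheap and leaves the trust store untouched; the output names the specific messages worth deleting, moving or inspecting in Kleopatra on purpose rather than being prompted about at random.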