This is an issue with GpgOL.
When PGP signed messages are sent to mailing lists, there are bounce mechanisms that cause the From: address to be rewritten.
e.g. a message from email@example.com to firstname.lastname@example.org will look like this:
email@example.com on behalf of Info <firstname.lastname@example.org>
Even if the message is PGP signed with a valid key for email@example.com, GpgOL will say that it is insecure (white question mark on purple background) and list the following:
'The sender address is not trustworthy because:
The used key does not claim the address:
click here for details about the key'
Clicking on it shows the key for firstname.lastname@example.org.
The mailinglist software in this case is mailman.
The RFC5322.From is set to Info <email@example.com>
The RFC5321.MailFrom is set to <firstname.lastname@example.org>
It seems like GpgOL only checks RFC5321.MailFrom in this case.
Can we have it check against RFC5322.From as well?
The other option (the way I see it, you guys may view it differently) is that it at least clearly states which key it is valid for. Of course there might be issues with emails sent from lookalike addresses; however, that is an issue that is present no matter what (and strictly not what PGP is made to circumvent, I would believe).
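To make the two requests concrete, here is an added example (not GpgOL code) of a sender check that compares the signing key's user IDs against both the RFC5322.From and the envelope sender (Return-Path) and reports which address the key actually claims, so a UI can say what the signature is valid for. The message and the key user IDs are constructed for the example and mirror the mailman case above.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not from the report): a mailman-style delivery where
# the envelope sender is the list address while RFC5322.From stays the author.
SAMPLE_MESSAGE = """\
Return-Path: <firstname.lastname@example.org>
From: Info <email@example.com>
Sender: Info <firstname.lastname@example.org>
Subject: signed announcement

body
"""

# Assumed user IDs of the key that made the signature (constructed).
KEY_UIDS = ["Info <email@example.com>"]


def header_addresses(raw_message, header):
    """Lower-cased addresses found in one header (empty list if absent)."""
    msg = message_from_string(raw_message)
    values = msg.get_all(header, [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def key_addresses(uids):
    """Lower-cased e-mail addresses the key's user IDs claim."""
    return {addr.lower() for _, addr in getaddresses(uids) if addr}


def check_sender(raw_message, uids):
    """Match key user IDs against From, Return-Path and Sender.

    'matched' lists (header, address) pairs the key claims; 'claimed' is the
    key's own address set, so a warning can name the address the signature
    is valid for instead of only saying the sender is not trustworthy.
    """
    claimed = key_addresses(uids)
    matched = []
    for header in ("From", "Return-Path", "Sender"):
        for addr in header_addresses(raw_message, header):
            if addr in claimed:
                matched.append((header, addr))
    return {
        "matched": matched,
        "claimed": sorted(claimed),
        "from_ok": any(h == "From" for h, _ in matched),
        "envelope_ok": any(h == "Return-Path" for h, _ in matched),
    }
```

With the sample above, `from_ok` is true and `envelope_ok` is false: checking only the envelope sender produces the warning from the report, while checking RFC5322.From accepts the author's key.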