If an ultimately trusted pgp certificate has a revoked userid, signed mails will display the security level 2 instead of 4.
To reproduce:
gpgol.log (preview mail):
Do you mean one of the user-ids has been revoked or the one matching the mail sender?
I rechecked: the revoked userid has to match the email address of the sender. Still there's another non revoked userid with the same email address:
Good catch. My guess is that get_uid_for_sender returns the last matching UID without checking for revocations. The matching was done on the mailbox part only. For reference:
for (const auto &uid: k.userIDs())
{
if (!uid.email() || !*(uid.email()))
{
/* This happens for S/MIME a lot */
log_debug ("%s:%s: skipping uid without email.",
SRCNAME, __func__);
continue;
}
auto normalized_uid = uid.addrSpec();
auto normalized_sender = UserID::addrSpecFromString(sender);
if (normalized_sender.empty() || normalized_uid.empty())
{
log_error ("%s:%s: normalizing '%s' or '%s' failed.",
SRCNAME, __func__, anonstr (uid.email()),
anonstr (sender));
continue;
}
if (normalized_sender == normalized_uid)
{
ret = uid;
}
}
TRETURN ret;