Broken signatures with Thunderbird/Enigmail since 1.4.0?

David Shaw dshaw at jabberwocky.com
Mon Dec 20 19:44:16 CET 2004


On Sun, Dec 19, 2004 at 09:30:41PM +0100, Kai Raven wrote:
> 
> Hi David,
> 
> On Thu, 16 Dec 2004 21:21:45 -0500 you wrote:
> 
> > Okay, I bet I know what the problem is.  I need to talk to some of the
> > Enigmail folks.  I think they may have a PGP/MIME text
> > canonicalization bug that one of the changes in 1.4 is aggravating.
> 
> Are file signatures affected the same way?
> Today, I downloaded the new spamassassin, checked the signature and got
> a bad signature. I wrote to the spamassassin folks and Theo Van Dinter
> replied:
> ===
> Interestingly, I decided to upgrade to 1.4.0 and try again:
> 
> $ gpg --verify Mail-SpamAssassin-3.0.2.tar.gz.asc
> gpg: Signature made Wed 15 Dec 2004 10:57:53 PM EST using DSA key ID 265FA05B
> gpg: BAD signature from "SpamAssassin Signing Key <release at spamassassin.org>"
> 
> exact same files as I had previously tested with 1.2.4...  Going to 1.2.6 (may
> as well go to the latest 1.2 release):
> 
> gpg: Signature made Wed 15 Dec 2004 10:57:53 PM EST using DSA key ID 265FA05B
> gpg: Good signature from "SpamAssassin Signing Key <release at spamassassin.org>"

1.4.0 is not the problem here.  The problem is that the signer has
made a --textmode signature over a binary object (a gz file).  This
won't work reliably because gpg will try and change the line endings
and there aren't real line endings inside a binary blob.

This signature won't work with PGP either for the same reason.  The
fact that it works with gpg 1.2.6 is mostly luck.

David
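
Added example, not part of the original message: a way to check which kind of signature a detached .asc carries, by reading the signature-type octet of its first packet (RFC 4880: 0x00 binary document, 0x01 canonical text document), plus a simplified model of why text mode changes what gets hashed for a binary blob. The function names are hypothetical, the sample signature is a constructed header-only packet, and the line-ending rewrite is an assumption standing in for gpg's own canonicalisation.

```python
import base64
import hashlib

SIG_TYPES = {0x00: "binary", 0x01: "canonical text"}  # RFC 4880, section 5.2.1

def dearmor(asc: str) -> bytes:
    """Return the raw packet bytes of an ASCII-armored signature."""
    block = asc.replace("\r\n", "\n").split("-----BEGIN PGP SIGNATURE-----", 1)[1]
    _headers, _, data = block.split("-----END PGP", 1)[0].partition("\n\n")
    lines = [l.strip() for l in data.splitlines() if not l.startswith("=")]  # drop CRC24
    return base64.b64decode("".join(lines))

def signature_type(asc: str) -> str:
    """Name the signature type of the first packet in a detached signature."""
    pkt = dearmor(asc)
    ctb = pkt[0]
    if ctb & 0x40:                        # new-format packet header
        tag = ctb & 0x3F
        hdr = 3 if 192 <= pkt[1] < 224 else 6 if pkt[1] == 255 else 2
    else:                                 # old-format packet header
        tag = (ctb >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[ctb & 0x03]
    if not ctb & 0x80 or tag != 2:
        raise ValueError("first packet is not a signature packet")
    body = pkt[hdr:]
    if body[0] not in (3, 4):
        raise ValueError("unsupported signature version")
    code = body[2] if body[0] == 3 else body[1]   # v3 has a length octet first
    return SIG_TYPES.get(code, f"other (0x{code:02x})")

def text_mode_bytes(data: bytes) -> bytes:
    """Simplified model (assumption): every line ending becomes CRLF."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def digest_changes(data: bytes) -> bool:
    """True if the line-ending rewrite alters the bytes that would be hashed."""
    return hashlib.sha1(data).digest() != hashlib.sha1(text_mode_bytes(data)).digest()

def constructed_sig(code: int) -> str:
    """Constructed sample: header fields only (v4, type, DSA, SHA-1), not verifiable."""
    pkt = bytes([0x88, 4, 4, code, 17, 2])
    b64 = base64.b64encode(pkt).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"

if __name__ == "__main__":
    blob = b"\x1f\x8b\x08\x00ab\ncd\r\nef"   # constructed stand-in for a .gz file
    print(signature_type(constructed_sig(0x01)), digest_changes(blob))
```

A release whose .asc reports "canonical text" over a tarball should be re-signed as a binary signature.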

More information about the Gnupg-users mailing list