GnuPG 1.4.0 and PGP/MIME signatures

[David Shaw]

Shortly after the release of GnuPG 1.4.0, an unexpected problem was
reported while using it with mail programs that support PGP/MIME.
After some research, it turned out that some mail programs did not
perfectly follow the PGP/MIME specification, RFC-3156.  The end result
was that PGP/MIME signatures made with one of these programs and GnuPG
1.4.0 were not always verifiable on other mail programs that did fully
follow the specification.

The PGP/MIME specification requires that end-of-line whitespace
(generally spaces) be protected against removal by the signing
program.  It turns out that several programs were using GnuPG to
remove the end-of-line whitespace rather than protecting it
themselves.

Most of these mail programs were fixed shortly after the 1.4.0
release.  Nevertheless, to give some time to the mail program
developers who have not yet implemented a fix, GnuPG 1.4.1 will
contain a new option: --rfc2440-text.  This option, which is on by
default, causes GnuPG to use the old text encoding that was used in
the 1.2.x and 1.3.x releases of GnuPG.  At some point in the future,
after there has been sufficient time for the various mail programs to
fix the problem and release an update, this option will be switched
off.

In the meantime, once 1.4.1 is out, an easy way to tell if your
particular mail program correctly implements PGP/MIME signing is to
set --no-rfc2440-text, and send yourself a signed message that has a
number of blank spaces at the end of a line.  Then, set --rfc2440-text
and attempt to verify the signature.  If the signature does not verify
correctly, you may wish to contact the developer of your mail program
for an update.

David