failure to verify a message with 1.4.0

David Shaw dshaw at jabberwocky.com
Sun May 22 15:10:25 CEST 2005


On Thu, May 19, 2005 at 11:41:37PM +0200, martin f krafft wrote:

> I just stumbled over this problem today and wanted to make sure it's
> known. I received a message over a Debian mailing list which failed
> to verify ("BADSIG") in mutt when verified against the Debian gnupg
> package 1.4.0-2. The same message does verify fine with 1.2.5-3 and
> 1.4.1-1.
> 
> If this is a known bug, I apologise. However, I am still providing
> you with all the information to make sure that it's not a lingering
> Heisenbug or something of that sort in 1.4.x versions.
> 
> *** If this is not known, please let me know ASAP as we might be
> facing a security-grade bug in 1.4.1-1, which is about to go into
> Debian sarge. If possible, also include security at debian.org in such
> a reply ***

This is a known issue, but it's not a bug that was fixed between 1.4.0
and 1.4.1.  It's a bit more complicated than that.

The problem here is actually in the mail message itself - the program
that generated it does not fully follow the PGP/MIME standard.

Around the time of the 1.4.0 release, the OpenPGP specification
clarified a lingering text line-ending encoding incompatibility
between PGP and GnuPG.  1.4.0 made this change (which should have been
invisible to 99.9% of users) but unfortunately some mail programs
didn't exactly follow the PGP/MIME specification about text line
endings (trailing spaces must be escaped).

The reason that it works with 1.4.1 but not 1.4.0 is that 1.4.1 has a
switch (set by default) to use the old behavior.

The whole story is at:
http://lists.gnupg.org/pipermail/gnupg-users/2005-January/024408.html

David
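
The mismatch described in the reply above, as an added example that is not part of the original post and is not GnuPG code. It assumes the two canonicalization rules differ only in whether trailing spaces and tabs are stripped before hashing (the post says only that the difference concerns text line endings and trailing spaces); the function names and the sample text are constructed, and SHA-256 stands in for whatever hash the signature uses.

```python
import hashlib

# Constructed sample: a text part whose first line ends in two unescaped spaces.
SAMPLE = b"Hello list,  \nthis part was signed.\n"

def canonicalize(data: bytes, strip_trailing: bool) -> bytes:
    """Normalize line endings to CRLF; optionally drop trailing spaces/tabs.

    strip_trailing is the assumed point of difference between the two rules.
    """
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if strip_trailing:
        lines = [line.rstrip(b" \t") for line in lines]
    return b"\r\n".join(lines)

def digest(data: bytes, strip_trailing: bool) -> str:
    """Hash the canonical form (stands in for the hash a signature covers)."""
    return hashlib.sha256(canonicalize(data, strip_trailing)).hexdigest()

def rules_agree(data: bytes) -> bool:
    """True when both canonicalization rules hash the data identically."""
    return digest(data, True) == digest(data, False)

def escape_trailing_ws(data: bytes) -> bytes:
    """Quoted-printable style escape (=20, =09) of whitespace at line ends."""
    out = []
    for line in data.replace(b"\r\n", b"\n").split(b"\n"):
        body = line.rstrip(b" \t")
        tail = line[len(body):]
        out.append(body + b"".join(b"=%02X" % ch for ch in tail))
    return b"\n".join(out)

if __name__ == "__main__":
    # Unescaped trailing spaces: signer and verifier can hash different bytes.
    print("raw part, rules agree:    ", rules_agree(SAMPLE))
    # Escaped as PGP/MIME expects: no line ends in whitespace, so both agree.
    print("escaped part, rules agree:", rules_agree(escape_trailing_ws(SAMPLE)))
```

A part with unescaped trailing whitespace hashes differently under the two rules, so a signer and a verifier that disagree on the rule report a bad signature on an unmodified message; once the trailing whitespace is escaped, the rule in use no longer matters.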


More information about the Gnupg-devel mailing list