combination of text-mode signature (by mutt?) and gpg >= 1.4.8 introduces interoperability problem

Bernhard Reiter bernhard at
Tue Jul 8 10:11:52 CEST 2008

Just followed up on an email written with mutt 1.5.18
and signed with gnupg 1.4.9, whose signature I could verify
with gpg2, but not with gpg1 from Debian Sarge and Etch,
which are 1.4.1 and 1.4.6 with patches respectively.

My current hypothesis is that the default change
introduced in gnupg 1.4.8 regarding --no-rfc2440-text
causes the interoperability problems. From what I have gathered,
the new setting is --no-rfc2440-text which will not strip 
trailing spaces and tabs. 

So verification with at least 1.4.1 - 1.4.7 fails with default
settings, if lines with trailing spaces and tabs are left in 
unquoted by the MTA.
As the email came from mutt 1.5.18, I could observe that trailing
spaces were left in, in a message/rfc822 part.
(Note that quoted-printable or base64 is forbidden in those parts.)
Mutt could have stripped the spaces in this case before calculating
the hash, but did not and this is hard to decide, because any message/rfc822
part might contain another signature. 

Emails sent with text-mode signatures to Debian Etch users
will not be verifiable with default settings in some situations.
This is bad of course as Etch is a production system.

a) refrain from using text-mode signatures?
b) Educate Debian Etch users to set --no-rfc2440-text as default?
c) Convince Debian that this is a security problem and have them
   update their gpg Etch Package
d) Educate users to get rid of the gnupg 1 package, and use gnupg2?


Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
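The mismatch described above comes down to two different canonicalisations of the same text before hashing: RFC 2440 text-mode signatures strip trailing spaces and tabs from every line, RFC 4880 (and gpg >= 1.4.8 with its --no-rfc2440-text default) keeps them; both convert line endings to CRLF. The following script is an added illustration, not code from the original message or from GnuPG: it applies both canonicalisations to a constructed message body, shows that the digests only diverge when trailing whitespace is present, and offers a sender-side check that would have flagged the mutt message before it was signed. The digest is taken over the canonicalised text alone (a real OpenPGP signature also hashes a trailer of signature subpackets, omitted here), and the sample body and function names are assumptions.

```python
import hashlib

# Constructed sample: a plain-text body as a mail client might sign it in
# text mode, with trailing spaces on one line and a trailing tab on another.
SAMPLE_BODY = (
    "Hello,\n"
    "this line has trailing spaces   \n"
    "this one has a trailing tab\t\n"
    "regards\n"
)


def canonical_rfc2440_text(body: str) -> bytes:
    """Text-mode canonicalisation as in RFC 2440 (gpg 1.4.1 - 1.4.7 default):
    line endings become CRLF and trailing spaces/tabs are removed."""
    return b"".join(
        (line.rstrip(" \t") + "\r\n").encode("utf-8")
        for line in body.splitlines()
    )


def canonical_rfc4880_text(body: str) -> bytes:
    """Text-mode canonicalisation as in RFC 4880 (gpg >= 1.4.8 default,
    --no-rfc2440-text): line endings become CRLF, trailing whitespace stays."""
    return b"".join(
        (line + "\r\n").encode("utf-8")
        for line in body.splitlines()
    )


def text_mode_digests(body: str) -> dict:
    """Digest of the canonicalised text under both readings. The real
    signature hash also covers a subpacket trailer; this is illustrative."""
    return {
        "rfc2440": hashlib.sha256(canonical_rfc2440_text(body)).hexdigest(),
        "rfc4880": hashlib.sha256(canonical_rfc4880_text(body)).hexdigest(),
    }


def trailing_whitespace_lines(body: str) -> list:
    """1-based numbers of the lines that carry trailing spaces or tabs, i.e.
    exactly the lines on which old and new gpg would hash different bytes."""
    return [
        number
        for number, line in enumerate(body.splitlines(), start=1)
        if line != line.rstrip(" \t")
    ]


def interop_safe(body: str) -> bool:
    """True when both canonicalisations agree, so a text-mode signature over
    this body verifies with gpg 1.4.1 - 1.4.7 and with gpg >= 1.4.8 alike."""
    return canonical_rfc2440_text(body) == canonical_rfc4880_text(body)


def strip_trailing_whitespace(body: str) -> str:
    """Sender-side mitigation: remove trailing spaces/tabs before signing
    (option a/b in the message is about avoiding or tolerating this; this
    makes the body identical under both readings instead)."""
    cleaned = "\n".join(line.rstrip(" \t") for line in body.splitlines())
    return cleaned + "\n" if body.endswith("\n") else cleaned


if __name__ == "__main__":
    digests = text_mode_digests(SAMPLE_BODY)
    print("lines with trailing whitespace:", trailing_whitespace_lines(SAMPLE_BODY))
    print("interop safe:", interop_safe(SAMPLE_BODY))
    print("rfc2440 digest:", digests["rfc2440"])
    print("rfc4880 digest:", digests["rfc4880"])
    cleaned = strip_trailing_whitespace(SAMPLE_BODY)
    print("after stripping, interop safe:", interop_safe(cleaned))
```

Running the script against the sample body reports lines 2 and 3 and two different digests; after stripping, both canonicalisations produce the same bytes, which is why a message without trailing whitespace verifies with either gpg generation regardless of the --rfc2440-text setting.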
