Bad signature (was: Re: GPG support in Mahogany)
Fri Dec 13 04:37:02 2002
On Fri, 2002-12-13 at 02:16, Anthony E. Greene wrote:
> On 12-Dec-2002/12:52 +1100, Dave Barton <firstname.lastname@example.org> wrote:
> >OK but Ingo's attached signature is one of the very few that I cannot
> >verify directly from within Evolution. Is this problem to do with
> >Evolution, Ingo's mail client (KMail/1.5) or something else ?
> Evo has known problems with PGP/MIME.
As I said in my original message Ingo's signature is one of the
_very_few_ that I cannot verify with Evo.
Where is the information about this "known" problem ? I have searched
unsuccessfully for any reports about this.
When I asked the Ximian Evolution developers if there was a known
problem with PGP/MIME in Evo 1.2 they responded:
In Evolution 1.0.x, we did not treat signed parts as "opaque" because
our MIME parser had been written to comply with previous MIME
specifications which did not define such a type. It is, in our opinion,
broken that rfc2015 requires signed parts to be treated as opaque
because it is placing further restrictions which did not previously
exist for MIME. This is an absolute no-no when extending standard
protocols. Then, of course, the PGP/MIME authors broke things yet again
when they released the newer rfc3156 specification which was not fully
compatible with rfc2015.
So, to answer your question: in Evolution 1.2, we have modified the
parser to special-case multipart/signed so that we keep the raw data
(this is what opaque means) so that when we go to verify the signature,
we feed gpg the raw data as originally found in the mbox file.
So, if signatures are failing to verify then it is likely that either:
1) the signature was created according to rfc2015 rules or...
2) the signature is broken (assuming that gpg doesn't have any bugs)
In short, 1.0.x is known to be faulty.
1.2.x should not be faulty.
I had mutt fail on some evolution generated test cases, but in these
cases mutt was at fault (it was truncating the last blank line of quoted
Registered Linux User #288562 http://counter.li.org
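The "opaque" handling of multipart/signed described in the message above, as an added example that is not part of the original post and is not Evolution's code. The sample message, the function names and the use of SHA-256 as a stand-in for the hash that gpg computes over the signed data are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample message (CRLF line endings, placeholder signature).
SAMPLE = (
    b'From: alice@example.org\r\n'
    b'Content-Type: multipart/signed; micalg=pgp-sha1;\r\n'
    b' protocol="application/pgp-signature"; boundary="sig"\r\n'
    b'\r\n'
    b'--sig\r\n'
    b'Content-Type: text/plain; charset=us-ascii\r\n'
    b'\r\n'
    b'> quoted text\r\n'
    b'\r\n'                      # blank line that is part of the signed data
    b'\r\n--sig\r\n'             # this CRLF belongs to the delimiter
    b'Content-Type: application/pgp-signature\r\n'
    b'\r\n'
    b'(constructed placeholder, not a real signature)\r\n'
    b'\r\n--sig--\r\n'
)

def split_signed(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed part, signature part) as untouched byte slices."""
    header = raw.split(b"\r\n\r\n", 1)[0]
    m = re.search(rb'boundary="?([^";\r\n]+)"?', header, re.I)
    if b"multipart/signed" not in header.lower() or not m:
        raise ValueError("not a multipart/signed message with a boundary")
    # Splitting on CRLF + "--boundary" keeps the CRLF before each delimiter
    # out of the parts. Assumes the boundary string never occurs in the body.
    pieces = raw.split(b"\r\n--" + m.group(1))
    if len(pieces) != 4 or not pieces[3].startswith(b"--"):
        raise ValueError("expected exactly two body parts")
    # Each piece starts with the rest of its delimiter line; drop that line.
    signed, signature = (p.split(b"\r\n", 1)[1] for p in pieces[1:3])
    return signed, signature

def lossy_copy(part: bytes) -> bytes:
    """Simulate a client that drops the last blank line of the signed part."""
    return part[:-2] if part.endswith(b"\r\n\r\n") else part

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    signed, _ = split_signed(SAMPLE)
    print("opaque bytes :", digest(signed))
    print("blank dropped:", digest(lossy_copy(signed)))
```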