Bad signature (was: Re: GPG support in Mahogany)

Ingo Klöcker
Sat Dec 14 01:51:14 2002


On Friday 13 December 2002 04:38, Dave Barton wrote:
> When I asked the Ximian Evolution developers if there was a known
> problem with PGP/MIME in Evo 1.2 they responded:
> <Q>
> In Evolution 1.0.x, we did not treat signed parts as "opaque" because
> our MIME parser had been written to comply with previous MIME
> specifications which did not define such a type. It is, in our
> opinion, broken that rfc2015 requires signed parts to be treated as
> opaque because it is placing further restrictions which did not
> previously exist for MIME. This is an absolute no-no when extending
> standard protocols. Then, of course, the PGP/MIME authors broke
> things yet again when they released the newer rfc3156 specification
> which was not fully compatible with rfc2015.
> So, to answer your question: in Evolution 1.2, we have modified the
> parser to special-case multipart/signed so that we keep the raw data
> (this is what opaque means) so that when we go to verify the
> signature, we feed gpg the raw data as originally found in the mbox
> file.

Hmm, either they didn't read RFC 3156 carefully enough or they did omit
an important detail. RFC 3156 says:

"Upon receipt of a signed message, an application MUST:

   (1)   Convert line endings to the canonical <CR><LF> sequence before
         the signature can be verified.  This is necessary since the
         local MTA may have converted to a local end of line convention.
   (2)   Pass both the signed data and its associated content headers
         along with the OpenPGP signature to the signature verification

Now I wonder whether the developers of Evolution forgot the <CR><LF>
canonicalization or whether they only forgot to tell you about it.

BTW, this message was created after applying a fix to KMail (now KMail
encodes trailing spaces correctly). Is the signature now valid, Dave?


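The two receiver-side requirements quoted from RFC 3156 above, and the trailing-space problem the KMail fix addresses, can be made concrete with a small simulation. This is an added example, not code from the mailing-list post, KMail or Evolution. It assumes a constructed PGP/MIME signed part, and it uses a SHA-256 digest as a stand-in for the hash inside a real OpenPGP signature so that it runs offline; the function names (`canonicalize_crlf`, `verify`, `local_mta_delivery`, `decode_body`) are hypothetical.

```python
"""Simulate RFC 3156 signature verification on a multipart/signed part.

Shows why (1) CRLF canonicalization and (2) including the content headers
matter, and why quoted-printable "=20" keeps a trailing space intact.
"""
import hashlib
import quopri

# Constructed sample: the signed part exactly as the signer produced it,
# with canonical CRLF line endings and a trailing space encoded as "=20".
ORIGINAL_PART = (
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Hello Dave,=20\r\n"
    b"is the signature valid now?\r\n"
)


def canonicalize_crlf(data: bytes) -> bytes:
    """RFC 3156 step (1): convert any line ending (LF, CR, CRLF) to CRLF."""
    # Collapse everything to bare LF first so existing CRLF pairs are
    # not doubled, then expand LF to CRLF.
    data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return data.replace(b"\n", b"\r\n")


def signed_digest(part: bytes) -> str:
    """What the signer hashes: headers plus body, CRLF-canonical.

    Stand-in for the hash a real OpenPGP signature is computed over.
    """
    return hashlib.sha256(canonicalize_crlf(part)).hexdigest()


def local_mta_delivery(part: bytes) -> bytes:
    """Simulate an MTA/mbox that rewrites CRLF to the local LF convention."""
    return part.replace(b"\r\n", b"\n")


def body_only(canonical_part: bytes) -> bytes:
    """Drop the content headers (what a verifier skipping step (2) sees)."""
    return canonical_part.split(b"\r\n\r\n", 1)[1]


def verify(part_as_stored: bytes, expected_digest: str,
           canonicalize: bool = True) -> bool:
    """Verifier; canonicalize=False deliberately skips step (1)."""
    data = canonicalize_crlf(part_as_stored) if canonicalize else part_as_stored
    return hashlib.sha256(data).hexdigest() == expected_digest


def decode_body(part: bytes) -> bytes:
    """Decode the quoted-printable body; "=20" survives as a real space.

    Assumes the constructed part's Content-Transfer-Encoding header.
    """
    return quopri.decodestring(body_only(canonicalize_crlf(part)))


if __name__ == "__main__":
    sig = signed_digest(ORIGINAL_PART)
    stored = local_mta_delivery(ORIGINAL_PART)
    print("with CRLF canonicalization:", verify(stored, sig, True))
    print("without canonicalization:  ", verify(stored, sig, False))
    print("headers omitted:           ",
          verify(body_only(ORIGINAL_PART), sig, True))
    print("decoded body:", decode_body(ORIGINAL_PART))
```

Running it shows the situation the message describes: a signature over the raw data verifies only if the verifier restores CRLF endings that the local MTA rewrote, and only if the content headers are hashed together with the body; a verifier that feeds "the raw data as originally found in the mbox file" to gpg without step (1) fails on LF-only storage.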