Bad signature (was: Re: GPG support in Mahogany)
Sat Dec 14 21:59:01 2002
On Sat, 2002-12-14 at 11:47, Ingo Klöcker wrote:
> On Friday 13 December 2002 04:38, Dave Barton wrote:
> > When I asked the Ximian Evolution developers if there was a known
> > problem with PGP/MIME in Evo 1.2 they responded:
> > <Q>
> > In Evolution 1.0.x, we did not treat signed parts as "opaque" because
> > our MIME parser had been written to comply with previous MIME
> > specifications which did not define such a type. It is, in our
> > opinion, broken that rfc2015 requires signed parts to be treated as
> > opaque because it is placing further restrictions which did not
> > previously exist for MIME. This is an absolute no-no when extending
> > standard protocols. Then, of course, the PGP/MIME authors broke
> > things yet again when they released the newer rfc3156 specification
> > which was not fully compatible with rfc2015.
> > So, to answer your question: in Evolution 1.2, we have modified the
> > parser to special-case multipart/signed so that we keep the raw data
> > (this is what opaque means) so that when we go to verify the
> > signature, we feed gpg the raw data as originally found in the mbox
> > file.
> Hmm, either they didn't read RFC 3156 carefully enough or they did omit
> an important detail. RFC 3156 says:
> "Upon receipt of a signed message, an application MUST:
> (1) Convert line endings to the canonical <CR><LF> sequence before
> the signature can be verified. This is necessary since the
> local MTA may have converted to a local end of line convention.
> (2) Pass both the signed data and its associated content headers
> along with the OpenPGP signature to the signature verification
> Now I wonder whether the developers of Evolution forgot the <CR><LF>
> canonicalization or whether they only forgot to tell you about it.
Probably the latter.
> BTW, this message was created after applying a fix to KMail (now KMail
> encodes trailing spaces correctly). Is the signature now valid, Dave?
Yep! Your signature in this message validates without any problem.
Registered Linux User #288562 http://counter.li.org
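An added illustration, not part of the original thread and not Evolution's or KMail's code: the two steps quoted above from RFC 3156, keeping the signed part byte for byte (content headers and trailing spaces included) and converting its line endings to <CR><LF> before verification. The sample message, its boundary string and all function names are constructed for this example.

```python
import hashlib
import re

# Constructed sample: a multipart/signed message as stored in a Unix mbox
# (bare LF line endings). The signature part is a placeholder, not real.
SAMPLE_MBOX = (
    b"From: alice@example.org\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha1;\n"
    b' protocol="application/pgp-signature"; boundary="sig-b1"\n'
    b"\n"
    b"--sig-b1\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"Hello, \n"  # the trailing space is part of the signed data
    b"world\n"
    b"--sig-b1\n"
    b"Content-Type: application/pgp-signature\n"
    b"\n"
    b"(placeholder for the detached signature)\n"
    b"--sig-b1--\n"
)

def signed_part_lines(raw: bytes) -> list:
    """Lines of the first body part, content headers included, unmodified."""
    m = re.search(rb'boundary="?([^";\s]+)"?', raw, re.IGNORECASE)
    if not m:
        raise ValueError("no boundary parameter found")
    delim = b"--" + m.group(1)
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    marks = [i for i, line in enumerate(lines) if line.rstrip(b" \t") == delim]
    if len(marks) < 2:
        raise ValueError("signed part is not delimited by two boundary lines")
    # The line break before a delimiter belongs to the delimiter (RFC 2046),
    # so the part ends with its last line and no trailing line break.
    return lines[marks[0] + 1 : marks[1]]

def signed_data(raw: bytes, eol: bytes = b"\r\n") -> bytes:
    """Bytes to hand to the verifier, joined with CRLF by default."""
    return eol.join(signed_part_lines(raw))

def digest(data: bytes) -> str:
    # Plain SHA-256, used here only to show that the byte strings differ.
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    print("as stored (LF):   ", digest(signed_data(SAMPLE_MBOX, b"\n")))
    print("canonical (CRLF): ", digest(signed_data(SAMPLE_MBOX)))
```

The bytes returned by `signed_data()` are what would be written to a file and checked against the detached signature, for example with `gpg --verify signature.asc signed-part`.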