Bad signature (was: Re: GPG support in Mahogany)

Dave Barton bmcs@myrealbox.com
Sat Dec 14 21:59:01 2002


On Sat, 2002-12-14 at 11:47, Ingo Klöcker wrote:
> On Friday 13 December 2002 04:38, Dave Barton wrote:
> > When I asked the Ximian Evolution developers if there was a known
> > problem with PGP/MIME in Evo 1.2 they responded:
> >
> > <Q>
> > In Evolution 1.0.x, we did not treat signed parts as "opaque" because
> > our MIME parser had been written to comply with previous MIME
> > specifications which did not define such a type. It is, in our
> > opinion, broken that rfc2015 requires signed parts to be treated as
> > opaque because it is placing further restrictions which did not
> > previously exist for MIME. This is an absolute no-no when extending
> > standard protocols. Then, of course, the PGP/MIME authors broke
> > things yet again when they released the newer rfc3156 specification
> > which was not fully compatible with rfc2015.
> >
> > So, to answer your question: in Evolution 1.2, we have modified the
> > parser to special-case multipart/signed so that we keep the raw data
> > (this is what opaque means) so that when we go to verify the
> > signature, we feed gpg the raw data as originally found in the mbox
> > file.
>
> Hmm, either they didn't read RFC 3156 carefully enough or they did omit
> an important detail. RFC 3156 says:
>
> "Upon receipt of a signed message, an application MUST:
>
>    (1)   Convert line endings to the canonical <CR><LF> sequence before
>          the signature can be verified.  This is necessary since the
>          local MTA may have converted to a local end of line convention.
>    (2)   Pass both the signed data and its associated content headers
>          along with the OpenPGP signature to the signature verification
>          service."
>
> Now I wonder whether the developers of Evolution forgot the <CR><LF>
> canonicalization or whether they only forgot to tell you about it.

Probably the latter.

> BTW, this message was created after applying a fix to KMail (now KMail
> encodes trailing spaces correctly). Is the signature now valid, Dave?
>
> Regards,
> Ingo

Yep! Your signature in this message validates without any problem.

Regards
Dave
-- 
Registered Linux User #288562 http://counter.li.org

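The two RFC 3156 steps quoted above, combined with the "keep the raw data" handling the Evolution developers describe, as an added Python example that is not part of the original message or of any mail client's code. The sample message, boundary string and function names are constructed for illustration, and SHA-256 stands in for the OpenPGP verification step.

```python
import hashlib
import re

def signed_part_bytes(raw_message: bytes, boundary: bytes) -> bytes:
    """First body part of multipart/signed, content headers included, byte for
    byte as stored: no MIME decoding and no re-serialization."""
    # The line break before a delimiter line belongs to the delimiter.
    delim = re.compile(rb"(?:^|\r?\n)--" + re.escape(boundary)
                       + rb"(?:--)?[ \t]*(?:\r?\n|$)")
    marks = list(delim.finditer(raw_message))
    if len(marks) < 3:
        raise ValueError("need signed part, signature part, closing delimiter")
    return raw_message[marks[0].end():marks[1].start()]

def canonicalize(part: bytes) -> bytes:
    """RFC 3156 step (1): every line ending (CRLF, lone CR, lone LF) -> CRLF."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", part)

def digest_for_verification(raw_message, boundary, canonical=True):
    """SHA-256 stands in here for the hash an OpenPGP verifier computes."""
    part = signed_part_bytes(raw_message, boundary)
    return hashlib.sha256(canonicalize(part) if canonical else part).hexdigest()

# Constructed sample message (not taken from the thread).
BOUNDARY = b"=-constructed-boundary"
WIRE = b"\r\n".join([
    b'Content-Type: multipart/signed; boundary="=-constructed-boundary"',
    b"",
    b"--=-constructed-boundary",
    b"Content-Type: text/plain; charset=ISO-8859-1",
    b"",
    b"Line with a trailing space ",
    b"Last line",
    b"--=-constructed-boundary",
    b"Content-Type: application/pgp-signature",
    b"",
    b"(signature placeholder)",
    b"--=-constructed-boundary--",
    b"",
])
# What a local store might hold after converting to LF line endings.
LOCAL_COPY = WIRE.replace(b"\r\n", b"\n")

if __name__ == "__main__":
    wire = digest_for_verification(WIRE, BOUNDARY)
    print("canonicalized copy matches:", digest_for_verification(LOCAL_COPY, BOUNDARY) == wire)
    print("raw LF copy matches:", digest_for_verification(LOCAL_COPY, BOUNDARY, False) == wire)
```

The signed part is sliced out of the stored bytes rather than rebuilt from a parsed MIME tree, so trailing spaces and the content headers reach the verifier unchanged.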