What happened to this signature?
Moritz Klammler
moritz at klammler.eu
Mon Sep 12 17:06:23 CEST 2016
>> Today, I've posted a signed message (OpenPGP MIME) to a public
>> mailing list I'm subscribed to. When it was delivered back to me,
>> the signature was broken. I investigated the case and found out that
>> some silly MTA had un-escaped a minus-character in the message body
>> (quoted-printable) and added a blank line at the top. This is
>> annoying but is adequately explained by stupidity so it didn't alarm
>> me. Similar things have happened to me many times in the past. What
>> *did* alarm me is that a further investigation revealed that the
>> signature itself was changed, too.
>
> A possible explanation which does not involve any conspiracies would
> be that Gnus, for whatever reason, signs the copy of the message that
> is stored in the sent folder (which, I assume, is where you've got the
> "original, good, signature" from) separately from the copy of the
> message that it sends.

Thank you, I think you are right. The "bad" signature happens to be a
valid signature of the (this time really) good message, too. Isn't it
nice to learn new things about your MUA every day? Quite embarrassing
though, that I didn't realize this behavior earlier.

I would still be interested to understand the meaning of the "begin of
digest" packet in a signature. Apparently, it is not the two leftmost
bytes of the signed hash. But what else is it then?

Moritz

--
OpenPGP:
Public Key: http://openpgp.klammler.eu
Fingerprint: 2732 DA32 C8D0 EEEC A081 BE9D CF6C 5166 F393 A9C0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20160912/2aff06e0/attachment.sig>
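
Added example, not part of the original message: under RFC 4880 (sections 5.2.3 and 5.2.4) the two-octet value GnuPG lists as "begin of digest" is the left 16 bits of the hash that is signed, and for a version 4 signature that hash covers the data followed by the signature's own hashed fields and a six-octet trailer. The sketch below shows why it matches neither a plain hash of the message nor the value in a second signature made over the same message at a different time; the message bytes, timestamps, algorithm choices and function names are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample; real PGP/MIME input is the exact signed MIME part.
MESSAGE = b"Content-Type: text/plain\r\n\r\nHello list\r\n"


def creation_time_subpacket(unix_time):
    """Signature Creation Time subpacket: length octet, type 2, 4-octet time."""
    return bytes([5, 2]) + struct.pack(">I", unix_time)


def v4_hashed_section(sig_type, pubkey_algo, hash_algo, hashed_subpackets):
    """Signature fields from the version octet through the hashed subpackets."""
    header = bytes([4, sig_type, pubkey_algo, hash_algo])
    return header + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets


def v4_signed_digest(data, hashed_section):
    """SHA-256 over data, hashed section, then trailer 0x04 0xFF <4-octet length>."""
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed_section))
    return hashlib.sha256(data + hashed_section + trailer).digest()


def begin_of_digest(data, hashed_section):
    """The two octets stored in the signature packet next to the signature."""
    return v4_signed_digest(data, hashed_section)[:2]


# Two signatures over the same message, as when a mail client signs the sent
# copy and the stored copy separately. Binary signature (0x00), RSA (1),
# SHA-256 (8); both timestamps are constructed values.
SENT_COPY = v4_hashed_section(0x00, 1, 8, creation_time_subpacket(0x57D00000))
STORED_COPY = v4_hashed_section(0x00, 1, 8, creation_time_subpacket(0x57D00005))

if __name__ == "__main__":
    print("plain SHA-256 of message:", hashlib.sha256(MESSAGE).hexdigest()[:4])
    print("begin of digest, sent   :", begin_of_digest(MESSAGE, SENT_COPY).hex())
    print("begin of digest, stored :", begin_of_digest(MESSAGE, STORED_COPY).hex())
```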