What happened to this signature?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 12 19:12:20 CEST 2016


On Sun 2016-09-11 23:50:15 +0200, Ingo Klöcker wrote:
> On Sunday 11 September 2016 21:17:31 Moritz Klammler wrote:
>> Today, I've posted a signed message (OpenPGP MIME) to a public
>> mailing list I'm subscribed to.  When it was delivered back to me,
>> the signature was broken.  I investigated the case and found out that
>> some silly MTA had un-escaped a minus-character in the message body
>> (quoted-printable) and added a blank line at the top.  This is
>> annoying but is adequately explained by stupidity so it didn't alarm
>> me.  Similar things have happened to me many times in the past.  What
>> *did* alarm me is that a further investigation revealed that the
>> signature itself was changed, too.
>
> A possible explanation which does not involve any conspiracies would be 
> that Gnus, for whatever reason, signs the copy of the message that is 
> stored in the sent folder (which, I assume, is where you've got the 
> "original, good, signature" from) separately from the copy of the 
> message that it sends.

Indeed, i believe it does.  I use notmuch-emacs, which also uses
mml-mode for composition; and that setup used to be the default
configuration before i switched over to using a native notmuch fcc
approach (see the notmuch mailing list thread starting on Message-Id:
<1465599772-10297-1-git-send-email-markwalters1009 at gmail.com> for a good
example of using notmuch-specific fcc, which removes the risk of
double-signing).

        --dkg