gpgsm unable to extract signers from a valid (?) signature

Albrecht Dreß albrecht.dress at posteo.de
Wed May 7 19:45:56 CEST 2025


On 06.05.25 12:14 Werner Koch wrote:
[snip]
> This signature is a certificate-only message:
> 
> $ ~/b/libksba/tests/t-cms-parser SIG.bin
> *** checking `SIG.bin' ***
> identified as: signed data
> stop reason: 2
> ContentType: 1.2.840.113549.1.7.2
> stop reason: 3
> EncapsulatedContentType: 1.2.840.113549.1.7.1
> DigestAlgorithms: 2.16.840.1.101.3.4.2.1
> Detached signature
> stop reason: 6
> this is a certs-only message
> *** all checks done
[snip]
> Your signature is missing the part of the signature which is in the
> proper signature from offset 17..47.  Instead it starts off directly
> with the list of certificates indicated by a context tag 0 at offset 15
> which starts in the proper signature at offset 35

Ok, thanks for the detailed explanation!

> What we should do is to print a message that this is a cert-only
> signature in the same way the LibKSBA test tool does it.

Well, this doesn't solve the issue from the user's perspective IMHO.  Apparently Thunderbird (and maybe other MUAs, too?) *is* able to deal with this signature, including a warning if the message has been tampered with, whilst any application using gpgsm through gpgme or directly isn't, which of course is a pity.

I agree that this format seems to be rarely used (I actually saw it in messages from my electric supply company only, probably produced by some kind of crypto gateway; the headers don't give any further indication), but it would be great if gpgsm/libksba could deal with this kind of corner case.

Thanks,
Albrecht.
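As an added example (not code from this thread, GnuPG or libksba): a small Python DER walker that applies the same criterion the LibKSBA test tool uses when it prints "this is a certs-only message", namely an empty SignerInfos SET inside SignedData, and also reports the offset of the certificate list's context tag 0. The two sample messages are constructed by hand for this example; the certificate and SignerInfo entries are stand-ins, and the offsets they produce are those of this toy layout, not of the message discussed above.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData

def der(tag, content):  # encode one DER TLV, short- or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_header(buf, off):  # -> (tag, header_len, content_len) of the element at buf[off]
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def children(buf, off):  # yield (offset, tag, header_len, content_len) of each child element
    _, hl, cl = read_header(buf, off)
    pos, end = off + hl, off + hl + cl
    while pos < end:
        ctag, chl, ccl = read_header(buf, pos)
        yield pos, ctag, chl, ccl
        pos += chl + ccl

def classify_cms(buf):  # walk ContentInfo -> [0] -> SignedData, check for SignerInfos
    kids = list(children(buf, 0))  # ContentInfo: contentType OID, then [0] EXPLICIT content
    off, tag, hl, cl = kids[0]
    if tag != 0x06 or buf[off + hl:off + hl + cl] != OID_SIGNED_DATA:
        return {"kind": "not signed data"}
    sd_off = next(children(buf, kids[1][0]))[0]  # the SignedData SEQUENCE inside [0]
    certs_at, sets = None, []
    for off, tag, hl, cl in children(buf, sd_off):
        if tag == 0xA0:      # certificates [0] IMPLICIT SET OF CertificateChoices
            certs_at = off
        elif tag == 0x31:    # first SET is digestAlgorithms, last SET is signerInfos
            sets.append(cl)
    if len(sets) < 2:
        return {"kind": "malformed: no signerInfos", "certificates_at": certs_at}
    kind = "certs-only" if sets[-1] == 0 else "signed data"
    return {"kind": kind, "certificates_at": certs_at, "signer_infos_len": sets[-1]}

# Constructed sample messages (hand-built for this example, not real signatures).
SHA256_ALG = der(0x30, der(0x06, bytes.fromhex("608648016503040201")))
ID_DATA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))
FAKE_CERT = der(0x30, der(0x02, b"\x01"))  # stand-in for a certificate; never inspected
def build(signer_infos):
    sd = (der(0x02, b"\x01") + der(0x31, SHA256_ALG) + ID_DATA
          + der(0xA0, FAKE_CERT) + der(0x31, signer_infos))
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30, sd)))
CERTS_ONLY = build(b"")                             # empty SignerInfos, as in the reported message
WITH_SIGNER = build(der(0x30, der(0x02, b"\x01")))  # minimal SignerInfo stub
```

`classify_cms(CERTS_ONLY)` reports `certs-only` with `signer_infos_len` 0, which is exactly the case where gpgsm finds no signer to verify against even though the certificate list is present.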