Bug 286553

Summary: Kmail signed emails invalid in Thunderbird w/ Enigmail
Product: [Applications] kmail2
Reporter: janow49420
Component: crypto
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: alunduil+kde, arthur, felixonmars, jc, kde, mail, maystar, me, opensource, sknauss
Priority: NOR
Version: 4.9.0
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Latest Commit:
Version Fixed In: 4.11.4
Sentry Crash Report:
Attachments:
  Mail sent from Kmail
  Mail sent from Thunderbird
  Screenshot Mail sent from Kmail
  Screenshot Mail sent from Thunderbird
  An email sent from KMail 4.9 on KDE 4.9
  A screenshot of an email signed by Kmail, being viewed in Thunderbird 14
  Mail created with kmail 4.10.2 OpenPGP inline
  Invalid PGP/MIME message generated by KMail 4.10.2
  signature.sig for using gpg --verify
  text.txt for using gpg --verify

Description janow49420 2011-11-14 03:35:18 UTC
Version:           unspecified (using KDE 4.7.3) 
OS:                Linux

I've noticed that when I create an email in Thunderbird (and sign it) and send it via Thunderbird, everything works fine and it reads correctly in Kmail.

When I create an email in Kmail and sign it, all my Thunderbird friends complain of bad signature errors. To clarify, I've attached a sample of each email and how it differs.

Reproducible: Always
Comment 1 janow49420 2011-11-14 03:37:52 UTC
Created attachment 65636
Mail sent from Kmail

This is an email sent from Kmail, Signed with my key.
Comment 2 janow49420 2011-11-14 03:39:32 UTC
Created attachment 65637
Mail sent from Thunderbird

This is an email sent from Thunderbird, Signed with my key.
Comment 3 janow49420 2011-11-14 03:42:47 UTC
Created attachment 65638
Screenshot Mail sent from Kmail

Screenshot: This is an email sent from Kmail, Signed with my key.
Comment 4 janow49420 2011-11-14 03:44:24 UTC
Created attachment 65639
Screenshot Mail sent from Thunderbird

Screenshot: This is an email sent from Thunderbird, Signed with my key.
Comment 5 Stanislav Sidorenko 2011-12-19 17:27:50 UTC
I can confirm this bug. The problem is "-- " line. Here are details: https://www.mozdev.org/bugs/show_bug.cgi?id=24624

Initially I thought that it is an enigmail bug, not kmail. I think it could be simply fixed just by forcing base64 encoding for such messages.
Comment 6 janow49420 2012-02-25 11:21:11 UTC
I don't think encoding text emails in base64 is really all that much the best idea, because it will cause those emails to be bigger. As far as I know Thunderbird doesn't do that.

It does seem to be a "standard" and not just something Thunderbird does, if you look at https://tools.ietf.org/html/rfc3676#page-9 or http://lipas.uwasa.fi/~ts/http/signatur.html
Comment 7 janow49420 2012-02-25 11:25:45 UTC
Encoding text emails with base64 will also trigger spam filters on various servers, or at the very least increase its point rating. https://wiki.apache.org/spamassassin/Rules/MIME_BASE64_TEXT
Comment 8 Myriam Schweingruber 2012-08-18 09:16:15 UTC
Which exact Kmail version is this report about and is this reproducible with version 4.8.5 or later? Please set the version field accordingly.
Comment 9 janow49420 2012-08-18 09:21:53 UTC
Ah sorry this was with Kmail 4.7.3. I'll have to test this with the latest version.
Comment 10 janow49420 2012-08-18 16:04:13 UTC
Created attachment 73277
An email sent from KMail 4.9 on KDE 4.9
Comment 11 janow49420 2012-08-18 16:05:11 UTC
Created attachment 73278
A screenshot of an email signed by Kmail, being viewed in Thunderbird 14
Comment 12 janow49420 2012-08-18 16:08:13 UTC
It should be noted this bug isn't fixed, in fact it's a lot worse now.

Instead of saying "Error - signature verification failed" it now says "Unverified signature" and when you click on "Details" it says "BAD signature from recipient".

Also, I am not able to verify any emails sent by KMail on my Android phone using Kaiten. However, emails produced by Kaiten or by Thunderbird with Enigmail work fine in all mail applications.
Comment 13 Alex Brandt 2012-09-14 22:54:56 UTC
Is there any more information needed to get movement on this bug? Seems Kalidarn did an excellent job of documenting this issue, but if there is anything else that would be helpful it would be nice to have it outlined here so we can provide the necessary items. I understand people are busy and don't intend for this to sound pushy; just want to know if there is any way we can help. Otherwise, can we get this bug moved out of NEEDSINFO WAITINGFORINFO and into an open status?
Comment 14 Myriam Schweingruber 2012-09-16 01:07:47 UTC
Thank you for the feedback, setting status correctly.
Comment 15 Rolf Eike Beer 2012-12-30 17:24:09 UTC
I guess this is a violation of RfC 3156, section 3:

   Additionally, implementations MUST make sure that no trailing
   whitespace is present after the MIME encoding has been applied.

Which is violated by the signature delimiter having a trailing whitespace. The simple fix would be to require a qp-recoding for everything that has trailing whitespace.
Comment 16 Felix Yan 2013-02-05 16:50:02 UTC
My test result:

Check "Prepend separator to signature" and send ASCII-only e-mails: shows as Invalid in Thunderbird w/Enigmail.
Check "Prepend separator to signature" and send e-mails containing UTF-8 characters: shows as Good in Thunderbird w/Enigmail.
Uncheck "Prepend separator to signature" and send ASCII-only e-mails: shows as Good in Thunderbird w/Enigmail.

Hope this helps :)
Comment 17 Sandro Knauß 2013-04-12 22:52:03 UTC
You mixed up different crypto standards. kmail normally sends mails with OpenPGP Mime, and thunderbird uses OpenPGP Inline.

But you can switch kmail to use Inline OpenPGP via Options->Cryptographic Message Format->Inline OpenPGP.

Please also try kmail 4.10.2, there were some improvements in the crypto stack. I attach a mail created with kmail 4.10.2 with OpenPGP inline - In my eyes it should be correct :)
Comment 18 Sandro Knauß 2013-04-12 22:53:07 UTC
Created attachment 78848
Mail created with kmail 4.10.2 OpenPGP inline
Comment 19 Vladimir Kulev 2013-04-25 13:39:21 UTC
Created attachment 79440
Invalid PGP/MIME message generated by KMail 4.10.2
Comment 20 Vladimir Kulev 2013-04-25 13:47:56 UTC
(In reply to comment #17)
> You mixed up different crypto standards. kmail normally sends mails with
> OpenPGP Mime, and thunderbird uses OpenPGP Inline.

Please check attachment #79440, it's created with KMail 4.10.2 and Enigmail says it's invalid.
When I create a simple two-line email without signature and citations, it validates correctly.

Thunderbird uses OpenPGP Inline by default, but it is able to validate both.
Comment 21 Michael Skiba 2013-07-26 10:14:40 UTC
What's the status of this bug?
Is more info still needed, and if so, which?
Comment 22 janow49420 2013-11-07 07:41:19 UTC
Tested in KDE 4.11.2 with KMail Version 4.11.2. Still not fixed.
Comment 23 Sandro Knauß 2013-11-08 16:06:03 UTC
Thanks for this information. Now I can reproduce this behaviour and understand what's going on.
I can also confirm that the signature is correct by using
gpg --verify signature.sig text.txt

This bug can be viewed differently.
Either we can say, this is a bug of enigmail (extensions/enigmail/package/mimeVerify.jsm line 184):
this.writeToPipe(data.replace(/^-/gm, "- -"));
They modify the signed message, which should never ever be done. Like RFC 3156 says:
"Multipart/signed and multipart/encrypted are to be treated by agents as opaque, meaning that the data is not to be altered in any way"

The other way we can look at this bug is that we are ignoring the RFC 3156 recommendation:
"It cannot be stressed enough that applications using this standard follow MIME's suggestion that you 'be conservative in what you generate, and liberal in what you accept.' "

To solve this bug, kmail has to use Quoted-Printable or Base64 and escape the signature sequence "--\n", that causes enigmail to change the content of the signed content.
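
The failure described in comments 15 and 23, as an added example that is not part of the bug report and is not Enigmail's or KMail's code. A SHA-256 digest stands in for signature verification, the sample part is constructed, and `qpProtectPart` is a hypothetical sender-side re-encoding that assumes short ASCII lines.

```javascript
// Added illustration; not Enigmail or KMail code.
const crypto = require('crypto');

// Constructed sample: the signed text/plain part, with the "-- " separator line.
const SIGNED_PART = [
  'Content-Type: text/plain; charset="us-ascii"',
  'Content-Transfer-Encoding: 7bit',
  '',
  'Hello,',
  '- first item',
  '-- ',
  'Alice',
  '',
].join('\r\n');

// Stand-in for verification: the signature covers a hash of these exact bytes.
const digest = (s) => crypto.createHash('sha256').update(s, 'latin1').digest('hex');
const survives = (part, transform) => digest(transform(part)) === digest(part);

// The rewrite quoted in comment 23 (mimeVerify.jsm), applied to the signed data.
const dashEscape = (data) => data.replace(/^-/gm, '- -');
// Trailing-whitespace removal, the case RFC 3156 section 3 guards against.
const stripTrailingWs = (data) => data.replace(/[ \t]+$/gm, '');

const bodyOf = (part) => part.slice(part.indexOf('\r\n\r\n') + 4);

// Quoted-printable for one ASCII line: "=" becomes "=3D"; a trailing space/tab
// and a leading "-" are hex-escaped. Assumes lines need no soft line breaks.
function qpProtectLine(line) {
  return line
    .replace(/=/g, '=3D')
    .replace(/[ \t]$/, (c) => (c === ' ' ? '=20' : '=09'))
    .replace(/^-/, '=2D');
}

// Hypothetical sender-side step: re-encode the part before it is signed.
function qpProtectPart(part) {
  const headers = part
    .slice(0, part.indexOf('\r\n\r\n'))
    .replace(/^(Content-Transfer-Encoding:).*$/im, '$1 quoted-printable');
  return headers + '\r\n\r\n' + bodyOf(part).split('\r\n').map(qpProtectLine).join('\r\n');
}

// What the receiver recovers from the protected body after verification.
const qpDecode = (s) =>
  s.replace(/=([0-9A-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
```

With the 7bit part, either transformation changes the bytes and the digest no longer matches; after re-encoding, no line starts with "-" or ends in whitespace, so both transformations leave it untouched.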
Comment 24 Sandro Knauß 2013-11-08 16:07:43 UTC
Created attachment 83429
signature.sig for using gpg --verify
Comment 25 Sandro Knauß 2013-11-08 16:10:18 UTC
Created attachment 83430
text.txt for using gpg --verify
Comment 26 Sandro Knauß 2013-11-08 16:11:08 UTC
Filed bug at enigmail: https://sourceforge.net/p/enigmail/bugs/209/
Comment 27 Sandro Knauß 2013-11-09 17:36:54 UTC
Git commit 98770957d2a62437159ac3cba1882f75859adb87 by Sandro Knauß.
Committed on 09/11/2013 at 14:37.
Pushed by knauss into branch 'KDE/4.11'.

Fix 286553 - Kmail signed emails invalid in Thunderbird w/ Enigmail
Related: bug 303305
FIXED-IN: 4.11.4
REVIEW: 113750

M  +46   -0    messagecomposer/job/signjob.cpp
M  +35   -0    messagecomposer/tests/signjobtest.cpp
M  +1    -0    messagecomposer/tests/signjobtest.h

http://commits.kde.org/kdepim/98770957d2a62437159ac3cba1882f75859adb87
Comment 28 Felix Yan 2014-10-18 09:00:39 UTC
Hello, I'm still seeing all messages signed by Kmail shown as invalid in Thunderbird with Enigmail (but not the other way around). The Kmail version I am using is 4.14.4, and Enigmail is 1.7.2, both are after the "fix". Anything I can provide for further debugging?
Comment 29 Felix Yan 2014-10-18 09:02:03 UTC
(In reply to Felix Yan from comment #28)
> The Kmail version I am using is 4.14.4

Sorry, should be 4.14.1
Comment 30 Jean-Christophe Baptiste 2015-01-15 15:35:51 UTC
+1
Same issue here with Kmail 4.13.3, Ubuntu 14.04.

Note that Evolution, as well as Enigmail, also flags sent signatures as invalid.
Comment 31 Felix Yan 2015-03-10 02:11:19 UTC
Looks like the current failure is an Enigmail issue: http://sourceforge.net/p/enigmail/bugs/332/

I've tested their nightly build and it works fine now.
Comment 32 Fabian 2015-03-25 11:10:18 UTC
What's the current state of this bug? I'm using kmail 4.14.6 in openSUSE 13.2.
My signed mails are not valid in thunderbird (enigmail) and k-9 mail (openkeychain).
I'm not very familiar with gpg, but mails signed with thunderbird and kmail look quite different, too. It seems that kmail adds an attachment and thunderbird does not.
Is there any workaround known? It's really annoying if most people can't verify my unencrypted mails.
Comment 33 Sandro Knauß 2015-03-25 15:14:03 UTC
@Fabian: the state of the bug is resolved/fixed. But there is a bug on the enigmail side. The reference is the commandline gpg. If that says that the signature is correct, then the retrieving mail client has a bug.

>I'm not very familiar with gpg, but mails signed with thunderbird and kmail look quite different, too. It seems that kmail adds an attachment and thunderbird not.
There are two different implementations for signing: inline and PGP/Mime. Inline shouldn't be used these days, but if you say that thunderbird doesn't create an attachment, then thunderbird sends inline. You can treat kmail via options->encryption->inline to use inline. But I know that thunderbird also understands PGP/Mime.

I dislike that bugs are captured to talk about different things. If there is a new one, then open a new bug.