Summary: | Kmail signed emails invalid in Thunderbird w/ Enigmail | ||
---|---|---|---|
Product: | [Applications] kmail2 | Reporter: | janow49420 |
Component: | crypto | Assignee: | kdepim bugs <kdepim-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alunduil+kde, arthur, felixonmars, jc, kde, mail, maystar, me, opensource, sknauss |
Priority: | NOR | ||
Version: | 4.9.0 | ||
Target Milestone: | --- | ||
Platform: | Ubuntu | ||
OS: | Linux | ||
Latest Commit: | http://commits.kde.org/kdepim/98770957d2a62437159ac3cba1882f75859adb87 | Version Fixed In: | 4.11.4 |
Sentry Crash Report: | |||
Attachments:
Mail sent from Kmail
Mail sent from Thunderbird
Screenshot Mail sent from Kmail
Screenshot Mail sent from Thunderbird
An email sent from KMail 4.9 on KDE 4.9
A screenshot of an email signed by Kmail, being viewed in Thunderbird 14
Mail created with kmail 4.10.2 OpenPGP inline
Invalid PGP/MIME message generated by KMail 4.10.2
signature.sig for using gpg --verify
text.txt for using gpg --verify
Description
janow49420
2011-11-14 03:35:18 UTC
Created attachment 65636 [details]
Mail sent from Kmail
This is an email sent from Kmail, Signed with my key.
Created attachment 65637 [details]
Mail sent from Thunderbird
This is an email sent from Thunderbird, Signed with my key.
Created attachment 65638 [details]
Screenshot Mail sent from Kmail
Screenshot: This is an email sent from Kmail, Signed with my key.
Created attachment 65639 [details]
Screenshot Mail sent from Thunderbird
Screenshot: This is an email sent from Thunderbird, Signed with my key.
I can confirm this bug. The problem is the "-- " line. Here are details: https://www.mozdev.org/bugs/show_bug.cgi?id=24624 Initially I thought that it is an enigmail bug, not kmail. I think it could be simply fixed just by forcing base64 encoding for such messages.

I don't think encoding text emails in base64 is really all that much the best idea, because it will cause those emails to be bigger. As far as I know Thunderbird doesn't do that. It does seem to be a "standard" and not just something Thunderbird does, if you look at https://tools.ietf.org/html/rfc3676#page-9 or http://lipas.uwasa.fi/~ts/http/signatur.html

Encoding text emails with base64 will also trigger spam filters on various servers, or at the very least increase its point rating. https://wiki.apache.org/spamassassin/Rules/MIME_BASE64_TEXT

Which exact Kmail version is this report about and is this reproducible with version 4.8.5 or later? Please set the version field accordingly.

Ah sorry, this was with Kmail 4.7.3. I'll have to test this with the latest version.

Created attachment 73277 [details]
An email sent from KMail 4.9 on KDE 4.9
Created attachment 73278 [details]
A screenshot of an email signed by Kmail, being viewed in Thunderbird 14
It should be noted this bug isn't fixed, in fact it's a lot worse now. Instead of saying "Error - signature verification failed" it now says "Unverified signature" and when you click on "Details" it says "BAD signature from recipient". Also I am not able to verify any emails sent by KMail on my Android phone using Kaiten. However, emails produced by Kaiten or by Thunderbird with Enigmail work fine in all mail applications.

Is there any more information needed to get movement on this bug? Seems Kalidarn did an excellent job of documenting this issue but if there is anything else that would be helpful it would be nice to have it outlined here so we can provide the necessary items. I understand people are busy and don't intend for this to sound pushy; just want to know if there is any way we can help. Otherwise, can we get this bug moved out of NEEDSINFO WAITINGFORINFO and into an open status?

Thank you for the feedback, setting status correctly.

I guess this is a violation of RfC 3156, section 3: "Additionally, implementations MUST make sure that no trailing whitespace is present after the MIME encoding has been applied." Which is violated by the signature delimiter having a trailing whitespace. The simple fix would be to require a qp-recoding for everything that has trailing whitespace.

My test result:
Check "Prepend separator to signature" and send ASCII-only e-mails: shows as Invalid in Thunderbird w/Enigmail.
Check "Prepend separator to signature" and send e-mails containing UTF-8 characters: shows as Good in Thunderbird w/Enigmail.
Uncheck "Prepend separator to signature" and send ASCII-only e-mails: shows as Good in Thunderbird w/Enigmail.
Hope this helps :)

You mixed up different crypto standards. kmail normally sends mails with OpenPGP Mime, and thunderbird uses OpenPGP Inline. But you can switch kmail to use Inline OpenPGP via Options->Cryptographic Message Format->Inline OpenPGP. Please also try kmail 4.10.2, there were some improvements in the crypto stack.
I attach a mail created with kmail 4.10.2 with OpenPGP inline - In my eyes it should be correct :)

Created attachment 78848 [details]
Mail created with kmail 4.10.2 OpenPGP inline
Created attachment 79440 [details]
Invalid PGP/MIME message generated by KMail 4.10.2
(In reply to comment #17)
> You mixed up different crypto standards. kmail normally sends mails with
> OpenPGP Mime, and thunderbird uses OpenPGP Inline.
Please check attachment #79440 [details], it's created with KMail 4.10.2 and Enigmail says it's invalid. When I create a simple two-line email without signature and citations, it validates correctly. Thunderbird uses OpenPGP Inline by default, but it is able to validate both.

What's the status of this bug? Is more info still needed, and if so which?

Tested in KDE 4.11.2 with KMail Version 4.11.2. Still not fixed.

Thx for this information. Now I can reproduce this behaviour and understand what's going on. I can also confirm that the signature is correct by using
gpg --verify signature.sig text.txt

This bug can be viewed differently. Either we can say this is a bug of enigmail (extensions/enigmail/package/mimeVerify.jsm line 184):
this.writeToPipe(data.replace(/^-/gm, "- -"));
They modify the signed message, that should never ever be done. Like RFC 3156 says:
"Multipart/signed and multipart/encrypted are to be treated by agents as opaque, meaning that the data is not to be altered in any way"

The other way we can look at this bug is that we are ignoring the RfC 3156 recommendation:
"It cannot be stressed enough that applications using this standard follow MIME's suggestion that you 'be conservative in what you generate, and liberal in what you accept.' "

To solve this bug kmail has to use Quoted-Printable or Base64 and escape the signature sequence "--\n", that causes enigmail to change the content of the signed content.

Created attachment 83429 [details]
signature.sig for using gpg --verify
Created attachment 83430 [details]
text.txt for using gpg --verify
Filed bug at enigmail: https://sourceforge.net/p/enigmail/bugs/209/

Git commit 98770957d2a62437159ac3cba1882f75859adb87 by Sandro Knauß.
Committed on 09/11/2013 at 14:37.
Pushed by knauss into branch 'KDE/4.11'.

Fix 286553 - Kmail signed emails invalid in Thunderbird w/ Enigmail

Related: bug 303305
FIXED-IN: 4.11.4
REVIEW: 113750

M +46 -0 messagecomposer/job/signjob.cpp
M +35 -0 messagecomposer/tests/signjobtest.cpp
M +1 -0 messagecomposer/tests/signjobtest.h

http://commits.kde.org/kdepim/98770957d2a62437159ac3cba1882f75859adb87

Hello, I'm still seeing all messages signed by Kmail shown as invalid in Thunderbird with Enigmail (but not the other way around). The Kmail version I am using is 4.14.4, and Enigmail is 1.7.2, both are after the "fix". Anything I can provide for further debugging?

(In reply to Felix Yan from comment #28)
> The Kmail version I am using is 4.14.4
Sorry, should be 4.14.1

+1 Same issue here with Kmail 4.13.3, Ubuntu 14.04. Note that Evolution, as well as Enigmail, also flags sent signatures as invalid.

Looks like the current failure is an Enigmail issue: http://sourceforge.net/p/enigmail/bugs/332/ I've tested their nightly build and it works fine now.

What's the current state of this bug? I'm using kmail 4.14.6 in openSUSE 13.2. My signed mails are not valid in thunderbird (enigmail) and k-9 mail (openkeychain). I'm not very familiar with gpg, but mails signed with thunderbird and kmail look quite different, too. It seems that kmail adds an attachment and thunderbird not. Is there any workaround known? It's really annoying if most people can't verify my not encrypted mails.

@Fabian: state of the bug is resolved/fixed. But there is a bug on the enigmail side. The reference is the commandline gpg. If that says that the signature is correct, then the retrieving mail client has a bug.
>I'm not very familiar with gpg, but mails signed with thunderbird and kmail look quite different, too. It seems that kmail adds an attachment and thunderbird not.
There are two different implementations for signing: inline and PGP/Mime. Inline shouldn't be used these days, but if you say that thunderbird doesn't create an attachment, then thunderbird sends inline. You can treat kmail via options->encryption->inline to use inline. But I know that thunderbird also understands PGP/Mime.
I dislike that bugs are captured to talk about different things. If there is a new one, then open a new bug.
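
The failure mode discussed in this report, as an added example (not code from KMail or Enigmail): a "-- " signature separator sent as 7bit is altered before verification, while a quoted-printable body with the separator escaped reaches the verifier byte for byte. Only the `dashEscape` regex comes from the report; the whitespace stripper, the escaping scheme in `protectBody`, the other function names and the sample body are assumptions, and the body is assumed to be ASCII with short lines.

```javascript
// The transformation quoted in the report from Enigmail's mimeVerify.jsm.
function dashEscape(data) {
  return data.replace(/^-/gm, "- -");
}

// Assumed stand-in for any relay or client that trims line ends, which is
// why RFC 3156 section 3 forbids trailing whitespace in signed data.
function stripTrailingWhitespace(data) {
  return data.replace(/[ \t]+(?=\r\n|$)/g, "");
}

// Bytes the receiving client ends up checking the detached signature against.
function asSeenByVerifier(signedPart) {
  return dashEscape(stripTrailingWhitespace(signedPart));
}

// Assumed sender-side escaping: quoted-printable-encode "=", a leading "-",
// and the last trailing space/tab of each line. Lines are assumed to be
// ASCII and under 76 characters, so no soft line breaks are produced.
function protectBody(body) {
  return body.split("\r\n").map((line) =>
    line.replace(/=/g, "=3D")
        .replace(/^-/, "=2D")
        .replace(/[ \t]$/, (c) => (c === " " ? "=20" : "=09"))
  ).join("\r\n");
}

// Minimal quoted-printable decoder for the output of protectBody.
function qpDecode(encoded) {
  return encoded.replace(/=([0-9A-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// First part of a multipart/signed message: MIME headers plus body.
function buildSignedPart(body, encoding) {
  const payload = encoding === "quoted-printable" ? protectBody(body) : body;
  return 'Content-Type: text/plain; charset="us-ascii"\r\n' +
    "Content-Transfer-Encoding: " + encoding + "\r\n\r\n" + payload;
}

// A signature made over signedPart verifies only if the bytes are unchanged.
function signatureStillMatches(signedPart) {
  return asSeenByVerifier(signedPart) === signedPart;
}

const SAMPLE_BODY = "Hello,\r\nsee you at 5.\r\n-- \r\nAlice\r\n"; // constructed
console.log(["7bit", "quoted-printable"].map((enc) =>
  enc + ": " + signatureStillMatches(buildSignedPart(SAMPLE_BODY, enc))));
```

The escaped separator travels as `=2D-=20`, so it neither starts with a dash nor ends in whitespace, and it decodes back to "-- " for display.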