Bug 39029 - automatically added "--" footer leads to improperly calculated PGP or GPG signature
Status: CLOSED FIXED
Alias: None
Product: kmail
Classification: Applications
Component: general
Version: 1.3.2
Platform: Compiled Sources FreeBSD
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2002-03-06 14:33 UTC by active
Modified: 2007-09-14 12:17 UTC

Description active 2002-03-06 14:19:21 UTC
(*** This bug was imported into bugs.kde.org ***)

Package:           kmail
Version:           1.3.2 (using KDE 2.2.2 )
Severity:          normal
Installed from:    compiled sources
Compiler:          gcc version 2.95.3 20010315 (release) [FreeBSD]
OS:                FreeBSD (i386) release 4.5-PRERELEASE
OS/Compiler notes: 

Two dashes above signature impacts on wrong PGP signature calculation - everybody who receives and checks that message gets wrong signature report.

My personal guess is that KMail doesn't take into account those two dashes when signing message probably because dashes are added by default not typed in in message.

(Submitted via bugs.kde.org)
(Called from KBugReport dialog)
Comment 1 Ingo Klöcker 2002-03-06 20:26:40 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 06 March 2002 15:19 active@is.lt wrote:
> Two dashes above signature impacts on wrong PGP signature calculation
> - everybody who receives and checks that message gets wrong
> signature report.
>
> My personal guess is that KMail doesn't take into account those two
> dashes when signing message probably because dashes are added by
> default not typed in in message.

As nobody I know of has problems with sigs in OpenPGP signed messages
(me included) the problem must be something else. Please provide an
example message which exhibits this bug.

Regards
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8hnuAGnR+RTDgudgRAlBPAJ911xh5ggKcqQB5mt+JoCPJfimR4gCggRGR
mPbNlK+mxWYwnICQAC1YeBc=
=HKWR
-----END PGP SIGNATURE-----
Comment 2 Marc Mutz 2002-03-07 18:57:22 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[please keep cc:29029@bugs.kde.org]

On Thursday 07 March 2002 18:37 Andrius Adomaitis wrote:
> On Thursday 07 March 2002 12:00 Marc Mutz wrote:
> <snip>
>
> > OK this was a mail sent with KDE3's KMail. Can you check "show
> > encryption result" in configure Kmail->Security->PGP and confirm
> > whether or not "- " (DASH SPACE) is being prepended to the "-- "
> > (DASH DASH SPACE) signature marker?
>
> well I am talking about KMail 1.3.2 under KDE 2.2.2. There is no
> ability to customize signature marker...

I never said that. But since the PGP message markers start with -----
(5x DASH) lines starting with - (DASH) are escaped by prepending "- "
(DASH SPACE) much like a line starting with "From " is escaped by
prepending ">" to it...

To repeat the question: does the "encryption result" window show that
the sig marker line is being prepended with "- " (DASH SPACE) ie. does
it read "- -- " (DASH SPACE DASH DASH SPACE) _after_ clearsigning?

Marc

- -- 
Marc Mutz <mutz@kde.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8h7gS3oWD+L2/6DgRApDMAJ93nj6V3APGelOczFxW7GRj7bNE9ACeIGIJ
9Ir69QoeN6IwbjphIadYBjA=
=ttT+
-----END PGP SIGNATURE-----
Comment 3 Marc Mutz 2002-03-07 20:45:06 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 07 March 2002 20:22 charta wrote:
<snip>
> YES encryption result window shows that:
<snip>
> Any comments?
<snip>

Well one source of error removed...
What about sending a signed message to 39029@bugs.kde.org so we can see
if we have a problem...

Maybe it's just evolution. AFAIK its OpenPGP integration is less than
perfect.

What about other MUAs? Does the signature verification fail there too?
What about saving a message that fails verification for your friend and
running it through
gpg --verify < saved_message
? Does GnuPG complain?

Do the bodies in your sent folder and in your friends' inbox of the
message you send differ? Probably a buggy MTA converts the content from
8bit to quoted-printable or vice versa...

Just some thoughts.

Marc

- -- 
Marc Mutz <mutz@kde.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8h9FT3oWD+L2/6DgRAmAUAJ91Zg4Run/r76hFNC6aPCFjTjvK+gCg+YM2
a9kNuDGaFohLkkkv5OekkME=
=lUnr
-----END PGP SIGNATURE-----
Comment 4 Andrius Adomaitis 2002-03-08 10:20:10 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 07 March 2002 22:45 Marc Mutz wrote:
> On Thursday 07 March 2002 20:22 charta wrote:
> <snip>
> > Any comments?

> Well one source of error removed...
> What about sending a signed message to 39029@bugs.kde.org so we can
> see if we have a problem...

Ok.

> Maybe it's just evolution. AFAIK its OpenPGP integration is less
> than perfect.

Yes... Besides Evolution can only attach signature as attachment and 
there is always problem to verify that received message because KMail 
doesn't recognize signed message and doesn't know how to verify 
signature attached in that way.

Could this problem be somehow solved?

If you need example of such message I can post it as attachment 
somewhere...

> What about other MUAs? Does the signature verification fail there
> too? 

Sorry I haven't any friends around here that use anything else than 
KMail Evolution or pine ... :)

> What about saving a message that fails verification for your
> friend and running it through
> gpg --verify < saved_message
> ? Does GnuPG complain?

Yes it does:

$ gpg --verify msg1-quoted-printable.txt
gpg: CRC error; 0bed11 - dc30be
gpg: quoted printable character in armor - probably a buggy MTA has 
been used
$
$ gpg --verify msg2-8bit.txt
gpg: Signature made Fri Mar  8 11:17:50 2002 EET using DSA key ID 
C1211EA0
gpg: Good signature from "Andrius Adomaitis <Andrius.Adomaitis@if.lt>"
$

First message was sent to myself using quoted-printable message 
encoding setting then taken from 'sent-mail' folder saved as 
msg1-quoted-printable.txt and verified with gpg. Second message was 
sent using 8bit message body encoding. 

So looks like we found problem source. I sent 8bit encoded msg to my 
friend he will check if Evolution correctly checks signature this 
time... I will inform about results to 39029@bugs.kde.org.

> Do the bodies in your sent folder and in your friends' inbox of the
> message you send differ? Probably a buggy MTA converts the content
> from 8bit to quoted-printable or vice versa...
>
> Just some thoughts.

Thanks they were helpful.

> Marc

- -- 
____________________________
Andrius 
<...>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8iJBaflScM8EhHqARAj3wAJ4w42spzZm5j4rVS4LWUB8YfFyQfgCfSxgW
9KkLSKarrx5ilwh2rOPK/0U=
=t61O
-----END PGP SIGNATURE-----
Comment 5 Marc Mutz 2002-03-10 00:58:53 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 08 March 2002 11:20 Andrius Adomaitis wrote:
<snip>
> > What about saving a message that fails verification for your
> > friend and running it through
> > gpg --verify < saved_message
> > ? Does GnuPG complain?
>
> Yes it does:
>
> $ gpg --verify msg1-quoted-printable.txt
> gpg: CRC error; 0bed11 - dc30be
> gpg: quoted printable character in armor - probably a buggy MTA has
> been used
> $
> $ gpg --verify msg2-8bit.txt
> gpg: Signature made Fri Mar  8 11:17:50 2002 EET using DSA key ID
> C1211EA0
> gpg: Good signature from "Andrius Adomaitis
> <Andrius.Adomaitis@if.lt>" $
>
> First message was sent to myself using quoted-printable message
> encoding setting then taken from 'sent-mail' folder saved as
> msg1-quoted-printable.txt and verified with gpg. Second message was
> sent using 8bit message body encoding.

Can you try the same with the local copy that was filed into your
sent-mail folder? Does GnuPG complain there too? Or only after it has
been sent?

> So looks like we found problem source. I sent 8bit encoded msg to my
> friend he will check if Evolution correctly checks signature this
> time... I will inform about results to 39029@bugs.kde.org.
<snip>

Did you already try this? We're heading the release and this should be
dealt with if it's still there in the current RC2 (which I doubt since
you can verify _my_ sig and I _use_ quoted-printable).

Marc

- -- 
Marc Mutz <mutz@kde.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8iq/N3oWD+L2/6DgRAgcCAKDCcroCYhbc0X6MB7Boz7eOfPGTVwCbBOp1
tSKs1RP9EGtkRlgEDuSay6k=
=/7iq
-----END PGP SIGNATURE-----
Comment 6 Marc Mutz 2002-03-10 01:13:01 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry. Ignore me. It's too late already ;-)

Marc

On Sunday 10 March 2002 01:58 Marc Mutz wrote:
<snip>
> > First message was sent to myself using quoted-printable message
> > encoding setting then taken from 'sent-mail' folder
<snip>
> Can you try the same with the local copy that was filed into your
> sent-mail folder? Does GnuPG complain there too? Or only after it
> has been sent?
<snip>

- -- 
Marc Mutz <mutz@kde.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8irMd3oWD+L2/6DgRAuE4AJ9iWWqnR1Uj9h0twYsJG26qBoq8MACeIwsQ
4WN3Q2G6bOfy1n7XevD5asI=
=rj+d
-----END PGP SIGNATURE-----
Comment 7 Ingo Klöcker 2002-04-21 21:39:20 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 08 March 2002 11:20 Andrius Adomaitis wrote:
> On Thursday 07 March 2002 22:45 Marc Mutz wrote:
> > Maybe it's just evolution. AFAIK its OpenPGP integration is less
> > than perfect.
>
> Yes... Besides Evolution can only attach signature as attachment
> and there is always problem to verify that received message because
> KMail doesn't recognize signed message and doesn't know how to verify
> signature attached in that way.
>
> Could this problem be somehow solved?

This will be solved in KDE 3.1.

> > What about other MUAs? Does the signature verification fail there
> > too?
>
> Sorry I haven't any friends around here that use anything else than
> KMail Evolution or pine ... :)

Verification of signed messages produced by KMail works with KMail (of
course) mutt and all other MUAs except Evolution it seems. So guess
where the problem is.

> > What about saving a message that fails verification for your
> > friend and running it through
> > gpg --verify < saved_message
> > ? Does GnuPG complain?
>
> Yes it does:
>
> $ gpg --verify msg1-quoted-printable.txt
> gpg: CRC error; 0bed11 - dc30be
> gpg: quoted printable character in armor - probably a buggy MTA has
> been used
> $
> $ gpg --verify msg2-8bit.txt
> gpg: Signature made Fri Mar  8 11:17:50 2002 EET using DSA key ID
> C1211EA0
> gpg: Good signature from "Andrius Adomaitis
> <Andrius.Adomaitis@if.lt>" $
>
> First message was sent to myself using quoted-printable message
> encoding setting then taken from 'sent-mail' folder saved as
> msg1-quoted-printable.txt and verified with gpg. Second message was
> sent using 8bit message body encoding.
>
> So looks like we found problem source.

No this is not the source of the problem. GnuPG can't handle the
quoted-printable encoded message correctly. But that's no problem
because the mail client normally removes the quoted-printable encoding
before it passes the signed message to GnuPG for verification.

> I sent 8bit encoded msg to my
> friend he will check if Evolution correctly checks signature this
> time... I will inform about results to 39029@bugs.kde.org.

We are still waiting for the results. Nevertheless I will close your bug
report as your problems are definitely not caused by a bug in KMail but
by a bug in Evolution (or a bug in your friend's GnuPG configuration).

Regards
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8wzGIGnR+RTDgudgRAv4zAJ9fBJk+6RjiaZeO2Vy0N5qF7lBOZwCdG+j1
7gqmKV1G118c8oV0gebbMX8=
=TxlW
-----END PGP SIGNATURE-----
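Comment 4 shows the two gpg runs (the quoted-printable copy fails with a CRC error, the 8bit copy verifies) and comment 7 explains why that is not a KMail bug: the armor's integrity check runs over the base64 payload, so `=` turned into `=3D` by a quoted-printable pass breaks it until the client decodes the transfer encoding again. The following is an added example, not code from this thread, KMail or GnuPG: it implements the OpenPGP armor CRC-24 (RFC 4880, section 6.1), builds an armor block around a constructed placeholder payload (not a real signature packet), and runs the check as produced, after `quopri` re-encoding, after decoding again, and after a single corrupted character. Function and constant names are this example's own.

```python
import base64
import binascii
import quopri

# CRC-24 parameters from the OpenPGP ASCII armor specification (RFC 4880, section 6.1).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed placeholder bytes standing in for a signature packet; not an OpenPGP signature.
SAMPLE_PAYLOAD = b"constructed placeholder, not an OpenPGP signature packet"


def crc24(data: bytes) -> int:
    """CRC-24 over the binary payload, as carried in the "=XXXX" line of an armor block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "PGP SIGNATURE") -> str:
    """Wrap payload bytes in ASCII armor: header, blank line, base64 body, CRC line, footer."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", "", *body, crc_line, f"-----END {kind}-----"]) + "\n"


def check_armor(text: str) -> tuple:
    """Return (ok, reason) for the armor integrity check only; nothing here verifies a signature."""
    lines = text.splitlines()
    begins = [i for i, line in enumerate(lines) if line.startswith("-----BEGIN ")]
    ends = [i for i, line in enumerate(lines) if line.startswith("-----END ")]
    if not begins or not ends:
        return False, "no armor header or footer"
    block = lines[begins[0] + 1:ends[0]]
    # Armor headers such as "Version:" or "Comment:" run up to the first blank line.
    while block and block[0].strip():
        block.pop(0)
    block = block[1:]
    data_lines = [line for line in block if not line.startswith("=")]
    crc_lines = [line for line in block if line.startswith("=")]
    if len(crc_lines) != 1 or len(crc_lines[0]) != 5:
        return False, "malformed CRC line (a quoted-printable '=3D' looks like this)"
    try:
        payload = base64.b64decode("".join(data_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_lines[0][1:], validate=True), "big")
    except (binascii.Error, ValueError):
        return False, "invalid base64 in armor body"
    actual = crc24(payload)
    if actual != expected:
        return False, f"CRC error; {actual:06x} - {expected:06x}"
    return True, "armor intact"


def transit_scenarios(payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Run the armor check on the block as produced, after a quoted-printable pass,
    after the client decodes that pass again, and after one corrupted base64 character."""
    good = armor(payload)
    qp = quopri.encodestring(good.encode("ascii")).decode("ascii")
    restored = quopri.decodestring(qp.encode("ascii")).decode("ascii")
    lines = good.split("\n")
    first = lines.index("") + 1  # the first base64 line follows the blank separator
    flipped = ("B" if lines[first][0] == "A" else "A") + lines[first][1:]
    corrupted = "\n".join(lines[:first] + [flipped] + lines[first + 1:])
    return {
        "as_produced": check_armor(good),
        "quoted_printable": check_armor(qp),
        "qp_decoded_by_client": check_armor(restored),
        "one_char_corrupted": check_armor(corrupted),
    }


if __name__ == "__main__":
    for name, result in transit_scenarios().items():
        print(f"{name:22s} {result}")
```

The quoted-printable copy fails before any signature maths happens: the `=` that starts the CRC line has become `=3D`, exactly the "quoted printable character in armor" case gpg reports in comment 4. Decoding the transfer encoding first (which a mail client does as a matter of course) restores the block, while a genuinely altered byte in transit surfaces as the CRC mismatch.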
Comment 8 Tom Emerson 2003-03-14 23:02:02 UTC
I realize this bug is "closed" as "fixed", but I'm running into a very similar issue w/version 1.5.  The 
"complaint" is that the altered --<space> indicator "breaks" the signature detection logic in his 
client [apparently mutt 1.5.x]  This brings to mind an interesting thought: should the "signature" 
be included as part of the "signed" text, or should it be separate? 
 
I realize this is probably a philosophical debate topic, but my feeling is that the .sig should be 
appended as the last step before sending the message itself, not pre-loaded when starting a 
reply/new message.  By applying the .sig as a "last step", you avoid this particular problem 
[because the signature, correctly or incorrectly parsed, remains outside of the "protected" part of 
a message]  It also reduces the "clutter" that occurs [especially on mailing lists] because it is 
harder to trim out "just the sig" from a quoted message [then again, many list users fail to trim in 
the first place, so what's the point?] 
 
In any case, I note that many of the developers on this list are using 1.5.9 AND are creating 
"detached" gpg signatures -- I presume that is a feature not in the current release?  Does this 
cause any problems with detecting --<space> separators? 
Comment 9 Ingo Klöcker 2003-03-17 01:29:21 UTC
Subject: Re:  automatically added "--" footer leads to improperly calculated PGP or GPG signature

On Friday 14 March 2003 23:02, Tom Emerson wrote:
> I realize this bug is "closed" as "fixed", but I'm running
> into a very similar issue w/version 1.5.  The "complaint" is that the
> altered --<space> indicator "breaks" the signature detection logic in
> his client [apparently mutt 1.5.x]

Then his client has to be fixed because it's gpg that replaces the 
--<space> by -<space>--<space> if it's used to clearsign a message.

> This brings to mind an
> interesting thought: should the "signature" be included as part of
> the "signed" text, or should it be separate?
>
> I realize this is probably a philosophical debate topic,

IMO the sig belongs to your message and therefore it has to be signed. 
Else someone could simply alter your sig (e.g. change your phone 
number).

> In any case, I note that many of the developers on this list are
> using 1.5.9 AND are creating "detached" gpg signatures -- I presume
> that is a feature not in the current release?

Wrong. Read the OpenPGP howto at kmail.kde.org.

> Does this cause any problems with detecting --<space> separators?

No. One of the advantages of detached signatures is that lines which 
begin with a dash don't need to be escaped.

Regards,
Ingo
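Comment 2 describes the dash escaping that turns the "-- " marker into "- -- " inside a clearsigned body, and comment 9 draws the conclusion: the marker is part of the signed text, gpg does the escaping, and a receiving client has to undo it before looking for the separator. The example below is added here and is not code from the thread, KMail, GnuPG or mutt. It implements the dash escaping of RFC 4880 section 7.1 together with its reverse, wraps a body into a clearsigned message around a constructed placeholder armor block (not a real signature), extracts the signed text again, and shows that a separator search on the still-escaped text finds nothing, which is the symptom reported for mutt in comment 8. The digest function is a simplification for illustration (a real OpenPGP signature also hashes a trailer); all names are this example's own.

```python
import hashlib
from typing import Optional

SIG_SEPARATOR = "-- "  # DASH DASH SPACE, the signature marker discussed in the thread
CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_HEADER = "-----BEGIN PGP SIGNATURE-----"

# Constructed placeholder armor so the wrapper has something to append; not a real signature.
SAMPLE_ARMOR = (
    "-----BEGIN PGP SIGNATURE-----\n\n"
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHNpZ25hdHVyZQ==\n"
    "=AAAA\n"
    "-----END PGP SIGNATURE-----\n"
)


def dash_escape(cleartext: str) -> str:
    """RFC 4880 section 7.1: every line starting with '-' gets '- ' prepended so the
    signed body cannot be mistaken for the '-----' armor lines; '-- ' becomes '- -- '."""
    return "\n".join(("- " + line) if line.startswith("-") else line
                     for line in cleartext.split("\n"))


def dash_unescape(escaped: str) -> str:
    """Reverse of dash_escape; a verifying client must do this before using the text."""
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in escaped.split("\n"))


def canonical_digest(cleartext: str) -> str:
    """SHA-1 over the canonical form (trailing whitespace stripped, CRLF line endings).
    Simplified: the real signature hash also covers a signature trailer."""
    canon = "\r\n".join(line.rstrip(" \t") for line in cleartext.split("\n"))
    return hashlib.sha1(canon.encode("utf-8")).hexdigest()


def clearsign_wrap(cleartext: str, armored_signature: str) -> str:
    """Assemble a clearsigned message: armor header, hash header, escaped body, signature."""
    return f"{CLEARSIGN_HEADER}\nHash: SHA1\n\n{dash_escape(cleartext)}\n{armored_signature}"


def extract_signed_text(message: str) -> str:
    """Recover the original body from a clearsigned message: skip the 'Hash:' headers,
    stop at the signature block, and undo the dash escaping."""
    lines = message.split("\n")
    start = lines.index(CLEARSIGN_HEADER)
    body_start = lines.index("", start) + 1  # the blank line ends the armor headers
    sig_start = lines.index(SIGNATURE_HEADER, body_start)
    return dash_unescape("\n".join(lines[body_start:sig_start]))


def find_sig_block(text: str) -> Optional[str]:
    """Return the .sig text after the first '-- ' line, or None if no marker is present.
    Run on still-escaped text this misses the marker, which is the mutt symptom in comment 8."""
    lines = text.split("\n")
    for i, line in enumerate(lines):
        if line == SIG_SEPARATOR:
            return "\n".join(lines[i + 1:])
    return None


if __name__ == "__main__":
    body = "Hello\n-- \nMarc Mutz <mutz@kde.org>\n"
    message = clearsign_wrap(body, SAMPLE_ARMOR)
    print(message)
    print("sig found in raw clearsigned text:", find_sig_block(message))
    print("sig found after unescaping:", repr(find_sig_block(extract_signed_text(message))))
    print("digest unchanged by escaping:", canonical_digest(body) == canonical_digest(extract_signed_text(message)))
```

The escaping is reversible and the digest is computed over the unescaped body, so the marker line is covered by the signature exactly as comment 9 argues (altering the .sig after the fact would invalidate it). A client that searches for "-- " in the raw clearsigned text, as mutt reportedly did, sees "- -- " instead; the detached-signature (PGP/MIME) layout Ingo points to avoids the issue entirely because the body is never dash-escaped.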