Bug 374546

Summary: OpenPGP signatures performed by KMail, not recognized by other email clients
Product: [Applications] kmail2
Reporter: Vishnu <vishnugb>
Component: composereditor-ng
Assignee: Laurent Montel <montel>
Status: CONFIRMED
Severity: major
CC: dvratil, olaf.the.lost.viking, sknauss
Priority: NOR
Version: 5.8.0
Target Milestone: ---
Platform: Arch Linux
OS: Linux
Attachments:
Signed mail sent with KMail
Signed mail sent with Evolution
Signed mail (new) sent with KMail
Signed mail sent with KMail (5.7.0)

Description Vishnu 2017-01-04 15:15:43 UTC
I had some issues with mails signed and sent using KMail showing up with incorrect signatures in (Gnome) Evolution, so upon exploring, (according to the gnome bugzilla), the issue is with KMail using 7-bit encoding. 

https://bugzilla.gnome.org/show_bug.cgi?id=719877
https://bugzilla.redhat.com/show_bug.cgi?id=481408#c7

Can someone verify?
Comment 1 Vishnu 2017-03-01 06:29:53 UTC
Is this the correct component for this, or should I change it?
Comment 2 Vishnu 2017-03-01 06:33:53 UTC
There is an interesting discussion on StackOverflow. The comments to the answer throw additional light on this.

https://stackoverflow.com/questions/25710599/content-transfer-encoding-7bit-or-8-bit
Comment 3 Vishnu 2017-03-01 07:47:30 UTC
Found the following. I think they're related, but not duplicate, because this issue occurs upon PGP signing. Can someone confirm?

https://bugs.kde.org/show_bug.cgi?id=95733
Comment 4 Daniel Vrátil 2017-05-09 06:59:30 UTC
Do you have a specific email that you can reproduce the issue with? Could you attach it here or share it privately with me?
Comment 5 Vishnu 2017-05-09 08:10:10 UTC
Created attachment 105408 [details]
Signed mail sent with KMail

I'm attaching the two mails from my 'Sent' folder. The 'To' address is
also mine, and even the messages I receive in that mailbox show the
same behaviour as those in the sent folders. i.e., that KMail accepts
both signatures as valid; Evolution doesn't accept the ones sent by
KMail.

To check, you'll have to locally sign my key. My OpenPGP fingerprint is:
5015 1D4C 9BDF 9062 A9E1  62CB 5B1F4BEE7EED7131
Comment 6 Vishnu 2017-05-09 08:12:25 UTC
Created attachment 105410 [details]
Signed mail sent with Evolution

The main difference between the two is that in the one sent with Evolution, there is a '=20' just before where I display my 'OpenPGP Fingerprint' in the body of the mail.
Comment 7 Vishnu 2017-05-13 04:40:04 UTC
Comment on attachment 105408 [details]
Signed mail sent with KMail

>Return-Path: <vishnugb@gmail.com>
>Received: from xps.localnet ([**.**.**.**]) by smtp.gmail.com with
> ESMTPSA id x90sm62511497pfk.73.2016.12.23.05.50.42 for
> <vishnuvk@tifrh.res.in> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256
> bits=128/128); Fri, 23 Dec 2016 05:50:42 -0800 (PST)
>From: "Vishnu V. Krishnan" <vishnugb@gmail.com>
>To: "Vishnu V. Krishnan" <vishnuvk@tifrh.res.in>
>Subject: Evolution-KMail Signature Check
>Date: Fri, 23 Dec 2016 19:20:40 +0530
>Message-ID: <1900777.K7UtrQqy9P@xps>
>User-Agent: KMail/5.3.3 (Linux/4.9.0-0-MANJARO; KDE/5.28.0; x86_64; ; )
>MIME-Version: 1.0
>Content-Type: multipart/signed; boundary="nextPart6365234.uDzk2OtqMF"; micalg="pgp-sha256"; protocol="application/pgp-signature"
>X-Evolution-Source: 1480143603.1777.2@omega1
>
>--nextPart6365234.uDzk2OtqMF
>Content-Transfer-Encoding: 7Bit
>Content-Type: text/plain; charset="us-ascii"
>
>Test mail to verify a possible Evolution-KMail signing issue.
>
>-- 
>OpenPGP fingerprint: 5015 1D4C 9BDF 9062 A9E1  62CB 5B1F 4BEE 7EED 7131
>--nextPart6365234.uDzk2OtqMF
>Content-Type: application/pgp-signature; name="signature.asc"
>Content-Description: This is a digitally signed message part.
>Content-Transfer-Encoding: 7Bit
>
>-----BEGIN PGP SIGNATURE-----
>
>-----END PGP SIGNATURE-----
>
>--nextPart6365234.uDzk2OtqMF--
>
Comment 8 Vishnu 2017-05-13 04:43:20 UTC
Created attachment 105501 [details]
Signed mail (new) sent with KMail

Sorry, please ignore the previous comment. I am attaching a mail sent using the current (17.04) KMail, and opened and saved using Evolution. It still shows the mail as having a 'Bad Signature'.
Comment 9 Daniel Vrátil 2017-05-13 19:05:42 UTC
Hmm indeed there seems to be a problem with our 7bit encoding handling. When I send an email to myself with UTF-8 characters, which forces KMail to use quoted-printable encoding, then Evolution verifies the signature correctly. With 7bit encoding I get a verification error.

This is interesting because we pipe the email through pgp to verify the signature and in KMail the signature is verified correctly.

I'll dig a bit deeper to see how we pipe this email into gpg.
Comment 10 Vishnu 2017-06-26 04:05:30 UTC
Is this one a duplicate of the following?

https://bugs.kde.org/show_bug.cgi?id=298349
Comment 11 Vishnu 2017-09-07 18:08:14 UTC
(In reply to Daniel Vrátil from comment #9)
> Hmm indeed there seems to be a problem with our 7bit encoding handling. When
> I send an email to myself with UTF-8 characters, which forces KMail to use
> quoted-printable encoding, then Evolution verifies the signature correctly.
> With 7bit encoding I get a verification error.
> 

I tried using a non-ASCII, UTF-8 character, but to no avail. The same issue remains, and other email clients say that the signature is invalid.
Comment 12 Sandro Knauß 2017-10-19 22:10:34 UTC
The root of the problem is that kmail is using "binary signatures" (sigclass 0x00) and not "text signatures" (sigclass 0x01). Binary signatures do not allow changes in line endings (aka \n -> \r\n); text signatures allow these and strip empty lines at the end.

Nearly all MUAs expect that the signatures are "text signatures" and do not take care about these little changes. See also:
http://www.openpgp-schulungen.de/info/verify-mime/ (German link)

IMO kmail should also switch to "text signatures" because for email it is only text and all binaries need to be encoded to BASE64. Unfortunately RFC 3156 allows both. But it still tells an exact way to prepare the signature (section 5).

Also RFC 4880 can be interfering here (sections 7 and 7.1), which request modifications before signing. In my experience other MUAs modify the content because they need to push the content through the cmdline instead of using gpgme; that's why the signature fails.
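
Added illustration, not part of the comment above and not KMail or gpgme code: it shows why a binary signature (sigclass 0x00) breaks when transport rewrites line endings while a text signature (sigclass 0x01) survives, and flags the trailing-space `-- ` line that Evolution protected with `=20`. The sample part is constructed from the KMail attachment in comment 7; the bare-LF starting form and the helper names are assumptions.

```python
import hashlib
import re

# Constructed sample: the signed MIME part from the KMail attachment,
# as a sender might hold it locally with bare LF line endings (assumption).
PART_LF = (
    b"Content-Transfer-Encoding: 7Bit\n"
    b'Content-Type: text/plain; charset="us-ascii"\n'
    b"\n"
    b"Test mail to verify a possible Evolution-KMail signing issue.\n"
    b"\n"
    b"-- \n"
    b"OpenPGP fingerprint: 5015 1D4C 9BDF 9062 A9E1  62CB 5B1F 4BEE 7EED 7131\n"
)
# The same part after transport rewrote line endings to CRLF.
PART_CRLF = PART_LF.replace(b"\n", b"\r\n")


def to_crlf(data: bytes) -> bytes:
    """Convert every line ending (LF, CR or CRLF) to CRLF."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", data)


def document_digest(data: bytes, sigclass: int) -> str:
    """SHA-256 over the document portion of the signed data.

    sigclass 0x00 hashes the bytes as-is; sigclass 0x01 hashes them after
    CRLF canonicalization. A real OpenPGP signature additionally hashes a
    trailer of signature metadata, which is omitted here.
    """
    if sigclass == 0x01:
        data = to_crlf(data)
    return hashlib.sha256(data).hexdigest()


def trailing_whitespace_lines(data: bytes) -> list[int]:
    """1-based numbers of lines ending in space or tab (7bit cannot protect them)."""
    return [i for i, line in enumerate(to_crlf(data).split(b"\r\n"), 1)
            if line.endswith((b" ", b"\t"))]


if __name__ == "__main__":
    for name, sc in (("binary 0x00", 0x00), ("text   0x01", 0x01)):
        same = document_digest(PART_LF, sc) == document_digest(PART_CRLF, sc)
        print(f"{name}: digest survives LF->CRLF rewrite: {same}")
    print("lines with trailing whitespace:", trailing_whitespace_lines(PART_LF))
```
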
Comment 13 Vishnu 2018-01-01 10:54:05 UTC
This issue seems to have been resolved for me after the recent update to KMail 5.7
Comment 14 OlafLostViking 2018-01-03 09:01:50 UTC
I am using KMail 5.7.0 and it cannot verify signatures sent by itself ("Message was signed with unkown key 0x1234.... The validity of the signature cannot be verified. Status: Bad signature."). When I add Unicode characters into the message body, the signature is verified correctly. Mails sent by Thunderbird always verify.

Additionally, an encrypted and signed message from Thunderbird is shown in KMail correctly "stacked" (after clicking decrypt, KMail shows the blue "Encrypted message" frame with a valid green "Signed by ..." frame inside) while an encrypted mail sent by KMail will simply be shown as an empty mail with the msg.asc and AT00..1 attachments (after clicking "decrypt" one can very shortly see the blue frame).
Comment 15 Vishnu 2018-01-05 04:42:30 UTC
Created attachment 109688 [details]
Signed mail sent with KMail (5.7.0)

The other client I use is Evolution, and it seems to recognise signatures by KMail, even when using only ASCII characters.
Comment 16 OlafLostViking 2018-01-06 22:35:22 UTC
Can I provide some mails, too, that would help to analyse the problem? What exact combination of mails would be needed? Or is everything understood and it's "just" a matter of fixing?

Since it seems to be working with Vishnu, could it be a combination of KMail/kgpg/gpgme/etc.? Thanks!
Comment 17 OlafLostViking 2018-04-29 14:43:36 UTC
KMail 5.8.0 is still not usable as a mail client when using encryption with openpgp. Now I am not even able to force it as described before by using unicode characters anymore (or I am missing something...).

KMail itself will only show an attachment with "Version 1" in it and another (called msg.asc) which contains the message as I was able to verify with "gpg --decrypt msg.asc".

Thunderbird/Enigmail just says the e-mail was broken by Exchange and isn't able to repair/show the message.


BTW: Why am I asked to click on "Decrypt Message" on every mail in the message list? It would probably be more convenient to just try to decrypt it and only when there's no fitting key in the agent ask for user interaction.
Comment 18 OlafLostViking 2018-05-01 20:14:27 UTC
I've looked a little bit further into this problem and it seems in my case it is at least partly an @#$&* Exchange server that is/has to be used for sending. It's simply forwarding Thunderbird mails, but rewriting the KMail mails to a new base64 encoded attachment (which, as written, contains the PGP message). Other mail servers don't seem to do that. @Vishnu, did you use an Exchange sometimes?

If this is really true, would it be possible to somehow "trick" Exchange into not rewriting the 7-Bit MIME part (ASC armored PGP message) into a base64 MIME part (I'm not knowledgeable enough to understand why it is even doing that. 7Bit/1000chars should be fine.)?

BTW:
> Why am I asked to click on "Decrypt Message" on every mail
> in the message list? It would probably be more convenient
> to just try to decrypt it and only when there's no fitting
> key in the agent ask for user interaction.
Found the setting! That's why I'd really enjoy using KMail again - it has so many things I wish for :-)
Comment 19 Vishnu 2018-05-02 05:28:48 UTC
@Olaf, Nope, I've never used Exchange.