Lindsay Haisley writes:

> Slightly OT, but about half or more of Sam's posts to this list show an
> invalid signature in my mail reader.  The PGP (GPG) ID of the signature
> is the same - 81E550E2 - whether it shows up as valid or invalid.  Has
> anyone else noticed this, and is there a reason for it, or is it perhaps
> a local issue here?

I checked last month's worth of my messages to all Courier lists, the copies that I get back from the mailing list. Cone uses gpg to both sign, and verify the signature, of a message. There were no verification failures.

The rules for what exactly gets signed, in a message (not everything) are quite delicate, and we know two facts:

* I never fail to verify my own email's signature. The rules for signing, and verifying PGP signatures, as implemented in Cone, with GPG's help, seem to be quite stable. Never had an issue with verifying my own sig.

* Sourceforge appends its own spam to the email. It adds its own multipart/mixed MIME section, wrapping the one with the original content, and the PGP signature, and then attaches its spam-of-the-day.

That leaves two possibilities:

1) There's a discrepancy between my understanding of how PGP-signed email must get created, and how what you use, Evolution, thinks it should be done, in some corner case. A few times when someone noticed this before, I did go back, manually MIME-decoded the suspect message by hand, according to what the MIME RFC says, then fed the decoded content to PGP, and it was happy.

2) It's possible that Sourceforge's spam, that it appends to all list email, might confuse Evolution. It never confuses Cone, as I said, but I can see how this obnoxious MIME wrapper can make something go off the rails.

What can be done is for you to identify some recent message that you got from the list, whose sig you can't verify. I can bounce a copy to you from my Outbox. This would be what I sent to Sourceforge. It should have the original signature.

If you still cannot verify the signature, from this copy, this would indicate a disconnect between how Cone and Evolution think PGP signing should be done. If you can verify it, though, this would suggest that Sourceforge's spam appendage is confusing Evolution. I don't see anything technically wrong with what Sourceforge is doing; it's by the book, even though it's annoying.

Attachment: pgpFKKFDXBM3D.pgp
Description: PGP signature
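
The manual check described in the message above (MIME-decode the suspect message by hand, then feed the result to PGP), as an added Python example that is not part of the original post and is not Cone's or Evolution's code. The function name `extract_signed`, both sample messages and the placeholder signature are constructed for illustration, and the code assumes the inner and outer MIME boundary strings do not share a prefix.

```python
import re
from email import message_from_bytes

def extract_signed(raw: bytes):
    """Return (signed_bytes, detached_signature) from a PGP/MIME message,
    even when a list has wrapped it in an outer multipart/mixed."""
    msg = message_from_bytes(raw)
    signed = next((p for p in msg.walk()
                   if p.get_content_type() == "multipart/signed"), None)
    if signed is None or signed.get_boundary() is None:
        raise ValueError("no multipart/signed part found")
    boundary = signed.get_boundary().encode("ascii")
    # RFC 3156: the signature is checked over CRLF line endings,
    # whatever line endings the transport or mail store left behind.
    canon = re.sub(rb"\r?\n", b"\r\n", raw)
    # RFC 2046: the CRLF before a delimiter line belongs to the delimiter,
    # so splitting on it keeps that CRLF out of the signed data.
    pieces = canon.split(b"\r\n--" + boundary)
    if len(pieces) != 4:
        raise ValueError("multipart/signed must have exactly two body parts")
    # Each piece begins with the remainder of its delimiter line; drop it.
    content = pieces[1].split(b"\r\n", 1)[1]    # MIME headers + body, as signed
    sig_part = pieces[2].split(b"\r\n", 1)[1]
    signature = sig_part.split(b"\r\n\r\n", 1)[1]  # armored detached signature
    return content, signature

# Constructed sample: a signed message as it leaves the sender ...
INNER = (b'Content-Type: multipart/signed; boundary="sig1";\n'
         b' micalg=pgp-sha1; protocol="application/pgp-signature"\n\n'
         b"--sig1\nContent-Type: text/plain\n\nHello list.\n\n"
         b"--sig1\nContent-Type: application/pgp-signature\n\n"
         b"-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n"
         b"-----END PGP SIGNATURE-----\n\n--sig1--\n")
AS_SENT = b"From: sender@example.org\n" + INNER
# ... and the same message after a list wraps it and appends a footer part.
AS_RELAYED = (b"From: sender@example.org\n"
              b'Content-Type: multipart/mixed; boundary="outer"\n\n'
              b"--outer\n" + INNER + b"\n--outer\n"
              b"Content-Type: text/plain\n\nlist footer\n\n--outer--\n")

if __name__ == "__main__":
    same = extract_signed(AS_SENT) == extract_signed(AS_RELAYED)
    print("signed bytes identical before and after wrapping:", same)
```

On a real message, writing the two returned values to files and running `gpg --verify sig.asc content.bin` shows whether the signature itself is good, independent of how any particular mail reader walks the wrapper.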
