hi folks-- a friend recently sent me a PGP/MIME encrypted/signed message from k-mail 1.13.7.
enigmail decrypted it but claimed "bad signature".
Looking at it in more detail, i see that the message is structured like
this:
A └┬╴multipart/encrypted
B  ├─╴application/pgp-encrypted attachment
C  └─╴application/octet-stream inline [msg.asc]
but decrypting C shows that inside C is:
D └┬╴multipart/signed
E  ├─╴text/plain
F  └─╴application/pgp-signature [signature.asc]
The OpenPGP layer in C is *just encryption* -- no OpenPGP signature,
which (i think) is why enigmail shows "bad signature".
But the signature F is correct when calculated over E.
I think enigmail's usual mechanism for construction of PGP/MIME messages
has part C contain the signature as well as encryption, and then part D
is just the message itself.
Both approaches seem valid from the perspective of RFC 3156, though the
enigmail construction seems simpler.
But i'm concerned because it seems like enigmail ought to be able to
parse the kmail construction, at least if the top-level cleartext part
is itself multipart/signed.
Any thoughts?
--dkg
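
Added example, not part of the original message and not Enigmail's or KMail's code: a sketch of the check a receiving client could run on the cleartext from part C to recognise the nested layout (D/E/F) and pull out the exact bytes of E that signature F covers. The function name and the sample message are assumptions constructed for illustration; the signature itself is not verified here.

```python
import re
from email import message_from_bytes

# Constructed sample: cleartext as it might come out of decrypting part C
# (parts D/E/F above). The signature body is a placeholder, not a real one.
DECRYPTED_C = (
    b'Content-Type: multipart/signed; boundary="b1"; protocol="application/pgp-signature"\r\n'
    b'\r\n--b1\r\n'
    b'Content-Type: text/plain; charset="utf-8"\r\n\r\n'
    b'hello\r\n'
    b'\r\n--b1\r\n'
    b'Content-Type: application/pgp-signature; name="signature.asc"\r\n\r\n'
    b'-----BEGIN PGP SIGNATURE-----\r\n(placeholder)\r\n-----END PGP SIGNATURE-----\r\n'
    b'--b1--\r\n'
)

def inner_signed_parts(cleartext: bytes):
    """Return (signed_bytes, signature_bytes) when the decrypted cleartext is
    itself multipart/signed with an OpenPGP signature (part D), else None."""
    msg = message_from_bytes(cleartext)
    if msg.get_content_type() != "multipart/signed":
        return None  # e.g. signature carried inside the OpenPGP layer instead
    if str(msg.get_param("protocol", "")).lower() != "application/pgp-signature":
        return None
    boundary, parts = msg.get_boundary(), msg.get_payload()
    if not boundary or not isinstance(parts, list) or len(parts) != 2:
        return None
    if parts[1].get_content_type() != "application/pgp-signature":
        return None
    # Cut part E out of the raw bytes instead of re-serialising it: the
    # signature covers E's headers and body exactly as transmitted. The line
    # break just before a delimiter line belongs to the delimiter (RFC 2046).
    delim = re.escape(b"--" + boundary.encode("ascii"))
    pieces = re.split(rb"(?:\A|\r?\n)" + delim + rb"[ \t]*\r?\n", cleartext)
    if len(pieces) != 3:
        return None
    # RFC 3156: convert line endings to canonical CRLF before verifying.
    signed = re.sub(rb"\r?\n", b"\r\n", pieces[1])
    return signed, parts[1].get_payload(decode=True)

if __name__ == "__main__":
    signed, sig = inner_signed_parts(DECRYPTED_C)
    print(signed)
    print(sig.decode())
```

The two returned values are what would be handed to a detached-signature check; a None result means the cleartext is not multipart/signed, so any signature has to come from the OpenPGP layer in C.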
