[kmail2] [Bug 439958] X-Face can break cryptographic signatures

2022-02-24 Thread Sandro Knauß
https://bugs.kde.org/show_bug.cgi?id=439958

Sandro Knauß  changed:

               What|Removed                     |Added

         Resolution|---                         |FIXED
   Version Fixed In|                            |21.12.3
             Status|CONFIRMED                   |RESOLVED
      Latest Commit|                            |https://invent.kde.org/pim/messagelib/commit/b23d11d27d8619715a2fb3fa5a290e11cb5a027b

--- Comment #18 from Sandro Knauß  ---
Git commit b23d11d27d8619715a2fb3fa5a290e11cb5a027b by Sandro Knauß.
Committed on 24/02/2022 at 14:13.
Pushed by knauss into branch 'release/21.12'.

[messagecomposer] Do not sign long headers.

As KMime sometimes strips newlines from headers, this makes signatures
break, if the signed content includes those headers. In order to have a
fast fix, do not add long headers to the signature part.
FIXED-IN: 21.12.3

M  +51   -0    messagecomposer/autotests/signjobtest.cpp
M  +1    -0    messagecomposer/autotests/signjobtest.h
M  +8    -0    messagecomposer/src/job/protectedheadersjob.cpp

https://invent.kde.org/pim/messagelib/commit/b23d11d27d8619715a2fb3fa5a290e11cb5a027b

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 439958] X-Face can break cryptographic signatures

2022-01-26 Thread Andreas Sturmlechner
https://bugs.kde.org/show_bug.cgi?id=439958

Andreas Sturmlechner  changed:

               What|Removed                     |Added

                 CC|                            |ast...@gentoo.org


[kmail2] [Bug 439958] X-Face can break cryptographic signatures

2021-12-30 Thread Bug Janitor Service
https://bugs.kde.org/show_bug.cgi?id=439958

--- Comment #17 from Bug Janitor Service  ---
A possibly relevant merge request was started @
https://invent.kde.org/pim/messagelib/-/merge_requests/74


[kmail2] [Bug 439958] X-Face can break cryptographic signatures

2021-09-27 Thread Sandro Knauß
https://bugs.kde.org/show_bug.cgi?id=439958

--- Comment #16 from Sandro Knauß  ---
(In reply to David C. Bryant from comment #14)
> (In reply to Sandro Knauß from comment #13)
> > I can confirm it [snip ...]
> > 
> > @David: can you check, if you get proper signatures, if you disable the
> > picture (X-Face)? (Picture tab of the Identity).
> 
> Yes, Sandro, signatures work fine with X-Face disabled. See the screenshot
> I'm adding as an attachment to this bug report today. I am using the same
> picture as was in the X-Face header as my gravatar (see discussion below).
> So the message appears the same (to me) both with and without embedded
> X-Face headers (except that X-Face breaks the crypto signature). 

Okay, then I have to look into why the X-Face header sometimes breaks the
signature. It needs to be some modification after the signature is done. The
X-Face header has multiple lines in autosave files. So I expect that somehow
the newlines get stripped out after the signature is created.

> A friend referred me to this web page:
> https://datatracker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-02
> and raised the question "should the X-Face header be a protected
> header?" I'm not real sure of the answer. Personally, I don't care if
> somebody views the wrong picture in a signed message I send. Integrity of
> the text message is all I really care about. Others might feel differently,
> though.

Well the X-Face header is for sure a non-structural header and the RFC tells us
to copy ALL non-structural headers, that are known when composing the mail.

https://datatracker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-02#section-4.1


[kmail2] [Bug 439958] X-Face can break cryptographic signatures

2021-09-27 Thread David C. Bryant
https://bugs.kde.org/show_bug.cgi?id=439958

--- Comment #15 from David C. Bryant  ---
Created attachment 141949
  --> https://bugs.kde.org/attachment.cgi?id=141949&action=edit
Screenshot -- signature works OK with X-Face disabled


[kmail2] [Bug 439958] X-Face can break cryptographic signatures

2021-09-27 Thread David C. Bryant
https://bugs.kde.org/show_bug.cgi?id=439958

--- Comment #14 from David C. Bryant  ---
(In reply to Sandro Knauß from comment #13)
> I can confirm it [snip ...]
> 
> @David: can you check, if you get proper signatures, if you disable the
> picture (X-Face)? (Picture tab of the Identity).

Yes, Sandro, signatures work fine with X-Face disabled. See the screenshot I'm
adding as an attachment to this bug report today. I am using the same picture
as was in the X-Face header as my gravatar (see discussion below). So the
message appears the same (to me) both with and without embedded X-Face headers
(except that X-Face breaks the crypto signature). 

A friend referred me to this web page:
https://datatracker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-02
and raised the question "should the X-Face header be a protected header?" I'm
not real sure of the answer. Personally, I don't care if somebody views the
wrong picture in a signed message I send. Integrity of the text message is all
I really care about. Others might feel differently, though.

One other thing. The field used to display the "X-Face" picture is also used to
display "gravatars" kept on file in KAddressbook. So people can (in effect)
attach pictures to their messages without using "X-Face" (with the recipient's
assistance). One can even configure KMail itself to search for gravatars on the
internet (Configure KMail --> Plugins --> Gravatar Config). So "X-Face" is
becoming redundant. Just a thought.


[kmail2] [Bug 439958] X-Face can break cryptographic signatures

2021-09-27 Thread Sandro Knauß
https://bugs.kde.org/show_bug.cgi?id=439958

Sandro Knauß  changed:

               What|Removed                     |Added

             Status|REPORTED                    |CONFIRMED
          Component|composer                    |crypto
            Summary|Error in cryptographic      |X-Face can break
                   |signatures affixed by KMail |cryptographic signatures
     Ever confirmed|0                           |1

--- Comment #13 from Sandro Knauß  ---
I can confirm it, but it is not reproducible with every gpg key, which is quite
strange.

What I checked is to create a draft with X-Face enabled. For one gnupg key the
signatures stay fine. When I select another key, the signature is broken with
the same X-Face. (I actually modified the identity and changed the gnupg key and
the matching email address).

At least, if those mails get sent, the signature would get broken in any case,
as the X-Face line is too long for most mail servers, so they would break the
line and this will always break the signature.

@David: can you check, if you get proper signatures, if you disable the picture
(X-Face)? (Picture tab of the Identity).

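
The failure mode discussed in this thread, as an added example that is not KMail or KMime code: a signature covers exact bytes, so a header that is folded when signed and has its newlines stripped afterwards no longer verifies, while leaving long headers out of the signed part avoids the mismatch. SHA-256 stands in for the OpenPGP signature; the `MAX_LEN` threshold, the simplified fixed-width folding, the helper names and the sample header are assumptions.

```python
import hashlib

MAX_LEN = 76  # assumed threshold for "long"; the thread does not state the value used in the fix


def fold(name, value, width=MAX_LEN):
    """Fold a header over several lines (CRLF + space), simplified to fixed-width chunks."""
    text = f"{name}: {value}"
    chunks = [text[i:i + width] for i in range(0, len(text), width)]
    return "\r\n ".join(chunks)


def strip_newlines(header):
    """Model the later modification: the fold newlines are removed from the header."""
    return header.replace("\r\n ", "")


def signed_part(headers, body, skip_long=False):
    """Build the bytes that get signed: copied headers, blank line, body."""
    kept = [h for h in headers
            if not (skip_long and len(strip_newlines(h)) > MAX_LEN)]
    return ("\r\n".join(kept) + "\r\n\r\n" + body).encode("utf-8")


def digest(data):
    """Stand-in for the signature: a signature is computed over a hash of these exact bytes."""
    return hashlib.sha256(data).hexdigest()


def survives_rewrite(headers, body, skip_long):
    """True if the digest made at signing time still matches after newline stripping."""
    at_signing = digest(signed_part(headers, body, skip_long))
    rewritten = [strip_newlines(h) for h in headers]
    at_verify = digest(signed_part(rewritten, body, skip_long))
    return at_signing == at_verify


# Constructed sample data, not taken from the bug report.
XFACE = "".join(chr(33 + (i * 7) % 90) for i in range(300))
HEADERS = [fold("Subject", "test"), fold("X-Face", XFACE)]
BODY = "Hello\r\n"

if __name__ == "__main__":
    print("sign all headers: ", survives_rewrite(HEADERS, BODY, skip_long=False))
    print("skip long headers:", survives_rewrite(HEADERS, BODY, skip_long=True))
```

Skipping the header trades coverage for robustness: with `skip_long=True` the X-Face value is no longer protected by the signature at all.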