Re: [courier-users] Invalid Signature

2013-01-16 Thread Lindsay Haisley
No luck.  This one also came through as invalid.

One thing I noticed is that although some of your posts came through
marked "Invalid signature" by evolution prior to last Sept. or Oct., the
proportion of these, compared to those which evolution validated, rose
substantially after that time.

I'll go back through these and see if I can see any obvious pattern.

On Tue, 2013-01-15 at 21:50 -0500, Sam Varshavchik wrote:
> So, what's probably happening is that Evolutions gets one of these wrong.  
> But what I don't understand is that you say that the sig does verify on some  
> messages. But, if Evolution is either misparsing the MIME boundary delimiter  
> string, or failing to convert the text to the canonical CRLF format, then it  
> should be getting the signatures wrong every time.
> 
> Maybe Evolution mistakenly trims off all trailing newlines from all  
> messages, so the sig would fail to verify if a signed message ends with a  
> blank line.
> 
> This message shouldn't end with a logical blank line. Let's see if Evolution  
> manages to get the signature right, with this one.
> 
> 
> Invalid signature

-- 
Lindsay Haisley   |  "Humor will get you through times of no humor
FMP Computer Services |  better than no humor will get you through
512-259-1190  | times of humor."
http://www.fmp.com|- Butch Hancock


--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Invalid Signature

2013-01-16 Thread Lindsay Haisley
On Tue, 2013-01-15 at 21:50 -0500, Sam Varshavchik wrote:
> $ gpg msg1.txt.sig
> gpg: Signature made Tue 15 Jan 2013 07:28:20 PM EST using DSA key ID 81E550E2
> gpg: Good signature from "Sam Varshavchik "

Yep!

This works.  So the problem is with Evolution - no great surprise there.
I'll need to figure out how to get evolution to dump some relevant
md5sums during the validation process, or snag temp files, so that I can
figure out what it's actually doing.  It may not be worth the effort.
Just knowing that signature verification is broken in evolution is good
to know in the event that I should ever have a mission-critical need to
validate a PGP signature.

-- 
Lindsay Haisley   | "Everything works if you let it"
FMP Computer Services |
512-259-1190  |  --- The Roadie
http://www.fmp.com|


--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Invalid Signature

2013-01-16 Thread Alessandro Vesely
On Wed 16/Jan/2013 07:19:17 +0100 Bernd Wurst wrote:
> Am 15.01.2013 20:01, schrieb Lindsay Haisley:
>> Slightly OT, but about half or more of Sam's posts to this list show an
>> invalid signature in my mail reader.  The PGP (GPG) ID of the signature
>> is the same - 81E550E2 - whether it shows up as valid or invalid.  Has
>> anyone else noticed this, and is there a reason for it, or is it perhaps
>> a local issue here?
> 
> I can confirm this. Had to import Sam's key first to notice. ;-)
> 
> The latest courier release info has a correct sig, the messages in this
> thread don't.
> 
> I'm using current Thunderbird on Ubuntu Linux. While reading Lindsay's
> message, I remembered that I have similar problems here on my own.

Sam's signatures have been reported to break Enigmail since 2003.  In
particular:

  - Comment #23 From Patrick Brunschwig 2007-04-24 05:11:53 -
  [...]
  In theory it would be possible to switch to gpgme (and I somehow
  have this in the back of my head for a long time), but it means to
  rewrite all of the current backend, so it's quite a task.
   https://sourceforge.net/p/enigmail/bugs/4/

The bug is still open, so I guess he hasn't switched to gpgme yet.

Enigmail conflated clearsigned messages and detached signatures (see
http://lists.gnupg.org/pipermail/gnupg-users/2007-April/030916.html ).
I don't know whether Evolution's bug is similar.

-- 
































--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Invalid Signature

2013-01-15 Thread Bernd Wurst
Hi.

Am 15.01.2013 20:01, schrieb Lindsay Haisley:
> Slightly OT, but about half or more of Sam's posts to this list show an
> invalid signature in my mail reader.  The PGP (GPG) ID of the signature
> is the same - 81E550E2 - whether it shows up as valid or invalid.  Has
> anyone else noticed this, and is there a reason for it, or is it perhaps
> a local issue here?

I can confirm this. Had to import Sam's key first to notice. ;-)

The latest courier release info has a correct sig, the messages in this
thread don't.

I'm using current Thunderbird on Ubuntu Linux. While reading Lindsay's
message, I remembered that I have similar problems here on my own.

I send messages PGP-signed from a Python script. One kind of message
always has a correct sig, others in some cases don't. I did never find a
rule why this happens. Perhaps there is a link between this...

cu,
Bernd




signature.asc
Description: OpenPGP digital signature
--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 ___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Invalid Signature

2013-01-15 Thread Lindsay Haisley
On Tue, 2013-01-15 at 21:50 -0500, Sam Varshavchik wrote:
> Now, I think I've grown out of my arrogant phase many years ago, but I'm  
> fairly certain that Evolution is screwing up here.

Sam, I've been appreciating your work and your knowledgeable arrogance
since the days, probably a dozen years ago or more, when you were
publishing qmail patches and I was corresponding with you about them
while trying to get a startup Texas ISP up to speed with their mail
server management :)  No worries, mate!

I'll take a look at this and parse and test the message as you suggest
and see what I come up with.  It wouldn't surprise me at all if
Evolution were in error here.  As MUAs go, Evolution is a very odd
beast.  It was originally written by a company called Ximian (the monkey
people) which was bought by Novell and eventually morphed into the
default Gnome MUA.  My impression is that the code base is so
convoluted, complex and probably poorly maintained between development
teams that it's very difficult to work with.  It's no longer the default
Gnome MUA.

On the other hand, if one avoids the many bugs in the program, it has
some elegant and very powerful capabilities for managing and reading
emails, such as being able to extract MIME encapsulated emails (as in a
sequester by SpamAssassin) and save them as discrete emails into mail
storage.  Unlike any other GUI MUA I've ever worked with, it treats
people like technical adults, much as mutt does, and provides many
powerful hooks and tools for managing email.  T-bird doesn't match it.
No MS product even comes close, nor does Mac Mail.

There's no doubt, though, that it's buggy, and I wouldn't be surprised
at all if your assertion were true.  If we can come up with something
concrete here I'll post a bug against Evolution and hopefully it'll make
it to the upstream people, if any, responsible for maintaining it.

-- 
Lindsay Haisley   | "Never expect the people who caused a problem
FMP Computer Services |  to solve it." - Albert Einstein
512-259-1190  |
http://www.fmp.com|


--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Invalid Signature

2013-01-15 Thread Helge Kreutzmann
Hello,
On Tue, Jan 15, 2013 at 07:05:38PM -0600, Lindsay Haisley wrote:
> On Tue, 2013-01-15 at 19:28 -0500, Sam Varshavchik wrote:
> > Lindsay Haisley writes:
> > 
> > > Slightly OT, but about half or more of Sam's posts to this list show an
> > > invalid signature in my mail reader.  The PGP (GPG) ID of the signature
> > > is the same - 81E550E2 - whether it shows up as valid or invalid.  Has
> > > anyone else noticed this, and is there a reason for it, or is it perhaps
> > > a local issue here?
> 
> > That leaves two possibilities:
> > 
> > 1) There's a disrepancy between my understanding of how PGP-signed email  
> > must get created, and how what you use, Evolution, thinks it should be 
> > done,  
> > in some corner case. A few times when someone noticed this before, I did go 
> >  
> > back, manually MIME-decoded the suspect message by hand, according to what  
> > the MIME RFC says, than fed the decoded content to PGP, and it was happy.
> 
> Evolution uses GnuPG (gpg) v1.4.11 to handle encryption and signature
> verification.  The signature on this email, to which I'm replying, _did_
> fail.  Evolution reports, FWIW:
> 
> gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
> gpg: Signature made Tue 15 Jan 2013 06:28:20 PM CST using DSA key ID 81E550E2
> gpg: using PGP trust model
> gpg: BAD signature from "Sam Varshavchik "
> gpg: binary signature, digest algorithm SHA1

Well, for me (mutt 1.5.20-9+squeeze2 and GnuPG 1.4.10-4) that mail did 
have a valid signature (for Sams part as explained by him):

gpg: Unterschrift vom Mi 16 Jan 2013 01:28:20 CET mittels DSA-Schlüssel ID 
81E550E2
gpg: Korrekte Unterschrift von "Sam Varshavchik "
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:  Es gibt keinen Hinweis, daß die Signatur wirklich dem
vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 7F87 3288 3015 BF63 BC71  7A5A C7DA 7719 81E5 50E2

Regards

   Helge
-- 
  Dr. Helge Kreutzmann deb...@helgefjell.de
   Dipl.-Phys.   http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
   Help keep free software "libre": http://www.ffii.de/


signature.asc
Description: Digital signature
--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 ___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Invalid Signature

2013-01-15 Thread Sam Varshavchik

Lindsay Haisley writes:


Well the copy sent directly was marked as having an invalid signature as
well, so message munging by Sourceforge can probably be ruled out.

I don't know.  I may try to see how Evolution submits emails to gpg.
This may tell us something.


Well, here's a demonstration of how PGP signatures SHOULD be verified. When  
this came up a while ago, I reviewed the relevant RFC specification, and I  
find no fault with my implementation of PGP signature creation and  
verification.


It's a fortunate luck of the draw that the message that you checked did not  
use quoted-printable MIME encoding, but plain encoding. Which means you can  
actually slice apart the message and feed the right parts directly to gpg,  
and verify the sig manually. Here's how, see if you can reproduce the  
following steps:


Open the raw message file, and save both of the MIME sections in it, as two  
separate files:


The first MIME section begins as follows:


Content-Type: text/plain; format=flowed; delsp=yes; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Lindsay Haisley writes:



The first line in the file should be the Content-Type: header, and the file  
should end with exactly one blank line. There are two blank lines at the end  
of the first MIME section in the raw email message file:




though it's annoying.


--=_monster.email-scan.com-6997-1358296100-0029


However, according to the relevant MIME specs, the second empty blank line  
is actually a part of the MIME boundary marker that immediately follows it.  
This is one of the most common bugs in MIME decoders, they fail to consider  
the newline sequence immediately before the MIME delimiter string as a  
logical part of the MIME boundary delimiter, even though this is highlighted  
and underlined, in honking capital letters (well, almost), in the  
appropriate RFC.


So, if you did this right, and if you named this file, say, msg1.txt, then  
you should get the following checksum:


$ md5sum msg1.txt
1307dabdb13c9067a6f699118f1d96a2  msg1.txt

Then save the second MIME section, with the signature, as msg1.txt.sig. It's  
fairly short:


$ cat msg1.txt.sig
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEABECAAYFAlD19CQACgkQx9p3GYHlUOJVeQCaA6SwE8QCrfLRurbkd2Q1EJT5
b5MAn3rJx/7bwk5/XrqLGc0dswLrlc3t
=AZlV
-END PGP SIGNATURE-
$

The MIME PGP RFC specifies that the signature applies to text that's  
formatted using the CRLF end-of-line sequence, so convert msg1.txt  
accordingly:


[mrsam@monster tmp]$ unix2dos msg1.txt.out
[mrsam@monster tmp]$ mv msg1.txt.out msg1.txt

The checksum of the reformatted msg1.txt should now be:

$ md5sum msg1.txt
4bea49c17cb71cd6e33ad1f456650f3d  msg1.txt

Now, you can run gpg manually, to verify the signature:

$ gpg msg1.txt.sig
gpg: Signature made Tue 15 Jan 2013 07:28:20 PM EST using DSA key ID 81E550E2
gpg: Good signature from "Sam Varshavchik "

That's all, folks.

Now, I think I've grown out of my arrogant phase many years ago, but I'm  
fairly certain that Evolution is screwing up here. I just can't see what I'm  
doing wrong. Since Evolution invokes gpg to verify the signature, the only  
possibility here, is that it screws up and feeds the wrong content into pgp  
to verify. I would venture a guess that Evolution is either:


A) Verifying the sig of text content that ends with LFs, rather than the  
CRLF newline sequence. This is spelled out in section 5 of RFC 2015:


#   When the PGP digital signature is generated:
#
#   (1)  The data to be signed must first be converted to its
#type/subtype specific canonical form.  For text/plain, this
#means conversion to an appropriate character set and conversion
#of line endings to the canonical  sequence.

This is why in my walkthrough, above, you ran unix2dos to convert the text  
message to the canonical CRLF newline sequence format. Quite an archaic  
concept, but that's what the spec says.


B) Screwing up the MIME boundary parsing, and Evolution tries to verify the  
checksum on the message that ends with two empty lines. It does not. It ends  
with one empty line, and the second newline sequence logically belongs to  
the MIME boundary delimiter that follows. This is quite explicitly stated on  
page 19 of RFC 2046:


#   The boundary delimiter MUST occur at the beginning of a line, i.e.,
#   following a CRLF, and the initial CRLF is considered to be attached
# =
#   to the boundary delimiter line rather than part of the preceding
#   
#   part.
#   =

So, what's probably happening is that Evolutions gets one of these wrong.  
But what I don't understand is that you say that the sig does verify on some  
messages. But, if Evolution is either misparsing the MIME boundary delimiter  
string, or failing to convert the text to the cano

Re: [courier-users] Invalid Signature

2013-01-15 Thread Lindsay Haisley
Well the copy sent directly was marked as having an invalid signature as
well, so message munging by Sourceforge can probably be ruled out.

I don't know.  I may try to see how Evolution submits emails to gpg.
This may tell us something.

-- 
Lindsay Haisley   | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190  |  -- Pogo
http://www.fmp.com|


--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Invalid Signature

2013-01-15 Thread Lindsay Haisley
On Tue, 2013-01-15 at 19:28 -0500, Sam Varshavchik wrote:
> Lindsay Haisley writes:
> 
> > Slightly OT, but about half or more of Sam's posts to this list show an
> > invalid signature in my mail reader.  The PGP (GPG) ID of the signature
> > is the same - 81E550E2 - whether it shows up as valid or invalid.  Has
> > anyone else noticed this, and is there a reason for it, or is it perhaps
> > a local issue here?

> That leaves two possibilities:
> 
> 1) There's a disrepancy between my understanding of how PGP-signed email  
> must get created, and how what you use, Evolution, thinks it should be done,  
> in some corner case. A few times when someone noticed this before, I did go  
> back, manually MIME-decoded the suspect message by hand, according to what  
> the MIME RFC says, than fed the decoded content to PGP, and it was happy.

Evolution uses GnuPG (gpg) v1.4.11 to handle encryption and signature
verification.  The signature on this email, to which I'm replying, _did_
fail.  Evolution reports, FWIW:

gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
gpg: Signature made Tue 15 Jan 2013 06:28:20 PM CST using DSA key ID 81E550E2
gpg: using PGP trust model
gpg: BAD signature from "Sam Varshavchik "
gpg: binary signature, digest algorithm SHA1

> What can be done is for you to identify some recent message that you got  
> from the list, whose sig you can't verify. I can bounce a copy to you from  
> my Outbox. This would be what I sent to Sourceforge. It should have the  
> original signature.

This message, to which I'm replying, will do.

-- 
Lindsay Haisley   | "The difference between a duck is because
FMP Computer Services |one leg is both the same"
512-259-1190  | - Anonymous
http://www.fmp.com|


--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Invalid Signature

2013-01-15 Thread Sam Varshavchik

Lindsay Haisley writes:


Slightly OT, but about half or more of Sam's posts to this list show an
invalid signature in my mail reader.  The PGP (GPG) ID of the signature
is the same - 81E550E2 - whether it shows up as valid or invalid.  Has
anyone else noticed this, and is there a reason for it, or is it perhaps
a local issue here?


I checked last month's worth of my messages to all Courier lists, the copies  
that I get back from the mailing list. Cone uses gpg to both sign, and  
verify the signature, of a message. There were no verification failures.


The rules for what exactly gets signed, in a message (not everything) are  
quite delicate, and we know two facts:


* I never fail to verify my own email's signature. The rules for signing,  
and verifying PGP signatures, as implemented in Cone, with GPG's help, seems  
to be quite stable. Never had an issue with verifying my own sig.


* Sourceforge appends its own spam to the email. It adds its own  
multipart/mixed MIME section, wrapping the one with the original content,  
and the PGP signature, and then attaches its spam-of-the-day.


That leaves two possibilities:

1) There's a disrepancy between my understanding of how PGP-signed email  
must get created, and how what you use, Evolution, thinks it should be done,  
in some corner case. A few times when someone noticed this before, I did go  
back, manually MIME-decoded the suspect message by hand, according to what  
the MIME RFC says, than fed the decoded content to PGP, and it was happy.


2) It's possible that Sourceforge's spam, that it appends to all list email,  
might confuse Evolution. It never confuses Cone, as I said, but I can see  
how this obnoxious MIME wrapper can make something go off the rails.


What can be done is for you to identify some recent message that you got  
from the list, whose sig you can't verify. I can bounce a copy to you from  
my Outbox. This would be what I sent to Sourceforge. It should have the  
original signature.


If you still cannot verify the signature, from this copy, this would  
indicate a disconnect between how Cone and Evolution thinks PGP signing  
should be done. If you can verify it, though, this would suggest that  
Sourceforge's spam appendage is confusing Evolution. I don't see anything  
technically wrong with what Sourceforge is doing; it's by the book, even  
though it's annoying.




pgpFKKFDXBM3D.pgp
Description: PGP signature
--
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 ___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users