Re: [courier-users] Invalid Signature
No luck. This one also came through as invalid. One thing I noticed is that although some of your posts came through marked "Invalid signature" by evolution prior to last Sept. or Oct., the proportion of these, compared to those which evolution validated, rose substantially after that time. I'll go back through these and see if I can see any obvious pattern. On Tue, 2013-01-15 at 21:50 -0500, Sam Varshavchik wrote: > So, what's probably happening is that Evolutions gets one of these wrong. > But what I don't understand is that you say that the sig does verify on some > messages. But, if Evolution is either misparsing the MIME boundary delimiter > string, or failing to convert the text to the canonical CRLF format, then it > should be getting the signatures wrong every time. > > Maybe Evolution mistakenly trims off all trailing newlines from all > messages, so the sig would fail to verify if a signed message ends with a > blank line. > > This message shouldn't end with a logical blank line. Let's see if Evolution > manages to get the signature right, with this one. > > > Invalid signature -- Lindsay Haisley | "Humor will get you through times of no humor FMP Computer Services | better than no humor will get you through 512-259-1190 | times of humor." http://www.fmp.com|- Butch Hancock -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Invalid Signature
On Tue, 2013-01-15 at 21:50 -0500, Sam Varshavchik wrote: > $ gpg msg1.txt.sig > gpg: Signature made Tue 15 Jan 2013 07:28:20 PM EST using DSA key ID 81E550E2 > gpg: Good signature from "Sam Varshavchik " Yep! This works. So the problem is with Evolution - no great surprise there. I'll need to figure out how to get evolution to dump some relevant md5sums during the validation process, or snag temp files, so that I can figure out what it's actually doing. It may not be worth the effort. Just knowing that signature verification is broken in evolution is good to know in the event that I should ever have a mission-critical need to validate a PGP signature. -- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com| -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Invalid Signature
On Wed 16/Jan/2013 07:19:17 +0100 Bernd Wurst wrote: > Am 15.01.2013 20:01, schrieb Lindsay Haisley: >> Slightly OT, but about half or more of Sam's posts to this list show an >> invalid signature in my mail reader. The PGP (GPG) ID of the signature >> is the same - 81E550E2 - whether it shows up as valid or invalid. Has >> anyone else noticed this, and is there a reason for it, or is it perhaps >> a local issue here? > > I can confirm this. Had to import Sam's key first to notice. ;-) > > The latest courier release info has a correct sig, the messages in this > thread don't. > > I'm using current Thunderbird on Ubuntu Linux. While reading Lindsay's > message, I remembered that I have similar problems here on my own. Sam's signatures have been reported to break Enigmail since 2003. In particular: - Comment #23 From Patrick Brunschwig 2007-04-24 05:11:53 - [...] In theory it would be possible to switch to gpgme (and I somehow have this in the back of my head for a long time), but it means to rewrite all of the current backend, so it's quite a task. https://sourceforge.net/p/enigmail/bugs/4/ The bug is still open, so I guess he hasn't switched to gpgme yet. Enigmail conflated clearsigned messages and detached signatures (see http://lists.gnupg.org/pipermail/gnupg-users/2007-April/030916.html ). I don't know whether Evolution's bug is similar. -- -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Invalid Signature
Hi. Am 15.01.2013 20:01, schrieb Lindsay Haisley: > Slightly OT, but about half or more of Sam's posts to this list show an > invalid signature in my mail reader. The PGP (GPG) ID of the signature > is the same - 81E550E2 - whether it shows up as valid or invalid. Has > anyone else noticed this, and is there a reason for it, or is it perhaps > a local issue here? I can confirm this. Had to import Sam's key first to notice. ;-) The latest courier release info has a correct sig, the messages in this thread don't. I'm using current Thunderbird on Ubuntu Linux. While reading Lindsay's message, I remembered that I have similar problems here on my own. I send messages PGP-signed from a Python script. One kind of message always has a correct sig, others in some cases don't. I did never find a rule why this happens. Perhaps there is a link between this... cu, Bernd signature.asc Description: OpenPGP digital signature -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Invalid Signature
On Tue, 2013-01-15 at 21:50 -0500, Sam Varshavchik wrote: > Now, I think I've grown out of my arrogant phase many years ago, but I'm > fairly certain that Evolution is screwing up here. Sam, I've been appreciating your work and your knowledgeable arrogance since the days, probably a dozen years ago or more, when you were publishing qmail patches and I was corresponding with you about them while trying to get a startup Texas ISP up to speed with their mail server management :) No worries, mate! I'll take a look at this and parse and test the message as you suggest and see what I come up with. It wouldn't surprise me at all if Evolution were in error here. As MUAs go, Evolution is a very odd beast. It was originally written by a company called Ximian (the monkey people) which was bought by Novell and eventually morphed into the default Gnome MUA. My impression is that the code base is so convoluted, complex and probably poorly maintained between development teams that it's very difficult to work with. It's no longer the default Gnome MUA. On the other hand, if one avoids the many bugs in the program, it has some elegant and very powerful capabilities for managing and reading emails, such as being able to extract MIME encapsulated emails (as in a sequester by SpamAssassin) and save them as discrete emails into mail storage. Unlike any other GUI MUA I've ever worked with, it treats people like technical adults, much as mutt does, and provides many powerful hooks and tools for managing email. T-bird doesn't match it. No MS product even comes close, nor does Mac Mail. There's no doubt, though, that it's buggy, and I wouldn't be surprised at all if your assertion were true. If we can come up with something concrete here I'll post a bug against Evolution and hopefully it'll make it to the upstream people, if any, responsible for maintaining it. -- Lindsay Haisley | "Never expect the people who caused a problem FMP Computer Services | to solve it." - Albert Einstein 512-259-1190 | http://www.fmp.com| -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Invalid Signature
Hello, On Tue, Jan 15, 2013 at 07:05:38PM -0600, Lindsay Haisley wrote: > On Tue, 2013-01-15 at 19:28 -0500, Sam Varshavchik wrote: > > Lindsay Haisley writes: > > > > > Slightly OT, but about half or more of Sam's posts to this list show an > > > invalid signature in my mail reader. The PGP (GPG) ID of the signature > > > is the same - 81E550E2 - whether it shows up as valid or invalid. Has > > > anyone else noticed this, and is there a reason for it, or is it perhaps > > > a local issue here? > > > That leaves two possibilities: > > > > 1) There's a disrepancy between my understanding of how PGP-signed email > > must get created, and how what you use, Evolution, thinks it should be > > done, > > in some corner case. A few times when someone noticed this before, I did go > > > > back, manually MIME-decoded the suspect message by hand, according to what > > the MIME RFC says, than fed the decoded content to PGP, and it was happy. > > Evolution uses GnuPG (gpg) v1.4.11 to handle encryption and signature > verification. The signature on this email, to which I'm replying, _did_ > fail. Evolution reports, FWIW: > > gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux) > gpg: Signature made Tue 15 Jan 2013 06:28:20 PM CST using DSA key ID 81E550E2 > gpg: using PGP trust model > gpg: BAD signature from "Sam Varshavchik " > gpg: binary signature, digest algorithm SHA1 Well, for me (mutt 1.5.20-9+squeeze2 and GnuPG 1.4.10-4) that mail did have a valid signature (for Sams part as explained by him): gpg: Unterschrift vom Mi 16 Jan 2013 01:28:20 CET mittels DSA-Schlüssel ID 81E550E2 gpg: Korrekte Unterschrift von "Sam Varshavchik " gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur! gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört. Haupt-Fingerabdruck = 7F87 3288 3015 BF63 BC71 7A5A C7DA 7719 81E5 50E2 Regards Helge -- Dr. Helge Kreutzmann deb...@helgefjell.de Dipl.-Phys. http://www.helgefjell.de/debian.php 64bit GNU powered gpg signed mail preferred Help keep free software "libre": http://www.ffii.de/ signature.asc Description: Digital signature -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Invalid Signature
Lindsay Haisley writes: Well the copy sent directly was marked as having an invalid signature as well, so message munging by Sourceforge can probably be ruled out. I don't know. I may try to see how Evolution submits emails to gpg. This may tell us something. Well, here's a demonstration of how PGP signatures SHOULD be verified. When this came up a while ago, I reviewed the relevant RFC specification, and I find no fault with my implementation of PGP signature creation and verification. It's a fortunate luck of the draw that the message that you checked did not use quoted-printable MIME encoding, but plain encoding. Which means you can actually slice apart the message and feed the right parts directly to gpg, and verify the sig manually. Here's how, see if you can reproduce the following steps: Open the raw message file, and save both of the MIME sections in it, as two separate files: The first MIME section begins as follows: Content-Type: text/plain; format=flowed; delsp=yes; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit Lindsay Haisley writes: The first line in the file should be the Content-Type: header, and the file should end with exactly one blank line. There are two blank lines at the end of the first MIME section in the raw email message file: though it's annoying. --=_monster.email-scan.com-6997-1358296100-0029 However, according to the relevant MIME specs, the second empty blank line is actually a part of the MIME boundary marker that immediately follows it. This is one of the most common bugs in MIME decoders, they fail to consider the newline sequence immediately before the MIME delimiter string as a logical part of the MIME boundary delimiter, even though this is highlighted and underlined, in honking capital letters (well, almost), in the appropriate RFC. So, if you did this right, and if you named this file, say, msg1.txt, then you should get the following checksum: $ md5sum msg1.txt 1307dabdb13c9067a6f699118f1d96a2 msg1.txt Then save the second MIME section, with the signature, as msg1.txt.sig. It's fairly short: $ cat msg1.txt.sig -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEABECAAYFAlD19CQACgkQx9p3GYHlUOJVeQCaA6SwE8QCrfLRurbkd2Q1EJT5 b5MAn3rJx/7bwk5/XrqLGc0dswLrlc3t =AZlV -END PGP SIGNATURE- $ The MIME PGP RFC specifies that the signature applies to text that's formatted using the CRLF end-of-line sequence, so convert msg1.txt accordingly: [mrsam@monster tmp]$ unix2dos msg1.txt.out [mrsam@monster tmp]$ mv msg1.txt.out msg1.txt The checksum of the reformatted msg1.txt should now be: $ md5sum msg1.txt 4bea49c17cb71cd6e33ad1f456650f3d msg1.txt Now, you can run gpg manually, to verify the signature: $ gpg msg1.txt.sig gpg: Signature made Tue 15 Jan 2013 07:28:20 PM EST using DSA key ID 81E550E2 gpg: Good signature from "Sam Varshavchik " That's all, folks. Now, I think I've grown out of my arrogant phase many years ago, but I'm fairly certain that Evolution is screwing up here. I just can't see what I'm doing wrong. Since Evolution invokes gpg to verify the signature, the only possibility here, is that it screws up and feeds the wrong content into pgp to verify. I would venture a guess that Evolution is either: A) Verifying the sig of text content that ends with LFs, rather than the CRLF newline sequence. This is spelled out in section 5 of RFC 2015: # When the PGP digital signature is generated: # # (1) The data to be signed must first be converted to its #type/subtype specific canonical form. For text/plain, this #means conversion to an appropriate character set and conversion #of line endings to the canonical sequence. This is why in my walkthrough, above, you ran unix2dos to convert the text message to the canonical CRLF newline sequence format. Quite an archaic concept, but that's what the spec says. B) Screwing up the MIME boundary parsing, and Evolution tries to verify the checksum on the message that ends with two empty lines. It does not. It ends with one empty line, and the second newline sequence logically belongs to the MIME boundary delimiter that follows. This is quite explicitly stated on page 19 of RFC 2046: # The boundary delimiter MUST occur at the beginning of a line, i.e., # following a CRLF, and the initial CRLF is considered to be attached # = # to the boundary delimiter line rather than part of the preceding # # part. # = So, what's probably happening is that Evolutions gets one of these wrong. But what I don't understand is that you say that the sig does verify on some messages. But, if Evolution is either misparsing the MIME boundary delimiter string, or failing to convert the text to the cano
Re: [courier-users] Invalid Signature
Well the copy sent directly was marked as having an invalid signature as well, so message munging by Sourceforge can probably be ruled out. I don't know. I may try to see how Evolution submits emails to gpg. This may tell us something. -- Lindsay Haisley | "We have met the enemy and he is us." FMP Computer Services | 512-259-1190 | -- Pogo http://www.fmp.com| -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Invalid Signature
On Tue, 2013-01-15 at 19:28 -0500, Sam Varshavchik wrote: > Lindsay Haisley writes: > > > Slightly OT, but about half or more of Sam's posts to this list show an > > invalid signature in my mail reader. The PGP (GPG) ID of the signature > > is the same - 81E550E2 - whether it shows up as valid or invalid. Has > > anyone else noticed this, and is there a reason for it, or is it perhaps > > a local issue here? > That leaves two possibilities: > > 1) There's a disrepancy between my understanding of how PGP-signed email > must get created, and how what you use, Evolution, thinks it should be done, > in some corner case. A few times when someone noticed this before, I did go > back, manually MIME-decoded the suspect message by hand, according to what > the MIME RFC says, than fed the decoded content to PGP, and it was happy. Evolution uses GnuPG (gpg) v1.4.11 to handle encryption and signature verification. The signature on this email, to which I'm replying, _did_ fail. Evolution reports, FWIW: gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux) gpg: Signature made Tue 15 Jan 2013 06:28:20 PM CST using DSA key ID 81E550E2 gpg: using PGP trust model gpg: BAD signature from "Sam Varshavchik " gpg: binary signature, digest algorithm SHA1 > What can be done is for you to identify some recent message that you got > from the list, whose sig you can't verify. I can bounce a copy to you from > my Outbox. This would be what I sent to Sourceforge. It should have the > original signature. This message, to which I'm replying, will do. -- Lindsay Haisley | "The difference between a duck is because FMP Computer Services |one leg is both the same" 512-259-1190 | - Anonymous http://www.fmp.com| -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Invalid Signature
Lindsay Haisley writes: Slightly OT, but about half or more of Sam's posts to this list show an invalid signature in my mail reader. The PGP (GPG) ID of the signature is the same - 81E550E2 - whether it shows up as valid or invalid. Has anyone else noticed this, and is there a reason for it, or is it perhaps a local issue here? I checked last month's worth of my messages to all Courier lists, the copies that I get back from the mailing list. Cone uses gpg to both sign, and verify the signature, of a message. There were no verification failures. The rules for what exactly gets signed, in a message (not everything) are quite delicate, and we know two facts: * I never fail to verify my own email's signature. The rules for signing, and verifying PGP signatures, as implemented in Cone, with GPG's help, seems to be quite stable. Never had an issue with verifying my own sig. * Sourceforge appends its own spam to the email. It adds its own multipart/mixed MIME section, wrapping the one with the original content, and the PGP signature, and then attaches its spam-of-the-day. That leaves two possibilities: 1) There's a disrepancy between my understanding of how PGP-signed email must get created, and how what you use, Evolution, thinks it should be done, in some corner case. A few times when someone noticed this before, I did go back, manually MIME-decoded the suspect message by hand, according to what the MIME RFC says, than fed the decoded content to PGP, and it was happy. 2) It's possible that Sourceforge's spam, that it appends to all list email, might confuse Evolution. It never confuses Cone, as I said, but I can see how this obnoxious MIME wrapper can make something go off the rails. What can be done is for you to identify some recent message that you got from the list, whose sig you can't verify. I can bounce a copy to you from my Outbox. This would be what I sent to Sourceforge. It should have the original signature. If you still cannot verify the signature, from this copy, this would indicate a disconnect between how Cone and Evolution thinks PGP signing should be done. If you can verify it, though, this would suggest that Sourceforge's spam appendage is confusing Evolution. I don't see anything technically wrong with what Sourceforge is doing; it's by the book, even though it's annoying. pgpFKKFDXBM3D.pgp Description: PGP signature -- Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users