GNOME Bugzilla – Bug 217319
Signatures are incorrectly flagged bad
Last modified: 2013-09-10 14:02:36 UTC
Evolution is incorrectly flagging correctly-signed messages as being bad. This is a critical bug in the crypto support in Evolution; crypto you can't trust to work properly is worse than no crypto at all. The following message demonstrates the bug:

============================================
From crism@maden.org Thu Dec 13 16:14:54 2001
Return-Path: <crism@maden.org>
Delivered-To: rjhansen@inav.net
Received: (qmail 4265 invoked by uid 0); 13 Dec 2001 16:14:54 -0600
Received: from dot.dreamhost.com (216.240.131.10) by soli.inav.net with SMTP; 13 Dec 2001 16:14:54 -0600
Received: from maden.maden.org (adsl-63-206-116-197.dsl.snfc21.pacbell.net [63.206.116.197]) (authenticated (0 bits)) by dot.dreamhost.com (8.12.0.Beta7/8.12.0.Beta7/Debian 8.12.0.Beta7-1) with ESMTP id fBDMEdNV002588; Thu, 13 Dec 2001 14:14:39 -0800
Message-Id: <5.1.0.14.0.20011213140447.00a86090@mail.maden.org>
X-Sender: maden@mail.maden.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 13 Dec 2001 14:07:20 -0800
To: general@lpsf.org
From: "Christopher R. Maden" <crism@maden.org>
Subject: Dmitry's going home!
Mime-Version: 1.0
Status: U
X-UIDL: 1008281694.4285.soli.inav.net
Content-Type: text/plain
X-Evolution-Source: pop://rjhansen@soli.inav.net/inbox
Content-Transfer-Encoding: 8bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<URL: http://www.planetpdf.com/mainpage.asp?webpageid=1787 > just broke the story. Dmitry's attorneys released a statement this afternoon saying that, although the charges haven't been completely dismissed, they will be, and he is free to return home to Russia for the holidays. He will be required to testify for the government, but he will also be testifying for Elcom, and will be telling the same story on both sides in any case. (-: Elcom's lawyer says they are pleased to have him returning home, and that they have always wanted the proceeding to be against them instead of Dmitry.

~Chris
- --
Libertarian candidate, California State Assembly, District 13
Free Sklyarov: <URL: http://www.freesklyarov.org/ >
Freelance text nerd: <URL: http://crism.maden.org/ >
PGP Fingerprint: BBA6 4085 DED0 E176 D6D4 5DFC AC52 F825 AFEC 58DA

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8

iQA+AwUBPBkmmKxS+CWv7FjaEQJ9tACWPBfpJDtbWJHTz8hljlUkANNN4ACg8nKU
3y3OL8sxZyM4uVuQbRh/R3Q=
=/8QB
-----END PGP SIGNATURE-----
=========================================

... Chris' key is in my keyring and is set up appropriately. Evolution flags this message as possessing a bad signature. GPG 1.0.6 and PGP 6.5.8 both think otherwise:

=========================================
[rjhansen@leviticus rjhansen]$ gpg crism.asc
gpg: Signature made Thu 13 Dec 2001 04:07:20 PM CST using DSA key ID AFEC58DA
gpg: Good signature from "Christopher R. Maden <crism@maden.org>"
gpg: aka "Christopher R. Maden <crism@shore.net>"
gpg: aka "Christopher R. Maden <chris.maden@hmmci.com>"
[rjhansen@leviticus rjhansen]$ pgp crism.asc
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

File is signed. Good signature from user "Christopher R. Maden <crism@maden.org>".
Signature made 2001/12/13 22:07 GMT

Plaintext filename: crism
Robert: it's better if you attach the message as a file, since whitespace stuff can get lost otherwise.
you are supposed to CRLF encode before feeding it to PGP. Since you didn't, I assume that if you did that this signature would be broken...thus solving this as NOTXIMIAN.
no, pgp internally retranslates to CRLFs when verifying.
uh huh, then why is it not verifying? and why does a signed message from kmail that verifies if I crlf encode yet doesn't when I don't? hmmm...interesting you have to pass an argument to pgp (I think pgp -t?) to tell it to auto-crlf encode.
Created attachment 40847
hope you don't mind waiting while evo loops over every possible combination.
You don't have to loop over every possible combination. You have to find out two things:

1. What's causing Evo to incorrectly flag messages as improperly signed? Is it the CR/LF problem, is it a matter of escaped From lines, what?
2. Every mailer which has problems will have the same set of problems. Hypothetically speaking, if Outlook Express' PGP plugin doesn't escape FROM lines, Eudora's might not do CR/LFs correctly.
3. Use the mailer information in the email header to decide the proper set of rules to apply.
4. Apply the rules and send it on to GPG.

... You don't need to iterate over every possible braindamage; you only need to fix the braindamages which exist. :)
do you understand the concept of abstraction? apparently not... I don't have access to the X-Mailer header at this level of the code - besides, I don't want to keep a table of who is broken and in what way. Live with my patch or use another mailer.
Jeff, please stop being unreasonable.
*** This bug has been marked as a duplicate of 215972 ***
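
The disagreement in this thread comes down to which bytes get hashed. As an added illustration (not Evolution's code and not the attached patch), this sketch derives the signed text of a cleartext-signed message as RFC 4880 section 7.1 defines it: dash-escaping undone, trailing spaces and tabs stripped, lines joined with CRLF. The sample message, its placeholder signature block and all function names are constructed for the example.

```python
import hashlib

BEGIN_MSG = b"-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = b"-----BEGIN PGP SIGNATURE-----"

# Constructed sample, stored with bare LF as a Unix mail client would hold it.
# The signature block is a placeholder; only the signed text matters here.
SAMPLE_LF = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
    b"Hello,  \n~Chris\n- -- \nFrom the list\n"
    b"-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
)
SAMPLE_CRLF = SAMPLE_LF.replace(b"\n", b"\r\n")           # same message, CRLF endings
SAMPLE_MBOX = SAMPLE_LF.replace(b"\nFrom ", b"\n>From ")  # mbox-style From escaping


def body_lines(clearsigned: bytes) -> list:
    """Lines between the armor headers and the signature, line endings removed."""
    lines = clearsigned.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    start = lines.index(b"", lines.index(BEGIN_MSG)) + 1  # skip "Hash:" headers
    return lines[start:lines.index(BEGIN_SIG)]


def signed_text(clearsigned: bytes) -> bytes:
    """Canonical bytes the signature covers (RFC 4880, section 7.1)."""
    out = []
    for line in body_lines(clearsigned):
        if line.startswith(b"- "):
            line = line[2:]                # undo dash-escaping
        out.append(line.rstrip(b" \t"))    # trailing spaces/tabs are not signed
    return b"\r\n".join(out)               # no line ending after the last line


def naive_text(clearsigned: bytes) -> bytes:
    """What gets hashed if the stored LF body is passed through unchanged."""
    return b"\n".join(body_lines(clearsigned))


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    for name, msg in [("LF", SAMPLE_LF), ("CRLF", SAMPLE_CRLF), ("mbox", SAMPLE_MBOX)]:
        print(name, sha1(signed_text(msg)), sha1(naive_text(msg)))
```

The LF and CRLF copies canonicalize to identical bytes, so one canonicalization pass covers both without trying combinations. The mbox-escaped copy still differs, because that escaping alters the signed content itself rather than its line endings.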