[ale] ale's mailman and invalid sigs

Tim Watts timtw at earthlink.net
Fri Nov 27 23:59:33 EST 2009


So I think I figured out how ALE's mailman is invalidating PGP sigs
under certain circumstances. Using the message I sent via gmail/firepgp
that got an invalid sig, I compared the raw msg that mailman sent out to
the one stored in my gmail Sent folder. What I found is that mailman
wrapped one of the headers in the signed portion of the message, thus
invalidating the signature.

GPG is handed everything between the 'multipart/signed' boundaries
(-------firegpg0710eqg2j410d98by2livyjc in this case) to produce the
signature (line endings are also normalized but that's beside the
point). However, as you'll see below, mailman wrapped the 1st
Content-Type header when it sent out the message. That may have been the
RFC-correct thing to do since the header is 80 chars but I can't imagine
any modern email client that can't handle long headers.

Is there a way to persuade mailman to treat everything between
'multipart/signed' boundaries as sacred untouchable? Similarly for
clear-signed messages: Don't touch between "-----BEGIN PGP SIGNED
MESSAGE-----" and "-----BEGIN PGP SIGNATURE-----".

(The stuff below will be more legible in HTML, sorry)

=========================================== BEFORE MAILMAN:BEGIN
<...other msg headers...>
X-FireGPG-Version: 0.7.10
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="-----firegpg0710eqg2j410d98by2livyjc"

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
-------firegpg0710eqg2j410d98by2livyjc
Content-Type: multipart/alternative; boundary="firegpg0710eqg2j410dlntbr800mza1"

--firegpg0710eqg2j410dlntbr800mza1
Content-Type: text/plain; format=flowed; charset=UTF-8
Content-Transfer-Encoding: base64

dHJ5aW5nIHRvIGlzb2xhdGUgd2h5IHNvbWUgQUxFIHNpZ3MgcmVwb3J0IGFzIGludmFsaWQuIHNl
bmRpbmcgdmlhIGdtYWlsL2ZpcmVncGcuLi4NCg0K
--firegpg0710eqg2j410dlntbr800mza1
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

dHJ5aW5nIHRvIGlzb2xhdGUgd2h5IHNvbWUgQUxFIHNpZ3MgcmVwb3J0IGFzIGludmFsaWQuIHNl
bmRpbmcgdmlhIGdtYWlsL2ZpcmVncGcuLi48YnI+PGJyPg0K
--firegpg0710eqg2j410dlntbr800mza1--

-------firegpg0710eqg2j410d98by2livyjc
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.10)

iQEcBAEBAgAGBQJLD/CRAAoJEPn9tXGjlLx6s4YH/3odcaI8elLPAeEV9MJofSQF
6sAYFS35KccDqRMExTDGh2xnyGAprtuCTSZ5VdURGf7pmePsjSB61tDxMFKBocyN
NCiGPwcTsI4u1HcaW1DrOXFZlpdy5V4uzT1KWJr9P6lKdzstzQWFSFGMecv1qNsj
p6DiM1XDbrSAHoliMOzlrVpuoDhFzzfFyPcyj8J5p0ce88wlqF1+7Pph9QWXy52H
hErIyNgRR4/5XOJvo5a1p1uoMoIbYWlPJnpBGvCCoe2fiaJl9InGgKLXBrTL84w5
tFJfC2gxy4uWBRQHujw3U0GPRb7BCevb8kfYePhnjlaD/2EKQeSNqH81nJPzm0Q=
=MasR
-----END PGP SIGNATURE-----

-------firegpg0710eqg2j410d98by2livyjc--
=========================================== BEFORE MAILMAN:END

=========================================== AFTER MAILMAN:BEGIN
<...other msg headers...>
Content-Type: multipart/mixed; boundary="===============1966690486=="
Sender: ale-bounces at ale.org
Errors-To: ale-bounces at ale.org

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--===============1966690486==
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="-----firegpg0710eqg2j410d98by2livyjc"

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
-------firegpg0710eqg2j410d98by2livyjc
Content-Type: multipart/alternative;
        boundary="firegpg0710eqg2j410dlntbr800mza1"

--firegpg0710eqg2j410dlntbr800mza1
Content-Type: text/plain; format=flowed; charset=UTF-8
Content-Transfer-Encoding: base64

dHJ5aW5nIHRvIGlzb2xhdGUgd2h5IHNvbWUgQUxFIHNpZ3MgcmVwb3J0IGFzIGludmFsaWQuIHNl
bmRpbmcgdmlhIGdtYWlsL2ZpcmVncGcuLi4NCg0K
--firegpg0710eqg2j410dlntbr800mza1
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

dHJ5aW5nIHRvIGlzb2xhdGUgd2h5IHNvbWUgQUxFIHNpZ3MgcmVwb3J0IGFzIGludmFsaWQuIHNl
bmRpbmcgdmlhIGdtYWlsL2ZpcmVncGcuLi48YnI+PGJyPg0K
--firegpg0710eqg2j410dlntbr800mza1--

-------firegpg0710eqg2j410d98by2livyjc
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.10)

iQEcBAEBAgAGBQJLD/CRAAoJEPn9tXGjlLx6s4YH/3odcaI8elLPAeEV9MJofSQF
6sAYFS35KccDqRMExTDGh2xnyGAprtuCTSZ5VdURGf7pmePsjSB61tDxMFKBocyN
NCiGPwcTsI4u1HcaW1DrOXFZlpdy5V4uzT1KWJr9P6lKdzstzQWFSFGMecv1qNsj
p6DiM1XDbrSAHoliMOzlrVpuoDhFzzfFyPcyj8J5p0ce88wlqF1+7Pph9QWXy52H
hErIyNgRR4/5XOJvo5a1p1uoMoIbYWlPJnpBGvCCoe2fiaJl9InGgKLXBrTL84w5
tFJfC2gxy4uWBRQHujw3U0GPRb7BCevb8kfYePhnjlaD/2EKQeSNqH81nJPzm0Q=
=MasR
-----END PGP SIGNATURE-----

-------firegpg0710eqg2j410d98by2livyjc--


--===============1966690486==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

--===============1966690486==--

=========================================== AFTER MAILMAN:END


________
Love all, trust a few. Do wrong to none.
-- William Shakespeare
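
Added example, not part of the original post: a Python check that slices the signed part out of two raw copies of a message (as sent, and as delivered by the list) and reports whether they differ only by header folding, as with the Content-Type header in the dumps above. The sample messages are constructed and abridged from those dumps, and the function names are hypothetical.

```python
import re

BOUNDARY = "-----firegpg0710eqg2j410d98by2livyjc"   # outer boundary from the post
INNER = 'Content-Type: multipart/alternative; boundary="firegpg0710eqg2j410dlntbr800mza1"'
FOLDED = INNER.replace("; ", ";\n        ")          # the fold seen in the list copy

def signed_part(raw: bytes, boundary: str) -> bytes:
    """First part of a multipart/signed entity, sliced from the raw bytes.

    No MIME library is used to re-serialize, since that step may itself
    refold headers and hide the difference being looked for.
    """
    text = re.sub(rb"\r?\n", b"\r\n", raw)           # normalize line endings to CRLF
    delim = b"\r\n--" + boundary.encode("ascii") + b"\r\n"
    start = text.index(delim) + len(delim)
    return text[start:text.index(delim, start)]      # CRLF before the delimiter excluded

def collapse_folds(part: bytes) -> bytes:
    """Heuristic: replace each fold (CRLF + whitespace) in the part's headers with one space."""
    head, sep, body = part.partition(b"\r\n\r\n")
    return re.sub(rb"\r\n[ \t]+", b" ", head) + sep + body

def diagnose(before: bytes, after: bytes, boundary: str = BOUNDARY) -> str:
    """Classify how the signed bytes changed between two copies of a message."""
    a, b = signed_part(before, boundary), signed_part(after, boundary)
    if a == b:
        return "identical"
    if collapse_folds(a) == collapse_folds(b):
        return "header-refolded"
    return "content-changed"

def sample(inner_header: str, body: str = "constructed body") -> bytes:
    """Constructed, abridged message modelled on the dumps in the post."""
    lines = [
        'Content-Type: multipart/signed; boundary="%s"' % BOUNDARY, "",
        "This is an OpenPGP/MIME signed message (RFC 2440 and 3156)",
        "--" + BOUNDARY, inner_header, "",
        "--firegpg0710eqg2j410dlntbr800mza1",
        "Content-Type: text/plain; charset=UTF-8", "", body,
        "--firegpg0710eqg2j410dlntbr800mza1--", "",
        "--" + BOUNDARY, "Content-Type: application/pgp-signature", "",
        "(signature omitted)", "--" + BOUNDARY + "--", "",
    ]
    return "\n".join(lines).encode("ascii")

if __name__ == "__main__":
    print(diagnose(sample(INNER), sample(FOLDED)))   # header-refolded
```

A "header-refolded" result means the body survived intact and only the MIME headers inside the signed part were rewrapped in transit, which is still enough for verification to fail.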
