[ale] testing firegpg with mailman

Tim Watts timtw at earthlink.net
Sun Nov 29 13:26:04 EST 2009


On Sun, 2009-11-29 at 10:47 -0500, Jeremy T. Bouse wrote:
> Somehow FireGPG is handling the issue the signatures still appear valid, I can
> only suppose it's noticing the MIME content headers have been reformatted
> and formats them back before verifying.
> 
Huh? Outside of brute force trial-and-error how would it know which
headers have been reformatted? There could be any number of wrapped
headers in the body part each having no indication of whether it was
wrapped before or after signature generation. It would have to try every
permutation of wrapped headers -- in total violation of treating the
body part as opaque. Not saying it's impossible. It just doesn't seem
like a reasonable thing to do given that they've made efforts to be RFC
compliant in other ways. Besides people /have/ observed that firegpg
also correctly identifies the invalid sigs.

(sorry. I'm grumpy this morning, er afternoon).


> > On Sat, Nov 28, 2009 at 3:18 PM, Michael H. Warfield <mhw at wittsend.com
> > <mailto:mhw at wittsend.com>> wrote:
> > 
> >     Jim,
> > 
> >     On Sat, 2009-11-28 at 14:23 -0500, Jim Kinney wrote:
> >     > OK. So Mailman is (maybe) munging the gpg signature. Fixing that will
> >     > be a challenge if it's caused by signing the wrong sections of the
> >     > message body.
> > 
> >     Something is not right here.  I run a mailman site supporting several
> >     dozen lists and multiple domains (IT-ISAC, ISAC Council, +++) and I
> >     don't see this problem.  We use gpg/pgp all the time on those lists.
> >     Furthermore, my own signatures through the ALE list seem to be coming
> >     through fine.
> > 
> >     Couple of years ago, I did run into a problem with MailScanner which
> >     Julian and I took a few days to shoot.  In that case, MailScanner was
> >     unpacking the mime and then repacking it (quoted printable in that case,
> >     I believe).  While the contents of the attachments remained unaltered,
> >     the encoding encapsulation changed (Mime is ambiguous on several points
> >     and sometimes MailTools or MimeTools will pack something
> >     differently than will Evolution or Thunderbird).  We had to stipulate
> >     something in MailScanner where the message was passed unmolested if
> >     nothing was found untoward in it, rather than repacking it and sending
> >     it on.
> > 
> >     There are a couple of MailScanner Mime settings that could impact this
> >     but I seriously doubt it.
> > 
> >     Try this for a test.  Send a message back to me and to the list.  Just a
> >     Reply-All should do just fine.  I can do a byte for byte, attachment for
> >     attachment comparison.  Make SURE <mhw at wittsend.com
> >     <mailto:mhw at wittsend.com>> is on the cc list,
> >     so I get a direct copy.  You should be able to verify my signatures on
> >     this message the same way.  Compare the results from the ALE relay to
> >     the direct message.
> > 
> >     Regards,
> >     Mike
> > 
> >     > What is needed now is to test a gpg signature sent from a plain text
> >     > (NOT from firegpg) email through mailman. It needs to be tested
> >     > through both firegpg and regular text email (anyone got a quick link
> >     > to gpg with mutt?).
> >     >
> >     > I sent myself a test message from firegpg to myself and NOT through
> >     > mailman. firegpg then reported it as a good signature. That leads me to
> >     > think the issue _is_ with mailman.
> >     >
> >     > oh joy. criticizing a gnu codebase ....
> >     >
> >     > On Sat, Nov 28, 2009 at 12:41 PM, Jeremy T. Bouse
> >     > <jeremy.bouse at undergrid.net <mailto:jeremy.bouse at undergrid.net>>
> >     wrote:
> >     >         jim.kinney at gmail.com <mailto:jim.kinney at gmail.com> wrote:
> >     >
> >     >         > This is a simple test of firegpg running on Fedora
> >     >         12/Firefox 3.5.5
> >     >         >
> >     >         > Please reply with good or bad signature status.
> >     >         >
> >     >
> >     >
> >     >         gpg command line and output:
> >     >         /usr/bin/gpg
> >     >         gpg: Signature made Sat 28 Nov 2009 11:04:06 AM EST using RSA
> >     >         key ID
> >     >         6A87D3C5
> >     >         gpg: BAD signature from "James P. Kinney III (Physicist,
> >     >         Brewer, Dad)
> >     >         <jimkinney at gmail.com <mailto:jimkinney at gmail.com>>"
> >     >
> >     > --
> >     > James P. Kinney III
> >     > Actively in pursuit of Life, Liberty and Happiness
> >     >
> >     --
> >     Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> >       /\/\|=mhw=|\/\/          | (678) 463-0932 |
> >      http://www.wittsend.com/mhw/
> >       NIC whois: MHW9          | An optimist believes we live in the
> >     best of all
> >      PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure
> >     of it!
> > 
> > -- 
> > James P. Kinney III
> > Actively in pursuit of Life, Liberty and Happiness        


________
Pray that your loneliness may spur you into finding something to live
for, great enough to die for.
-- Dag Hammarskjold

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20091129/f0450fa6/attachment.bin 
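The comparison test proposed in the quoted message (direct copy against the copy relayed by the list, byte for byte), as an added example that is not code from this thread: it pulls the signed body part out of each raw message without re-serialising it and reports the first line that differs. The two sample messages, their addresses and the boundary `b1` are constructed; the relayed copy differs only by one re-wrapped header inside the signed part.

```python
import hashlib
from email.parser import BytesHeaderParser
from itertools import zip_longest

def signed_part(raw: bytes) -> bytes:
    """Exact bytes of the first body part of a multipart/signed message."""
    top = BytesHeaderParser().parsebytes(raw)
    if top.get_content_type() != "multipart/signed" or not top.get_boundary():
        raise ValueError("not a multipart/signed message")
    # Compare on CRLF line endings regardless of how the copy was saved.
    canon = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    # The CRLF before a delimiter belongs to the delimiter (RFC 2046).
    pieces = canon.split(b"\r\n--" + top.get_boundary().encode("ascii"))
    if len(pieces) < 3:
        raise ValueError("signed part or signature part missing")
    # Drop the line break ending the delimiter line; the part's own MIME
    # headers stay in, untouched and unparsed, because they are signed too.
    return pieces[1].split(b"\r\n", 1)[1]

def first_difference(a: bytes, b: bytes):
    """(line number, line in a, line in b) of the first mismatch, or None."""
    pairs = zip_longest(a.split(b"\r\n"), b.split(b"\r\n"))
    for n, (x, y) in enumerate(pairs, start=1):
        if x != y:
            return n, x, y
    return None

# Constructed sample: the copy received directly from the sender.
DIRECT = (
    b"From: alice@example.org\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha1;\r\n"
    b"\tprotocol=\"application/pgp-signature\"; boundary=\"b1\"\r\n"
    b"\r\n--b1\r\n"
    b"Content-Type: text/plain; charset=\"us-ascii\"; format=flowed; delsp=yes\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n\r\n"
    b"test message\r\n--b1\r\n"
    b"Content-Type: application/pgp-signature\r\n\r\n"
    b"(constructed placeholder, not a real signature)\r\n--b1--\r\n"
)
# Constructed sample: same message after a relay re-wrapped one signed header.
RELAYED = DIRECT.replace(b"; format=flowed", b";\r\n\tformat=flowed")

if __name__ == "__main__":
    d, r = signed_part(DIRECT), signed_part(RELAYED)
    print("direct :", hashlib.sha256(d).hexdigest())
    print("relayed:", hashlib.sha256(r).hexdigest())
    print("first difference:", first_difference(d, r))
```

For real use, read each saved raw message in binary mode and pass the bytes to `signed_part`; a `None` from `first_difference` means the relay left the signed part intact.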

