Re: Broken signature for DSA-2040-1

To: debian-security@lists.debian.org
Subject: Re: Broken signature for DSA-2040-1
From: Bjørn Mork <bjorn@mork.no>
Date: Mon, 03 May 2010 19:58:07 +0200
Message-id: <[🔎] 87fx28amvk.fsf@nemi.mork.no>
References: <[🔎] 20100502210646.60b4b162.frx@firenze.linux.it> <[🔎] 20100502191455.GA3656@roeckx.be> <[🔎] 20100502213231.fd28cb3c.frx@firenze.linux.it> <[🔎] 20100502224725.GA25142@frisco.mine.nu> <[🔎] 20100503193335.81468532.frx@firenze.linux.it>

Francesco Poli <frx@firenze.linux.it> writes:

> The fact is that I didn't perform any pasting: even running "gpg
> --verify" directly on the message file fails (Sylpheed stores e-mail
> messages in MH format, hence each message is on a separate file).
>
> I received the message encoded as quoted-printable: maybe something in
> the middle performed some re-encoding, that broke the signature?

No, it's not broken.  But you need to decode the quoted-printable
content first and then verify.  I believe most(?) email clients do this.
At least Gnus does, and that's all I care about.

/tmp/x is the raw message with QP noise, as I assume Sylpheed stores it
(which makes sense):

bjorn@nemi:~$ egrep ^Subject /tmp/x
Subject: [DSA 2040-1] New squidguard packages fix several vulnerabilities
bjorn@nemi:~$ tail /tmp/x

--=20
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.or=
g
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian=
.org
Archive: http://lists.debian.org/20100502125652.GA3528@galadriel.inutil.o=
rg

This fails:

bjorn@nemi:~$ gpg --verify /tmp/x
gpg: invalid dash escaped line: -\n
gpg: invalid dash escaped line: -\n
gpg: unexpected armor: ----------\n
gpg: unknown armor header: For apt-get: deb http://security.debian.org/ stable/updates main
gpg: unknown armor header: For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/upda=
gpg: invalid armor header: tes/main\n

But this works:

bjorn@nemi:~$ mimencode -u -q < /tmp/x|gpg --verify
gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
gpg: Good signature from "Moritz Muehlenhoff <jmm@debian.org>"
gpg:                 aka "Moritz Muehlenhoff <jmm@inutil.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CA4F D469 C047 165A 1A55  CCD7 5E6D EF1C 4E2E CA5A

...as expected.  Guess you need to report a bug against Sylpheed if it
attempts to verify the signature before decoding.

Bjørn

Reply to:

References:
- Broken signature for DSA-2040-1
  - From: Francesco Poli <frx@firenze.linux.it>
- Re: Broken signature for DSA-2040-1
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: Broken signature for DSA-2040-1
  - From: Francesco Poli <frx@firenze.linux.it>
- Re: Broken signature for DSA-2040-1
  - From: Sebastien Delafond <seb@debian.org>
- Re: Broken signature for DSA-2040-1
  - From: Francesco Poli <frx@firenze.linux.it>

Prev by Date: Re: Broken signature for DSA-2040-1
Next by Date: Upcoming etch point release
Previous by thread: Re: Broken signature for DSA-2040-1
Next by thread: Re: Broken signature for DSA-2040-1
Index(es):
- Date
- Thread