Bad signatures, pgp and MIME
Howdy,
recent messages sent to debian-security-announce have shown that
there is some discrepancy in understanding how PGP/MIME works and
how people would think that it works.
The basic problem is that you can't split a pgp/mime signed message
into parts and then verify it. If you use Mutt for pgp-signing,
then after splitting the message with mutt or munpack you cannot
verify the parts.
One reason given for this was that the Content-type header needs
to be part of the split message.
People were asking for the relevant document describing this
MIME/PGP standard.
At least Mutt and premail understand this type of signature.
Regarding security advisories, we will skip this kind of signing,
although for a different reason. Signing the file before
sending it will enable you to fetch the advisory from the web
and verify the signature.
Regards,
Joey
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald E. Knuth
Please always Cc to me when replying to me on the lists.
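The point above about the Content-type header is the whole story: an RFC 3156 (PGP/MIME) signature covers the first body part as a complete MIME entity, headers and body, canonicalised with CRLF line endings. A splitter such as munpack writes only the decoded body to disk, so the bytes handed to the verifier are not the bytes that were signed. The following is an added example, not code from the original post or from Mutt, premail or munpack. It builds a multipart/signed message with Python's standard email module and checks the signature both over the intact entity and over the split-out body. An HMAC-SHA256 over the canonical part stands in for the OpenPGP detached signature so that it runs offline with no keys; the key, boundary and addresses are constructed values.

```python
"""RFC 3156 (PGP/MIME) signs the whole first body part: its MIME headers
(Content-Type, Content-Transfer-Encoding) plus its body, with CRLF line
endings.  Splitting the message into files, as munpack does, keeps only the
decoded body, so the bytes offered to the verifier are not the signed bytes.

Added example, not from the original post.  An HMAC-SHA256 over the
canonical part stands in for the OpenPGP detached signature so that the
script runs offline without keys; the MIME handling is the point.
"""
import hashlib
import hmac
from email import message_from_bytes, policy
from email.message import EmailMessage, MIMEPart

# Constructed stand-in for the sender's signing key (a real message carries an
# OpenPGP signature made with the sender's private key instead).
STANDIN_KEY = b"constructed-demo-key"
BOUNDARY = "constructed-boundary"  # constructed, fixed for reproducible output


def canonical_bytes(part) -> bytes:
    """Headers + body of one MIME entity with CRLF line endings.

    This is the data an RFC 3156 signature covers.  (The RFC additionally
    strips trailing whitespace from each line; omitted here for brevity.)
    """
    return part.as_bytes(policy=policy.SMTP)  # SMTP policy writes CRLF


def sign(data: bytes) -> str:
    """Detached 'signature' stand-in: HMAC-SHA256 hex digest of *data*."""
    return hmac.new(STANDIN_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    """Constant-time comparison of the recomputed stand-in signature."""
    return hmac.compare_digest(sign(data), signature)


def build_signed_message(text: str) -> EmailMessage:
    """Wrap *text* in a multipart/signed structure the way a PGP/MIME MUA does."""
    inner = MIMEPart(policy=policy.SMTP)
    inner.set_content(text)                # text/plain; charset="utf-8", 7bit

    # The signature is computed over headers + body of the inner part.
    sig_part = MIMEPart(policy=policy.SMTP)
    sig_part.set_content(sign(canonical_bytes(inner)).encode("ascii"),
                         maintype="application", subtype="pgp-signature",
                         cte="7bit")

    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "Sender <sender@example.invalid>"    # constructed addresses
    msg["To"] = "list@example.invalid"
    msg["Subject"] = "constructed sample advisory"
    msg.make_mixed(boundary=BOUNDARY)
    msg.set_type("multipart/signed")        # keeps the boundary parameter
    msg.set_param("protocol", "application/pgp-signature")
    msg.set_param("micalg", "pgp-sha256")
    msg.attach(inner)
    msg.attach(sig_part)
    return msg


def split_like_munpack(signed_part) -> bytes:
    """What a splitter writes to disk: the decoded body, MIME headers dropped."""
    return signed_part.get_content().encode("utf-8")


def demo() -> dict:
    """Verify the same signature against the intact entity and the split body."""
    raw = build_signed_message("Constructed advisory text.\n").as_bytes()
    parsed = message_from_bytes(raw, policy=policy.SMTP)   # the receiver's view
    signed_part, sig_part = parsed.iter_parts()
    signature = sig_part.get_content().decode("ascii").strip()
    entity = canonical_bytes(signed_part)
    return {
        # A PGP/MIME-aware reader verifies headers + body: succeeds.
        "intact_entity_verifies": verify(entity, signature),
        # A split-out body file lacks the signed Content-Type header: fails.
        "split_body_verifies": verify(split_like_munpack(signed_part), signature),
        # The header the post mentions really is inside the signed data.
        "content_type_is_signed": b"Content-Type: text/plain" in entity,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints that the intact entity verifies and the split body does not. That is exactly the failure described above: a verifier fed the body alone is not being given the signed data, so the signature is not "bad", the input is. Signing the advisory text itself before sending, as the post proposes for the announce list, avoids the problem because the signed object is then the file, not a MIME entity.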