Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?
On Saturday 22 Mar 2003 6:36 am, Martin Schulze wrote:
> Nick Boyce wrote :
>
> > I get a bad signature reported by Kmail on this announcement.
> > Saving the message out to a text file and verifying manually also
> > fails :
>
> Ditch KMail, it is a permanent source of problems when it comes to
> digital signatures.
Jeez .. that's disturbing to hear ..
> Also read http://www.debian.org/security/faq#signature
OK - thanks for the pointer - I just read that page and am now
enlightened :)
1) The following is good to know :
"The debian-security-announce list has a filter that
only allows messages with a correct signature from
one of the security team members to be posted."
2) but this bit is not :
"Most likely some piece of mail software on your
end ... breaks the signature.
Known culprits are fetchmail (with the mimedecode
option enabled), formail (from procmail 3.14 only)
and evolution."
(and Kmail it seems)
It seems to me we have a biggish problem with some major mail clients
here - we should not just live with this situation.
I'm particularly bemused by the way Kmail handles your signatures fine
for me, for all other DSAs from you that I've ever received - and also
handles other people's signatures without apparent problem - and yet it
screwed this one up.
An even more disturbing thought is that in contrast to rejecting
signatures that are in fact good, Kmail may validate signatures that
are in fact bad ...
> Feel free to fetch the message from the list archives on the
> web and verify that one instead of the local copy.
I did that, and, as you suggest, it verifies ok; I selected all text on
http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00048.html
and saved it to a file using Kate, and manually ran gpg :
nick@glimmer:~$ gpg --verify DSA-265-1-3.txt
gpg: Signature made Fri 21 Mar 2003 14:01:16 GMT using DSA key ID 801EA932
gpg: Good signature from "Martin Schulze <joey@debian.org>"
gpg:                 aka "Martin Schulze <joey@infodrom.north.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B53F E57B D0C1 F689 FCE2 5623 5B9A A5F8 801E A932
Thanks for calming me down again :-)
Cheers
Nick Boyce
Bristol, UK
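The thread above turns on which mail-client transformations break a clearsigned announcement and which do not. The script below is an added illustration, not part of the original mail or of any Debian tooling: it implements the RFC 4880 cleartext canonicalisation that gpg applies before hashing (undo dash-escaping, strip trailing spaces and tabs, join lines with CRLF) and runs it over a constructed, placeholder-signed advisory after a few simulated client manglings. The digest it computes is over the canonical text only; a real OpenPGP signature hash also covers a signature trailer, so this is a diagnostic for "did the signed bytes change", not a replacement for gpg --verify. The sample message, the signature placeholder and the mangling functions are all constructed here.

```python
import hashlib

# Constructed sample clearsigned message in the style of a DSA mail.
# The signature armor body is a placeholder, not a real signature.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 000-0 (constructed example)
- --------------------------------------------------------------------------

Package: example  
Vulnerability: placeholder
A line carrying an =3D quoted-printable escaped equals sign
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

placeholder-signature-data
-----END PGP SIGNATURE-----
"""

SIGNED_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_MARKER = "-----BEGIN PGP SIGNATURE-----"


def extract_cleartext(message: str) -> str:
    """Return the dash-escaped text between the 'Hash:' header block and the
    signature armor. Markers are matched after stripping so padded lines
    (a common client mangling) are still recognised."""
    lines = message.splitlines()
    stripped = [line.strip() for line in lines]
    if SIGNED_MARKER not in stripped or SIG_MARKER not in stripped:
        raise ValueError("not a clearsigned message")
    start = stripped.index(SIGNED_MARKER)
    sig = stripped.index(SIG_MARKER)
    # Skip the armor headers up to and including the first blank line.
    i = start + 1
    while i < sig and stripped[i] != "":
        i += 1
    return "\n".join(lines[i + 1:sig])


def canonicalize(text: str) -> bytes:
    """RFC 4880 section 7.1 cleartext canonical form: remove the '- ' dash
    escape, drop trailing spaces/tabs on every line, and use CRLF line
    endings. The line break just before the signature armor is not signed,
    so the result carries no trailing CRLF."""
    out = []
    for line in text.splitlines():
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    return "\r\n".join(out).encode("utf-8")


def signed_digest(message: str) -> str:
    """SHA-1 of the canonical signed text (the 'Hash: SHA1' of the sample)."""
    return hashlib.sha1(canonicalize(extract_cleartext(message))).hexdigest()


# Simulated mail-client manglings (constructed for the demonstration).
def mangle_pad_lines(message: str) -> str:
    """Client appends whitespace to every non-empty line."""
    return "\n".join(line + " \t" if line else line
                     for line in message.split("\n"))


def mangle_crlf(message: str) -> str:
    """Client rewrites LF line endings as CRLF."""
    return message.replace("\n", "\r\n")


def mangle_qp_decode(message: str) -> str:
    """fetchmail-style mimedecode pass: quoted-printable '=3D' becomes '='."""
    return message.replace("=3D", "=")


def survives(mangler) -> bool:
    """True if the mangled message still canonicalises to the signed bytes."""
    return signed_digest(mangler(SAMPLE)) == signed_digest(SAMPLE)


if __name__ == "__main__":
    for name, fn in [("pad lines", mangle_pad_lines),
                     ("CRLF endings", mangle_crlf),
                     ("QP decode", mangle_qp_decode)]:
        print(f"{name:13s} -> {'signature survives' if survives(fn) else 'signature BROKEN'}")
```

Whitespace padding and line-ending changes are absorbed by canonicalisation, which is why most clients verify most announcements. Anything that rewrites the bytes of a line, such as decoding quoted-printable or re-wrapping, changes the hashed text and yields the "bad signature" seen in the thread; the fix is to verify the unmodified copy, as the list archive allows.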