Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?

To: debian-security@lists.debian.org
Cc: joey@debian.org
Subject: Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?
From: Nick Boyce <nick@glimmer.demon.co.uk>
Date: Sun, 23 Mar 2003 14:34:00 +0000
Message-id: <[🔎] 200303231434.00871.nick@glimmer.demon.co.uk>
In-reply-to: <[🔎] 20030322063638.GI19644@finlandia.infodrom.north.de>
References: <m18wN5A-000u8tC@finlandia.Infodrom.North.DE> <[🔎] 200303220413.01902.nick@glimmer.demon.co.uk> <[🔎] 20030322063638.GI19644@finlandia.infodrom.north.de>

On Saturday 22 Mar 2003 6:36 am, Martin Schulze wrote:

> Nick Boyce wrote :
>
> > I get a bad signature reported by Kmail on this announcement.
> >  Saving the message out to a text file and verifying manually also
> > fails :
>
> Ditch KMail, it is a permanent source of problems when it comes to
> digital signatures.

Jeez .. that's disturbing to hear ..

> Also read http://www.debian.org/security/faq#signature

OK - thanks for the pointer - I just read that page and am now 
enlightened :)  

1)  The following is good to know :

   "The debian-security-announce list has a filter that 
   only allows messages with a correct signature from 
   one of the security team members to be posted."

2)  but this bit is not :

   "Most likely some piece of mail software on your 
   end ... breaks the signature. 
   Known culprits are fetchmail (with the mimedecode 
   option enabled), formail (from procmail 3.14 only) 
   and evolution."

   (and Kmail it seems)

It seems to me we have a biggish problem with some major mail clients 
here - we should not just live with this situation.  

I'm particularly bemused by the way Kmail handles your signatures fine 
for me, for all other DSA's from you that I've ever received - and also 
handles other people's signatures without apparent problem - and yet it 
screwed this one up.

An even more disturbing thought is that in contrast to rejecting 
signatures that are in fact good, Kmail may validate signatures that 
are in fact bad ...

> Feel free to fetch the message from the list archives on the
> web and verify that one instead of the local copy.

I did that, and, as you suggest, it verifies ok;  I selected all text on 
http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00048.html 
and saved it to a file using Kate, and manually ran gpg :

nick@glimmer:~$ gpg --verify DSA-265-1-3.txt
gpg: Signature made Fri 21 Mar 2003 14:01:16 GMT using DSA key ID 
801EA932
gpg: Good signature from "Martin Schulze <joey@debian.org>"
gpg:                 aka "Martin Schulze <joey@infodrom.north.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the 
owner.
Primary key fingerprint: B53F E57B D0C1 F689 FCE2  5623 5B9A A5F8 801E 
A932

Thanks for calming me down again :-)

Cheers
Nick Boyce
Bristol, UK

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?
  - From: Peter Cordes <peter@llama.nslug.ns.ca>

References:
- Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?
  - From: Nick Boyce <nick@glimmer.demon.co.uk>
- Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?
  - From: Martin Schulze <joey@infodrom.org>

Prev by Date: Re: PTRACE Fixed?
Next by Date: Re: [despammed] ptrace
Previous by thread: Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?
Next by thread: Re: [SECURITY] [DSA 265-1] -- BAD SIGNATURE !?
Index(es):
- Date
- Thread