[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Broken signature for DSA-2040-1

Francesco Poli <frx@firenze.linux.it> writes:

> The fact is that I didn't perform any pasting: even running "gpg
> --verify" directly on the message file fails (Sylpheed stores e-mail
> messages in MH format, hence each message is on a separate file).
> I received the message encoded as quoted-printable: maybe something in
> the middle performed some re-encoding, that broke the signature?

No, it's not broken.  But you need to decode the quoted-printable
content first and then verify.  I believe most(?) email clients do this.
At least Gnus does, and that's all I care about.

/tmp/x is the raw message with QP noise, as I assume Sylpheed stores it
(which makes sense):

bjorn@nemi:~$ egrep ^Subject /tmp/x
Subject: [DSA 2040-1] New squidguard packages fix several vulnerabilities
bjorn@nemi:~$ tail /tmp/x

To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.or=
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian=
Archive: http://lists.debian.org/20100502125652.GA3528@galadriel.inutil.o=

This fails:

bjorn@nemi:~$ gpg --verify /tmp/x
gpg: invalid dash escaped line: -\n
gpg: invalid dash escaped line: -\n
gpg: unexpected armor: ----------\n
gpg: unknown armor header: For apt-get: deb http://security.debian.org/ stable/updates main
gpg: unknown armor header: For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/upda=
gpg: invalid armor header: tes/main\n

But this works:

bjorn@nemi:~$ mimencode -u -q < /tmp/x|gpg --verify
gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
gpg: Good signature from "Moritz Muehlenhoff <jmm@debian.org>"
gpg:                 aka "Moritz Muehlenhoff <jmm@inutil.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CA4F D469 C047 165A 1A55  CCD7 5E6D EF1C 4E2E CA5A

...as expected.  Guess you need to report a bug against Sylpheed if it
attempts to verify the signature before decoding.


Reply to: