[Tickets #12142] Re: GPG signature verification broken
noreply at bugs.horde.org
Thu Mar 28 23:09:29 UTC 2013
Ticket URL: http://bugs.horde.org/ticket/12142
------------------------------------------------------------------------------
Ticket | 12142
Updated By | o+horde at immerda.ch
Summary | GPG signature verification broken
Queue | Horde Framework Packages
Version | Git master
Type | Bug
State | Feedback
Priority | 1. Low
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
o+horde at immerda.ch (2013-03-28 23:09) wrote:
> I can't reproduce. Signature verification works fine for me.
now i'm embarrassed. i can't either. sorry if i wasted your time!
>> this piece of code from line 287 to 299 looks really wrong to me,
>> since there should be 4 possible cases (mime: yes/no, stream: yes/no)
>> but the code has only 3 different execution paths.
>
> So? The one missing case is not used in the PGP code. So not sure
> what that has to do with this ticket.
ehm nothing, i was just guessing, since i didn't really understand the code...
so now there is only one special case, that is somewhat missing:
mails created with enigmail don't have a detached signature. so the
signature verification is done in Horde_Crypt_Pgp::_decryptMessage.
since in this method the pubkeyring consists only of my own pubkey, this
will always yield "Can't check signature: No public key" (opposed to
the detached signatures which are verified in
IMP_Crypt_Pgp::verifySignature which automatically tries to fetch the
correct key....)
(see Mime/Viewer/Pgp.php under /* Check for combined
encryption/signature data. */ for the beginning of this call path)
but i don't yet see an easy solution to this problem. because all the
signature logic is in the mime viewer, the key fetching logic is in
IMP_Crypt_Pgp and the decryption in Horde_Crypt_Pgp. the signature
keyid is in the encrypted container, so somehow you would need to
first decrypt it, then fetch the key, then decrypt it again, with the
fetched key in the keyring...
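
The two-pass flow described in the message above (decrypt, read the signer's key id, fetch the key, decrypt again) is sketched here as an added example; it is not part of the original post and not Horde code. It assumes gpg is run with `--status-fd` so its `[GNUPG:]` status lines can be parsed; `decrypt` and `fetch_key` are hypothetical callables, and the sample status text is constructed.

```python
# Added example (not Horde code). Assumes gpg is run with --status-fd so that
# "[GNUPG:]" status lines are available; decrypt() and fetch_key() are
# hypothetical callables supplied by the caller.
NOT_GOOD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Summarise gpg status lines from one decryption run."""
    st = {"decrypted": False, "good": [], "not_good": False, "missing": []}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "DECRYPTION_OKAY":
            st["decrypted"] = True
        elif keyword == "GOODSIG" and args:
            st["good"].append(args[0])
        elif keyword in NOT_GOOD:
            st["not_good"] = True
        elif keyword == "NO_PUBKEY" and args and args[0] not in st["missing"]:
            st["missing"].append(args[0])
    return st

def verdict(st):
    """Conservative result: any unverifiable signature wins over a good one."""
    if not st["decrypted"]:
        return "decryption failed"
    if st["not_good"] or st["missing"]:
        return "signature not verified"
    return "good signature" if st["good"] else "unsigned"

def decrypt_and_verify(decrypt, fetch_key):
    """decrypt() -> (plaintext, status_text); fetch_key(keyid) -> True if imported."""
    plaintext, status = decrypt()
    st = parse_status(status)
    # The signer's key id is only visible once the container is decrypted.
    # If gpg reported it as missing, fetch it and decrypt a second time.
    if st["decrypted"] and st["missing"] and all([fetch_key(k) for k in st["missing"]]):
        plaintext, status = decrypt()
        st = parse_status(status)
    return plaintext, verdict(st), st["good"]

# Constructed status output (key id and user id are made up).
FIRST_PASS = ("[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1364512169 9\n"
              "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
              "[GNUPG:] DECRYPTION_OKAY\n")
SECOND_PASS = ("[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
               "[GNUPG:] DECRYPTION_OKAY\n")
```

If the key cannot be fetched, the first-pass plaintext is still returned but the verdict stays "signature not verified", so a caller never presents unverified content as signed.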