[Tickets #12142] Re: GPG signature verification broken

noreply at bugs.horde.org noreply at bugs.horde.org
Thu Apr 4 12:17:37 UTC 2013



Ticket URL: http://bugs.horde.org/ticket/12142
------------------------------------------------------------------------------
  Ticket             | 12142
  Updated By         | o+horde at immerda.ch
  Summary            | GPG signature verification broken
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Bug
  State              | Feedback
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


o+horde at immerda.ch (2013-04-04 12:17) wrote:

>> mails created with enigmail don't have a detached signature. so the
>> signature verification is done in Horde_Crypt_Pgp::_decryptMessage.
>> since in this method the pubkeyring consists only my own pubkey, this
>> will always yield "Can't check signature: No public key" (opposed to
>> the detached signatures which are verified in
>> IMP_Crypt_Pgp::verifySignature which automatically tries to fetch the
>> correct key....)
>
> I am not following.  Signed messages can be sent in one of three ways:
>
> 1) As PGP armored text (handled in Plain viewer).
> 2) multipart/signed w/ application/pgp-signature (handled in PGP viewer).
> 3) Encrypted + signed message -- multipart/encrypted (handled in PGP
> viewer).  There are actually 2 types here (encrypted with embedded
> signed part AND encrypted+signed).  Both are handled by the PGP
> viewer.
>
> Not sure which one is not being handled properly for you.

It's about case 3:
* When there is a pgp-encrypted part which contains both an encrypted
packet and a signature packet, the signature is only verified in
Horde_Crypt_Pgp::_decryptMessage, which does not fetch the key from a
keyserver.
* Whereas when the encrypted part contains a message with a detached
signature, it is verified in the viewer, and the key is properly
fetched.

For the two cases see http://www.ietf.org/rfc/rfc2015.txt section 6.2 vs. 6.1
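The two layouts the reporter distinguishes are easy to confuse once a multipart/encrypted part has been decrypted. The following Python sketch, added here as an illustration and not code from Horde or from the ticket, shows how a verifier can tell the RFC 2015 6.1 case (a multipart/signed body with a detached signature comes out of decryption) from the 6.2 case (the signature lives inside the OpenPGP packet stream, so gpg reports it while decrypting), and how it can read the gpg `--status-fd` lines so that a `NO_PUBKEY` result in the combined case triggers a key fetch and retry instead of a silent "Can't check signature". The decrypted bodies, status output and key IDs are constructed sample values; the trust handling follows gpg's standard `TRUST_*` status lines.

```python
from email import message_from_string

# Constructed sample: what a multipart/encrypted part expands to after
# decryption in the RFC 2015 section 6.1 ("encapsulated") layout.
DECRYPTED_ENCAPSULATED = """\
Content-Type: multipart/signed; boundary="sig"; micalg=pgp-sha256;
 protocol="application/pgp-signature"

--sig
Content-Type: text/plain

hello
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(signature bytes omitted in this constructed sample)
-----END PGP SIGNATURE-----
--sig--
"""

# Constructed sample: the RFC 2015 section 6.2 ("combined") layout. The
# signature was part of the OpenPGP message, so only plain content remains.
DECRYPTED_COMBINED = """\
Content-Type: text/plain

hello
"""

# Constructed gpg --status-fd output; key IDs are placeholders, not real keys.
STATUS_NO_PUBKEY = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1365077857 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

STATUS_GOODSIG_UNTRUSTED = """\
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG FEDCBA9876543210 Example User <user@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def rfc2015_layout(decrypted: str) -> str:
    """Classify the decrypted body: 'encapsulated' (6.1) or 'combined' (6.2)."""
    msg = message_from_string(decrypted)
    if msg.get_content_type() == "multipart/signed":
        return "encapsulated"
    return "combined"


def parse_status(status: str) -> dict:
    """Collect the signature-related keywords from gpg --status-fd output."""
    result = {"goodsig": [], "badsig": [], "no_pubkey": [], "trust": None}
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword == "GOODSIG":
            result["goodsig"].append(parts[2])
        elif keyword == "BADSIG":
            result["badsig"].append(parts[2])
        elif keyword == "NO_PUBKEY":
            result["no_pubkey"].append(parts[2])
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword
    return result


def plan_verification(decrypted: str, status: str) -> dict:
    """Decide how the signature on a decrypted part has to be verified.

    Encapsulated bodies carry a detached signature that the caller verifies
    separately (the path that already fetches missing keys). Combined bodies
    were verified by gpg during decryption, so the status output is the only
    evidence; a NO_PUBKEY there means: fetch the key, then decrypt again.
    """
    layout = rfc2015_layout(decrypted)
    if layout == "encapsulated":
        return {"layout": layout, "action": "verify-detached-signature",
                "fetch_keys": [], "trust": None}
    st = parse_status(status)
    if st["badsig"]:
        return {"layout": layout, "action": "bad-signature",
                "fetch_keys": [], "trust": st["trust"]}
    if st["goodsig"]:
        # A fetched key gives GOODSIG but usually TRUST_UNDEFINED: surface it.
        return {"layout": layout, "action": "signature-verified",
                "fetch_keys": [], "trust": st["trust"]}
    if st["no_pubkey"]:
        return {"layout": layout, "action": "fetch-key-then-retry",
                "fetch_keys": st["no_pubkey"], "trust": None}
    return {"layout": layout, "action": "no-signature",
            "fetch_keys": [], "trust": None}


if __name__ == "__main__":
    print(plan_verification(DECRYPTED_ENCAPSULATED, STATUS_NO_PUBKEY))
    print(plan_verification(DECRYPTED_COMBINED, STATUS_NO_PUBKEY))
    print(plan_verification(DECRYPTED_COMBINED, STATUS_GOODSIG_UNTRUSTED))
```

The point of the third case is that fetching a key only removes the "No public key" error; the `TRUST_*` line still tells the caller that the signer is unverified, and a UI should show that distinction rather than collapsing a good-but-untrusted signature into a green check.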
