[imp] Bad gpg signatures - solved

Chris Hastie lists at oak-wood.co.uk
Sun Mar 16 15:24:23 PST 2003


On Sun, 16 Mar 2003, Rick Emery <rick at emery.homelinux.net> wrote
>Quoting Rick Emery <rick at emery.homelinux.net>:
>
>> Reviewing past messages revealed that MailScanner was adding its signature at
>> the end of the first part (with the original message), which I think was
>> messing up the signature. I'd like to email the author(s) of MailScanner, but
>> I'm not really sure how to describe this problem.
>
>I'm working with the MailScanner author(s) to fix this problem. Does anybody
>know how/where MailMan (the mailing list software) attaches its signature? It
>appears after the PGP SIGNATURE, but doesn't seem to be in a separate part.
>

Rick

That depends on the nature of the signed message. Possibly
significantly, I notice in your last reply to my post you quote the part
of my message that describes the non-standard but common plain ASCII
signatures, and then you describe a message formatted using PGP MIME (as
per RFC 3156 / 2015).

If the message is sent plain ASCII with embedded signature, from a MIME
point of view it is a simple Content-Type: text/plain message, and the
disclaimer can just be added to the end. This is beyond the part of the
message which the signature was calculated on, so it does not create a
problem.

If the message uses PGP MIME then Mailman must create a new MIME part.
In fact, it appears that what it does is to wrap the whole message up in
a multipart/mixed MIME structure, something like this (with a couple of
extra '#' to escape the PGP stuff):

Original message
================

Content-Type: multipart/signed; boundary="boundary1";
        protocol="application/pgp-signature"; micalg="pgp-sha1"

--boundary1
Content-Type: text/plain; charset="ISO-8859-1"

This is the messages
--boundary1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

Signature string
-----END PGP SIGNATURE-----
--boundary1--

New Message
===========

Content-Type: multipart/mixed; boundary="boundary2"

--boundary2
Content-Type: multipart/signed; boundary="boundary1";
        protocol="application/pgp-signature"; micalg="pgp-sha1"

--boundary1
Content-Type: text/plain; charset="ISO-8859-1"

This is the messages
--boundary1
Content-Type: application/pgp-signature

#-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

Signature string
#-----END PGP SIGNATURE-----
--boundary1--

--boundary2
Content-type: text/plain

Mailman footer goes here.
--boundary2--


The trouble is that as your MIME structures get more complex, the number
of MUAs that actually deal with them correctly gets smaller. This, I
suspect, is why MailScanner is tacking stuff on the end of existing MIME
parts, which is actually rather more difficult to do.

That said, your main problem is with certain M$ MUAs, and they just
don't cope with PGP MIME anyway so it doesn't really matter provided
that this method of dealing with messages is restricted to PGP signed
messages. But then there's S/MIME...

Basically, what it comes down to is that messing with messages in
transit is not a good idea. If you must, put it in the headers, not in
the message body. Or accept that sometimes it's all going to go wrong!
-- 
Chris Hastie
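
Added example, not part of the original post and not Mailman or MailScanner code: it compares the two footer strategies described above by hashing the first part of the multipart/signed entity, as a stand-in for the data a PGP/MIME signature covers. The sample message, the footer text and the helper names are constructed for illustration.

```python
import email
import hashlib

# Constructed sample in the layout the post describes (not a real signature).
SIGNED = (
    'Content-Type: multipart/signed; boundary="boundary1";\n'
    '        protocol="application/pgp-signature"; micalg="pgp-sha1"\n'
    '\n'
    '--boundary1\n'
    'Content-Type: text/plain; charset="ISO-8859-1"\n'
    '\n'
    'This is the message\n'
    '--boundary1\n'
    'Content-Type: application/pgp-signature\n'
    '\n'
    '(detached signature placeholder)\n'
    '--boundary1--\n'
)
FOOTER = "Mailing list footer goes here.\n"


def signed_digest(raw):
    """SHA-256 over the first part of the multipart/signed entity, headers
    included: a stand-in for the data a PGP/MIME signature covers."""
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() == "multipart/signed":
            delim = "\n--" + part.get_boundary()
            # Slice the raw text so re-serialisation cannot alter it.
            first = raw.split(delim + "\n", 1)[1].split(delim, 1)[0]
            return hashlib.sha256(first.encode("latin-1")).hexdigest()
    return None


def wrap_in_mixed(raw, footer):
    """Footer as a new sibling part; the signed entity is left untouched."""
    return ('Content-Type: multipart/mixed; boundary="boundary2"\n\n'
            '--boundary2\n' + raw + '\n--boundary2\n'
            'Content-Type: text/plain\n\n' + footer + '--boundary2--\n')


def append_to_first_part(raw, footer, boundary="boundary1"):
    """Footer tacked onto the end of the existing first (signed) part."""
    delim = "\n--" + boundary + "\n"
    start = raw.index(delim) + len(delim)
    end = raw.index(delim, start)  # delimiter that closes the first part
    return raw[:end] + "\n" + footer.rstrip("\n") + raw[end:]
```

Wrapping leaves the digest of the signed part unchanged, while appending inside the first part changes it, which is the condition under which a verifier reports a bad signature.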

