netbsd-users: Re: corrupt pgp/mime sigs

Subject: Re: corrupt pgp/mime sigs
To: None <netbsd-users@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus20031210T121144@dailyplanet.dontspam.wsrcc.com>
List: netbsd-users
Date: 12/10/2003 12:25:57

<#secure method=pgpmime mode=sign>
christianbiere@gmx.de (Christian Biere) writes:
> Wolfgang S. Rupprecht wrote:
>> Are other folks seeing a message signature corruption too?
>
> No. IIRC, the author(s) of your software, Mailcrypt that is, don't
> agree with the rest of the world about how a signature should be
> attached to a mail. Therefore, it's incompatible with most other software
> which supports PGP.

Do you mean PGP/MIME vs PGP-style sigs?  I noticed that already.  The
fact that there are two incompatible "standards" is very annoying.
While Mailcrypt when used by itself is limited to PGP-style, when
using gnus it does (usually) decode and encode PGP/MIME.

The one thing I noticed about the messages that validate correctly is
they have a "Content-Type: multipart/signed; micalg=pgp-sha1;"
The ones that fail have a "Content-Type: multipart/signed; micalg=x-unknown;"

This is all fairly new to me and I'm not sure what the "micalq" is,
but if other folks can decode it, I guess gnus is screwing up.

> E.g., I cannot verify the validity of your mail
> signature as-is. (I'm not talking about clear signatures).

If it makes you feel better, neither could I validate my message
(although obviously it normally does validate correctly).  Whatever
lossage I was seeing cascaded to my message as well.

>> (I just started using automatic gnupg decoding with emacs/gnus.  It is
>> pretty slick, automatically fetching keys as needed.)
>
> Hopefully, it does differ between trusted and untrusted keys.

It does, but only if you use the expanded explanation.  If you use the
short form it only says "[[PGP Signed Part:OK]]".  FYI This is what it
showed for your message:

    [[PGP Signed Part:OK]
    gpg: Signature made Wed Dec 10 11:57:03 2003 PST using DSA key ID 7A3220C7
    gpg: Good signature from "Christian Biere <christianbiere@gmx.de>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: D952 6F9B 37E4 801A 5F9E  79AE D0A4 22C7 7A32 20C7
    ]

-wolfgang
-- 
Wolfgang S. Rupprecht 		     http://www.wsrcc.com/wolfgang/
       The above "From:" address is valid.  Don't mess with it.