On Thu, Jun 01, 2017 at 08:48:34AM +0200, Matthias Apitz wrote:

Hello,

When I send signed mails to me with the MUA mutt (just for test) the
received mail is verified fine in mutt, i.e. it says in mutt:

   [-- Begin signature information --]
   Good signature from: Matthias Apitz (GnuPG CCID) <g...@unixarea.de>
           created: Wed May 31 21:40:19 2017
   [-- End signature information --]

   [-- The following data is signed --]

   hello


   [-- End of signed data --]

but when I save the signature part into a file 'signature.asc' and the
ASCII content of the mail as a file 'data' from the menu in mutt:

q:Exit  s:Save  |:Pipe  p:Print  ?:Help
 I     1 <no description>          [text/plain, 7bit, utf-8, 0.1K]
 I     2 signature.asc             [applica/pgp-signat, 7bit, 0.8K]

and run:

$ gpg2 --verify signature.asc data
gpg: Signature made Wed May 31 21:40:19 2017 CEST
gpg:                using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
gpg: BAD signature from "Matthias Apitz (GnuPG CCID) <g...@unixarea.de>" [ultimate]

it says 'BAD signature'.

Why does the file 'data' have a BAD signature? After saving it from the
above menu in mutt, the file 'data' just contains:

$ cat data
hello

$ od -c data
0000000    h   e   l   l   o  \n  \n
0000007

I dug into this by trussing the mutt-gpg2 process chain, and it turned out
that the net data which mutt verifies is:

$ od -c data.asc
0000000    C   o   n   t   e   n   t   -   T   y   p   e   :       t   e
0000020    x   t   /   p   l   a   i   n   ;       c   h   a   r   s   e
0000040    t   =   u   t   f   -   8  \r  \n   C   o   n   t   e   n   t
0000060    -   D   i   s   p   o   s   i   t   i   o   n   :       i   n
0000100    l   i   n   e  \r  \n  \r  \n   h   e   l   l   o  \r  \n  \r
0000120   \n
0000121

i.e. it also contains some mail header lines about the content and charset,
and especially \r\n line terminators. If I modify the file to this, it is fine:

$ gpg2 --verify signature.asc data.asc
gpg: Signature made Wed May 31 21:40:19 2017 CEST
gpg:                using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
gpg: Good signature from "Matthias Apitz (GnuPG CCID) <g...@unixarea.de>" [ultimate]

Is this the correct way for mutt to sign such mail bodies?

This is "PGP-MIME" format, as refined in
<https://tools.ietf.org/html/rfc3156>. Section 5 of that clearly states:

  The multipart/signed body MUST consist of exactly two parts.  The
  first part contains the signed data in MIME canonical format,
  including a set of appropriate content headers describing the data.

  The second body MUST contain the OpenPGP digital signature.  It MUST
  be labeled with a content type of "application/pgp-signature".

So, the MUA must convert the message body to MIME format (with the right
line endings, with any Base64 or Quoted Printable encoding applied) and
add the Content-Type header BEFORE signing the message. Similarly, the
MUA must verify the signature BEFORE parsing the body's header for how
to decode the message for display/saving.

To re-iterate, when you save the message body, mutt strips the header
and decodes the file (imagine if this was a binary attachment in Base64
encoding; you DO want mutt to reconstruct it back into binary form).
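As an added illustration (not code from this thread, from mutt or from GnuPG), the following Python script rebuilds the canonical signed bytes described above from the body mutt saved: it prepends the part's content headers and converts line endings to CRLF, which is exactly what the `od -c data.asc` dump shows. The file names are assumptions, and it covers only a 7bit text part; a Base64 or quoted-printable part would first have to be put back into its transfer-encoded form.

```python
import sys

# Content headers of the signed text/plain part, copied from the od(1)
# dump in the thread.  Every header the MUA put into the part must be
# listed here, in the same order, or the hash will not match.
PART_HEADERS = [
    ("Content-Type", "text/plain; charset=utf-8"),
    ("Content-Disposition", "inline"),
]


def canonicalize_signed_part(headers, body):
    """Rebuild the RFC 3156 canonical form of a multipart/signed first part.

    headers: list of (name, value) content headers of the part.
    body:    the decoded body as saved by the MUA (LF line endings).
    Returns the bytes the signer hashed: the content headers, an empty
    line, then the body, every line terminated by CRLF.
    """
    head = "".join(f"{name}: {value}\r\n" for name, value in headers)
    # Fold any CRLF back to LF first so an already-canonical body is not
    # turned into CR CR LF, then emit CRLF for every line break.
    lines = body.replace("\r\n", "\n").split("\n")
    return (head + "\r\n" + "\r\n".join(lines)).encode("utf-8")


def rebuild(saved_path="data", out_path="data.asc", headers=PART_HEADERS):
    """Read the body mutt saved and write the canonical bytes next to it.

    Returns the number of bytes written (81 == 0o121 for the thread's 'data').
    """
    # newline="" keeps whatever line endings are in the file untranslated.
    with open(saved_path, "r", encoding="utf-8", newline="") as fh:
        body = fh.read()
    canonical = canonicalize_signed_part(headers, body)
    with open(out_path, "wb") as fh:
        fh.write(canonical)
    return len(canonical)


if __name__ == "__main__":
    # Usage: python3 rebuild_signed_part.py [data] [data.asc]
    # then:  gpg2 --verify signature.asc data.asc
    written = rebuild(*sys.argv[1:3])
    print(f"wrote {written} bytes of canonical signed data")
```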

        matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


--
For more information, please reread.
