Francesco Poli <f...@firenze.linux.it> writes: > The fact is that I didn't perform any pasting: even running "gpg > --verify" directly on the message file fails (Sylpheed stores e-mail > messages in MH format, hence each message is on a separate file). > > I received the message encoded as quoted-printable: maybe something in > the middle performed some re-encoding, that broke the signature?
No, it's not broken. But you need to decode the quoted-printable content first and then verify. I believe most(?) email clients do this. At least Gnus does, and that's all I care about. /tmp/x is the raw message with QP noise, as I assume Sylpheed stores it (which makes sense): bj...@nemi:~$ egrep ^Subject /tmp/x Subject: [DSA 2040-1] New squidguard packages fix several vulnerabilities bj...@nemi:~$ tail /tmp/x --=20 To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.or= g with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian= .org Archive: http://lists.debian.org/20100502125652.ga3...@galadriel.inutil.o= rg This fails: bj...@nemi:~$ gpg --verify /tmp/x gpg: invalid dash escaped line: -\n gpg: invalid dash escaped line: -\n gpg: unexpected armor: ----------\n gpg: unknown armor header: For apt-get: deb http://security.debian.org/ stable/updates main gpg: unknown armor header: For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/upda= gpg: invalid armor header: tes/main\n But this works: bj...@nemi:~$ mimencode -u -q < /tmp/x|gpg --verify gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A gpg: Good signature from "Moritz Muehlenhoff <j...@debian.org>" gpg: aka "Moritz Muehlenhoff <j...@inutil.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: CA4F D469 C047 165A 1A55 CCD7 5E6D EF1C 4E2E CA5A ...as expected. Guess you need to report a bug against Sylpheed if it attempts to verify the signature before decoding. Bjørn -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87fx28amvk....@nemi.mork.no
