http://www.draketo.de/english/gnupg-attack

This happened at an interesting point in time:
The financial allocation poll was finished last Sunday and I wanted to publish 
the results - but the GPG signatures of at least 4 participants were invalid 
and I luckily was paranoid enough to postpone the publishing because of that.

I had requested the contributors to re-sign the attachments with a detached 
signature, i.e. not embedded into the mail headers but a plain file attachment 
instead. I could validate 3 of the original attachments to not be tampered 
with. So likely the invalid sigs were due to bugs in the mailservers.

Still, I am waiting for one signature of a core developer to be validated and 
considering this event, I will not publish the results until I have a 
validation.
His case is also the most concerning one: The mail with the invalid signature 
did NOT embed it into the mail headers but shipped it as a file attachment. 
This should be much less likely to be a mailserver bug, so I'd really rather 
wait for the participant to find time to give me a new sig. He's aware of it.

As consequences, I would request the following:

- I've seen invalid signatures on devl rather frequently in the past and 
shrugged it off because the contents were not security-critical discussion and 
mailservers frequently seem to damage the headers in a way which causes 
invalid sigs.
Can any of our server admins reproduce this = is this a bug of our server, not 
my mail client? I had commented on the mails with invalid sigs at the 
"Financial allocation poll stage 3" thread.
If yes, can you please investigate the reason? You could ask the senders of 
those mails for copies from their "Sent mail" dir and diff against what devl 
received.
It would be good to fix this: Invalid signatures happening frequently teaches 
people to ignore it.

- Anyone who is not signing their mails yet should please start doing so.
The same applies to Git commits.

--
hopstolive  (keyword for Ian's spam filter)

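The "diff the Sent-mail copy against what devl received" triage suggested above, as an added example that is not part of the original post: it separates headers from body, reports whether only the headers changed, whether the body differs only in line endings or trailing whitespace (the transport damage that usually explains an invalid signature), or whether the signed content itself was altered. The sample messages are constructed for illustration.

```python
import difflib
from typing import List, Tuple

# Constructed samples: the sender's "Sent mail" copy and the list's delivered copy.
# The list tagged the Subject, added a header, and converted CRLF to LF while
# stripping trailing spaces; the signed content is unchanged.
SENT = (b"Subject: Financial allocation poll stage 3\r\n"
        b"\r\nVote: option B\r\nSigned by me  \r\n")
RECEIVED = (b"Subject: [devl] Financial allocation poll stage 3\n"
            b"X-BeenThere: devl\n\nVote: option B\nSigned by me\n")
TAMPERED = RECEIVED.replace(b"option B", b"option C")


def split_message(raw: bytes) -> Tuple[bytes, bytes]:
    """Split an RFC 5322 message into (headers, body) at the first blank line."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx], raw[idx + len(sep):]
    return raw, b""


def canonical_lines(body: bytes) -> List[bytes]:
    """Normalise line endings and drop trailing whitespace per line: the two
    changes mail transports most often make to a body in flight."""
    text = body.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return [line.rstrip(b" \t") for line in text.split(b"\n")]


def classify(sent: bytes, received: bytes) -> Tuple[str, List[str]]:
    """Return a verdict and, for real content changes, a unified diff of the
    canonicalised bodies so the changed lines can be inspected."""
    sent_hdr, sent_body = split_message(sent)
    recv_hdr, recv_body = split_message(received)
    if sent_body == recv_body:
        # A detached signature over the body should still verify here.
        return ("identical" if sent_hdr == recv_hdr else "headers-changed-only"), []
    s_lines, r_lines = canonical_lines(sent_body), canonical_lines(recv_body)
    if s_lines == r_lines:
        return "whitespace-or-line-ending-only", []
    diff = difflib.unified_diff(
        [l.decode("utf-8", "replace") for l in s_lines],
        [l.decode("utf-8", "replace") for l in r_lines],
        "sent", "received", lineterm="")
    return "content-changed", list(diff)


if __name__ == "__main__":
    for name, copy in (("received", RECEIVED), ("tampered", TAMPERED)):
        verdict, diff = classify(SENT, copy)
        print(name, "->", verdict)
        print("\n".join(diff))
```

A "whitespace-or-line-ending-only" verdict points at the mail path (and at re-signing with a detached signature over the attachment, as the post requests); "content-changed" means the delivered bytes are not what was signed and the diff deserves a close look.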

_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
