On 24/09/16 03:45, [email protected] wrote:
> http://www.draketo.de/english/gnupg-attack
>
> This happened at an interesting point in time:
> The financial allocation poll was finished last Sunday and I wanted to publish
> the results - but the GPG signatures of at least 4 participants were invalid
> and I luckily was paranoid enough to postpone the publishing because of that.
>
> I had requested the contributors to re-sign the attachments with a detached
> signature, i.e. not embedded into the mail headers but a plain file attachment
> instead. I could validate 3 of the original attachments to not be tampered
> with. So likely the invalid sigs were due to bugs in the mailservers.
>
> Still, I am waiting for one signature of a core developer to be validated and 
> considering this event, I will not publish the results until I have a 
> validation.
> His case is also the most concerning one: The mail with the invalid signature 
> did NOT embed it into the mail headers but shipped it as a file attachment. 
> This should be much less likely to be a mailserver bug, so I'd really rather 
> wait for the participant to find time to give me a new sig. He's aware of it.
>
> As consequences, I would request the following:
>
> - I've seen invalid signatures on devl rather frequently in the past and
> shrugged it off because the contents were not security-critical discussion and
> mailservers frequently seem to damage the headers in a way which causes
> invalid sigs.
> Can any of our server admins reproduce this = is this a bug of our server, not
> my mail client? I had commented on the mails with invalid sigs at the
> "Financial allocation poll stage 3" thread.
> If yes, can you please investigate the reason? You could ask the senders of
> those mails for copies from their "Sent mail" dir and diff against what devl
> received.
> It would be good to fix this: Invalid signatures happening frequently teaches 
> people to ignore it.
>
> - Anyone who is not signing their mails yet should please start doing so.
> The same applies to Git commits.

I thought these were generally caused by configuration errors, with GPG
getting confused due to the hash algorithm configured in the local
config being different to that in the (older) key?

Attachment: signature.asc
Description: OpenPGP digital signature
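
The check suggested in the quoted mail (diff the sender's "Sent mail" copy against what the list delivered), as an added example that is not part of the original thread. It assumes PGP/MIME (RFC 3156) messages; the function names, both sample messages and the two alterations shown are constructed for illustration and are not findings about the devl server.

```python
import difflib
from email import message_from_bytes

def signed_part(raw: bytes) -> bytes:
    """Bytes a PGP/MIME signature covers: the first part of multipart/signed."""
    msg = message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or boundary is None:
        raise ValueError("not a multipart/signed message")
    delim = b"\r\n--" + boundary.encode("ascii")
    # Signatures are computed over CRLF text, so normalise line endings first.
    text = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    chunks = text.split(delim)  # [headers, signed part, signature part, ...]
    if len(chunks) < 3:
        raise ValueError("signed part or signature part missing")
    # The CRLF before a delimiter belongs to the delimiter, not to the part;
    # also drop the remainder of the opening delimiter line.
    return chunks[1].split(b"\r\n", 1)[1]

def diff_signed(sent: bytes, received: bytes) -> list[str]:
    """Changed lines of the signed part, as repr() so whitespace is visible."""
    a = [repr(l) for l in signed_part(sent).split(b"\r\n")]
    b = [repr(l) for l in signed_part(received).split(b"\r\n")]
    diff = difflib.unified_diff(a, b, "sent", "received", n=0, lineterm="")
    return [d for d in diff
            if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]

# Constructed sample: the copy from the sender's "Sent mail" folder.
SENT = (b"From: alice@example.org\r\n"
        b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
        b' protocol="application/pgp-signature"; boundary="b1"\r\n'
        b"\r\n--b1\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
        b"My vote is attached.\r\n"
        b"From now on I sign everything.\r\n"
        b"-- \r\nAlice\r\n"
        b"--b1\r\n"
        b"Content-Type: application/pgp-signature; name=signature.asc\r\n\r\n"
        b"(constructed placeholder, not a real signature)\r\n"
        b"--b1--\r\n")
# Constructed sample: a hypothetical delivery path that escapes a "From " line,
# strips trailing whitespace and appends a list footer after the last boundary.
RECEIVED = (SENT.replace(b"\r\n", b"\n")
            .replace(b"\nFrom now", b"\n>From now")
            .replace(b"-- \n", b"--\n") + b"____\nDevl mailing list\n")

if __name__ == "__main__":
    print("\n".join(diff_signed(SENT, RECEIVED)))
```

The footer appended after the closing boundary does not appear in the output because it lies outside the signed part; only the two rewritten body lines do, and either one is enough to make verification fail.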

_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
