On 05/23/2013 12:56 PM, Andy Ruddock wrote:
> The message just sent to enigmail-users@enigmail.net didn't verify on
> my SeaMonkey/Enigmail Wheezy install.
> I see a mail with three attachments, one of which is signature.asc

yes, exactly. this is http://bugs.debian.org/679640 , which i am not sure how to fix. And it sounds like Patrick, while having gamely attempted one fix (very much appreciated!), does not want to spend more time trying to resolve it for the versions in debian wheezy.

As a workaround, you can try verifying the message by copying it to your "local folders" and viewing it from there.

i don't have enough insight as to how TB 10 changed its IMAP presentation layer to make it incompatible with the version of enigmail targeted at TB 10 to know how to resolve the issue myself, so i'd appreciate any help from folks who might understand the situation better than i would.

That said, the only affected message verifications are non-signed messages with a PGP/MIME-signed internal part, like so:

A└┬╴multipart/mixed
B ├┬╴multipart/signed
C │├─╴text/plain
D │└─╴application/pgp-signature attachment [signature.asc]
E └─╴text/plain inline

and only when these messages are viewed over IMAP -- NNTP and local folders do not appear to be affected.

You'll find these messages in the wild; they are produced by mailman when it forwards on a signed message and appends a message footer.

Arguably, verifying these nested signatures is itself a security liability that can lead to spoofed message verification UI (see the thread "enigmail verification problem with signed message/rfc822 subparts" on the enigmail list [0]), and thunderbird itself natively ignores similarly-structured embedded S/MIME message signatures.

For clarity: consider what happens when (using the above message A as an example) message part C is short, and message part E is quite long. Can the user distinguish which material was actually signed by the issuer of the signature in D without viewing the message source?

So in some sense, the version in wheezy is safer because in some circumstances it will refuse to show a message signature verification from a spoofed message that has a signed embedded part, while more recent versions will show the positive message verification UI. This is a pretty weak argument, though, since that verification UI will show anyway on the same message seen via Local Folders.

Anyway, i'm afraid the problem currently remains unresolved (in either direction).

Regards,

--dkg

[0] http://thread.gmane.org/gmane.comp.mozilla.enigmail.general/17707/focus=17839
_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
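The coverage question raised in the message above (which displayed parts does the signature in D actually cover?) can be answered mechanically from the MIME tree. The following is an added example, not code from the original post or from Enigmail; it uses Python's standard `email` package, and the sample message, the function name `signature_coverage` and the part-path numbering are constructed for illustration.

```python
from email import message_from_string

# Constructed sample with the A-E layout from the message (no real signature).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

short signed text
--inner
Content-Type: application/pgp-signature; name="signature.asc"

(constructed placeholder, not a real signature)
--inner--
--outer
Content-Type: text/plain

list footer appended after signing, not covered by the signature
--outer--
"""

def signature_coverage(msg):
    """Split displayed leaf parts into those under a multipart/signed and those not."""
    covered, uncovered = [], []

    def walk(part, path, signed):
        if not part.is_multipart():
            entry = (path, part.get_content_type(), len(part.get_payload()))
            (covered if signed else uncovered).append(entry)
            return
        is_signed = part.get_content_type() == "multipart/signed"
        for i, kid in enumerate(part.get_payload(), 1):
            if is_signed and i > 1:
                continue  # RFC 3156: second child is the signature, not content
            walk(kid, f"{path}.{i}", signed or is_signed)

    walk(msg, "1", False)
    return {
        "whole_message_signed": msg.get_content_type() == "multipart/signed",
        "covered": covered,      # (path, type, size) of signed leaf parts
        "uncovered": uncovered,  # leaf parts a reader sees but nobody signed
    }

REPORT = signature_coverage(message_from_string(SAMPLE))
if __name__ == "__main__":
    print(REPORT)
```

A non-empty `uncovered` list together with `whole_message_signed` being false is the case where a positive verification indicator would not apply to everything the reader sees.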