Hi David,

David J. Weller-Fahy wrote:
> I have not tried to modify the default algorithm yet (no time today
> other than the initial patch and install), however I have used the patch
> to sign emails to myself and others and compared the claimed algorithm
> used. Without the patch today's tip shows SHA-1 as the algorithm, with
> the patch the algorithm today's tip shows SHA-256 as the algorithm.

So far, I've defaulted $smime_sign_digest_alg to "sha256". I'll be glad to change that, but was just picking what I hoped was a reasonable value.

> Tomorrow (or Sunday) I'll take a look at the signatures in Thunderbird,
> and look at the extracted algorithms. I'll also try setting the digest
> algorithm manually tomorrow, and report back.
>
> Let me know if there are any other specific things I need to look for,
> other than mismatches.

Thank you for taking a look! I mostly wanted to make sure this patch fixed the problem and didn't cause any other issues.

I think the original reporter must have had a smime cert that specified sha256 as the default message digest algorithm. smime was then *generating* the signature using sha256, but the micalg parameter in the email header was hardcoded to say "sha1". Thunderbird apparently didn't like that and so was rejecting the signature.

This patch hopefully aligns the header with the actual digest algorithm, but requires updating $smime_sign_command to have a placeholder specifying the algorithm to use: "-md %d".

In any case, if you were able to just test the signatures with the patch to make sure Thunderbird and mutt were happy with them, that would be very helpful. If you were somehow able to replicate the original problem and see if the patch "fixed" it, that would be even better (but not required).

Thank you in any case!

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
http://www.8t8.us/configs/gpg-key-transition-statement.txt
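The mismatch described in the message above (a micalg header naming one digest while the signature was produced with another) can be checked mechanically when testing signed mail. The following is an added example, not part of the original message and not mutt's code; it assumes a detached application/pkcs7-signature part in definite-length DER, and the helper names and the sample message (a truncated SignedData skeleton) are constructed for illustration.

```python
import base64
from email import message_from_string
# DER-encoded digest OIDs -> micalg name with hyphens stripped
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",
               bytes.fromhex("608648016503040201"): "sha256"}

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the definite-length DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def signed_data_digests(der):
    """Names of the algorithms listed in SignedData.digestAlgorithms."""
    pos, _ = read_tlv(der, 0)      # ContentInfo SEQUENCE
    _, pos = read_tlv(der, pos)    # skip contentType OID
    pos, _ = read_tlv(der, pos)    # [0] EXPLICIT wrapper
    pos, _ = read_tlv(der, pos)    # SignedData SEQUENCE
    _, pos = read_tlv(der, pos)    # skip version INTEGER
    pos, end = read_tlv(der, pos)  # digestAlgorithms SET
    names = set()
    while pos < end:
        alg_start, pos = read_tlv(der, pos)  # one AlgorithmIdentifier
        oid = der[slice(*read_tlv(der, alg_start))]
        names.add(DIGEST_OIDS.get(oid, oid.hex()))
    return names

def micalg_matches(raw):
    """Return (claimed micalg, digests in the signature, whether they agree)."""
    msg = message_from_string(raw)
    claimed = (msg.get_param("micalg") or "").lower().replace("-", "")
    actual = signed_data_digests(msg.get_payload()[1].get_payload(decode=True))
    return claimed, actual, claimed in actual

def tlv(tag, body):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(body)]) + body

def sample_message(micalg, digest_oid_hex):
    """Constructed input: a truncated SignedData skeleton, not a valid signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(digest_oid_hex)) + b"\x05\x00")
    sd = tlv(0x30, b"\x02\x01\x01" + tlv(0x31, alg))
    ci = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, sd))
    return ('Content-Type: multipart/signed; micalg=' + micalg + ';'
            ' protocol="application/pkcs7-signature"; boundary="sample"\n\n'
            "--sample\nContent-Type: text/plain\n\nhello\n--sample\n"
            "Content-Type: application/pkcs7-signature\nContent-Transfer-Encoding: base64\n\n"
            + base64.b64encode(ci).decode() + "\n--sample--\n")
```

Calling micalg_matches(sample_message("sha1", "608648016503040201")) reproduces the reported condition: the header claims sha1 while the signature lists SHA-256.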
