Martin von Gagern added the comment:

Take the attached test5.eml. Run it through the following Python script:

import email
# Parse the message, then re-serialize it without the Unix "From " line.
with open("test5.eml") as f:
    print(email.message_from_file(f).as_string(False))

The result will have both instances of the X-Long-Line header rewrapped.
As the second instance is included in the digest calculation, the
signature verification will now fail.

This is a real-world signature algorithm, following RFC 3156 (if I
didn't make a mistake). If you have an OpenPGP-enabled mailreader (e.g.
Enigmail for Thunderbird) and have some way of injecting a mail as is
into your mail folders (e.g. a maildir-based server), then you can use
this setup to verify that the signature was correct in the first place
and is broken after parsing and reconstruction by Python.

If you don't have such a setup available, and you don't believe me that
rewrapping the header breaks the signature, then I could either devise
some unrealistic but easy-to-check signing process, or could try to get
this working with an S/MIME signature using an X.509 certificate. I
would rather avoid this, though.

_____________________________________
Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue1670765>
_____________________________________
--- Begin Message ---
This is the signed contents.

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
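The effect reported in the comment above, as an added example that is not part of the original post or of Python's email package: it hashes the exact bytes of the signed part before and after a header is folded, and offers a round-trip check to run against your own interpreter. Assumptions: the message, the boundary `sigbound` and the header value are constructed, SHA-256 stands in for the OpenPGP digest, and `rewrap` is a hypothetical 78-column folder imitating a re-serializer.

```python
import email
import hashlib

# Constructed sample shaped like the report's test5.eml: a multipart/signed
# message whose signed part carries a long, unfolded X-Long-Line header.
LONG = "X-Long-Line: " + " ".join("word%02d" % i for i in range(20))
RAW = "\r\n".join([
    'Content-Type: multipart/signed; protocol="application/pgp-signature";'
    ' boundary="sigbound"',
    "",
    "--sigbound",
    "Content-Type: text/plain",
    LONG,
    "",
    "This is the signed contents.",
    "--sigbound",
    "Content-Type: application/pgp-signature",
    "",
    "(placeholder, not a real signature)",
    "--sigbound--",
]).encode("ascii") + b"\r\n"

def signed_part(raw, boundary=b"sigbound"):
    """Exact bytes of the first body part, the input to the RFC 3156 digest."""
    delim = b"--" + boundary
    start = raw.index(delim + b"\r\n") + len(delim) + 2
    return raw[start:raw.index(b"\r\n" + delim, start)]

def rewrap(part, width=78):
    """Fold long header lines at whitespace (hypothetical re-serializer)."""
    head, sep, body = part.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        while len(line) > width and (cut := line.rfind(b" ", 1, width)) > 0:
            out.append(line[:cut])
            line = line[cut:]          # continuation keeps its leading space
        out.append(line)
    return b"\r\n".join(out) + sep + body

def digest(part):
    """SHA-256 over the part's bytes (assumed stand-in for the OpenPGP hash)."""
    return hashlib.sha256(part).hexdigest()

def roundtrip_keeps_signed_part(raw):
    """True if email's parse + re-serialize leaves the signed bytes unchanged."""
    out = email.message_from_bytes(raw).as_bytes()
    out = out.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")  # back to CRLF
    return signed_part(out) == signed_part(raw)
```

The folded header unfolds back to the original text, yet the digest differs, so a verifier has to be handed the part's original bytes rather than a re-serialized copy.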