Re: [gpgtools-users] Need OpenPGP for Secure Private Instant Messaging
On Wed, 16 Feb 2011 22:05 -0800, "Curtis Ward" wrote: > I beg you for one now. You seem to be confused about security. Your stated needs for confidentiality conflict with your desire for an out-of-the-box solution. Do you realize that any phone manufacturer / mobile carrier can sell phones that can be remotely controlled? This risk exists even more for iOS than Android, since neither the operating system nor device specification are open for scrutiny. Even with a GPG-aware mail client someone could well monitor your key presses or screen remotely. In short, don't use your mobile phone directly for secure communication. The best you can get is tethering, ie connect your computer to a network using the mobile phone as a network interface. Then you can tunnel secure channels on top of this using your (presumably secure) computer. -- Raphael 'kena' Poss ___ gpgtools-users mailing list gpgtools-users@lists.gpgtools.org FAQ: http://www.gpgtools.org/faq.html Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users Unsubscribe: http://lists.gpgtools.org/mailman/options/gpgtools-users/arch...@mail-archive.com?unsub=Unsubscribe&unsubconfirm=1 This email sent to: arch...@mail-archive.com
Re: [gpgtools-users] Mail does not validate my own signatures
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Op 3 feb 2011, om 10:59 heeft Raphael 'kena' Poss het volgende geschreven: >> 2. Working?: someone else composes a mail -> signs it -> sends it -> you >> download this message -> you can validate it (e.g. this mail) > > This mail (PGP inline), yes. > > The other mail (OpenPGP), no. To clarify: if I leave the message on the server, then PGP inline works and OpenPGP does not. If I download the messages, then both signatures verify. At least for your example e-mails. - -- k -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: https://www.biglumber.com/x/web?pk=9B3290AB2972C92BBAFAB69C236E4E505024FAE3 iEYEAREDAAYFAk1KfN0ACgkQRoOteLWdVhqvtACfclqrLRfp4pQqFtUau9UC03DY 0gsAn0CSBU1OvaCe+IFGJdbDKNqdB7ng =Fiex -END PGP SIGNATURE- ___ gpgtools-users mailing list gpgtools-users@lists.gpgtools.org FAQ: http://www.gpgtools.org/faq.html Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users Unsubscribe: http://lists.gpgtools.org/mailman/options/gpgtools-users/arch...@mail-archive.com?unsub=Unsubscribe&unsubconfirm=1 This email sent to: arch...@mail-archive.com
Re: [gpgtools-users] Mail does not validate my own signatures
Op 3 feb 2011, om 10:21 heeft Alexander Willner het volgende geschreven: > So I guess the workflows are: > 1. Working: composing mail -> signing it -> sending it -> others can validate > it > 2. Working?: someone else composes a mail -> signs it -> sends it -> you > download this message -> you can validate it (e.g. this mail) This mail (PGP inline), yes. The other mail (OpenPGP), no. > 3. Problem: composing mail -> signing it -> sending it -> download your own > message -> you can validate it yes > > I case that (2) is working I cannot see why (3) doesn't. Assuming you're not > using any filters to modify your own mails I guess this might worth a bug > report to Apple. > > Btw: could you sign your reply once? sure. -- k PGP.sig Description: Dit deel van het bericht is digitaal ondertekend ___ gpgtools-users mailing list gpgtools-users@lists.gpgtools.org FAQ: http://www.gpgtools.org/faq.html Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users Unsubscribe: http://lists.gpgtools.org/mailman/options/gpgtools-users/arch...@mail-archive.com?unsub=Unsubscribe&unsubconfirm=1 This email sent to: arch...@mail-archive.com
Re: [gpgtools-users] Mail does not validate my own signatures
Hi again, I think I nailed this bug. Basically, Mail.app improperly changes the MIME content headers upon receiving from the mail server. In particular, the following in the signed message body: """ Content-Type: text/plain; charset=us-ascii """ gets changed to: """ Content-Type: text/plain; charset=us-ascii """ i.e. "charset=..." gets moved to the next line, with a TAB character. Since the signature was generated with the content-type header on a single line, this change invalidates the signature. I found this out by looking at the detailed log from GPGME, see the bottom of this mail for a copy. Basically this shows that the mail was generated/sent with the header on a single line, which I can also confirm by looking at the e-mail on the IMAP server directly (using a different client). Strangely when keeping the mails on the IMAP server, the header is modified on the local copy but not on the server. Thunderbird/Enigmail also leaves the header untouched, that's why the signature verifies with it. I checked with GPGMail disabled (not in the Bundles directory), and I see that Mail.app still breaks the content header with GPGMail disabled. So this behavior seems not specific to GPGMail. Now that said, I hear that some other people using Mail.app can actually validate my sigs. Is there a setting in Mail.app to prevent this handling of content headers? Also, could we work around this in GPGMail by trying (once) to re-format the content headers the first time signature verification fails? Thanks Output from GPGME: - Log data when generating the sig: GPGME 2011-02-03 03:17:53 <0x7fff7020eca0> _gpgme_io_write: check: 436f6e74656e742d 5472616e73666572 Content-Transfer GPGME 2011-02-03 03:17:53 <0x7fff7020eca0> _gpgme_io_write: check: 2d456e636f64696e 673a20376269740d -Encoding: 7bit. GPGME 2011-02-03 03:17:53 <0x7fff7020eca0> _gpgme_io_write: check: 0a436f6e74656e74 2d547970653a2074 .Content-Type: t GPGME 2011-02-03 03:17:53 <0x7fff7020eca0> _gpgme_io_write: check: 6578742f706c6169 6e3b206368617273 ext/plain; chars GPGME 2011-02-03 03:17:53 <0x7fff7020eca0> _gpgme_io_write: check: 65743d75732d6173 6369690d0a0d0a66 et=us-asciif GPGME 2011-02-03 03:17:53 <0x7fff7020eca0> _gpgme_io_write: check: 6f6f0d0a0d0a626c 61680d0a0d0a ooblah ... GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 2d2d2d2d2d424547 494e205047502053 -BEGIN PGP S GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 49474e4154555245 2d2d2d2d2d0a5665 IGNATURE-.Ve GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 7273696f6e3a2047 6e7550472f4d6163 rsion: GnuPG/Mac GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 475047322076322e 302e313720284461 GPG2 v2.0.17 (Da GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 7277696e290a436f 6d6d656e743a2068 rwin).Comment: h GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 747470733a2f2f77 2e6269676c75 ttps://www.biglu GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 6d6265722e636f6d 2f782f7765623f70 mber.com/x/web?p GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 6b3d394233323930 4142323937324339 k=9B3290AB2972C9 GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 3242424146414236 3943323336453445 2BBAFAB69C236E4E GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 3530353032344641 45330a0a69455945 505024FAE3..iEYE GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 4152454441415946 416b314b45466341 AREDAAYFAk1KEFcA GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 43676b51526f4f74 654c576456686f6b CgkQRoOteLWdVhok GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 55774366644f584e 4236347762745245 UwCfdOXNB64wbtRE GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 5070727043456767 557675460a663467 PprpCEggUvuF.f4g GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 416e5242444d4741 5271794743704731 AnRBDMGARqyGCpG1 GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 2b6e62546a495148 72493459530a3d52 +nbTjIQHrI4YS.=R GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 434e550a2d2d2d2d 2d454e4420504750 CNU.-END PGP GPGME 2011-02-03 03:17:59 <0x7fff7020eca0> _gpgme_io_read: check: 205349474e415455 52452d2d2d2d2d0a SIGNATURE-. - Log data when validating the sig: GPGME 2011-02-03 03:18:38 <0x7fff7020eca0> _gpgme_io_write: check: 2d2d2d2d2d424547 494e205047502053 -BEGIN PGP S GPGME 2011-02-03 03:18:38 <0x7fff7020eca0> _gpgme_io_write: check: 49474e4154555245 2d2d2d2d2d0d0a56 IGNATURE-..V GPGME 2011-02-03 03:18:38 <0x7fff7020eca0> _gpgme_io_write: check: 657273696f6e3a20 476e7550472f4d61 ersion: GnuPG/Ma GPGME 2011-02-03 03:18:38 <0x7fff7020eca0> _gpgme_io_write: check: 6347504732207632 2e302e3137202844 cGPG2 v2.0.17 (D GPGME 2
[gpgtools-users] Fwd: Mail does not validate my own signatures
to follow up to my own e-mail. I had a look at the source code for GPGMail and MacGPGME. I think I see that GPGMail will query gpg to identify the signature, then parse the line with the timestamp and extract the keyID from there. This is where my subkey story may play into the picture, since for my signatures command-line gpg says the following: gpg: Signature made do 3 feb 01:17:54 2011 CET using DSA key ID B59D561A gpg: using subkey B59D561A instead of primary key 5024FAE3 Is it possible that the wrong key ID is used to look up which key to use to check the signature? Also, I'm not sure whether this is a problem in GPGMail or GPGME. Who's responsible for GPGME? Begin forwarded message: > From: Raphael 'kena' Poss > Date: 3 februari 2011 01:34:29 GMT+01:00 > To: gpgtools-users@lists.gpgtools.org > Subject: Mail does not validate my own signatures > > Hi everyone, > > this is a problem that is plaguing me for a few years already. As the > attachments to this mail suggest, GPGMail does not seem to recognize my own > signatures (although it does validate valid signatures from others). Enigmail > has no problem. > > Does anyone have an idea about what is happening? > > This error happens whether I create the signature with GPGMail or with > Enigmail. I have reproduced this with the latest GPGTools distribution > (20110125) and without any interference from MacPorts: > > kena@Mu ~ % which gpg > /usr/local/bin/gpg > kena@Mu ~ % ls -l /usr/local/bin/gpg > lrwxr-xr-x 1 root wheel 19 27 dec 2009 /usr/local/bin/gpg@ -> > /usr/local/bin/gpg2 > kena@Mu ~ % ls -l /usr/local/bin/gpg2 > lrwxr-xr-x 1 root wheel 27 3 feb 01:04 /usr/local/bin/gpg2@ -> > /usr/local/MacGPG2/bin/gpg2 > kena@Mu ~ % gpg --version > gpg (GnuPG/MacGPG2) 2.0.17 > [...] > > > Is there anything I could do to debug the signature verification process? > (get more debug info from gpg?) > > As an information point, I use a subkey to sign, instead of the master key. > (This seems unusual in the PGP/GPG world but it works well and is the > recommended way to have an expiration date on the signing key.) I don't know > if this is relevant here. > > > Thanks in advance for any suggestion. > > -- k ___ gpgtools-users mailing list gpgtools-users@lists.gpgtools.org FAQ: http://www.gpgtools.org/faq.html Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users Unsubscribe: http://lists.gpgtools.org/mailman/options/gpgtools-users/arch...@mail-archive.com?unsub=Unsubscribe&unsubconfirm=1 This email sent to: arch...@mail-archive.com
