Broken signature for DSA-2040-1

Broken signature for DSA-2040-1

Francesco Poli (t1000)
Hi,
I received DSA-2040-1 and verified its GPG signature, as I always do.
I found out that I am unable to correctly verify the signature.

I got confirmation that I am not the only one who sees this issue with
DSA-2040-1: see the following thread on [hidden email]
for further details
http://lists.debian.org/debian-security-tracker/2010/05/msg00000.html

What went wrong?
Did the quoted-printable encoding mess up with the signature?


P.S.: please Cc: me on replies, as I am not subscribed to
[hidden email]

--
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

Re: Broken signature for DSA-2040-1

Kurt Roeckx
On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
> Hi,
> I received DSA-2040-1 and verified its GPG signature, as I always do.
> I found out that I am unable to correctly verify the signature.

Works for me:
gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
gpg: Good signature from "Moritz Muehlenhoff <[hidden email]>"
gpg:                 aka "Moritz Muehlenhoff <[hidden email]>"


Kurt


Re: Broken signature for DSA-2040-1

Francesco Poli (t1000)
On Sun, 2 May 2010 21:14:55 +0200 Kurt Roeckx wrote:

> On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
> > Hi,
> > I received DSA-2040-1 and verified its GPG signature, as I always do.
> > I found out that I am unable to correctly verify the signature.
>
> Works for me:
> gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
> gpg: Good signature from "Moritz Muehlenhoff <[hidden email]>"
> gpg:                 aka "Moritz Muehlenhoff <[hidden email]>"
>
>
Thanks for checking, Kurt.

Could it be a Sylpheed bug?

Is there a way to download the DSA in mbox format (just like I can
download bug reports with "querybts -m"), so that I can report the bug
against package sylpheed?


--
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

Re: Broken signature for DSA-2040-1

Joey Schulze
In reply to this post by Kurt Roeckx
Kurt Roeckx wrote:
> On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
> > Hi,
> > I received DSA-2040-1 and verified its GPG signature, as I always do.
> > I found out that I am unable to correctly verify the signature.
>
> Works for me:
> gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
> gpg: Good signature from "Moritz Muehlenhoff <[hidden email]>"
> gpg:                 aka "Moritz Muehlenhoff <[hidden email]>"

Without a working signature the mail wouldn't be transported through
debian-security-announce.  A valid security team member's signature is
required.

Regards,

        Joey

--
Beware of bugs in the above code; I have only proved it correct,
not tried it.  -- Donald E. Knuth


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: http://lists.debian.org/20100502194941.GB31750@...

Re: Broken signature for DSA-2040-1

Sébastien Delafond-2
In reply to this post by Francesco Poli (t1000)
On May/02, Francesco Poli wrote:
> Could it be a Sylpheed bug?

We've narrowed it down to an encoding issue: the original DSA email was
sent as ISO-8859-1, and mutt was able to verify it just fine; however,
on a system using UTF-8, any kind of pasting of the original text will
produce a file that gpg does not verify: that'll teach me to include the
"é" in my firstname instead of a plain "e" ;)

Cheers,

--Seb

Re: Broken signature for DSA-2040-1

Francesco Poli (t1000)
On Mon, 3 May 2010 00:47:25 +0200 Sebastien Delafond wrote:

> On May/02, Francesco Poli wrote:
> > Could it be a Sylpheed bug?
>
> We've narrowed it down to an encoding issue: the original DSA email was
> sent as ISO-8859-1, and mutt was able to verify it just fine; however,
> on a system using UTF-8, any kind of pasting of the original text will
> produce a file that gpg does not verify:

The fact is that I didn't perform any pasting: even running "gpg
--verify" directly on the message file fails (Sylpheed stores e-mail
messages in MH format, hence each message is on a separate file).

I received the message encoded as quoted-printable: maybe something in
the middle performed some re-encoding, that broke the signature?

However, that does not explain why Mutt is able to correctly verify
the signature...
Damn Mutt, always one step beyond!  ;-)

> that'll teach me to include the
> "é" in my firstname instead of a plain "e" ;)

Wouldn't we be better off using PGP/MIME signed messages (RFC 2015)
in order to avoid encoding issues?
As far as I've heard, clear-signed e-mail messages are deprecated precisely
because of this kind of signature breakage, due to possible re-encoding.

Any thoughts?


--
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

Re: Broken signature for DSA-2040-1

Bjørn Mork
Francesco Poli <[hidden email]> writes:

> The fact is that I didn't perform any pasting: even running "gpg
> --verify" directly on the message file fails (Sylpheed stores e-mail
> messages in MH format, hence each message is on a separate file).
>
> I received the message encoded as quoted-printable: maybe something in
> the middle performed some re-encoding, that broke the signature?

No, it's not broken.  But you need to decode the quoted-printable
content first and then verify.  I believe most(?) email clients do this.
At least Gnus does, and that's all I care about.


/tmp/x is the raw message with QP noise, as I assume Sylpheed stores it
(which makes sense):

bjorn@nemi:~$ egrep ^Subject /tmp/x
Subject: [DSA 2040-1] New squidguard packages fix several vulnerabilities
bjorn@nemi:~$ tail /tmp/x

--=20
To UNSUBSCRIBE, email to [hidden email]=
g
with a subject of "unsubscribe". Trouble? Contact [hidden email]=
.org
Archive: http://lists.debian.org/20100502125652.GA3528@...=
rg



This fails:

bjorn@nemi:~$ gpg --verify /tmp/x
gpg: invalid dash escaped line: -\n
gpg: invalid dash escaped line: -\n
gpg: unexpected armor: ----------\n
gpg: unknown armor header: For apt-get: deb http://security.debian.org/ stable/updates main
gpg: unknown armor header: For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/upda=
gpg: invalid armor header: tes/main\n


But this works:

bjorn@nemi:~$ mimencode -u -q < /tmp/x|gpg --verify
gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
gpg: Good signature from "Moritz Muehlenhoff <[hidden email]>"
gpg:                 aka "Moritz Muehlenhoff <[hidden email]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CA4F D469 C047 165A 1A55  CCD7 5E6D EF1C 4E2E CA5A



...as expected.  Guess you need to report a bug against Sylpheed if it
attempts to verify the signature before decoding.



Bjørn


--
Archive: http://lists.debian.org/87fx28amvk.fsf@...
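The two findings in this thread (Sébastien's: transcoding the ISO-8859-1 text to UTF-8 changes the signed bytes; Bjørn's: the quoted-printable body must be decoded per its Content-Transfer-Encoding before gpg sees it) can be shown without any keys by comparing what an OpenPGP implementation would actually hash. The script below is an added example, not code from the thread or from Debian: it builds a constructed ISO-8859-1, quoted-printable mail around a clear-signed body with a placeholder signature block, then applies the clear-signed text canonicalisation from RFC 4880 section 7.1 (dash-escapes removed, trailing whitespace stripped, CRLF line endings, no line ending before the signature armor) to the raw stored body, to the CTE-decoded body, and to the decoded body re-encoded as UTF-8. The sample text, headers and addresses are all constructed; no cryptographic verification is performed.

```python
"""Why a clear-signed advisory fails to verify until the mail is decoded.

Constructed example (not from the thread): compare the OpenPGP canonical
form of the signed text under three treatments of the same mail.
"""
import email
import quopri

# Constructed stand-in for the text the advisory author signed.  The "é"
# is one byte in ISO-8859-1 and two in UTF-8, which is exactly why pasting
# the text in a UTF-8 terminal breaks the signature.  The last line carries
# trailing spaces so that quoted-printable has to encode one of them as =20.
SIGNED_TEXT = (
    "Debian Security Advisory (constructed sample)\n"
    "----------------------------------------------------------\n"
    "For apt-get: deb http://security.debian.org/ stable/updates main\n"
    "For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\n"
    "Signed by Sébastien (sample)   \n"
)


def build_clearsigned_mail(text: str) -> bytes:
    """Frame TEXT as a clear-signed message (placeholder signature block),
    dash-escape lines starting with '-' as RFC 4880 7.1 requires, and send it
    as quoted-printable ISO-8859-1, the way the list delivered DSA-2040-1."""
    escaped = "\n".join(
        ("- " + line if line.startswith("-") else line) for line in text.split("\n")
    )
    body = (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
        + escaped
        + "-----BEGIN PGP SIGNATURE-----\n"
        "Version: GnuPG (placeholder)\n\n"
        "PLACEHOLDER-SIGNATURE-DATA\n"
        "-----END PGP SIGNATURE-----\n"
    )
    headers = (
        "From: announce (constructed sample) <announce@example.invalid>\n"
        "Subject: [DSA NNNN-1] constructed sample\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=iso-8859-1\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
    )
    # quopri.encodestring encodes the 0xE9 byte as =E9, encodes a trailing
    # space as =20 and inserts "=\n" soft line breaks past 76 columns.
    return headers.encode("ascii") + quopri.encodestring(body.encode("iso-8859-1"))


def canonical_signed_text(body: bytes) -> bytes:
    """Return the bytes an OpenPGP implementation hashes for a clear-signed body
    (RFC 4880 7.1): armor headers skipped, dash-escapes removed, trailing spaces
    and tabs stripped, CRLF line endings, and no line ending before the
    signature armor.  (The real signature hash also covers a trailer; that part
    does not depend on the text and is left out here.)"""
    lines = [l.rstrip(b"\r") for l in body.split(b"\n")]
    start = lines.index(b"-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index(b"-----BEGIN PGP SIGNATURE-----")
    i = start + 1
    while i < end and lines[i] != b"":      # skip "Hash: ..." up to the blank line
        i += 1
    out = []
    for line in lines[i + 1:end]:
        if line.startswith(b"- "):
            line = line[2:]
        out.append(line.rstrip(b" \t"))
    return b"\r\n".join(out)


def reference_canonical(text: str, charset: str) -> bytes:
    """Canonical form of the text as the signer's software saw it."""
    lines = text.encode(charset).split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(l.rstrip(b" \t") for l in lines)


def compare_treatments(raw_mail: bytes) -> dict:
    """Which treatment of the stored mail yields the bytes that were signed?"""
    msg = email.message_from_bytes(raw_mail)
    charset = msg.get_content_charset()                  # "iso-8859-1"
    raw_body = raw_mail.split(b"\n\n", 1)[1]             # body exactly as stored on disk
    decoded = msg.get_payload(decode=True)               # Content-Transfer-Encoding undone
    transcoded = decoded.decode(charset).encode("utf-8") # what pasting into UTF-8 does
    reference = reference_canonical(SIGNED_TEXT, "iso-8859-1")
    return {
        "raw_qp_as_stored": canonical_signed_text(raw_body) == reference,
        "cte_decoded": canonical_signed_text(decoded) == reference,
        "pasted_as_utf8": canonical_signed_text(transcoded) == reference,
    }


if __name__ == "__main__":
    for treatment, matches in compare_treatments(build_clearsigned_mail(SIGNED_TEXT)).items():
        print(f"{treatment:18s} signed bytes intact: {matches}")
```

Only the CTE-decoded treatment reproduces the signed bytes: the raw quoted-printable body still carries `=E9`, `=20` and `=` soft line breaks (the same artefacts behind the "invalid dash escaped line" and "invalid armor header" complaints quoted above), and the UTF-8 transcoded copy differs at the "é". A client that hands the undecoded file to gpg, as Bjørn suspects Sylpheed does, therefore cannot verify it, while `mimencode -u -q` or any client that applies the Content-Transfer-Encoding first will.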