Hi Guys
Steve tells me that he had a problem with my last email to the list (Re: Rural Broadband). He got a bad signature from GPG.
In a follow up exchange off list Steve said:
"Here's what gpg says:
---
$ gpg -v --verify signature.asc msg
gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux)
gpg: Signature made Tue 19 Jan 2016 14:04:01 GMT using RSA key ID 5BADD312
gpg: using PGP trust model
gpg: BAD signature from "Mick Morgan (Mick's new 4096 bit key) mick@rlogin.net" [unknown]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
--"
I've been using this key since the middle of 2012. I have also been using claws (with PGP/MIME enabled) as my MUA for ages. There seem to be a couple of reasons why GPG should complain. The most obvious is that the email has been changed after signature. Paranoia aside, this can easily happen if the MUA (at either end?) changes the mail by wrapping at a particular line length. Another possible reason is that my signature key length (4096 bits) is too long for the recipient's system to handle correctly.
But as I say, I have been using the current key for nearly four years now, so my question is, has anyone else seen this problem with my signature? And does anyone know what may be going on here?
Cheers
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
---------------------------------------------------------------------
On Tue, Jan 19, 2016 at 04:37:11PM +0000, mick wrote:
Steve tells me that he had a problem with my last email to the list (Re: Rural Broadband). He got a bad signature from GPG.
In a follow up exchange off list Steve said:
"Here's what gpg says:
$ gpg -v --verify signature.asc msg
gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux)
gpg: Signature made Tue 19 Jan 2016 14:04:01 GMT using RSA key ID 5BADD312
gpg: using PGP trust model
gpg: BAD signature from "Mick Morgan (Mick's new 4096 bit key) mick@rlogin.net" [unknown]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
--"
I've been using this key since the middle of 2012. I have also been using claws (with PGP/MIME enabled) as my MUA for ages. There seem to be a couple of reasons why GPG should complain. The most obvious is that the email has been changed after signature. Paranoia aside, this can easily happen if the MUA (at either end?) changes the mail by wrapping at a particular line length. Another possible reason is that my signature key length (4096 bits) is too long for the recipient's system to handle correctly.
But as I say, I have been using the current key for nearly four years now, so my question is, has anyone else seen this problem with my signature? And does anyone know what may be going on here?
It validates fine for me here (mutt/gpg on Debian 8.2 [jessie]).
J.
On 19/01, Jonathan McDowell wrote:
It validates fine for me here (mutt/gpg on Debian 8.2 [jessie]).
Hmm I must have asploded my mutt set up.
I have mails in my Trash folder from Mick from February and earlier that validate correctly but later mails don't. I'll have a poke around and post back if I figure out what's up.
Steve
On 19/01, Steve Engledow wrote:
I'll have a poke around and post back if I figure out what's up.
Well, thanks to Noodles for figuring out what it was.
Way back when Terry Pratchett went and popped his clogs, I jumped on the bandwagon of [adding Clacks headers](http://www.gnuterrypratchett.com/) to my outgoing mail.
Unfortunately, the instructions at http://www.gnuterrypratchett.com/#postfix mean that the X-Clacks-Overhead header gets added even to incoming messages and even to the headers of individual parts of MIME messages. This means postfix was modifying the message on the way in and the signature was then invalid.
Unfortunately, I can't find a good way to get postfix to insert a header just on the way out and just in one place so I'll have to drop that for now. Or maybe just get mutt to do it for me.
Steve
On Wed, 20 Jan 2016 12:44:28 +0000 Steve Engledow steve@offend.me.uk allegedly wrote:
On 19/01, Steve Engledow wrote:
I'll have a poke around and post back if I figure out what's up.
Well, thanks to Noodles for figuring out what it was.
Way back when Terry Pratchett went and popped his clogs, I jumped on the bandwagon of [adding Clacks headers](http://www.gnuterrypratchett.com/) to my outgoing mail.
Steve
Glad you found out what was wrong - but I can't see your X-Header.
(I did much the same thing as you by adding the X-Clacks-Overhead header to the webserver on my blog. All my HTTP responses include that header. :-) You may also find Adrian Kennard's draft RFC for explicit padding of Ethernet Packets at http://www.me.uk/draft-kennard-padding.txt amusing.)
Mick
On Wed, 2016-01-20 at 14:41 +0000, mick wrote:
(I did much the same thing as you by adding the X-Clacks-Overhead header to the webserver on my blog. All my HTTP responses include that header. :-) You may also find Adrian Kennard's draft RFC for explicit padding of Ethernet Packets at http://www.me.uk/draft-kennard-padding.txt amusing.)
I do, and thank you for pointing it out.
On Tue, 19 Jan 2016 16:51:11 +0000 Jonathan McDowell noodles@earth.li allegedly wrote:
On Tue, Jan 19, 2016 at 04:37:11PM +0000, mick wrote:
Steve tells me that he had a problem with my last email to the list (Re: Rural Broadband). He got a bad signature from GPG.
But as I say, I have been using the current key for nearly four years now, so my question is, has anyone else seen this problem with my signature? And does anyone know what may be going on here?
It validates fine for me here (mutt/gpg on Debian 8.2 [jessie]).
Jonathan
Many thanks for checking. Good to know it isn't universally broken.
Mick
On 19 January 2016 at 16:37, mick mbm@rlogin.net wrote:
$ gpg -v --verify signature.asc msg
gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux)
gpg: Signature made Tue 19 Jan 2016 14:04:01 GMT using RSA key ID 5BADD312
gpg: using PGP trust model
gpg: BAD signature from "Mick Morgan (Mick's new 4096 bit key) mick@rlogin.net" [unknown]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
--"
I get something similar after importing your key from the keyserver:
gpg -v --verify signature.asc text.txt
gpg: armour header: Version: GnuPG v2.0.22 (GNU/Linux)
gpg: Signature made Tue 19 Jan 2016 16:37:11 GMT using RSA key ID 5BADD312
gpg: using classic trust model
gpg: BAD signature from "Mick Morgan (Mick's new 4096 bit key) mick@rlogin.net"
gpg: textmode signature, digest algorithm SHA256
But of course, I'm taking a risk of sounding like a moron; how much of your email do I need to trim (from gmail show original saved to a file) or copy / paste from the webmail in order to get something that can be fed to gpg?
Regards, Srdjan
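Which bytes a PGP/MIME signature actually covers matters both for the question above (how much of the raw message to feed to gpg) and for the postfix header insertion found earlier in the thread. The following is an added example, not code from any poster: the sample message, the boundary `sig-b` and the function names are constructed, and a SHA-256 digest of the signed bytes stands in for real signature verification.

```python
import hashlib
import re

CRLF = b"\r\n"
CLACKS = b"X-Clacks-Overhead: GNU Terry Pratchett"
# Constructed sample: minimal multipart/signed mail, placeholder signature.
SAMPLE = b"""From: alice@example.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig-b"

--sig-b
Content-Type: text/plain; charset=us-ascii

Hello list.
--sig-b
Content-Type: application/pgp-signature

(placeholder, not a real signature)
--sig-b--
"""

def _boundary(raw: bytes) -> bytes:
    m = re.search(rb'boundary="?([^";\r\n]+)', raw, re.I)
    if b"multipart/signed" not in raw.lower() or not m:
        raise ValueError("not a multipart/signed message")
    return b"--" + m.group(1)

def split_signed(raw: bytes):
    """Return (signed bytes, signature part) of a raw multipart/signed mail."""
    # Covered: the first part's MIME headers, blank line and body, CRLF endings.
    # Not covered: top-level mail headers, the CRLF before the next boundary.
    raw = re.sub(rb"\r?\n", CRLF, raw)
    body = raw.partition(CRLF + CRLF)[2]
    chunks = (CRLF + body).split(CRLF + _boundary(raw))
    if len(chunks) < 4:  # preamble, signed part, signature part, closing "--"
        raise ValueError("expected a signed part and a signature part")
    return chunks[1][2:], chunks[2][2:]

def digest(raw: bytes) -> str:
    # Stand-in for verification: if these bytes change, the signature is BAD.
    return hashlib.sha256(split_signed(raw)[0]).hexdigest()

def add_header_everywhere(raw: bytes, header: bytes = CLACKS) -> bytes:
    """Simulate an MTA rule adding a header to the mail and to every MIME part."""
    raw = re.sub(rb"\r?\n", CRLF, raw)
    delim = _boundary(raw) + CRLF
    return header + CRLF + raw.replace(delim, delim + header + CRLF)
```

A header added only to the top-level mail headers leaves the digest unchanged, while the same header inserted into the signed part's own MIME headers changes it. The first value returned by `split_signed`, written to a file byte for byte, is the data that goes with the detached signature in `gpg --verify signature.asc msg`.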
On Tue, 19 Jan 2016 16:58:06 +0000 Srdjan Todorovic todorovic.s@googlemail.com allegedly wrote:
I get something similar after importing your key from the keyserver:
gpg -v --verify signature.asc text.txt
gpg: armour header: Version: GnuPG v2.0.22 (GNU/Linux)
gpg: Signature made Tue 19 Jan 2016 16:37:11 GMT using RSA key ID 5BADD312
gpg: using classic trust model
gpg: BAD signature from "Mick Morgan (Mick's new 4096 bit key) mick@rlogin.net"
gpg: textmode signature, digest algorithm SHA256
But of course, I'm taking a risk of sounding like a moron; how much of your email do I need to trim (from gmail show original saved to a file) or copy / paste from the webmail in order to get something that can be fed to gpg?
Srdjan
Unfortunately that is one of the problems I face in using a PGP/MIME compliant MUA when lots of people don't. I don't use Gmail (in fact I run my own mailserver - I hate the idea of someone else handling my mail) so I'm no expert on Gmail's idiosyncrasies, but I'm pretty sure it doesn't handle PGP/MIME well, if at all. The only way I could get a Gmail user to properly handle my signed/encrypted mail would be for me to create the message in a text editor, then sign/encrypt that message and paste it into my email. So long as I didn't use PGP/MIME, then the email would contain something like this:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
[armored message body omitted]
-----END PGP MESSAGE-----
You could then cut/paste everything with the BEGIN/END headers and verify my mail.
However, if you, as a Gmail user simply try to cut/paste my PGP/MIME signed email into a text file and then try to validate it against the signature, you will get the problem you see.
But I'm damned if I'm going to modify my mail usage simply to accommodate Google. :-)
Mick
(Question to the list: Is there any point in my continuing to sign mail to the list if it is going to cause difficulty?)
On 20/01, mick wrote:
(Question to the list: Is there any point in my continuing to sign mail to the list if it is going to cause difficulty?)
Can anyone using gmail confirm that an attached signature (like the one on this email) causes any difficulties in reading the email?
I'm pretty certain anyone who's interested in receiving signed email (I am) is likely to have ditched gmail for something more friendly so unless the answer to my question above is "holy crap, I can't even read this email" then I don't see a problem.
Spot the deliberate flaw in my test ;)
Steve
On Wed, 20 Jan 2016 14:57:19 +0000 Steve Engledow steve@offend.me.uk allegedly wrote:
On 20/01, mick wrote:
(Question to the list: Is there any point in my continuing to sign mail to the list if it is going to cause difficulty?)
Can anyone using gmail confirm that an attached signature (like the one on this email) causes any difficulties in reading the email?
Steve
I should have made it clear that the problem with Gmail (and similar systems) is most probably caused by the webmail interface, not by the SMTP/POP/IMAP service. You use mutt as your MUA, so I assume that you are picking up your mail using POP or IMAP and then reading it locally. Mutt can handle PGP/MIME (can't it?). Webmail interfaces have a problem with that.
So, my guess is that anyone using Gmail /without/ the crappy web interface may have less of a problem.
I'm pretty certain anyone who's interested in receiving signed email (I am) is likely to have ditched gmail for something more friendly so unless the answer to my question above is "holy crap, I can't even read this email" then I don't see a problem.
Spot the deliberate flaw in my test ;)
Yeah, well...... :-)
(And now I can see your X-Clacks header. Added by Mutt?)
Mick