debian-security May 2010 archive

Re: Broken signature for DSA-2040-1

From: Bjørn Mork <bjorn_at_nospam>
Date: Mon May 03 2010 - 17:58:07 GMT
To: debian-security@lists.debian.org

Francesco Poli <frx@firenze.linux.it> writes:

> The fact is that I didn't perform any pasting: even running "gpg
> --verify" directly on the message file fails (Sylpheed stores e-mail
> messages in MH format, hence each message is on a separate file).
>
> I received the message encoded as quoted-printable: maybe something in
> the middle performed some re-encoding, that broke the signature?

No, it's not broken. But you need to decode the quoted-printable
content first and then verify. I believe most(?) email clients do this.
At least Gnus does, and that's all I care about.

/tmp/x is the raw message with QP noise, as I assume Sylpheed stores it
(which makes sense):

bjorn@nemi:~$ egrep ^Subject /tmp/x
Subject: [DSA 2040-1] New squidguard packages fix several vulnerabilities
bjorn@nemi:~$ tail /tmp/x

--=20
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.or=
g
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian=
.org
Archive: http://lists.debian.org/20100502125652.GA3528@galadriel.inutil.o=
rg

This fails:

bjorn@nemi:~$ gpg --verify /tmp/x
gpg: invalid dash escaped line: -\n
gpg: invalid dash escaped line: -\n
gpg: unexpected armor: ----------\n
gpg: unknown armor header: For apt-get: deb http://security.debian.org/ stable/updates main
gpg: unknown armor header: For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/upda=
gpg: invalid armor header: tes/main\n

But this works:

bjorn@nemi:~$ mimencode -u -q < /tmp/x|gpg --verify
gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
gpg: Good signature from "Moritz Muehlenhoff <jmm@debian.org>"
gpg: aka "Moritz Muehlenhoff <jmm@inutil.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CA4F D469 C047 165A 1A55 CCD7 5E6D EF1C 4E2E CA5A

...as expected. Guess you need to report a bug against Sylpheed if it
attempts to verify the signature before decoding.

Bjørn

--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87fx28amvk.fsf@nemi.mork.no
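As an added example (not code from the thread or from Debian), the following Python script reproduces the effect Bjørn describes: it quoted-printable-encodes a constructed clearsigned body (placeholder advisory text and placeholder signature, with an over-long dash-escaped rule and a "-- " separator so that the same "=" soft breaks and "--=20" appear), shows with a simplified structural check why the raw file fails and the decoded text passes, and pipes the decoded text to gpg. The sample text, the helper names and `verify_with_gpg` (which assumes gpg and the signer's public key are installed) are all assumptions of this example.

```python
import binascii
import email
import subprocess

# Constructed sample (hypothetical advisory text, placeholder signature) before transfer encoding.
SIGNED_BODY = b"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------------
Debian Security Advisory DSA-2040-1 (sample text, not the real advisory)
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkvdfEEACgkQPLACEHOLDERnotARealSignatureXXXXXXXXXXXX
=abcd
-----END PGP SIGNATURE-----
""" + b"-- \nTo UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org\n"

def as_raw_mail(body: bytes) -> bytes:
    """Store the body as the list delivered it (quoted-printable): lines over 76 chars get
    '=' soft breaks, a trailing blank becomes '=20', a literal '=' becomes '=3D'."""
    headers = (b"Subject: [DSA 2040-1] New squidguard packages fix several vulnerabilities\n"
               b"Content-Type: text/plain; charset=us-ascii\nContent-Transfer-Encoding: quoted-printable\n\n")
    return headers + binascii.b2a_qp(body, istext=True)

def decoded_body(raw_mail: bytes) -> bytes:
    """Undo the Content-Transfer-Encoding, which is what 'mimencode -u -q' does."""
    return email.message_from_bytes(raw_mail).get_payload(decode=True)

def armor_problems(text: bytes) -> list:
    """Simplified form of gpg's structural checks on clearsigned text: inside the signed part
    a line starting with '-' must be dash-escaped ('- ') and no line may end in a QP soft break."""
    problems, inside = [], False
    for line in text.splitlines():
        if line.startswith(b"-----BEGIN PGP SIGNED MESSAGE-----"):
            inside = True
        elif line.startswith(b"-----BEGIN PGP SIGNATURE-----"):
            break
        elif inside:
            if line.startswith(b"-") and not line.startswith(b"- "):
                problems.append("invalid dash escaped line: %r" % line)
            if line.endswith(b"="):
                problems.append("undecoded soft line break: %r" % line)
    return problems

def verify_with_gpg(decoded: bytes) -> bool:
    """Pipe the decoded text to gpg (as in 'mimencode -u -q < msg | gpg --verify'); needs a keyring."""
    return subprocess.run(["gpg", "--verify"], input=decoded, capture_output=True).returncode == 0
```

Running armor_problems on as_raw_mail(SIGNED_BODY) reports the split dash rule and the soft breaks, while the output of decoded_body is identical to SIGNED_BODY and reports nothing.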