GPG signature verification broken

I sign an email with enigmail using PGP/mime -> Horde state

Tue, 26 Mar 2013 18:55:33 +0000

I sign an email with enigmail using PGP/mime -> Horde states: gpg: Signature made Tue 26 Mar 2013 07:27:20 PM CET using RSA key ID xxx gpg: Good signature from xxx (the key being on a keyserver) When i sign+encrypt an email with enigmail using PGP/mime (exactly the same account and key) -> After decryption Horde states: gpg: Signature made Tue 26 Mar 2013 07:27:20 PM CET using RSA key ID xxx gpg: Can't check signature: No public key

Duplicate of Bug #12100?

Tue, 26 Mar 2013 20:02:45 +0000

Duplicate of Bug #12100?

i traced the problem down quite a bit already: in ./www/i

Wed, 27 Mar 2013 02:06:13 +0000

i traced the problem down quite a bit already: in ./www/imp/lib/Mime/Viewer/Pgp.php:427 $this->getConfigParam('imp_contents')->getBodyPart($signed_id, array('mimeheaders' => true)) returns an empty string because: in ./www/imp/lib/Contents.php:245 $part->getContents(); returns an empty string, therefore Horde_Mime_Part::getRawPartText(...) three lines below fails, since there are no mime parts in the string. (the string contains only the mime headers of the base_id container) why this happens is unclear to me

> in ./www/imp/lib/Mime/Viewer/Pgp.php:427 And that's exa

Wed, 27 Mar 2013 03:03:52 +0000

> in ./www/imp/lib/Mime/Viewer/Pgp.php:427 And that's exactly the code that was changed/fixed in Bug #12100.

>> in ./www/imp/lib/Mime/Viewer/Pgp.php:427 > > And that's

Wed, 27 Mar 2013 10:05:18 +0000

>> in ./www/imp/lib/Mime/Viewer/Pgp.php:427 > > And that's exactly the code that was changed/fixed in Bug #12100. gee, i really missed your comment. thanks for saving my time :) the fix introduced there indeed fixes verification for signed and encrypted mails, but breaks verification of signed only. the problem seems to be with the change introduced on line 443, as 'mimeheaders' => true and 'stream' => true cannot be set both as can be seen in ./imp/lib/Contents.php:292

(line numbers as in origin master) > 'mimeheaders' => tru

Wed, 27 Mar 2013 10:39:17 +0000

(line numbers as in origin master) > 'mimeheaders' => true and 'stream' => true cannot be set both as can > be seen in > > ./imp/lib/Contents.php:292 actually i'm totally unsure about the code there, maybe it should be able to provide this, but then its broken. this piece of code from line 287 to 299 looks really wrong to me, since there should be 4 possible cases (mime: yes/no, stream: yes/no) but the code has only 3 different execution paths.

Changes have been made in Git (master): commit f1c84583504f

Thu, 28 Mar 2013 04:19:41 +0000

Changes have been made in Git (master): commit f1c84583504f142ca37eae1b9dcda3b99dab801c Author: Michael M Slusarz Date: Wed Mar 27 22:18:44 2013 -0600 Fix returning stream if requested (Bug #12142) imp/lib/Contents.php | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) http://git.horde.org/horde-git/-/commit/f1c84583504f142ca37eae1b9dcda3b99dab801c

I can't reproduce. Signature verification works fine for me

Thu, 28 Mar 2013 04:19:50 +0000

I can't reproduce. Signature verification works fine for me. > this piece of code from line 287 to 299 looks really wrong to me, > since there should be 4 possible cases (mime: yes/no, stream: yes/no) > but the code has only 3 different execution paths. So? The one missing case is not used in the PGP code. So not sure what that has to do with this ticket.

> I can't reproduce. Signature verification works fine for

Thu, 28 Mar 2013 23:09:28 +0000

> I can't reproduce. Signature verification works fine for me. now i'm embarassed. i can't either. sorry if i wasted your time! >> this piece of code from line 287 to 299 looks really wrong to me, >> since there should be 4 possible cases (mime: yes/no, stream: yes/no) >> but the code has only 3 different execution paths. > > So? The one missing case is not used in the PGP code. So not sure > what that has to do with this ticket. ehm nothing, i was just guessing, since i didn't really understand the code... so now there is only one special case, that is somewhat missing: mails created with enigmail don't have a detached signature. so the signature verification is done in Horde_Crypt_Pgp::_decryptMessage. since in this method the pubkeyring consists only my own pubkey, this will always yield "Can't check signature: No public key" (opposed to the detached signatures which are verified in IMP_Crypt_Pgp::verifySignature which automatically tries to fetch the correct key....) (see Mime/Viewer/Pgp.php under /* Check for combined encryption/signature data. */ for the beginning of this call path) but i don't yet see an easy solution to this problem. because all the signature logic is in the mime viewer, the key fetching logic is in IMP_Crypt_Pgp and the decryption in Horde_Crypt_Pgp. the signature keyid is in the encrypted container, so somehow you would need to first decrypt it, then fetch the key, then decrypt it again, with the fetched key in the keyring...

> mails created with enigmail don't have a detached signatur

Thu, 04 Apr 2013 05:22:42 +0000

> mails created with enigmail don't have a detached signature. so the > signature verification is done in Horde_Crypt_Pgp::_decryptMessage. > since in this method the pubkeyring consists only my own pubkey, this > will always yield "Can't check signature: No public key" (opposed to > the detached signatures which are verified in > IMP_Crypt_Pgp::verifySignature which automatically tries to fetch the > correct key....) I am not following. Signed messages can be sent in one of three ways: 1) As PGP armored text (handled in Plain viewer). 2) multpart/signed w/ application/pgp-signature (handled in PGP viewer). 3) Encrypted + signed message -- multipart/encrypted (handled in PGP viewer). There are acutally 2 types here (encrypted with embedded signed part AND encrypted+signed). Both are handled by the PGP viewer. Not sure which one is not being handled properly for you.

>> mails created with enigmail don't have a detached signatu

Thu, 04 Apr 2013 12:17:37 +0000

>> mails created with enigmail don't have a detached signature. so the >> signature verification is done in Horde_Crypt_Pgp::_decryptMessage. >> since in this method the pubkeyring consists only my own pubkey, this >> will always yield "Can't check signature: No public key" (opposed to >> the detached signatures which are verified in >> IMP_Crypt_Pgp::verifySignature which automatically tries to fetch the >> correct key....) > > I am not following. Signed messages can be sent in one of three ways: > > 1) As PGP armored text (handled in Plain viewer). > 2) multpart/signed w/ application/pgp-signature (handled in PGP viewer). > 3) Encrypted + signed message -- multipart/encrypted (handled in PGP > viewer). There are acutally 2 types here (encrypted with embedded > signed part AND encrypted+signed). Both are handled by the PGP > viewer. > > Not sure which one is not being handled properly for you. its about case 3: * when there is a pgp-encrypted part which contains both an encrypted packet and a signature packet, the signature is only verified in Horde_Crypt_Pgp::_decryptMessage, which does not fetch the key from a keyserver. * whereas when the encrypted part contains a message with a detached signature, it is verified in the viewer, and the key is properly fetched. for the two cases see http://www.ietf.org/rfc/rfc2015.txt section 6.2 vs. 6.1

Changes have been made in Git (FRAMEWORK_5_0): commit 2f4b7

Tue, 09 Apr 2013 21:28:46 +0000

Changes have been made in Git (FRAMEWORK_5_0): commit 2f4b732a481e1c948221f5e04ef0038904c0fd16 Author: Michael M Slusarz Date: Tue Apr 9 15:28:09 2013 -0600 [mms] Fix signature verification for PGP combined signed & encrypted messages (Bug #12142). imp/docs/CHANGES | 2 + imp/lib/Crypt/Pgp.php | 44 ++++++++++++++++++++++++++++++++++-------- imp/lib/Mime/Viewer/Pgp.php | 37 +++++++++++++++++++++++++---------- imp/package.xml | 2 + 4 files changed, 65 insertions(+), 20 deletions(-) http://git.horde.org/horde-git/-/commit/2f4b732a481e1c948221f5e04ef0038904c0fd16

Changes have been made in Git (master): commit 9281a2cda2ec

Tue, 09 Apr 2013 21:30:45 +0000

Changes have been made in Git (master): commit 9281a2cda2ec8ed9ae4b25fdee59460b822581b4 Author: Michael M Slusarz Date: Tue Apr 9 15:28:09 2013 -0600 [mms] Fix signature verification for PGP combined signed & encrypted messages (Bug #12142). Conflicts: imp/lib/Mime/Viewer/Pgp.php imp/package.xml imp/docs/CHANGES | 2 + imp/lib/Crypt/Pgp.php | 44 ++++++++++++++++++++++++++++++++++-------- imp/lib/Mime/Viewer/Pgp.php | 39 ++++++++++++++++++++++++++----------- imp/package.xml | 1 + 4 files changed, 65 insertions(+), 21 deletions(-) http://git.horde.org/horde-git/-/commit/9281a2cda2ec8ed9ae4b25fdee59460b822581b4

Does this fix?

Tue, 09 Apr 2013 21:30:55 +0000

Does this fix?

Marking as resolved since this fixes the issue reported in t

Mon, 15 Apr 2013 19:39:06 +0000

Marking as resolved since this fixes the issue reported in this ticket for me.