[Users] [Bug 2889] New: PGP encrypted and signed messages are not packaged correctly
noreply at thewildbeast.co.uk
Thu Mar 7 06:59:54 CET 2013
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2889
Bug ID: 2889
Summary: PGP encrypted and signed messages are not packaged correctly
Classification: Unclassified
Product: Claws Mail
Version: 3.9.0
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Plugins/Privacy
Assignee: users at lists.claws-mail.org
Reporter: chead at chead.ca

I sent a message to someone, marked as encrypted and signed. That person
reported that it appeared as encrypted, but not signed. I tracked down why.
Claws-Mail, when told to both encrypt and sign a message with PGP, takes the
message, signs it, takes the whole resulting package, and encrypts it. For
PGP/Inline, this results in an armoured clearsign wrapped inside an armoured
encrypt. For PGP/Mime, this results in a multipart/signed wrapped inside an
armoured encrypt wrapped inside a multipart/encrypted. Thus it is necessary to
run the armoured blob through "gpg -d" twice, once to decrypt and once to
verify the signature.

Other systems (in this case Enigmail for Thunderbird) just take the original
message and invoke GnuPG once, telling it to simultaneously both sign and
encrypt (i.e. the equivalent to "gpg -e -s"). For PGP/Inline, this results in a
single armoured blob which, when passed (once!) to "gpg -d", gives back the
original message along with a signature verification result. For PGP/Mime, this
results in a multipart/encrypted, whose encrypted part is an armoured blob;
running this through "gpg -d" (once!) results in a signature verification
result along with a multipart/mixed with one part, a text/plain.
--
You are receiving this mail because:
You are the assignee for the bug.
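
Added example, not part of the bug report or of Claws Mail's code: a receiver-side check in Python that classifies the output of the first decryption pass into the layouts the report describes, so a client knows whether the signature still has to be verified in a second pass. The function name, layout labels and sample messages are constructed for illustration, and the code does not call GnuPG itself.

```python
from email import message_from_string

CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"

# Constructed samples of what the first decryption pass could return.
NESTED_INLINE = (CLEARSIGN_HEADER + "\nHash: SHA1\n\nHello\n"
                 "-----BEGIN PGP SIGNATURE-----\n(constructed)\n"
                 "-----END PGP SIGNATURE-----\n")
NESTED_MIME = """\
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain

Hello
--sig
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--sig--
"""
SINGLE_PASS_MIME = """\
Content-Type: multipart/mixed; boundary="mix"

--mix
Content-Type: text/plain

Hello
--mix--
"""


def classify_decrypted(plaintext: str) -> dict:
    """Report where the signature lives after one decryption pass."""
    # PGP/Inline, signed then encrypted: decryption yields a clearsigned block.
    if plaintext.lstrip().startswith(CLEARSIGN_HEADER):
        return {"layout": "nested-inline", "second_pass": True}
    # PGP/MIME, signed then encrypted: decryption yields multipart/signed.
    msg = message_from_string(plaintext)
    protocol = str(msg.get_param("protocol", "")).lower()
    if msg.get_content_type() == "multipart/signed" and protocol == "application/pgp-signature":
        parts = msg.get_payload()
        # Well-formed multipart/signed has exactly two parts: content, signature.
        ok = (isinstance(parts, list) and len(parts) == 2
              and parts[1].get_content_type() == "application/pgp-signature")
        return {"layout": "nested-mime" if ok else "malformed-signed", "second_pass": ok}
    # Otherwise any signature status was already reported by the decrypting pass.
    return {"layout": "single-pass", "second_pass": False}
```

A client that only reads the signature status from the decrypting pass would show the two nested layouts as encrypted but not signed, which matches what the recipient in the report saw.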