[Users] [Bug 3025] New: Inline-signed messages can be tampered with and still be shown as validly signed
noreply at thewildbeast.co.uk
Thu Oct 24 18:36:44 CEST 2013
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3025
Bug ID: 3025
Summary: Inline-signed messages can be tampered with and still be shown as validly signed
Classification: Unclassified
Product: Claws Mail
Version: 3.9.2
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Plugins/Privacy
Assignee: users at lists.claws-mail.org
Reporter: mozilla at virginmedia.com
The PGP inline signature format consists of several boilerplate lines (armor)
surrounding the message text. The signature verifies not only that the message
was produced by the owner of the key but that the contents of the message are
identical to when it was signed.

A blank line is mandatory after the armor and before the text of the message.
However, if this line is modified to contain text, Claws still reports the
signature as valid.

GnuPG command line signature checking returns a fail code (not a bad signature
code) when this happens and a message that the armor header is invalid. Not
sure what that should correspond to in Claws. Privacy-warn? Not
Privacy-passed though.
--
You are receiving this mail because:
You are the assignee for the bug.
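
An added example, not part of the original report and not Claws Mail or GnuPG code: a structural check of the cleartext signature framing (RFC 4880, section 7) that a client can run before trusting a "valid" result, covering the case in the report where the mandatory empty line contains text. The function name, reason strings and sample messages are assumptions constructed here, and the check does not verify the signature itself.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# RFC 4880 section 7: only "Hash" armor headers may sit between the
# cleartext header line and the mandatory empty line.
HASH_HEADER = re.compile(r"^Hash: [A-Za-z0-9-]+(,\s*[A-Za-z0-9-]+)*$")


def check_cleartext_framing(message):
    """Return (ok, reason, signed_text). Checks framing only, not the signature."""
    lines = message.replace("\r\n", "\n").split("\n")
    if BEGIN_MSG not in lines:
        return (False, "no cleartext header", None)
    i = lines.index(BEGIN_MSG) + 1
    # Walk the header block; it ends at the first empty line.
    # Assumption: a whitespace-only line is accepted as the empty line.
    while i < len(lines) and lines[i].strip() != "":
        if not HASH_HEADER.match(lines[i].rstrip()):
            return (False, "invalid armor header: %r" % lines[i], None)
        i += 1
    if i == len(lines):
        return (False, "missing empty separator line", None)
    if BEGIN_SIG not in lines[i + 1:]:
        return (False, "no signature armor", None)
    end = lines.index(BEGIN_SIG, i + 1)
    # Undo dash-escaping so the caller can display exactly the signed text.
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:end]]
    return (True, "framing ok", "\n".join(body))


# Constructed samples; the signature body is a placeholder, not real data.
def _sample(separator):
    return "\n".join([BEGIN_MSG, "Hash: SHA256", separator,
                      "Meeting moved to Friday.", BEGIN_SIG, "",
                      "PLACEHOLDER", "-----END PGP SIGNATURE-----", ""])


WELL_FORMED = _sample("")
TAMPERED = _sample("INSERTED TEXT")  # text where the empty line belongs

if __name__ == "__main__":
    for name, msg in (("well-formed", WELL_FORMED), ("tampered", TAMPERED)):
        print(name, check_cleartext_framing(msg)[:2])
```

A client that shows only the returned `signed_text` as covered by the signature, and refuses to report a pass when `ok` is false, cannot display unsigned text under a valid-signature indicator.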