Bug 3025

Summary: PGP-Inline armor header can be modified and no warning is shown
Product: Claws Mail (GTK 2)
Reporter: Ian Nartowicz <mozilla>
Component: Plugins/Privacy/PGP
Assignee: users
Status: RESOLVED INVALID
Severity: normal
Priority: P3
Version: 3.9.2
Hardware: PC
OS: Linux

Description Ian Nartowicz 2013-10-24 18:36:44 UTC
The PGP inline signature format consists of several boilerplate lines (armor) surrounding the message text.  The signature verifies not only that the message was produced by the owner of the key but that the contents of the message are identical to when it was signed.

A blank line is mandatory after the armor and before the text of the message.  However, if this line is modified to contain text, Claws still reports the signature as valid.

GnuPG command line signature checking returns a fail code (not a bad signature code) when this happens and a message that the armor header is invalid. Not sure what that should correspond to in Claws. Privacy-warn? Not Privacy-passed though.
Comment 1 Colin Leroy 2013-10-24 21:40:56 UTC
Hi,

Thanks for reporting, this is indeed far from desirable. I'll investigate!
Comment 2 Paul 2013-10-25 16:33:16 UTC
Actually, to be precise, GnuPG command line does not return a fail code. It issues a warning but the signature is still reported as good.
Comment 3 Andrej Kacian 2019-05-14 09:39:17 UTC
Right now, there is no programmatic way for Claws Mail to detect that this has happened, so this looks like a good bug report idea for the GpgME library.
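The following Python check is added here as an illustration of the scenario in the description; it is not part of this bug report, of Claws Mail or of GnuPG/GPGME. It isolates the armor header block of a PGP-inline (clearsigned) message, i.e. the lines between `-----BEGIN PGP SIGNED MESSAGE-----` and the first empty line, which RFC 4880 section 7 requires to be present and which is not covered by the digest, and reports any line in that block that is not a well-formed, known armor header. Because text written onto the mandatory blank line lands in the header block rather than in the signed body, a verifier can still report the signature as good (as Comment 2 notes), so a layout check of this kind is where a mail client could raise the warning the report asks for. The sample messages, the placeholder signature block and all function names are constructed for the example; nothing here verifies the signature itself.

```python
import re

# Armor header keys defined for OpenPGP ASCII armor (RFC 4880, section 6.2).
# "Hash" is the one a clearsigned message is required to carry.
KNOWN_ARMOR_KEYS = {"Hash", "Version", "Comment", "MessageID", "Charset"}
# Shape of an armor header line: "Key: value" (GnuPG also accepts "Key:value"
# for Hash, so the space after the colon is optional here).
ARMOR_HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample. The signature block is a placeholder, not a real
# signature; this code inspects layout only and never verifies it.
CLEAN_MESSAGE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please transfer 100 EUR to account A.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEplaceholderplaceholderplaceholderplaceholder
=AAAA
-----END PGP SIGNATURE-----
"""


def armor_header_block(text):
    """Return the armor header lines of a clearsigned message: everything
    after the BEGIN PGP SIGNED MESSAGE line up to the first empty line
    (or the signature block, if no empty line exists at all)."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
    except ValueError:
        raise ValueError("not a PGP-inline (clearsigned) message")
    headers = []
    for line in lines[start + 1:]:
        if line.strip() == "" or line == BEGIN_SIG:
            break
        headers.append(line)
    return headers


def audit_armor_headers(text):
    """Return a list of findings about the armor header block. An empty list
    means the block holds only well-formed, known headers and a Hash header
    is present. Layout check only: the signature is not verified."""
    findings = []
    hash_seen = False
    for line in armor_header_block(text):
        m = ARMOR_HEADER_RE.match(line)
        if not m:
            findings.append("non-header text inside armor header block: %r" % line)
            continue
        key = m.group(1)
        if key == "Hash":
            hash_seen = True
        elif key not in KNOWN_ARMOR_KEYS:
            findings.append("unknown armor header %r: %r" % (key, line))
    if not hash_seen:
        findings.append("no Hash armor header")
    return findings


def replace_blank_separator(text, injected):
    """Model the modification from the bug report: put text on the mandatory
    blank line that separates the armor headers from the signed body."""
    lines = text.splitlines()
    start = lines.index(BEGIN_SIGNED)
    for i in range(start + 1, len(lines)):
        if lines[i] == "":
            lines[i] = injected
            return "\n".join(lines) + "\n"
    raise ValueError("no blank separator line to replace")


if __name__ == "__main__":
    for label, msg in [
        ("clean", CLEAN_MESSAGE),
        ("injected, no colon",
         replace_blank_separator(CLEAN_MESSAGE, "Send the money to account B instead")),
        ("injected, Key: value shape",
         replace_blank_separator(CLEAN_MESSAGE, "Correction: use account B instead")),
    ]:
        print(label, "->", audit_armor_headers(msg) or "OK")
```

`replace_blank_separator` reproduces the edit described in the report. An injected line shaped like `Key: value` is caught by the allowlist of known header keys; one without a colon is caught as non-header text. The signed body line that follows is flagged as well, because without the blank separator it too sits inside the header block, which is exactly the structural damage a client should surface even when the verifier reports the signature as good.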