Bug 3025 - PGP-Inline armor header can be modified and no warning is shown
Status: RESOLVED INVALID
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Plugins/Privacy/PGP
Version: 3.9.2
Hardware: PC Linux
Importance: P3 normal
Assignee: users
Reported: 2013-10-24 18:36 UTC by Ian Nartowicz
Modified: 2019-05-14 09:39 UTC

Description Ian Nartowicz 2013-10-24 18:36:44 UTC
The PGP inline signature format consists of several boilerplate lines (armor) surrounding the message text. The signature verifies not only that the message was produced by the owner of the key but that the contents of the message are identical to when it was signed.

A blank line is mandatory after the armor and before the text of the message.  However, if this line is modified to contain text, Claws still reports the signature as valid.

GnuPG command line signature checking returns a fail code (not a bad signature code) when this happens and a message that the armor header is invalid. Not sure what that should correspond to in Claws. Privacy-warn? Not Privacy-passed though.
Comment 1 Colin Leroy 2013-10-24 21:40:56 UTC
Hi,

Thanks for reporting, this is indeed far from desirable. I'll investigate!
Comment 2 Paul 2013-10-25 16:33:16 UTC
Actually, to be precise, GnuPG command line does not return a fail code. It issues a warning but the signature is still reported as good.
Comment 3 Andrej Kacian 2019-05-14 09:39:17 UTC
Right now, there is no programmatic way for Claws Mail to detect that this has happened, so this looks like a good bug report idea for the GpgME library.
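
Added example, not part of the bug thread and not Claws Mail or GpgME code: a structural check a mail client could run on the raw message text, flagging anything other than a well-formed `Hash:` armor header between the cleartext header line and the mandatory blank line described in the report. The names `check_clearsig_headers` and `cs_status` are hypothetical; treating a whitespace-only line as blank and limiting `Hash:` values to the RFC 4880 digest names are assumptions.

```c
#include <string.h>

enum cs_status { CS_OK, CS_NOT_CLEARSIG, CS_BAD_HEADER, CS_NO_SEPARATOR };

/* Advance past the line at p and its LF or CRLF ending. */
static const char *next_line(const char *p)
{
    p += strcspn(p, "\r\n");
    if (*p == '\r') p++;
    return *p == '\n' ? p + 1 : p;
}

/* "Hash: " plus a comma-separated list of RFC 4880 digest names (assumed strict). */
static int is_hash_header(const char *p, size_t n)
{
    static const char *algos[] = { "MD5", "SHA1", "RIPEMD160", "SHA224",
                                   "SHA256", "SHA384", "SHA512" };
    size_t tok, i; int known;
    if (n < 7 || strncmp(p, "Hash: ", 6) != 0) return 0;
    for (p += 6, n -= 6;; p += tok + 1, n -= tok + 1) { /* +1 skips the comma */
        for (tok = 0; tok < n && p[tok] != ','; tok++) continue;
        for (i = 0, known = 0; i < sizeof algos / sizeof *algos; i++)
            if (strlen(algos[i]) == tok && !strncmp(p, algos[i], tok)) known = 1;
        if (!known) return 0;
        if (tok == n) return 1;
    }
}

/* Inspect only the lines between the cleartext header and the signed text. */
enum cs_status check_clearsig_headers(const char *msg)
{
    static const char begin[] = "-----BEGIN PGP SIGNED MESSAGE-----";
    size_t n = strcspn(msg, "\r\n");
    if (n != sizeof begin - 1 || strncmp(msg, begin, n)) return CS_NOT_CLEARSIG;
    for (const char *p = next_line(msg); *p; p = next_line(p)) {
        n = strcspn(p, "\r\n");
        if (strspn(p, " \t") == n) return CS_OK;       /* blank separator found */
        if (!is_hash_header(p, n)) return CS_BAD_HEADER;
    }
    return CS_NO_SEPARATOR;
}

int main(void)
{
    /* Constructed sample: the mandatory blank line was replaced with text. */
    const char *tampered = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n"
                           "Injected line\nSigned body\n";
    return check_clearsig_headers(tampered) != CS_BAD_HEADER; /* 0 = flagged */
}
```

A result of `CS_BAD_HEADER` could be mapped to a warning state in the client regardless of what the signature verifier reports, since text in that region is not covered by the signature.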
