The PGP inline signature format consists of several boilerplate lines (armor) surrounding the message text. The signature verifies not only that the message was produced by the owner of the key but that the contents of the message are identical to when it was signed. A blank line is mandatory after the armor and before the text of the message. However, if this line is modified to contain text, Claws still reports the signature as valid. GnuPG command line signature checking returns a fail code (not a bad signature code) when this happens and a message that the armor header is invalid. Not sure what that should correspond to in Claws. Privacy-warn? Not Privacy-passed though.
Hi, Thanks for reporting, this is indeed far from desirable. I'll investigate!
Actually, to be precise, GnuPG command line does not return a fail code. It issues a warning but the signature is still reported as good.
Right now, there is no programmatic way for Claws Mail to detect that this has happened, so this looks like a good bug report idea for the GpgME library.
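Until the verifier reports it, a mail client can at least check the clearsign armor structure itself before handing the message to GpgME. The following is an added example, not Claws Mail or GpgME code: it flags a non-blank line sitting where RFC 4880 requires the empty separator, and treats a non-Hash armor header as a warning. The sample messages are constructed and the signature block is a placeholder, since only the armor layout is inspected.

```python
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# RFC 4880 section 7 allows only "Hash" armor headers between the BEGIN
# line and the mandatory empty line that precedes the cleartext.
HASH_HEADER_RE = re.compile(r"^Hash: [A-Za-z0-9]+(,[A-Za-z0-9]+)*$")


def check_clearsign_armor(message):
    """Structural check of a clearsigned message's leading armor.

    Returns (status, reason) with status 'passed', 'warn' or 'failed'.
    It does not verify the signature itself; that stays with GnuPG/GpgME.
    """
    lines = message.splitlines()
    try:
        i = lines.index(BEGIN_SIGNED) + 1
    except ValueError:
        return "failed", "no BEGIN PGP SIGNED MESSAGE line"
    if BEGIN_SIG not in lines[i:]:
        return "failed", "no BEGIN PGP SIGNATURE line"
    sig_at = lines.index(BEGIN_SIG, i)
    hash_headers = 0
    # Walk the armor headers until the blank separator line.
    while i < sig_at and lines[i].strip() != "":
        line = lines[i]
        if HASH_HEADER_RE.match(line):
            hash_headers += 1
        elif ":" in line and not line.startswith("- "):
            # A key: value line that is not a Hash header; RFC 4880
            # section 6.2 says unknown armor keys should be reported.
            return "warn", "unexpected armor header: %r" % line
        else:
            # Free text where the blank separator belongs: a verifier may
            # skip it, so the reader sees text that was never signed.
            return "failed", "text in place of the blank separator: %r" % line
        i += 1
    if i >= sig_at:
        return "failed", "no blank separator before the signature block"
    if hash_headers == 0:
        return "warn", "no Hash armor header present"
    return "passed", "armor well-formed"


# Constructed samples (placeholder signature, not a real one).
SIG_BLOCK = [BEGIN_SIG, "iQEz...PLACEHOLDER...", "-----END PGP SIGNATURE-----"]
GOOD = "\n".join([BEGIN_SIGNED, "Hash: SHA256", "", "Pay 10 EUR.", *SIG_BLOCK])
TAMPERED = "\n".join([BEGIN_SIGNED, "Hash: SHA256",
                      "Pay 1000 EUR instead.", "Pay 10 EUR.", *SIG_BLOCK])

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, check_clearsign_armor(msg))
```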