GPGMail does not properly sign messages

lunokhod

05 Mar, 2015 05:48 PM

GPGMail 2.5b5, build 891b

I have used all aspects of the latest GPGTools beta, and it appears to be working as expected, with one exception.

When sending a signed message, the signature is not "gpg compatible". Though it can be read by GPGMail, it can not be interpreted by non-GPGMail clients, nor by the GPG services (when pasted into a text editor). As one example, here is a message that I sent from my GPGMail client that I later received on a Gmail account. You can verify that if you copy the raw text, you can not verify this signature using GPG services. The problem appears to be that there is no "BEGIN PGP SIGNED MESSAGE" statement at the beginning of the message. This is a major problem, as I can no longer send signed messages, as I don't know if the recipient is using GPGMail or another service (like Google's end-to-end). Here is the raw text.

--Apple-Mail=_990AD954-8805-44F6-9A5A-72098A06230B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Here is an example of sending a signed message via GPGMail. As is seen, =
the signature of the the raw text that is sent can not be verified by =
non-GPGMail clients as it is missing the initial text "-----BEGIN PGP =
SIGNED MESSAGE=E2=80=94=E2=80=94=E2=80=9C

I am using GPGMail 2.5b5 and GPGServices 1.10b5

--Apple-Mail=_990AD954-8805-44F6-9A5A-72098A06230B
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

-----END PGP SIGNATURE-----

--Apple-Mail=_990AD954-8805-44F6-9A5A-72098A06230B--

  1. Support Staff 1 Posted by Steve on 16 Mar, 2015 11:43 AM

    Hi lunokhod,

    The cause of this problem could be that this is a malformed mail. To take a closer look, we'd need the mail as an .eml file. Please attach both the sent mail and the received email as .eml files to this discussion.

    To do that:

    • open a new Finder window
    • drag the mail in question to the Finder
    • attach the resulting .eml file to this discussion

    All the best,
    steve

  2. 2 Posted by lunokhod on 18 Mar, 2015 01:13 PM

    Attached is the signed eml message. I edited out the destination, but that is it. I don't think that I need to send you the message that was received as the outgoing message is clearly the problem...

  3. Support Staff 3 Posted by Steve on 26 Mar, 2015 03:44 PM

    Lunokhod, this email is standard PGP/MIME.

    You can easily verify such emails using GPGMail (or Thunderbird + Enigmail). GPGMail uses the standardized form for sending PGP signed/encrypted emails. While there are many advantages to this approach, there is the disadvantage that it's not very compatible with webmail clients.

    Could you find out what OS and email client is being used on the recipient's end?

    All the best,
    steve

  4. 4 Posted by lunokhod on 26 Mar, 2015 04:49 PM

    Steve,

    Thanks for the response. You seem to have verified my initial question:

    If you take the raw text of a message signed by GPGMail, you can not verify this message at the unix command line using standard GPG tools. Nor can you even verify it if you copy it into a text editor and use GPG services.

    This is a major flaw that will stop people from using GPGMail.

    Why does GPGMail refuse to add the standard line "BEGIN PGP SIGNED MESSAGE" at the beginning of the message? This would make it possible to verify the signature in any way the user likes.

  5. 5 Posted by lunokhod on 26 Mar, 2015 05:27 PM

    Here is a copy of the message, as received by the recipient (with their email address masked). I invite you to attempt to verify the signature of this message, using any means at your disposal. Even though you don't have the recipient's private key, you should be able to at least tell whether your software detects the signature or not.

  6. Support Staff 6 Posted by Steve on 26 Mar, 2015 06:41 PM

    Hi Lunokhod,

    Here goes the story of PGP/MIME vs. PGP/Inline:

    GPGMail defaults to the only standard there is for sending OpenPGP mails, which is PGP/MIME. The format you are referring to is called PGP/Inline and is an undocumented, non-standard format, which leads to several problems, which is why we default to PGP/MIME.

    Nevertheless you can switch GPGMail to use OpenPGP/Inline. While this is not encouraged, we've added that option.
    Find out how to do that here.

    There's no difference in security level, yet you have to be aware that while PGP/MIME also encrypts all attachments, OpenPGP/Inline does not!

    Also, you're limited to text only. Any formatting will be ignored.

    If you want to read more about the deficits of Inline/PGP, you may want to read this note by Daniel Kahn Gillmor called Inline PGP signatures considered harmful. This is the GnuPG FAQ entry covering this question.

    So in fact the standard "BEGIN PGP SIGNED MESSAGE" isn't a standard, but what GPGMail does is the actual standard. Also, I do not understand where you see a problem in this. If you don't trust GPGMail to verify your messages correctly, you probably should not use it in the first place. And then again, you can just set up your email account in Thunderbird + Enigmail to check if the verification results do match.

    Or you can switch to PGP/Inline with GPGMail, which I would not recommend.

    Hope this explains what's going on here,
    steve

  7. 7 Posted by lunokhod on 27 Mar, 2015 10:32 AM

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    This is an example of a signed message using GPG services. Please note that the message starts with "BEGIN SIGNED PGP MESSAGE", whereas an equivalent signed message from GPGMail would exclude the "BEGIN SIGNED PGP MESSAGE".

    This gives rise to the following problems:

    1. It is impossible to copy the raw text signed by GPGMail into a text file and verify the signature using GPG services or gpg at the command line.

    2. Signed messages from GPG Services and GPGMail are different and incompatible.

    3. My contacts who use GPG, who are primarily unix geeks, can not verify my signatures, making GPG useless to me.

    This will be my last comment on the subject.
    -----BEGIN PGP SIGNATURE-----
    Comment: GPGTools - https://gpgtools.org

    -----END PGP SIGNATURE-----

  8. 8 Posted by lunokhod on 27 Mar, 2015 10:40 AM

    Last comment:

    Google's "end-to-end" can not verify GPGMail signatures. End-to-end can verify a signed message created by GPG Services, which is copied into the end-to-end window. If this is the fault of end-to-end, I will open an issue with them at GitHub.

  9. Support Staff 9 Posted by Steve on 27 Mar, 2015 12:37 PM

    Hi again,

    The fact that Google's End-to-End is able to verify output from GPGServices is because GPGServices produces PGP/Inline cyphertext while GPGMail produces PGP/MIME cyphertext. The reasons for that are explained in comment #6 in this very discussion.

    You can ask for PGP/MIME support for Google's End-to-End.

    As for your questions:

    1. Correct. PGP/MIME messages cannot be easily verified that way. (see comment #6)

    2. Different: yes. GPGServices uses PGP/Inline while GPGMail defaults to PGP/MIME. Incompatible: hmm, GPGMail understands both PGP/MIME and PGP/Inline. Just send some GPGServices cyphertext in an email to yourself and open it with GPGMail.

    3. Well, that totally depends on the mail clients your contacts are using. E.g. gpg4win on Windows understands PGP/MIME while K9 mail on Android has an open ticket for PGP/MIME support.

    As also stated in comment #6, if you want you are free to default GPGMail to PGP/Inline with the known shortcomings. Reasons why we don't recommend that are given above as well.

  10. Steve closed this discussion on 03 Jun, 2015 01:37 PM.
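
Added example, not part of the original discussion and not GPGTools code: a PGP/MIME signature is a detached signature over the first MIME part as transmitted with CRLF line endings (RFC 3156), so a saved .eml can be checked outside a mail client by splitting out the two parts and handing them to `gpg --verify`. The function names, the boundary `b1` and the sample message are constructed for illustration.

```python
import re
import subprocess
import tempfile
from email import message_from_bytes
from pathlib import Path

def split_pgp_mime(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed_part, armored_signature) from a multipart/signed message."""
    msg = message_from_bytes(raw)
    if (msg.get_content_type() != "multipart/signed"
            or msg.get_param("protocol") != "application/pgp-signature"):
        raise ValueError("not a PGP/MIME signed message")
    # RFC 3156: the signature covers the first part with CRLF line endings.
    raw = re.sub(rb"\r?\n", b"\r\n", raw)
    chunks = raw.split(b"\r\n--" + msg.get_boundary().encode())
    if len(chunks) < 4:  # headers, signed part, signature part, closing "--"
        raise ValueError("expected two body parts")
    # Drop the remainder of each delimiter line. The CRLF in front of the next
    # delimiter belongs to the delimiter, so the split has already excluded it.
    signed = chunks[1].split(b"\r\n", 1)[1]
    sig_part = message_from_bytes(chunks[2].split(b"\r\n", 1)[1])
    return signed, sig_part.get_payload(decode=True)

def gpg_verify(signed: bytes, signature: bytes) -> bool:
    """Check the detached signature with the gpg command-line tool."""
    with tempfile.TemporaryDirectory() as tmp:
        data, sig = Path(tmp, "signed-part.bin"), Path(tmp, "signature.asc")
        data.write_bytes(signed)
        sig.write_bytes(signature)
        result = subprocess.run(["gpg", "--verify", str(sig), str(data)],
                                capture_output=True)
        return result.returncode == 0

# Constructed sample with LF line endings, as a message saved on Unix would have.
SAMPLE = b"\n".join([
    b'Content-Type: multipart/signed; boundary="b1";',
    b' protocol="application/pgp-signature"; micalg=pgp-sha512',
    b"",
    b"--b1",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Hello",
    b"--b1",
    b"Content-Type: application/pgp-signature; name=signature.asc",
    b"",
    b"-----BEGIN PGP SIGNATURE-----",
    b"",
    b"(constructed placeholder, not a real signature)",
    b"-----END PGP SIGNATURE-----",
    b"--b1--",
    b"",
])
```

Run it against the .eml exactly as received: any relay that re-encodes or appends to the first part changes the signed bytes and the check will fail.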
