This queue is for tickets about the Mail-GnuPG CPAN distribution.

Report information
The Basics
Id: 113203
Status: open
Priority: 0/
Queue: Mail-GnuPG

People
Owner: Nobody in particular
Requestors: no-operation [...] t-online.de
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: GnuPG.pm: Encrypting an already signed email (feature request)
Date: Sun, 20 Mar 2016 15:20:32 +0100
To: no-operation [...] t-online.de, bug-Mail-GnuPG [...] rt.cpan.org
From: Darius Zarrabi <no-operation [...] t-online.de>
Ladies and Gents,

I use a script (a modified version of "gpgit.pl" from https://gitlab.com/mikecardwell/gpgit), which serves as a Postfix-filter and which automatically gpg-encrypts all outgoing(!) mails for which a public key is known. The gpgit.pl-script in turn uses Mail::GnuPG by calling mime_encrypt($mime,@recipients).

When a mail arrives at the server, _mime_encrypt first separates headers from the body and then calls MIME::Entity->build to assemble the part-headers to add it to the entity (the body) to be encrypted. Everything is working fine beside one minor issue. If a signed email comes in, it contains a header looking like this:

    Content-Type: multipart/signed; boundary="----------=_1458481552-7056-0"; protocol="application/pgp-signature"; micalg=pgp-sha512

While passing _mime_encrypt, the original header is removed and replaced by

    Content-Type: multipart/signed; boundary="----------=_5647921540-1266-0";

which is then added to the entity to be encrypted. Unfortunately, Thunderbird / Enigmail insists on the additional entries

    protocol="application/pgp-signature"; micalg=pgp-sha512

Without them, it refuses to check the signature.

May I therefore suggest, please, that, beginning with line 859 (my version of Mail::GnuPG is 0.21), the code should be altered from my $workingentity = $entity; $entity->make_multipart; if ($entity->parts > 1) { $workingentity = MIME::Entity->build(Type => $entity->head->mime_attr("Content-Type")); $workingentity->add_part($_) for ($entity->parts); $entity->parts([]); $entity->add_part($workingentity); } to my $workingentity = $entity; $entity->make_multipart; if ($entity->parts > 1) { $workingentity = MIME::Entity->build(Type => $entity->head->mime_attr("Content-Type")); + if ($entity->head->mime_attr("Content-Type") eq "multipart/signed"){ + $workingentity->head->mime_attr("Content-Type.micalg",$entity->head->mime_attr("Content-Type.micalg")); + $workingentity->head->mime_attr("Content-Type.protocol",$entity->head->mime_attr("Content-Type.protocol")); + } $workingentity->add_part($_) for ($entity->parts); $entity->parts([]); $entity->add_part($workingentity); } Does this make sense? Or do I oversee something that could get broken by this change? For me, the modified code works and performs as expected in the sense that the later decrypted mail contains a signature that can be checked with Enigmail. Best regards, Dr. Darius Zarrabi Wiesbaden, Germany
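
Review bot: in the added if block, both copies (Content-Type.micalg and Content-Type.protocol) pass the source value straight into the setter without checking that it is defined, so an incoming multipart/signed header that already lacks one of them would hand an undefined value to mime_attr; guard each copy with defined. The condition also uses a case-sensitive eq against "multipart/signed", while MIME type names are case-insensitive, so comparing the lower-cased value would be safer. The repeated $entity->head->mime_attr(...) calls in the block could share a single my $head = $entity->head; to keep the lines readable.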
This is definitely a bug. RFC 1847, section 2.1 (https://tools.ietf.org/html/rfc1847):

    2.1 Definition of Multipart/Signed

    (1) MIME type name: multipart
    (2) MIME subtype name: signed
    (3) Required parameters: boundary, protocol, and micalg
    (4) Optional parameters: none
    (5) Security considerations: Must be treated as opaque while in transit

Boundary, protocol and micalg are *required*. Mail::GnuPG takes a PGP/MIME signed email with the following Content-Type header:

    Content-Type: multipart/signed; boundary="----------=_1458481552-7056-0"; protocol="application/pgp-signature"; micalg=pgp-sha512

And then spits out an encrypted message, which after decryption contains a MIME part with the following Content-Type header:

    Content-Type: multipart/signed; boundary="----------=_1458481552-7056-0"

Stripping the protocol and micalg attributes means that none of Thunderbird, Evolution and Mutt (and presumably more) will validate the signature after decrypting the message.

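
The RFC 1847 requirement quoted above can be checked mechanically on a decrypted message. The following is an added example, not code from the ticket or from Mail::GnuPG; it uses Python's standard email package, and the function names and sample messages are constructed for illustration.

```python
from email import message_from_string

# Required Content-Type parameters per RFC 1847 section 2.1.
REQUIRED = ("boundary", "protocol", "micalg")

def missing_signed_params(raw):
    """Return [(part_path, [missing parameters])] for every multipart/signed part."""
    findings = []

    def walk(part, path):
        if part.get_content_type() == "multipart/signed":
            missing = [p for p in REQUIRED if part.get_param(p) is None]
            if missing:
                findings.append((path, missing))
        if part.is_multipart():
            for i, child in enumerate(part.get_payload(), start=1):
                walk(child, f"{path}.{i}")

    walk(message_from_string(raw), "1")
    return findings

def signed_part(params):
    """Constructed sample: a signed part with a placeholder signature body."""
    return (
        f'Content-Type: multipart/signed; boundary="sig"{params}\n\n'
        "--sig\nContent-Type: text/plain\n\nhello\n"
        "--sig\nContent-Type: application/pgp-signature\n\n"
        "(placeholder, not a real signature)\n--sig--\n"
    )

INTACT = signed_part('; protocol="application/pgp-signature"; micalg=pgp-sha512')
STRIPPED = signed_part("")
# The stripped part nested one level down, as it sits in a decrypted payload.
NESTED = (
    'Content-Type: multipart/mixed; boundary="outer"\n\n'
    "--outer\n" + STRIPPED + "--outer--\n"
)

if __name__ == "__main__":
    for name, raw in (("intact", INTACT), ("stripped", STRIPPED), ("nested", NESTED)):
        print(name, missing_signed_params(raw))
```

Run against the plaintext obtained after decryption, an empty result means every multipart/signed part still carries the parameters that mail clients need before they attempt signature validation.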
From: jahlives [...] gmx.ch
On Tue 05 Apr 2016, 15:23:31, MCARDWELL wrote:
> Stripping the protocol and micalg attributes means that none of
> Thunderbird, Evolution and Mutt (and presumably more) will validate
> the signature after decrypting the message.

At least in my current version (38.6.0-3.fc23), Thunderbird even crashes upon opening such mails, although other clients (Evolution in my case) could display these mails, just without trying to validate the signature.