New subject: mailman breaking PGP/MIME-signed messages (was: Re: My First Signed email)

27 May 2011

On Sun, 15 May 2011 13:11:36 -0400, "Robert J. Hansen" <rjh@sixdemonbag.org> wrote:
> http://sixdemonbag.org/pgpmime.zip
> 
> Contains the good message (taken from my outbox), the bad message (as
> received from the list), and a diff between the two (as computed by
> Cygwin's diff).  Knock yourself out.

This is clearly a problem with mailman; mailman is not treating the
content within the multipart/signed message as an immmutable text.  In
particular, it's re-formatting multi-line headers within the signed
part.

This is apparently known upstream, reported many moons ago, when mailman
used sourceforge as a bugtracker:

 http://sourceforge.net/tracker/?func=detail&aid=815297&group_id=103&atid=100103

And it appears to now be tracked upstream here:

 https://bugs.launchpad.net/mailman/+bug/558123

Below you can see the change: the additional wrapping block (with the
mailing list footer) is totally fine.  the error is in swapping the
leading space for a tab before the boundary attribute for the
Content-Type of the signed part.

------------------------------------------------------------
0 dkg@pip:/tmp/cdtemp.4pvdgA$ wget -q http://sixdemonbag.org/pgpmime.zip
0 dkg@pip:/tmp/cdtemp.4pvdgA$ unzip -q -a pgpmime.zip 
0 dkg@pip:/tmp/cdtemp.4pvdgA$ strip_headers() { 
> awk '{ if (X) {print $0} } /^$/{ X=1 }'
> }
0 dkg@pip:/tmp/cdtemp.4pvdgA$ diff -u <(strip_headers < good_pgpmime.eml) <(strip_headers < bad_pgpmime.eml)

--- /dev/fd/63	2011-05-27 13:01:37.705397276 -0400
+++ /dev/fd/62	2011-05-27 13:01:37.705397276 -0400
@@ -1,7 +1,13 @@
 This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
+--===============1388267379==
+Content-Type: multipart/signed; micalg=pgp-sha256;
+	protocol="application/pgp-signature";
+	boundary="------------enigA22A6723C9B8F9F9E4CFB403"
+
+This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
 --------------enigA22A6723C9B8F9F9E4CFB403
 Content-Type: multipart/alternative;
- boundary="------------020209060504060800050601"
+	boundary="------------020209060504060800050601"
 
 This is a multi-part message in MIME format.
 --------------020209060504060800050601
@@ -89,3 +95,16 @@
 -----END PGP SIGNATURE-----
 
 --------------enigA22A6723C9B8F9F9E4CFB403--
+
+--===============1388267379==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline
+
+_______________________________________________
+Enigmail mailing list
+Enigmail@mozdev.org
+https://www.mozdev.org/mailman/listinfo/enigmail
+
+--===============1388267379==--
1 dkg@pip:/tmp/cdtemp.4pvdgA$ grep -i mailman-version *.eml
bad_pgpmime.eml:X-Mailman-Version: 2.1.12
0 dkg@pip:/tmp/cdtemp.4pvdgA$ 
------------------------------------------------------------

The right thing to do is to fix mailman to not tamper with the message
body.  Perhaps it has already been fixed since 2.1.12?

Please follow up via mailman-developers@ (you may need to subscribe
first) if you have patches to offer.  If you don't want to subscribe,
i'd be happy to forward patches to the list if they seem plausible.

Regards,

        --dkg

    

mailman breaking PGP/MIME-signed messages (was: Re: My First Signed email)

Daniel Kahn Gillmor

Mark Sapiro

tags

participants (2)