<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.28.1">
</HEAD>
<BODY>
On Sat, 2009-11-28 at 16:06 -0500, Jeremy T. Bouse wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
I've been sending gpg signed messages through Thunderbird using
Enigmail without problems. Further I've sent emails to myself from Gmail
using FireGPG and the signature was come through fine. I just hadn't
sent anything to the list from my Gmail account and using FireGPG.
As I noted though FireGPG was base64 encoding the messages themselves
along with the MIME encoding so I don't know if it's that combination
that's causing a problem for the ALE mailing list software. It has been
isolated to email sent via FireGPG though it seems. Whether the fix
should be found in the mailing list software or FireGPG itself could
probably be debated in great length.
</PRE>
</BLOCKQUOTE>
In this particular case it's being caused by <I>something</I> wrapping a header in the signed portion of the message body.<BR>
<BR>
If you use Evolution try this experiment:<BR>
1. Export Jim's email with the invalid sig (File / Save Message)<BR>
2. Change lines 57-58 from this<BR>
<BR>
Content-Type: multipart/alternative;<BR>
boundary="firegpg0710eqg2kkoajgv6vsvmxiqq1"<BR>
<BR>
to this:<BR>
<BR>
Content-Type: multipart/alternative; boundary="firegpg0710eqg2kkoajgv6vsvmxiqq1"<BR>
<BR>
(i.e. unwrap the header and leave a single space before "boundary=")<BR>
3. Import it.<BR>
4. Enjoy the valid signature!<BR>
<BR>
(You can probably do something similar w/ Thunderbird.)<BR>
<BR>
Conclusion: the wrapped header caused the sig to be invalidated.<BR>
<BR>
Open question: Who wrapped it, Mailman, firegpg or gmail?<BR>
<BR>
My answer: probably mailman. On what grounds? Using a message sent to ALE via gmail/firegpg, I compared the raw message sent by mailman to the one stored in my gmail Sent folder. Firegpg sends messages by going around the gmail web interface and sending them to gmail directly via smtp. Thus the copy in my gmail Sent folder would reflect what firegpg sent whereas the one in my inbox from ALE reflects what mailman sent. The difference (apart from an additional envelope) was in that one header, which when corrected, gave a valid sig.<BR>
<BR>
Now what I haven't seen is the raw message as it arrives at the ALE mail server. That would be interesting because it would tell us whether mailman or gmail wrapped the header. Also looking at the message just before it leaves the server could help. Perhaps there's another layer after mailman (as Jeremy suggests below).<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
If anything running on the ALE mail server that would affect mail going
through the list could be a cause. If it's not repacking the message
back exactly as it was received this would invalidate the signature very
easily...
</PRE>
</BLOCKQUOTE>
Which seems to be what's happening.<BR>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<BR>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>