[ale] [SPAM] again... sorry, please ignore

Jeremy T. Bouse jeremy.bouse at undergrid.net
Fri Nov 27 12:30:22 EST 2009


Tim Watts wrote:
> Thanks Jim.
> 
> I wonder if "wrong sig" == "invalid sig"? I did use my @earthlink key
> (A394BC7A) on a message sent from my @gmail account. That would, I
> guess, indicate a "wrong sig" as opposed to an invalid sig (the msg
> content and sig block don't agree).
> 
> What got me digging into this is that your previous message showed up
> with an "invalid signature". So I tried a few things with my earthlink &
> gmail accounts using the A394BC7A key:
> 
> elink account -> ALE via evolution	: good verify
> gmail account -> ALE via evolution	: good verify
> gmail account -> elink via evolution	: good verify
> gmail account -> elink via gmail/firegpg: good verify
> gmail account -> ALE via gmail/firegpg	: BAD verify
> 
> So it looks like the (fireGPG + ALE list) combo invalidates GPG sigs.
> The sig on this message should not be invalid (sent signed using
> evolution). I noticed Brandon's signed msgs on the list a few days ago
> also were invalidated but I couldn't tell what tool he was using.
> 
> Any ideas what could be causing this?
> 
> 
> 
> On Fri, 2009-11-27 at 11:13 -0500, Jim Kinney wrote:
>> My firegpg says "wrong sig". Double check you have the correct sig as
>> default.
>>
>> On Fri, Nov 27, 2009 at 10:30 AM, <timtwatts at gmail.com> wrote:
>>         trying to isolate why some ALE sigs report as invalid. sending
>>         via gmail/firegpg...
>>         

	The use of one key with a different email address should have no
bearing on the signature validity. The signature is based on the key ID
that generates it not the email address that sends it.

	I'm not sure if this is definitive... but when I look at the raw
messages (free from any MUA) I see the following for the email you sent
w/ Gmail/FireGPG:

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--===============1966690486==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="-----firegpg0710eqg2j410d98by2livyjc"

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
-------firegpg0710eqg2j410d98by2livyjc
Content-Type: multipart/alternative;
	boundary="firegpg0710eqg2j410dlntbr800mza1"

--firegpg0710eqg2j410dlntbr800mza1
Content-Type: text/plain; format=flowed; charset=UTF-8
Content-Transfer-Encoding: base64

dHJ5aW5nIHRvIGlzb2xhdGUgd2h5IHNvbWUgQUxFIHNpZ3MgcmVwb3J0IGFzIGludmFsaWQuIHNl
bmRpbmcgdmlhIGdtYWlsL2ZpcmVncGcuLi4NCg0K
--firegpg0710eqg2j410dlntbr800mza1
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

dHJ5aW5nIHRvIGlzb2xhdGUgd2h5IHNvbWUgQUxFIHNpZ3MgcmVwb3J0IGFzIGludmFsaWQuIHNl
bmRpbmcgdmlhIGdtYWlsL2ZpcmVncGcuLi48YnI+PGJyPg0K
--firegpg0710eqg2j410dlntbr800mza1--

-------firegpg0710eqg2j410d98by2livyjc
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.10)

iQEcBAEBAgAGBQJLD/CRAAoJEPn9tXGjlLx6s4YH/3odcaI8elLPAeEV9MJofSQF
6sAYFS35KccDqRMExTDGh2xnyGAprtuCTSZ5VdURGf7pmePsjSB61tDxMFKBocyN
NCiGPwcTsI4u1HcaW1DrOXFZlpdy5V4uzT1KWJr9P6lKdzstzQWFSFGMecv1qNsj
p6DiM1XDbrSAHoliMOzlrVpuoDhFzzfFyPcyj8J5p0ce88wlqF1+7Pph9QWXy52H
hErIyNgRR4/5XOJvo5a1p1uoMoIbYWlPJnpBGvCCoe2fiaJl9InGgKLXBrTL84w5
tFJfC2gxy4uWBRQHujw3U0GPRb7BCevb8kfYePhnjlaD/2EKQeSNqH81nJPzm0Q=
=MasR
-----END PGP SIGNATURE-----

-------firegpg0710eqg2j410d98by2livyjc--


--===============1966690486==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

--===============1966690486==--

	This produced the invalid signature when I tried to verify it. I then
looked at the one you sent with Evolution and found the following:

--===============0374029357==
Content-Type: multipart/signed; micalg="pgp-sha1";
	protocol="application/pgp-signature";
	boundary="=-oj6C2VDJAKKXQuNsmR8l"


--=-oj6C2VDJAKKXQuNsmR8l
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thanks Jim.

I wonder if "wrong sig" =3D=3D "invalid sig"? I did use my @earthlink key
(A394BC7A) on a message sent from my @gmail account. That would, I
guess, indicate a "wrong sig" as opposed to an invalid sig (the msg
content and sig block don't agree).

What got me digging into this is that your previous message showed up
with an "invalid signature". So I tried a few things with my earthlink &
gmail accounts using the A394BC7A key:

elink account -> ALE via evolution	: good verify
gmail account -> ALE via evolution	: good verify
gmail account -> elink via evolution	: good verify
gmail account -> elink via gmail/firegpg: good verify
gmail account -> ALE via gmail/firegpg	: BAD verify

So it looks like the (fireGPG + ALE list) combo invalidates GPG sigs.
The sig on this message should not be invalid (sent signed using
evolution). I noticed Brandon's signed msgs on the list a few days ago
also were invalidated but I couldn't tell what tool he was using.

Any ideas what could be causing this?



On Fri, 2009-11-27 at 11:13 -0500, Jim Kinney wrote:
> My firegpg says "wrong sig". Double check you have the correct sig as
> default.
>=20
> On Fri, Nov 27, 2009 at 10:30 AM, <timtwatts at gmail.com> wrote:
>         trying to isolate why some ALE sigs report as invalid. sending
>         via gmail/firegpg...
>        =20
>        =20
>         _______________________________________________
>         Ale mailing list
>         Ale at ale.org
>         http://mail.ale.org/mailman/listinfo/ale
>         See JOBS, ANNOUNCE and SCHOOLS lists at
>         http://mail.ale.org/mailman/listinfo
>        =20
>=20
>=20
>=20
> --=20
> --=20
> James P. Kinney III
> Actively in pursuit of Life, Liberty and Happiness        =20
>=20
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo


________
Most modern calendars mar the sweet simplicity of our lives by reminding
us that each day that passes is the anniversary of some perfectly
uninteresting event.
-- Oscar Wilde


--=-oj6C2VDJAKKXQuNsmR8l
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAABAgAGBQJLEAMNAAoJEPn9tXGjlLx6uAUIAMxoFsU+GsxkIJEvVEiQbXq1
GZTt5UIc/wQal4hwSQBit75XKwqnQpzbhbmGoVg7Pn8qSDosySrTwiCRDDVYqmka
j3JmEFqO/fL5TUJVNHibtkFUPalWrKI6VlXkucUfNC1NCU/nYfvfQlAyQv4//vpd
mwS7tGh8qdqdfBDmIGzZzJ5p5dlTRBKny141tMnM7bARHmFqZQjCVNODLr6AED2k
pPdCL4VQDsyA6dH2MNsevfLnbcAxDDPNS/r2o9oenqshOenVPeFNDNc9vVGpaCQN
P1KKadIAcJVQ2xx8IqGuo29ajcEAG1llXGs7PoyMcj0ow8Ho3H8GFQU77d4RwNw=
=A3xl
-----END PGP SIGNATURE-----

--=-oj6C2VDJAKKXQuNsmR8l--


--===============0374029357==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

--===============0374029357==--

	The problem appears to be in that the Gmail/FireGPG email is base64
encoded. It also looks like it's sending text/plain & text/html while
Evolution is only sending text/plain.

	It is always advisable that you use text/plain and disable text/html
when using PGP/MIME. I turn off text/html for Thunderbird/Enigmail. As
you say you can send to your elink acct via Gmail/FireGPG I would assume
that the ALE list is seeing the text/plain+text/html PGP/MIME and
possibly base64 encoding it. You could verify this by ensuring that the
email you sent from Gmail to your elink acct that verified good isn't
base64 encoded. You can also possibly check your Gmail sent folder and
look at the raw message to see if the one you sent to ALE is base64
encoded or not. If it's not base64 when being sent then it's being done
by the ALE list software.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 306 bytes
Desc: OpenPGP digital signature
Url : http://mail.ale.org/pipermail/ale/attachments/20091127/17ecd659/attachment.bin 


More information about the Ale mailing list