[ale] testing firegpg with mailman

Tim Watts timtw at earthlink.net
Sun Nov 29 00:58:11 EST 2009 

On Sat, 2009-11-28 at 23:08 -0500, Jim Kinney wrote:
> OK. Since this began I've sent several messages as well others through
> the entire ALE mailman process. I am receiving valid signatures on
> messages. During this time, nothing has changed with mailman or
> mailscanner. 
> 
> What email cleaners are you using? procmail filters? thunderbird
> autosort filters?
> 
I'm using Evolution 2.28.1. I'm *not* using firegpg. No cleaners. The
only filters are inbound in evolution to move ALE stuff to my ALE
folder. I only tested with firegpg earlier because I saw that your sig
got invalidated and I wanted to dig into why.

Are you saying you're seeing good signatures now on ALE from firegpg?
Because those are still showing as invalid to me. For instance, your
previous response to Michael shows an invalid signature. But Jeremy's
sig is fine. You're using firegpg, Jeremy is using Thunderbird/Enigmail
as far as I can tell.

Just to be clear: the claim has never been that all sigs get corrupted
when sent from mailman, only those originating from firegpg. And,
apparently, it's because something along the way is changing one of the
headers in the message firegpg signed. Are we on the same page?


> On Sat, Nov 28, 2009 at 7:04 PM, Tim Watts <timtw at earthlink.net>
> wrote:
>         On Sat, 2009-11-28 at 16:06 -0500, Jeremy T. Bouse wrote: 
>         > 	I've been sending gpg signed messages through Thunderbird using
>         > Enigmail without problems. Further I've sent emails to myself from Gmail
>         > using FireGPG and the signature was come through fine. I just hadn't
>         > sent anything to the list from my Gmail account and using FireGPG.
>         > 
>         > 	As I noted though FireGPG was base64 encoding the messages themselves
>         > along with the MIME encoding so I don't know if it's that combination
>         > that's causing a problem for the ALE mailing list software. It has been
>         > isolated to email sent via FireGPG though it seems. Whether the fix
>         > should be found in the mailing list software or FireGPG itself could
>         > probably be debated in great length.
>         > 
>         In this particular case it's being caused by something
>         wrapping a header in the signed portion of the message body.
>         
>         If you use Evolution try this experiment:
>         1. Export Jim's email with the invalid sig (File / Save
>         Message)
>         2. Change lines 57-58 from this
>         
>         Content-Type: multipart/alternative;
>         boundary="firegpg0710eqg2kkoajgv6vsvmxiqq1"
>         
>            to this:
>         
>         Content-Type: multipart/alternative;
>         boundary="firegpg0710eqg2kkoajgv6vsvmxiqq1"
>         
>         (i.e. unwrap the header and leave a single space before
>         "boundary=")
>         3. Import it.
>         4. Enjoy the valid signature!
>         
>         (You can probably do something similar w/ Thunderbird.)
>         
>         Conclusion: the wrapped header caused the sig to be
>         invalidated.
>         
>         Open question: Who wrapped it, Mailman, firegpg or gmail?
>         
>         My answer: probably mailman. On what grounds? Using a message
>         sent to ALE via gmail/firegpg, I compared the raw message sent
>         by mailman to the one stored in my gmail Sent folder. Firegpg
>         sends messages by going around the gmail web interface and
>         sending them to gmail directly via smtp. Thus the copy in my
>         gmail Sent folder would reflect what firegpg sent whereas the
>         one in my inbox from ALE reflects what mailman sent. The
>         difference (apart from an additional envelope) was in that one
>         header, which when corrected, gave a valid sig.
>         
>         Now what I haven't seen is the raw message as it arrives at
>         the ALE mail server. That would be interesting because it
>         would tell us whether mailman or gmail wrapped the header.
>         Also looking at the message just before it leaves the server
>         could help. Perhaps there's another layer after mailman (as
>         Jeremy suggests below).
>         
>         
>         > 	If anything running on the ALE mail server that would affect mail going
>         > through the list could be a cause. If it's not repacking the message
>         > back exactly as it was received this would invalidate the signature very
>         > easily...
>         > 
>         Which seems to be what's happening.
>         
>         
>         
>         
>         _______________________________________________
>         Ale mailing list
>         Ale at ale.org
>         http://mail.ale.org/mailman/listinfo/ale
>         See JOBS, ANNOUNCE and SCHOOLS lists at
>         http://mail.ale.org/mailman/listinfo
>         
> 
> 
> 
> -- 
> -- 
> James P. Kinney III
> Actively in pursuit of Life, Liberty and Happiness         
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo


________
It's not foresight or hindsight we need. We need sight, plain and
simple. We need to see what is right in front of us.
-- Real Live Preacher

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20091129/ee070433/attachment.bin

More information about the Ale mailing list