Bug#415088: libmail-gnupg-perl: verify method fails on certain types of messages

[Niko Tyni]

retitle 415088 libmail-gnupg-perl: document how MIME-encoded signatures should be verified
severity 415088 wishlist
thanks

On Thu, Mar 15, 2007 at 08:01:19PM -0400, Celejar wrote:
> Package: libmail-gnupg-perl
> Version: 0.08-2
> Severity: normal
> 
> Mail::GnuPG seems to improperly fail to verify signatures on some
> messages. I am seeing consistent failure on messages with attachments
> encoded in base64. I have attached a sample program along with a sample
> message (and the public gpg key) which illustrate this behavior (feed
> the message to the test program's stdio). Both Sylpheed and Mutt verify
> all the signatures they see correctly, while GnuPG's verify method
> returns (on the problematic messages):
> 
> gpg: BAD signature from "Test User (Test Key 1) <test at localhost>"

Hi,

this is also upstream bug #2718 [1]. The problem is that MIME::Entity
stores the data decoded from base64, and will re-encode it when handing
it to Mail::GnuPG. This breaks the signature, since the re-encoded data
is not quite identical to the original data. The issue is also mentioned
in the upstream README file, under the 'KNOWN ISSUES' section.

However, there are some good news since the last update to the upstream
bug. Starting with MIME-tools version 5.419 (known as libmime-perl
in Debian), MIME::Parser has had the decode_bodies() method to work
around this.

Indeed, if I add

 $parser->decode_bodies(0);

to your test script, I get the desired result:

 Message is signed.
 key id is B1DD4283
 email address is Test User (Test Key 1) <test at localhost>

Clearly this needs to be documented in the Mail::GnuPG manual.
I'm retitling the bug accordingly and setting the severity to
'wishlist'. I'll try to come up with a patch to the documentation and
submit it to the upstream bug as well.

[1] http://rt.cpan.org/Public/Bug/Display.html?id=2718

Thanks for your report,
-- 
Niko Tyni   ntyni at iki.fi