Bug #288

PGP signature not verified properly when the message has no newline at the end.

Added by Simeon Simeonov over 1 year ago.

Status: New
Start date: 01/28/2018
Priority: Normal
Due date:
Assignee: -
% Done:
Category: Security
Spent time: -
Target version: 3.6


Sylpheed marks emails with valid signatures as having a bad signature, when
the email doesn't contain (is not composed with) any trailing newline (examples attached).

RFC-2440 section-7.1 states:
"...The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP SIGNATURE-----' line that terminates the signed text is not considered part of the signed text..."

libsylph/utils.c:3265 contains the block:
    if (last_linebreak == TRUE) {
        if (fputs("\r\n", dest_fp) == EOF)
            err = TRUE;
    }

The signature checking seems to work properly when removing it.

The reason I am not submitting a patch is that canonicalize_file is used and perhaps needed in this form by other parts of Sylpheed.

bad_signature.txt - Email with good signature that is marked as having bad signature (5.36 KB) Simeon Simeonov, 01/28/2018 10:18 PM

good_signature.txt - Email that is verified properly (5.37 KB) Simeon Simeonov, 01/28/2018 10:18 PM
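
An added reproduction of the behaviour this report describes, not code from Sylpheed or from the reporter: it canonicalizes a body with and without the final "\r\n" append and shows that the hashed bytes differ only when the body has no trailing newline. The names `canonicalize`, `digest` and `verifies` are hypothetical, FNV-1a stands in for the OpenPGP hash, the sample bodies are constructed, and the signer is assumed to have hashed the body without a final line break.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Sylpheed's canonicalize_file(): copy src to dst
 * with bare LF turned into CRLF. If add_crlf is set and the input does not
 * end in a line break, append "\r\n". Returns bytes written, -1 if too small. */
static long canonicalize(const char *src, char *dst, size_t cap, int add_crlf)
{
    size_t n = strlen(src), o = 0;
    for (size_t i = 0; i < n; i++) {
        int bare_lf = src[i] == '\n' && (i == 0 || src[i - 1] != '\r');
        if (o + (bare_lf ? 2 : 1) >= cap) return -1;
        if (bare_lf) dst[o++] = '\r';
        dst[o++] = src[i];
    }
    if (add_crlf && n > 0 && src[n - 1] != '\n') {
        if (o + 2 >= cap) return -1;
        dst[o++] = '\r'; dst[o++] = '\n';
    }
    dst[o] = '\0';
    return (long)o;
}

/* FNV-1a (32-bit), a stand-in for the OpenPGP hash over the signed bytes. */
static unsigned long digest(const char *p, long len)
{
    unsigned long h = 2166136261UL;
    for (long i = 0; i < len; i++)
        h = ((h ^ (unsigned char)p[i]) * 16777619UL) & 0xffffffffUL;
    return h;
}

/* 1 if the verifier-side bytes (with the append) hash the same as the
 * signer-side bytes (without it), 0 if they differ, -1 on overflow. */
static int verifies(const char *body)
{
    char signer[256], verifier[256];
    long a = canonicalize(body, signer, sizeof signer, 0);
    long b = canonicalize(body, verifier, sizeof verifier, 1);
    if (a < 0 || b < 0) return -1;
    return digest(signer, a) == digest(verifier, b);
}

int main(void)
{
    printf("with final newline: %d, without: %d\n",
           verifies("line one\nline two\n"), verifies("line one\nline two"));
    return 0;
}
```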
