Re: question on reportedly invalid PGP signature



Hi Jack:

On 28.11.18 18:38, Jack via balsa-list wrote:
> If I explicitly look at the signature part, the first line says PGP: signature: The signature is invalid.

This is the result of comparing the (I guess detached, i.e. multipart/signed) signature with the signature 
calculated by Gpg: they differ.  Typically caused by some intermediate agent tampering with spaces, line 
endings, or similar.  In short, this message indicates that the message is different from what has been 
signed.

> The following line is "Signature validity: The user ID is of unknown validity."  I expect there is a
> difference between unknown validity and invalid.

Gives the validity of the user ID (calculated by the Web Of Trust, plus you can change validities of the UID 
yourself, by using gpg, gpa, seahorse, etc.).  As the signature is invalid, it is always set to unknown by 
gpg.  Maybe we should omit this information if the signature is invalid, as this information is somewhat 
confusing.  Note that the signature validity may be different if the key used for signing has expired or been 
revoked, though, so this information may be useful in other cases when the padlock is red.

> The key fingerprint does match the key ID of one of the RSA subkeys (using kgpg to check).  Two odd
> things are that it also says "Signed on: never" and the "Subkey used" doesn't show any additional lines,
> whether the little triangle points right or down.

This information is provided by gpg only if the signature is valid (also for an expired, but otherwise valid 
signature).

Actually, we should remove the confusing “missing” information from the widget.

Thanks a lot for pointing me to that, I'll provide a fix (will be easy).

> So - is there a problem in the signature, or might I have something misconfigured?

No, everything is normal, apart from that the message has somehow been tampered with.  IIRC, Peter had a 
similar problem, caused by a provider's MTA modifying the message in mid-air against the standards.  Would be 
interesting whether /this/ message has a valid signature or not – if it is valid, it is more likely that the 
issue is with the sender's provider, not yours…

Hope this helps
Albrecht.

Attachment: pgpfvVNQLCv9D.pgp
Description: PGP signature
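
An added example, not part of the original message or of Balsa's code: a small Python diagnostic that compares the signed MIME part as sent with the copy that arrived and reports which kind of in-transit change explains an "invalid" result. The sample message, the function names and the use of SHA-256 as a stand-in for the hash the OpenPGP signature covers are all assumptions made for illustration.

```python
import hashlib

# Constructed sample: the signed MIME part exactly as the sender hashed it.
SIGNED = (b"Content-Type: text/plain; charset=utf-8\r\n"
          b"\r\n"
          b"Hi Jack, \r\n"              # note the trailing space
          b"the key is attached.\r\n")

def digest(part: bytes) -> str:
    """Stand-in (assumption) for the hash that the signature covers."""
    return hashlib.sha256(part).hexdigest()

def classify(signed: bytes, received: bytes) -> str:
    """Name the smallest class of change that turns `signed` into `received`."""
    if signed == received:
        return "identical"
    a, b = signed.splitlines(), received.splitlines()
    if a == b:                          # same lines, different terminators
        return "line endings changed"
    if [l.rstrip(b" \t") for l in a] == [l.rstrip(b" \t") for l in b]:
        return "trailing whitespace changed"
    if b"".join(signed.split()) == b"".join(received.split()):
        return "other whitespace changed"   # e.g. lines re-wrapped
    return "content changed"

# Constructed copies, each modelling one kind of intermediate rewrite.
RECEIVED = {
    "untouched":     SIGNED,
    "crlf_to_lf":    SIGNED.replace(b"\r\n", b"\n"),
    "space_dropped": SIGNED.replace(b", \r\n", b",\r\n"),
    "rewrapped":     SIGNED.replace(b"Hi Jack, \r\n", b"Hi Jack, "),
    "edited":        SIGNED.replace(b"attached", b"revoked"),
}

def report():
    """Return (name, digest matches?, classification) for every copy."""
    want = digest(SIGNED)
    return [(name, digest(data) == want, classify(SIGNED, data))
            for name, data in RECEIVED.items()]

if __name__ == "__main__":
    for name, ok, kind in report():
        print(f"{name:14} digest {'ok ' if ok else 'BAD'}  {kind}")
```

Only the untouched copy keeps its digest. The whitespace-only rewrites fail in the same way as the copy whose wording was edited, so a verifier cannot tell harmless reformatting from a real change without a comparison like this one.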


