Re: question on reportedly invalid PGP signature



Hi Albrecht,

On 2018.11.28 15:28, Albrecht Dreß wrote:
> On 28.11.18 18:38 Jack via balsa-list wrote:
>> If I explicitly look at the signature part, the first line says PGP: signature: The signature is invalid.
> This is the result of comparing the (I guess detached, i.e. multipart/signed) signature with the signature calculated by Gpg: they differ. Typically caused by some intermediate agent tampering with spaces, line endings, or similar. In short, this message indicates that the message is different from what has been signed.
In that message, the parts are 1. signed parts, 1.1 plain text document and 1.2 PGP signature: The signature is invalid.

>> The following line is "Signature validity: The user ID is of unknown validity." I expect there is a difference between unknown validity and invalid.
> Gives the validity of the user ID (calculated by the Web Of Trust, plus you can change validities of the UID yourself, by using gpg, gpa, seahorse, etc.). As the signature is invalid, it is always set to unknown by gpg. Maybe we should omit this information if the signature is invalid, as this information is somewhat confusing. Note that the signature validity may be different if the key used for signing has expired or been revoked, though, so this information may be useful in other cases when the padlock is red.
It is correct that the user ID is of unknown validity, as I have not indicated anything better, so I understand the web of trust may well not come up with any better connection. I suppose it doesn't really matter whether it gets unknown because it really is or because the signature is invalid.

>> The key fingerprint does match the key ID of one of the RSA subkeys (using kgpg to check). Two odd things are that it also says "Signed on: never" and the "Subkey used" doesn't show any additional lines, whether the little triangle points right or down.
> This information is provided by gpg only if the signature is valid (also for an expired, but otherwise valid signature).
This key has lots of expired subkeys, but it does have current ones also.

> Actually, we should remove the confusing “missing” information from the widget.
>
> Thanks a lot for pointing me to that, I'll provide a fix (will be easy).

>> So - is there a problem in the signature, or might I have something misconfigured?
> No, everything is normal, apart from that the message has somehow been tampered with. IIRC, Peter had a similar problem, caused by a provider's MTA modifying the message in mid-air against the standards. Would be interesting whether /this/ message has a valid signature or not – if it is valid, it is more likely that the issue is with the sender's provider, not yours…
Your message shows good signature with insufficient validity/trust, which is what I expect. The original message that started this came through an official KDE mailing list, and I have other messages from that list that show good signature with insufficient validity/trust. However, I now also see one other message from the sender of the message that started this and a message from someone else with the same invalid signature. So - I don't think the mailing list mucked with the content, or I would expect it to do so consistently. I suppose I'll check with the original sender to see if he has had any other hints of similar issues. I'll report back here if I find anything useful.

> Hope this helps
> Albrecht.
It's a good start.

Jack
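As an added illustration (not code from this thread or from Balsa), here is a small Python model of what Albrecht describes: the verifier hashes the canonicalized text part and compares it with what was signed, so spaces or line endings altered in transit yield "invalid". It uses a SHA-256 digest as a stand-in for the OpenPGP signature, assumes RFC 3156's CRLF canonical form for the multipart/signed body, and the sample message is constructed; the `diagnose` helper that tests for common transit damage is an assumption of this example, not a gpg feature.

```python
import hashlib

# Constructed sample: the text/plain part exactly as the sender's MUA signed it.
ORIGINAL_PART = "Hello,\r\nthe signature should verify.\r\nRegards,\r\nJack\r\n"


def canonicalize(part: str) -> bytes:
    """Canonical form of a multipart/signed body part (RFC 3156 style):
    every line ending becomes CRLF. Assumption: text/plain needs no further
    content-type-specific canonicalization."""
    lines = part.replace("\r\n", "\n").split("\n")
    return "\r\n".join(lines).encode("utf-8")


def digest_for_signing(part: str) -> str:
    """Stand-in for the hash that an OpenPGP signature covers."""
    return hashlib.sha256(canonicalize(part)).hexdigest()


def verify(received_part: str, signed_digest: str) -> bool:
    """True only when the received part canonicalizes to the signed bytes.
    A differing line ending alone is tolerated; any other byte change is not."""
    return digest_for_signing(received_part) == signed_digest


def diagnose(received_part: str, signed_digest: str) -> str:
    """Explain an invalid signature by testing one common kind of transit damage:
    an intermediate agent appending trailing whitespace to lines. (An agent that
    strips whitespace the sender had cannot be undone this way and is reported
    as a content change.)"""
    if verify(received_part, signed_digest):
        return "valid"
    lines = received_part.replace("\r\n", "\n").split("\n")
    stripped = "\n".join(line.rstrip(" \t") for line in lines)
    if verify(stripped, signed_digest):
        return "invalid: trailing whitespace was added in transit"
    return "invalid: content changed (e.g. re-wrapped lines or footer added)"


if __name__ == "__main__":
    sig = digest_for_signing(ORIGINAL_PART)
    # LF-only copy still verifies because canonicalization restores CRLF.
    print(verify(ORIGINAL_PART.replace("\r\n", "\n"), sig))
    # Copy with a space appended to a line no longer verifies.
    print(diagnose("Hello, \nthe signature should verify.\nRegards,\nJack\n", sig))
    # Copy with a list footer appended no longer verifies.
    print(diagnose(ORIGINAL_PART + "-- \r\nlist footer\r\n", sig))
```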

