Bug#415088: libmail-gnupg-perl: verify method fails on certain types of messages

Celejar celejar at gmail.com
Fri Mar 16 01:01:19 UTC 2007 

Package: libmail-gnupg-perl
Version: 0.08-2
Severity: normal

Mail::GnuPG seems to improperly fail to verify signatures on some
messages. I am seeing consistent failure on messages with attachments
encoded in base64. I have attached a sample program along with a sample
message (and the public gpg key) which illustrate this behavior (feed
the message to the test program's stdio). Both Sylpheed and Mutt verify
all the signatures they see correctly, while GnuPG's verify method
returns (on the problematic messages):

gpg: BAD signature from "Test User (Test Key 1) <test at localhost>"

Verifying a signature on a message composed within my perl script by
MIME::Entity->build and signed by GnuPG works fine (even with the above
mentioned message structures); I have only seen the problem on messages
created and signed by Sylpheed and Mutt.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-lizzie
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libmail-gnupg-perl depends on:
ii  libgnupg-interface-perl       0.33-6     Perl interface to GnuPG
ii  libmailtools-perl             1.74-1     Manipulate email in perl programs
ii  libmime-perl                  5.420-1    Perl5 modules for MIME-compliant m
ii  perl                          5.8.8-7    Larry Wall's Practical Extraction 

libmail-gnupg-perl recommends no packages.

-- no debconf information

*** test.pl
#! /usr/bin/perl -w

use MIME::Parser;
use Mail::GnuPG;

my $parser = new MIME::Parser;
$parser->output_under('/tmp');
my $entity = $parser->parse(\*STDIN) or die "Failure parsing standard input - are you passing in a valid email?\n";
my $mg = new Mail::GnuPG;
if ($mg->is_signed($entity)) {
	my ($status, $keyid, $email) = $mg->verify($entity);
	!$status or die "@{$mg->{last_message}}\nSignature verification failure - gpg return code $status.\n";
	print "Message is signed.\nkey id is $keyid\nemail address is $email\n";
}

*** msg
Return-Path: test at localhost
Return-path: <test at localhost>
Envelope-to: root at localhost
Delivery-date: Thu, 15 Mar 2007 18:27:26 -0400
Received: from test by lizzie.villette with local (Exim 4.63)
	(envelope-from <test at localhost>)
	id 1HRyPu-0001PE-1P
	for root at localhost; Thu, 15 Mar 2007 18:27:26 -0400
Date: Thu, 15 Mar 2007 18:27:26 -0400
To: root at localhost
Subject: test
Message-ID: <20070315222726.GA5324 at localhost>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="H+4ONPRPur6+Ovig"
Content-Disposition: inline
User-Agent: Mutt/1.5.13 (2006-08-11)
From: Test User <test at localhost>


--H+4ONPRPur6+Ovig
Content-Type: multipart/mixed; boundary="ReaqsoxgOBHFXBhH"
Content-Disposition: inline


--ReaqsoxgOBHFXBhH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Some text.
Some more text.


--ReaqsoxgOBHFXBhH
Content-Type: image/png
Content-Disposition: attachment; filename="emblem-symbolic-link.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAgAAAAICAIAAABLbSncAAAACXBIWXMAAAsSAAALEgHS3X78
AAAAB3RJTUUH0woHARYYgS+jjwAAAD50RVh0Q29tbWVudABDcmVhdGVkIHdpdGggVGhlIEdJ
TVAKCihjKSAyMDAzIEpha3ViICdqaW1tYWMnIFN0ZWluZXInM+9YAAAAo0lEQVR42mWOoQoC
QRiE547dfy4YDAYxme8lfCHbRV/jsm+gYrhiEYtFwUuiHIpFVNiwqMitF86woMGJ33wDEyRZ
jr9YYxSAxWSkSS0UUlM0I9S1AqDJZTrw7s0++sPsXZYhABF6erXP8XqvSAChXwCYb0/tZiPu
tETkVxQXM13t0tmqF3e9FyRZXuQbTWpSGAlFC8/Hg7LGAKicq5x74f59/AE+OTTczG1wFAAA
AABJRU5ErkJggg==

--ReaqsoxgOBHFXBhH--

--H+4ONPRPur6+Ovig
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF+chNtfPFArHdQoMRAgPcAKCLFMOlMQY+8ia+py9gi3DBKWnRxACfTGDC
Uf/GyFjomCH+HBZJdw0uzHA=
=lnD+
-----END PGP SIGNATURE-----

--H+4ONPRPur6+Ovig--

*** /home/test/key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (GNU/Linux)

mQGiBEXc5hMRBACpikiw8dXthrIJtnA9g+bA5C/9tbSzTXAaUuoxcETUisD18S5n
BMmveRyvzC9feOnoFY0oUI+5d3x5Z7SYjnX5tKzQZ8zfPZCnmMe0nnvNoA91kL1e
tT8tmdTIe+tks03raqakL64+FhzLhidQ5kKPPGq2Qad6Mwy9v6Tld365TwCg1B1G
ZT3zNCrn6AM8AbJEk+KDqCED/jE15XQWzh27eiEJyleO41KB0xJe2QMoJpuKcJk4
ubjcpjXBfNqZXn5WXehnSUje3WcL9QkPfbs0OuMi0HOfSa8u4+GFr4oD2b/mdzhr
jh+7Gzb6f1BqbOA/QGgjRWm8xWFjAn5K8qWLdANnZBGzUyUrxj/zUhWVAw5xUul4
/WUMA/4qU/67m3KCTFlqAibdHO89ZUlGrX5AUX02bVgg8HwDJj/dqc6eaAESVs7l
hoAK3EywTCogIU6b4e3KyGnxp8/DM7iHDBcNNxW6u+Az3MSltDSsxdAf2GsgBwtB
TThITOXyvQH00iWNvwDrD6zLkkuP/7z5MERYHy1tSUCY2+OvDbQnVGVzdCBVc2Vy
IChUZXN0IEtleSAxKSA8dGVzdEBsb2NhbGhvc3Q+iGAEExECACAFAkXc5hMCGwMG
CwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRC188UCsd1Cg3c/AKC5+l79GfQxM63Q
qOBGW/fEeWLhRQCfZzfDwYt9L/DvcJCK1aTYi1ZWUbG5Ag0ERdzmKhAIALDglb9B
o8jHLeTlff2/A//0LqKhy+281cHHvEuvVH7VW/GeOv+dS0S0U9jhWJcgGquLOktC
klpbAxw4VggqgX49wIvz46xWG44xiZ3nf/1/9S+1K94AuxD6/+MZERCyntTQrvUO
igNkt/Lgq9BDJvG+Ni4LWOxlvhh4SzOVJZrBVIZV1PZLFFUI2KOkyH19vFuVXoYi
RQllkWustyBk4d3lbrQJyL7JHtAiM3PDFvMGWhOGqMLsy8sFutf6NrzEQAnIHAqS
BFeY7RrHHG9Iwqd/LdUt8DUACNhEWn15CmMuUl3d4pqoU6iubHt7FOE8U0Fm/vaD
ZOkIsrTbT7O8/QcAAwUH/iL2jXp9Yr03jv1qGAftfjZIQ3uJ1PIiVjR9e6GbXRXV
AewwQLP9wh8iCwzYIq730Wxv17DQq+yZDhrhCXHcOp4+5q3PZIIKCmpwQIMMtVVg
OcIOiE7er8rbAzHut+DnOy+mq28FZ4Ko9/gVrJINly3u4nVSiAtkvEAQiCAc+dce
/wkCbOmqAG4oLbEbMbT1u/0teA9DmNBiIWydZ7fiYCho0KzvCLt8WP8BZlvN85DN
i2DF+vX8zGKTv4aPmomgb/EwoXHodS/g7rceK3GOE3euMXifApU6K9+YQPs7RVQ0
aRWknssHf99Y/gFfXL/INdey3H1rBW4OsMo16dBsZL2ISQQYEQIACQUCRdzmKgIb
DAAKCRC188UCsd1Cg4cfAKCfvaIYt9lfUKFJclI72tTU46+xcgCgsmQhV1pL1UN/
Dy6Cxop4+CZ9rus=
=KFhz
-----END PGP PUBLIC KEY BLOCK-----

More information about the pkg-perl-maintainers mailing list