Sometimes can't verify signature

Gnome Evolution - General mailing list
Evolution is able to verify the gpg signature on some messages but on
other messages it says "Error verifying signature: Failed to execute
gpg." I have not been able to get it to tell me any details about the
error. When I run

CAMEL_DEBUG=all evolution > foo.txt

the resulting file does not contain "gpg", "Error verifying signature",
or "Failed to execute gpg". It does contain "GNUPG" in two places which
both only say

status: [GNUPG:] NODATA 4

Is there a way to get it to output the actual gpg command it is
executing and the output from that command?

Also, I don't see a way to export the signature, just to help me
investigate (no attachment bar or anything). Is there one?
(FYI: Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature"; )

Evolution 3.34.1-2

(Thunderbird/Enigmail verifies the signature no problem)



_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

Re: Sometimes can't verify signature

Ángel González
On 2020-05-08 at 00:49 -0400, Jeff Van Epps via evolution-list wrote:
> Evolution is able to verify the gpg signature on some messages but on
> other messages it says "Error verifying signature: Failed to execute
> gpg."

Is it failing consistently on certain messages, or is it sometimes
failing but maybe working for that exact message on the next attempt?


>  I have not been able to get it to tell me any details about the
> error. When I run
>
> CAMEL_DEBUG=all evolution > foo.txt
>
> the resulting file does not contain "gpg", "Error verifying signature",
> or "Failed to execute gpg". It does contain "GNUPG" in two places which
> both only say
>
> status: [GNUPG:] NODATA 4
>
> Is there a way to get it to output the actual gpg command it is
> executing and the output from that command?
>
> Also, I don't see a way to export the signature, just to help me
> investigate (no attachment bar or anything). Is there one?
> (FYI: Content-Type: multipart/signed; micalg=pgp-sha512;
> protocol="application/pgp-signature"; )

You may do Ctrl+U to view the message source (or just save as mbox)

I have debugged this kind of thing in the past by placing a wrapper
around gpg earlier in the PATH, which logs how/what is being passed
around.

Kind regards

Re: Sometimes can't verify signature

Gnome Evolution - General mailing list
On Sat, 2020-05-09 at 21:39 +0200, Ángel wrote:
> On 2020-05-08 at 00:49 -0400, Jeff Van Epps via evolution-list wrote:
> > Evolution is able to verify the gpg signature on some messages but
> > on
> > other messages it says "Error verifying signature: Failed to
> > execute
> > gpg."
>
> Is it failing consistently on certain messages, or is it sometimes
> failing but maybe working for that exact message on the next attempt?

Failing consistently on certain messages.

> You may do Ctrl+U to view the message source (or just save as mbox)
>
> I have debugged this kind of thing in the past by placing a wrapper
> around gpg earlier in the PATH, which logs how/what is being passed
> around.

Worth a try.



Re: Sometimes can't verify signature

Gnome Evolution - General mailing list
On Sat, 2020-05-09 at 21:39 +0200, Ángel wrote:

> On 2020-05-08 at 00:49 -0400, Jeff Van Epps via evolution-list wrote:
> > Evolution is able to verify the gpg signature on some messages but
> > on
> > other messages it says "Error verifying signature: Failed to
> > execute
> > gpg."
>
> Is it failing consistently on certain messages, or is it sometimes
> failing but maybe working for that exact message on the next attempt?
>
>
> >  I have not been able to get it to tell me any details about the
> > error. When I run
> >
> > CAMEL_DEBUG=all evolution > foo.txt
> >
> > the resulting file does not contain "gpg", "Error verifying
> > signature",
> > or "Failed to execute gpg". It does contain "GNUPG" in two places
> > which
> > both only say
> >
> > status: [GNUPG:] NODATA 4
> >
> > Is there a way to get it to output the actual gpg command it is
> > executing and the output from that command?
> >
> > Also, I don't see a way to export the signature, just to help me
> > investigate (no attachment bar or anything). Is there one?
> > (FYI: Content-Type: multipart/signed; micalg=pgp-sha512;
> > protocol="application/pgp-signature"; )
>
> You may do Ctrl+U to view the message source (or just save as mbox)
>
> I have debugged this kind of thing in the past by placing a wrapper
> around gpg earlier in the PATH, which logs how/what is being passed
> around.

I created ~/bin/gpg2

#!/bin/bash

echo $* > /home/lordbah/args.txt

What appears in args.txt is:

--verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --
status-fd=85 --verify-options show-photos --photo-viewer
/usr/libexec/camel-gpg-photo-saver --state "/tmp/camel-gpg-photo-state-
WDV3J0" --photo "%i" --keyid "%K" --type "%t" --verify /tmp/evolution-
pgp.FCM3J0 -

However ...
- the same stuff appears for both kinds of messages, those whose
signature can be verified and those whose can't
- there is no /tmp/camel* file while this is being executed
- none of those are documented options for gpg2 except --verify and --
verbose!
- I don't know what those percent variables are doing

So I'm kind of bewildered by all this. It's as if evolution is
expecting to run some program other than gpg.

Hmm, the "bad" message has both a text/plain part and a text/html part,
whereas the "good" message has only a text/plain. I wonder if that's
an issue.

gpg version is 2.2.12.



Re: Sometimes can't verify signature

Pete Biggs

> I created ~/bin/gpg2
>
> #!/bin/bash
>
> echo $* > /home/lordbah/args.txt
>
> What appears in args.txt is:
>
> --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --
> status-fd=85 --verify-options show-photos --photo-viewer
> /usr/libexec/camel-gpg-photo-saver --state "/tmp/camel-gpg-photo-state-
> WDV3J0" --photo "%i" --keyid "%K" --type "%t" --verify /tmp/evolution-
> pgp.FCM3J0 -
>

I suspect that not all those are discrete arguments - try doing
something like this

   for word in "$@"; do echo "$word"; done

this will put each argument on a different line.


>
> Hmm, the "bad" message has both a text/plain part and a text/html part,
> whereas the "good" message has only a text/plain. I wonder if that's
> an issue.
>
> gpg version is 2.2.12.
>
In the structure of the message, does the GPG section cover the whole
of the message or just one section?

If you save the message and run it through GPG manually, does it
verify?

Is it possible that GPG is actually telling you the truth and that
something has modified the message in transit - it's not unknown that
ISPs modify HTML in messages to add web bugs, there were some free mail
providers in the past that added their own advertising banners into
HTML mail.

P.
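
The wrapper approach discussed in this thread, as an added example (not code from any poster or from Evolution): it records each argument on its own line, as the "$@" loop does, and then hands over to the real gpg so that stdin and the descriptor named by --status-fd still reach it. The install location (~/bin/gpg2), the log path and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Logging pass-through wrapper; save as e.g. ~/bin/gpg2 (assumed location)."""
import os
import sys
import time

LOG = os.path.expanduser("~/gpg-wrapper.log")  # assumed log path


def find_real(name, self_path, search_path):
    """First executable called `name` on search_path that is not this wrapper."""
    me = os.path.realpath(self_path)
    for d in search_path.split(os.pathsep):
        cand = os.path.join(d or ".", name)
        if (os.path.isfile(cand) and os.access(cand, os.X_OK)
                and os.path.realpath(cand) != me):
            return cand
    return None


def format_invocation(argv):
    """One argument per line, repr()-quoted so embedded spaces stay visible."""
    return "".join("argv[%d] = %r\n" % (i, a) for i, a in enumerate(argv))


def main():
    name = os.path.basename(sys.argv[0])
    real = find_real(name, sys.argv[0], os.environ.get("PATH", ""))
    with open(LOG, "a") as fh:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        fh.write("--- %s pid=%d real=%s\n" % (stamp, os.getpid(), real))
        fh.write(format_invocation(sys.argv))
    if real is None:
        sys.exit("wrapper: no real %s found on PATH" % name)
    # exec replaces this process, so stdin, stdout and inherited descriptors
    # (such as the one named by --status-fd) go to the real gpg untouched.
    os.execv(real, [real] + sys.argv[1:])


if __name__ == "__main__":
    main()
```

Because the wrapper execs the real binary, the signature check in the mail client keeps working while the log is collected.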


Re: Sometimes can't verify signature

Gnome Evolution - General mailing list
On Sun, 2020-05-10 at 12:21 +0100, Pete Biggs wrote:

> > I created ~/bin/gpg2
> >
> > #!/bin/bash
> >
> > echo $* > /home/lordbah/args.txt
> >
> > What appears in args.txt is:
> >
> > --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes
> > --
> > status-fd=85 --verify-options show-photos --photo-viewer
> > /usr/libexec/camel-gpg-photo-saver --state "/tmp/camel-gpg-photo-
> > state-
> > WDV3J0" --photo "%i" --keyid "%K" --type "%t" --verify
> > /tmp/evolution-
> > pgp.FCM3J0 -
> >
>
> I suspect that not all those are discrete arguments - try doing
> something like this
>
>    for word in "$@"; do echo "$word"; done
>
> this will put each argument on a different line.

--verbose
--no-secmem-warning
--no-greeting
--no-tty
--batch
--yes
--status-fd=67
--verify-options
show-photos
--photo-viewer
/usr/libexec/camel-gpg-photo-saver --state "/tmp/camel-gpg-photo-state-
LFSCK0" --photo "%i" --keyid "%K" --type "%t"
--verify
/tmp/evolution-pgp.NI0CK0
-

That may wrap, but --state, --photo, --keyid, --type are all arguments
passed to the camel-gpg-photo-saver program. Everything else is a
separate argument to gpg2. Okay, today I DO find these options
documented in the gpg2 man page, don't know why I didn't find them
yesterday :-(  So just ignore this section. Sorry about that.

>
> > Hmm, the "bad" message has both a text/plain part and a text/html
> > part,
> > whereas the "good" message has only a text/plain. I wonder if
> > that's
> > an issue.
> >
> > gpg version is 2.2.12.
> >
> In the structure of the message, does the GPG section cover the whole
> of the message or just one section?
>
> If you save the message and run it through GPG manually, does it
> verify?

I've figured out how to do that for the message with the good signature
by removing everything above and below the first boundary (including
the boundaries). So the signature is in the separate file passed to the
--verify argument but it is not in the message passed on stdin. I
haven't figured out how to do that for this message with multiple parts
(or maybe I have and it's just not working for another reason).

gpg: CRC error; 04E96D - DC304E
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

But the signature file IS the first argument.

The numbers on the CRC error remain the same no matter what I do to the
message, so maybe it's telling me there is a problem with the signature
file rather than a problem with the message.

> Is it possible that GPG is actually telling you the truth and that
> something has modified the message in transit - it's not unknown that
> ISPs modify HTML in messages to add web bugs, there were some free
> mail
> providers in the past that added their own advertising banners into
> HTML mail.

Thunderbird/Enigmail says the signature is good. I'll see if I can grab
the signature file it is extracting from the message to compare with
the one evolution is extracting.

> P.

Re: Sometimes can't verify signature

Ángel González
On 2020-05-10 at 09:27 -0400, Jeff Van Epps wrote:

> > In the structure of the message, does the GPG section cover the whole
> > of the message or just one section?
> >
> > If you save the message and run it through GPG manually, does it
> > verify?
>
> I've figured out how to do that for the message with the good signature
> by removing everything above and below the first boundary (including
> the boundaries). So the signature is in the separate file passed to the
> --verify argument but it is not in the message passed on stdin. I
> haven't figured out how to do that for this message with multiple parts
> (or maybe I have and it's just not working for another reason).
>
> gpg: CRC error; 04E96D - DC304E
> gpg: no signature found
> gpg: the signature could not be verified.
> Please remember that the signature file (.sig or .asc)
> should be the first file given on the command line.
>
> But the signature file IS the first argument.
>
> The numbers on the CRC error remain the same no matter what I do to the
> message, so maybe it's telling me there is a problem with the signature
> file rather than a problem with the message.


The official instructions are at
https://tools.ietf.org/html/rfc3156#section-5
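
The manual check discussed above, as an added example (not code from any poster or from Evolution): it cuts a multipart/signed body into the signed data and the signature part the way RFC 3156 section 5 describes, including the case where the signed part is itself multipart, and compares the ASCII armor checksum that gpg reports as a "CRC error" when it does not match. The function names, the boundary strings and the sample message are constructed; the armor payload is a placeholder, not a real signature.

```python
import base64
import re

# Constructed sample body (LF endings, as in a saved mbox). The armor payload
# is a placeholder with a matching checksum, not a real signature.
SAMPLE = (b'--outer\nContent-Type: multipart/alternative; boundary="inner"\n\n'
          b'--inner\nContent-Type: text/plain\n\nhello\n'
          b'--inner\nContent-Type: text/html\n\n<p>hello</p>\n--inner--\n'
          b'--outer\nContent-Type: application/pgp-signature\n\n'
          b'-----BEGIN PGP SIGNATURE-----\n\nMTIzNDU2Nzg5\n=Ic8C\n'
          b'-----END PGP SIGNATURE-----\n--outer--\n')
ARMOR = re.compile(
    rb"-----BEGIN PGP SIGNATURE-----(.*?)-----END PGP SIGNATURE-----", re.S)


def split_signed(body, boundary):
    """Return (signed_data, signature_part) per RFC 3156 section 5."""
    body = re.sub(rb"\r?\n", b"\r\n", body)          # canonical CRLF
    pieces = (b"\r\n" + body).split(b"\r\n--" + boundary)
    # pieces: preamble, signed part, signature part, closing "--"
    if len(pieces) != 4 or not pieces[3].startswith(b"--"):
        raise ValueError("expected exactly two parts in multipart/signed")
    # Drop the rest of each boundary line. The CRLF before the next boundary
    # belongs to the boundary, so it is not part of the signed data.
    return tuple(p.split(b"\r\n", 1)[1] for p in pieces[1:3])


def crc24(data):
    """CRC-24 of the OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_crc(sig_part):
    """Return (computed, stored) checksum for split_signed()'s second value."""
    m = ARMOR.search(sig_part)
    if m is None:
        raise ValueError("no armored signature block found")
    lines = m.group(1).partition(b"\r\n\r\n")[2].split()  # skip armor headers
    data = base64.b64decode(b"".join(l for l in lines if l[:1] != b"="))
    stored = [int.from_bytes(base64.b64decode(l[1:]), "big")
              for l in lines if l[:1] == b"="]
    return crc24(data), (stored[0] if stored else None)
```

Writing the first returned value to a file and the armored block from the second to another gives the two inputs for `gpg --verify <signature file> <data file>`. A computed checksum that differs from the stored one points at the extracted signature text rather than at the message body.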

Re: Sometimes can't verify signature

Gnome Evolution - General mailing list
On Fri, 2020-05-08 at 00:49 -0400, Jeff Van Epps via evolution-list
wrote:
> CAMEL_DEBUG=all evolution > foo.txt

        Hi,
using CAMEL_DEBUG=all is usually too much. I'd not want to read all of
that myself.

> Is there a way to get it to output the actual gpg command it is
> executing and the output from that command?

If you want gpg debugging only, then you can run:

    $ CAMEL_DEBUG=gpg evolution

It doesn't show the exact command, but it shows what gpg thinks about
the data (aka the 'status' stream).

The error you see is a generic error when gpg finishes with an error
code. I do not see any additional debugging for this part of the code.

I'd also need a test message to test it here and see what libcamel
doesn't like about that particular message.
        Bye,
        Milan
