Topic: FireGPG incorrectly marks invalid signature as valid

On this page, FireGPG offers to verify the quoted inline-PGP message. I click on "Verify" and it says:

PGP Signed Message, This message has been signed with the valid key ID null

and turns the box green. On the previous page in the same thread (where the message was not quoted), FireGPG correctly (as I don't have the appropriate public key) says

PGP Signed Message, could not be verified.

Also, is there any way to be sure I'm actually receiving an authentic copy of FireGPG without compiling it myself? There are no detached signatures and the download page isn't even protected with SSL.

Thanks,
Bruce
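The report above describes a "valid" verdict shown with key ID null. As an added example (not FireGPG's code and not part of the original post, which does not say how FireGPG derives its verdict), here is one way to turn GnuPG's `--status-fd` lines into a verdict that is valid only when a good signature and a well-formed key ID are both present. `classifySignature` is a hypothetical helper and the sample status lines are constructed.

```javascript
// Added example, not FireGPG code. classifySignature() is a hypothetical helper.
// It reads GnuPG machine-readable status lines (gpg --status-fd) and fails closed.
const HEX_ID = /^[0-9A-F]{16,64}$/i; // long key ID or fingerprint

function classifySignature(statusText) {
  let goodId = null;   // first argument of GOODSIG
  let validFpr = null; // first argument of VALIDSIG
  let failure = null;  // first status token that rules out "valid"

  for (const line of statusText.split(/\r?\n/)) {
    if (!line.startsWith("[GNUPG:] ")) continue;
    const [token, arg = ""] = line.slice(9).trim().split(/\s+/);
    switch (token) {
      case "GOODSIG":
        // Several signatures in one block: refuse rather than pick one.
        if (goodId !== null) failure = failure || "MULTIPLE_SIGNATURES";
        goodId = arg;
        break;
      case "VALIDSIG":
        validFpr = arg;
        break;
      case "BADSIG": case "ERRSIG": case "NO_PUBKEY":
      case "EXPSIG": case "EXPKEYSIG": case "REVKEYSIG":
        failure = failure || token;
        break;
    }
  }
  const reject = (reason) => ({ valid: false, keyId: null, reason });
  if (failure) return reject(failure);
  if (goodId === null || validFpr === null) return reject("NO_GOOD_SIGNATURE");
  // Never report "valid" with an absent or malformed key ID.
  if (!HEX_ID.test(goodId) || !HEX_ID.test(validFpr)) return reject("MISSING_KEY_ID");
  return { valid: true, keyId: goodId.toUpperCase(), reason: "GOODSIG" };
}

// Constructed sample status output (not captured from a real run).
const GOOD = [
  "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>",
  "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-01-01 1262304000 0 4 0 1 2 01 0123456789ABCDEF0123456789ABCDEF01234567",
].join("\n");
const NO_KEY = [
  "[GNUPG:] ERRSIG 89ABCDEF01234567 1 2 01 1262304000 9",
  "[GNUPG:] NO_PUBKEY 89ABCDEF01234567",
].join("\n");

console.log(classifySignature(GOOD));
console.log(classifySignature(NO_KEY));
console.log(classifySignature("[GNUPG:] GOODSIG null\n[GNUPG:] VALIDSIG null"));
```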

Re: FireGPG incorrectly marks invalid signature as valid

Hi,

The first part is a bug. Added to the todo list ;)

Then for the authenticity of the copy:

There is a signature inside the XPI that protects the add-on against 'false' updates (and lets it be installed without SSL). But you're right, when you install FireGPG for the first time, nothing lets you check if it's a good signature.

So I will add a signature on the download page ASAP (I plan to work a little bit on FireGPG in the next days).

Regards,

Re: FireGPG incorrectly marks invalid signature as valid

Hi

Signature added on the install page ;)

Re: FireGPG incorrectly marks invalid signature as valid

Brilliant! Thank you very much :)

Re: FireGPG incorrectly marks invalid signature as valid

Fixed for the second bug ;)