Topic: unable to verify any message, since signatures are attachments

Signatures are generally attachments. Sometimes under 'noname', sometimes signature.asc. Despite this, FireGPG always says "No signature found in this mail!"

I can use FireGPG to decrypt messages, but really verifying is probably more useful.

I have plenty of messages that I could forward to demonstrate this.

Last edited by eean (2007-06-06 15:48:38)

Re: unable to verify any message, since signatures are attachments

Yeah, if FireGPG could read attached signatures as well as the typed-in-email signatures, that would be really nice, because not everyone in the GPG community uses FireGPG (yet).

Re: unable to verify any message, since signatures are attachments

I began to do this, but I had some problems detecting the mail content, so I stopped working on this, but I will have a look soon...

Re: unable to verify any message, since signatures are attachments

I just did some testing to see what exactly the problem is... it's not just with FIREGPG... it happens with other PGP software and Gmail as well.

It seems that when you write a message in Gmail with text that exceeds 80 characters (and wraps with soft carriage returns), Gmail will rewrap the line by cutting it back as much as 10 characters after it's sent (or you click the send button anyway). This changes the signed text enough to fail the signature.

The only fix I can see is to manually wrap lines (hard carriage return) at the 80th character to prevent Google from re-wrapping itself and breaking the signature. Teh Ghey!

Oh yeah... and the proportional font used in the message body text box makes this near impossible!

Last edited by AdmiralBeotch (2007-06-08 14:37:56)

Re: unable to verify any message, since signatures are attachments

Good to hear the_glu!

Re: unable to verify any message, since signatures are attachments

There is more to it than that. I just concluded an exhaustive test and finally mixed the AOL email program into the mix. Believe it or not, AOL (Netscape) is the first WebMail I have ALWAYS had success in sending signed messages from AOL to Thunderbird. That is a FIRST! Thunderbird doesn't like the trailers attached by AOL, but it always verifies signed mail from AOL. Here are the results of the tests:

http://www.securemecca.com/FireGPG.zip
http://www.securemecca.com/AOL_FireGPG_SignTest.zip

At first it looked like you were going to say that you sent from Evolution or Mac's Mail App. They only use OpenPGP/MIME. In general, FireGPG only handles INLINE signing. It can handle some OpenPGP/MIME encrypted messages, but whether FireGPG encrypts or signs, it is only using INLINE.

Wrapping shouldn't cause a problem for signing because if done right, all CR and LF characters are tossed out in both making the signature and in verifying it. What I think is happening is that the WebMail itself is mucking things up on signing. I have had EXCELLENT results in encrypting and decrypting as long as I stick to INLINE from a POP email client (it ALWAYS works).

An INLINE signed email message really looks like this internally:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

MESSAGE GOES HERE

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iD8DBQFGa/crr3QZv1upb6wRCskaAJ0VX96Lnhb9fUHsFhV5JuuzykHPiACaA7D+
gFvixJ3fxvPdaeh7DXzmpwE=
=d8VJ
-----END PGP SIGNATURE-----

Many people confuse the external appearance in a particular email client with what is really there. The best way to see some of this is to use POP mail and save the message to a file. You can see everything if you edit any of my *2tbd*.txt files in the above two zips, since Evolution saves the message AS IS with none of the internal processing that Thunderbird does, since Evolution doesn't even know what INLINE signing or encrypting are and it makes NO attempt to do ANYTHING with INLINE signed or encrypted messages.

PS Yes, I really do use SHA-512. I haven't had any problems yet with POP mail using it, so these signing problems are a Web Mail only problem. People are not diving deep enough into looking at the bottom level series of ASCII characters which are what are REALLY used at the SMTP file level. Also, all email is sent with CR+LF.

What I suspect is happening is that the WebMail program is perhaps signing one set of data, and then sending another, but since ALL of my tests have been only 65 characters per line max, the 80 characters aren't even an issue.
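
Added example (not part of the original thread, and not FireGPG or GnuPG code): a way to compare what an INLINE cleartext signature actually covers across copies of a message. Under RFC 4880 section 7.1 the signed text is hashed with CRLF line endings, trailing spaces and tabs removed, and dash-escaping undone, so LF versus CRLF makes no difference, while a moved line break changes the signed bytes. The function names and the sample messages are constructed for illustration.

```python
import hashlib

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_text(message: str) -> bytes:
    """Canonical bytes of the text a cleartext signature covers (RFC 4880, 7.1)."""
    lines = message.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    start = lines.index(BEGIN) + 1
    while lines[start].strip():            # skip armor headers ("Hash: ...")
        start += 1
    end = lines.index(SIG)
    body = []
    for line in lines[start + 1:end]:
        if line.startswith("- "):          # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))    # trailing spaces/tabs are not signed
    # Lines are joined with CRLF; the break before the signature is excluded.
    return "\r\n".join(body).encode("utf-8")

def digest(message: str) -> str:
    """SHA-512 of the canonical text only: a comparison aid, not the full
    signature hash (which also covers signature packet fields)."""
    return hashlib.sha512(signed_text(message)).hexdigest()

def wrap(body: str) -> str:
    """Build a constructed message; the signature block is a placeholder."""
    return (f"{BEGIN}\nHash: SHA512\n\n{body}\n{SIG}\n\n"
            "(placeholder)\n-----END PGP SIGNATURE-----\n")

# Constructed samples.
AS_SIGNED = wrap("Meet at the usual place on Friday, bring the key\n"
                 "fingerprint printout.\n- --Alice")
# Same text after transport: CRLF endings and stray trailing spaces.
CRLF_COPY = AS_SIGNED.replace("printout.", "printout.  ").replace("\n", "\r\n")
# Same words, but one line break moved by a re-wrapping webmail editor.
REWRAPPED = wrap("Meet at the usual place on Friday, bring the\n"
                 "key fingerprint printout.\n- --Alice")

if __name__ == "__main__":
    for name in ("AS_SIGNED", "CRLF_COPY", "REWRAPPED"):
        print(f"{name:10} {digest(globals()[name])[:16]}")
```

Running `digest()` on the message as composed and on the copy saved from a POP client shows whether the signed text itself changed in transit before any key or trust question comes into play.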

Re: unable to verify any message, since signatures are attachments

I did some tests with big lines: that's not a problem. I now suspect the \n and \r\n... I will do some tests; we will make an INLINE that works!

Re: unable to verify any message, since signatures are attachments

In further messing around, I've discovered a difference in how webmail handles text in the "plain text" and "rich text" formatted emails. I haven't quite nailed it down for FireGPG, but it certainly makes a difference for my other GPG software...

When you're writing in plain text formatted email, the text doesn't have any special formatting and remains the way you're typing it... and the text box just wraps the text to fit in the box... when you hit save, the webmail program does re-wrap the text (which from what I can tell is what is breaking the signatures)

But... when you're writing in a rich text formatted email, the text never gets "re-wrapped" when you click send, which means the signature never breaks...

Try and throw in that concept into your testing and see if that helps you reveal the problem better... Hope it helps!