Comment 5 for bug 894045

Martin Pool (mbp) wrote : Re: [Bug 894045] Re: invalid crc PHP MESSAGE sent by editpgpkeys

Launchpad sends you a gpg encrypted message when you add a gpg key.

Just to avoid any possibility of corruption while passing it around,
please click 'view original', save that to a file, then attach the
file to this bug.

I think this is a problem with copy-paste and MIME encoding, similar to
bug 1520. I'm not sure where in the chain the actual problem is.

'=3D' is a quopri escape of a '=' character. If you change it back
to an equals, the message can be unpacked correctly.

My guess is that graingert copied this out of the Gmail 'view
original' view, which will show the quopri form, which gpg will not
accept. If he/she copies out of the displayed form it should be ok.

If my analysis is correct this is user error but there are a few
things lp could do to avoid the error:

1 - Send the gpg blob as an attachment rather than inline in a text/plain mail.

2 - Not require that people read and respond to an encrypted mail when
they add a gpg key - it's not clear to me that doing so is adding a
great deal of security. I suppose it makes it a bit less likely
someone will blindly confirm addition of a key they don't actually
have, but if an attacker has their web token and if the user confirms
without thinking about it, all is lost anyhow. Instead just send a
plain text mail saying "at $date you added $gpg key foo; if you didn't
do this click here; if you did do this click here to confirm."
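
The quoted-printable failure described in the comment above can be reproduced and detected offline. The following is an added example, not part of the original comment and not Launchpad's code: it assumes the standard ASCII-armor layout (base64 body followed by a `=` plus CRC-24 checksum line), and the function names and the sample payload are constructed for illustration.

```python
import base64
import quopri

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def make_armor(payload: bytes) -> str:
    """Constructed sample armor around arbitrary bytes (not a real PGP message)."""
    body = base64.b64encode(payload).decode()
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", body, "=" + check, END, ""])

def diagnose(text: str) -> str:
    """Classify a pasted block: ok, quoted-printable, bad-crc or malformed."""
    lines = [ln.strip() for ln in text.splitlines()]
    try:
        start, end = lines.index(BEGIN), lines.index(END)
        blank = lines.index("", start, end)  # blank line ends the armor headers
    except ValueError:
        return "malformed"
    body = [ln for ln in lines[blank + 1:end] if ln]
    if len(body) < 2:
        return "malformed"
    *data_lines, check = body
    # A real checksum line is '=' plus 4 base64 characters; '=3D' plus 4 is its
    # quoted-printable escape, and '=3D' never occurs in valid base64 data.
    if (check.startswith("=3D") and len(check) == 7) or any("=3D" in ln for ln in data_lines):
        return "quoted-printable"
    if len(check) != 5 or not check.startswith("="):
        return "malformed"
    try:
        data = base64.b64decode("".join(data_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(check[1:], validate=True), "big")
    except ValueError:
        return "malformed"
    return "ok" if crc24(data) == expected else "bad-crc"

def unescape(text: str) -> str:
    """Undo quoted-printable transfer encoding on a copied raw message body."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")
```

Running `diagnose` on text copied from a raw-source view reports `quoted-printable` before any CRC comparison is attempted, which separates a transfer-encoding artifact from genuine corruption of the armored data.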