Content filtering breaks some PGP Mime signed messages.

Bug #1551075 reported by Mark Sapiro
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNU Mailman
Medium
Mark Sapiro

Bug Description

In some cases it is inevitable that Mailman's content filtering will break a PGP MIME signature. I.e., if content filtering removes signed content, the signature will be broken.

For example, assume an original message is multipart/alternative and it is then wrapped in a multipart/signed outer message along with a signature part. If content filtering collapses alternatives, the signature will be broken. Likewise, if the original has an attached image/png part or any MIME type part which content filtering removes, the signature will be broken.

These are inevitable results of content filtering, and content filtering should override signature preservation or people could avoid having their content filtered just by signing their posts.

There is however a situation that has developed where signature breaking can be avoided. The latest (at the time of writing) versions of enigmail will sign a message in the following way. Assume the original unsigned message is just text/plain. It could be more complex, but the following still holds.

The text/plain (or whatever) message is first recast as multipart mixed like:

Content-Type: multipart/mixed; boundary="bbbbbb"
From: (Original from)
To: (Original to)
Message-ID: (original message-id)
Subject: (original subject)

--bbbbbb
Content-Type: (original message's content-type)
Content-Transfer-Encoding: (original message's content-transfer-encoding)

(remainder of original message)

--bbbbbb--

Then the signed message is created with structure

multipart/signed
    multipart/mixed
        text/plain (or whatever the original was)
            (original message)
    application/pgp-signature
        (signature of the multipart/mixed part)

The problem is Mailman has logic to detect multipart parts with only one sub-part and collapse them to just the sub-part, so in this case, even though content filtering doesn't remove anything, it still collapses the above to

multipart/signed
    text/plain (or whatever the original was)
        (original message)
    application/pgp-signature
        (signature of the multipart/mixed part)

and the signature is no longer valid. This can be fixed by short-circuiting the "collapse multipart parts with only one sub-part" logic when encountering a multipart/signed part and not collapsing anything below it.

Related branches

Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers