[Enigmail] Unverified signature error
Charly Avital
shavital at mac.com
Wed Jul 15 09:39:29 PDT 2009
[...]
> If you mean 'with Enigmail disabled' does it look like (this is mine) a
> signed message beginning with:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> and ending with:
>
>
> -----BEGIN PGP SIGNATURE-----
> Comment: --batch
>
> iEYEARECAAYFAkpd7MYACgkQzrAMrEP3F1pRAACgguV3fOwt7fFBxKVtLDkewJnA
> 4rEAmgOjScJ/XmBn666YX5ZnVO/EGSG9
> =CtU2
> -----END PGP SIGNATURE-----
>
> No. It does not.
>
> It looks like an ordinary email with this as an attachment:
>
> signature.asc and Part 1.2
>
> These attachments are also visible with Enigmail enabled.
>
> Screenshots here: http://www.box.net/shared/bhzvud7mv4
I apologize in advance to the list for the following long post. Maybe
it's time to pursue this thread OFF LIST?

I believe that "with Enigmail disabled" means *before* verifying the
signature, and that "with Enigmail enabled" means *after* trying to
verify signature.

The e-mail you describe, multipart with an attached signature file might
be an OpenPGP/MIME signed e-mail (please compare with Ludwig's post).

OpenPGP/MIME signed e-mails do not display visible PGP headers, footers,
nor a Hash line.

But if you View that e-mail's source, the latter should display,
somewhere near the bottom of the source, something similar but *not
identical* to:
=======================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBCgAGBQJKXermAAoJEA52XAUJWdLjWF4IAJc3Vf94HlaXyMwa2rnCkPne
wU5uwoQSY/1TNcngnRXk8u2JArEzWNlJLRfldDYwaj7DToDSc5wIEczFcltiTvwf
HZTYCdf/F0HjrjL7MbF182qUWOH/9AiL297AuOr+N8unC5ysanHZiSU7dfpqr9n0
fR0Dcpj5eTi457iIwhvusy0lBCPEKQjl081VmEXb1T79NqnnHp51G12TLjCSPej6
f/9o/lUErscgwoFOP6zVhB3SzkX7ciXDokN8cA+QsfHZwqmJ8o941H2ZOf7kCg3b
YGYB0pbh9nqk9FfVlJF8mKgP80NrpzB4qmopP7RZURzGWPe5vGVyaP3xp1idBB0=
=qtVD
-----END PGP SIGNATURE-----
=======================

Moreover, in the link I sent you, one can read:
"If one uses detached signatures, the gpg correctly guess hash used
from the signature, uses that, and correctly verifies message."

Some more information:
- the originator of the e-mail whose screen shots you have uploaded to
www.box.net shows as "Till Maas <opensource at till.name>".

I have found a public key that seems to belong to that user:
=======
pub 4096R/1C109517 created: 2007-06-22 expires: 2012-05-22 usage: SC
trust: unknown validity: unknown
sub 4096R/B5098148 created: 2007-06-22 expires: 2012-05-21 usage: E
[ unknown] (1). Till Maas <till.maas at till.name>
[ unknown] (2) Till Maas <opensource at till.name>
========
It's a 4096-bit RSA key, therefore I believe this precludes the
possibility suggested by John, that the sender might be trying to
"force" a SHA2 signature with a DSA Key that is _not_ DSA2 enabled.

My very wild and uneducated guess is that Till Maas's
'personal-digest-preferences' are set to a digest value that conflicts
with your own personal digest preferences settings.

Did other members of the "Development Discussions related to Fedora"
report this same problem, or are you the only one who is experiencing it?

As I indicated at the beginning of this post, maybe it's time to take
this thread OFF LIST?

Charly
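
The distinction drawn in the post above, between an inline clearsigned message (visible armor and a Hash line) and an OpenPGP/MIME message (signature carried as a signature.asc attachment), can be checked from the message source. The following Python is an added example, not part of the original post or of Enigmail; the sample messages are constructed, their signature bodies are placeholders, and the code only classifies the format and reports the declared digest, it does not verify anything.

```python
import email
import re
from email import policy

# Constructed samples (not from the thread); signature bodies are placeholders.
INLINE = (
    "From: alice@example.org\nContent-Type: text/plain\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nhello\n"
    "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
)
MIME = (
    "From: bob@example.org\nMIME-Version: 1.0\n"
    "Content-Type: multipart/signed; micalg=pgp-sha256;\n"
    ' protocol="application/pgp-signature"; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    '--b1\nContent-Type: application/pgp-signature; name="signature.asc"\n\n'
    "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
    "--b1--\n"
)
PLAIN = "From: carol@example.org\nContent-Type: text/plain\n\nno signature here\n"


def classify(raw):
    """Return (kind, digest) where kind is 'pgp-mime', 'inline' or 'unsigned'."""
    msg = email.message_from_string(raw, policy=policy.default)
    # PGP/MIME (RFC 3156): the container is multipart/signed and the digest is
    # declared in the micalg parameter; the body shows no armor or Hash line.
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        micalg = (msg.get_param("micalg") or "").lower()
        return "pgp-mime", micalg.replace("pgp-", "").upper() or None
    # Inline clearsigned: armor lines sit in a text part, digest in "Hash:".
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if "-----BEGIN PGP SIGNED MESSAGE-----" in body:
            m = re.search(r"^Hash:\s*(\S+)", body, re.MULTILINE)
            return "inline", (m.group(1).upper() if m else None)
    return "unsigned", None


if __name__ == "__main__":
    for name, raw in (("INLINE", INLINE), ("MIME", MIME), ("PLAIN", PLAIN)):
        print(name, classify(raw))
```
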