Open gordin123 opened 10 years ago
lazlolazlolazlo
commented
10 years ago This is fixed in an experimental version of this plugin which uses OpenPGP.js v0.5.1 and makes use of web workers for signing, encrypting and decrypting: https://github.com/lazlolazlolazlo/roundcube_openpgp
Versions of OpenPGP.js lower than v0.5.1 have critical security issues found in the security audit performed by Cure53: https://cure53.de/pentest-report_openpgpjs.pdf
gordin123
commented
10 years ago Thanks for the info. I will try roundcube_openpgp. Where is the difference between rc_openpgpjs and roundcube_openpgp? Is it the same code base or two seperate projects?
lazlolazlolazlo
commented
10 years ago It was the same code base, but it is refactored to make it work with v0.5.1 and web workers.
When writing a new mail roundcube inserts the signature of the current identity at the bottom of the mail. Roundcube inserts "-- " as a seperator at the beginning of the signature which will automatically be altered to "- --" after pgp signing and before sending. Consequently the pgp signature can not be verified. This does not happen when pgp signing is turned off. If I remove the space char after "--" manually before sending, pgp signing works as expected.
Roundcube 1.0 rc_openpgpjs master a4984bffd9369133db4ec4efdb2d3db24f678d15