shivasrinath / android-privacy-guard

Automatically exported from code.google.com/p/android-privacy-guard

Signing only (no encryption) results in bad signature #13

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Import a secret key for signing
2. Tap Encrypt Message at main menu
3. Enter a message to sign
4. Tap Sign checkbox and select signing key
5. Do *NOT* select any recipients; in my opinion, this *should* prevent the
message from being encrypted and should therefore only sign the message
6. Tap Send via Email
7. Enter passphrase for signing key
8. Select e-mail application and send message to a test address
9. Open test message in any application that can verify signed messages
(including APG), ensuring that the public key of the signing key pair is
present in the key ring.

What is the expected output? What do you see instead?
The verification application should indicate that the signature is valid.
Instead, APG always generates an invalid signature that fails verification,
even when the public key of the signing pair is present on the key ring.
Sending an encrypted and signed message, however, *DOES* produce a valid
signature.

What version of the product are you using? On what operating system?
0.8.1 on Android 2.1 (Motorola Droid)
Attempting to verify signature on both APG 0.8.1 and Thunderbird 3.0.4 with
Enigmail 1.0.1 and GnuPG 1.4.10 on Windows XP

Please provide any additional information below.
If I had to hazard a guess, I think GMail may be messing up the formatting
of the cleartext somewhere between when APG passes the signed message to
the Android mail app and when it reaches the recipient inbox. If the
cleartext formatting changes, that could break the hash and thus break the
signature. I have no idea if this is the case, however, and I'm not sure
how to really go about testing it.

As stated above, the signature comes across valid if the message is also
encrypted to the recipient. This may lend credence to the GMail-munging
theory as the entire message would be obscured and encoded by the
encryption, and it would only be unscrambled when decrypted. Thus, GMail
shouldn't have an opportunity to mess up the cleartext and thus the hash
and signature.

I have no idea if there's anything you can do about this. There may be no
way to prevent GMail from messing with the formatting once the message is
passed to the mail app. For me, however, this is pretty much a show-stopper
to using APG. I rarely actually encrypt messages and mostly use GnuPG for
digital signing. I *wish* those I correspond with used encryption more
often, but I exchange e-mail with a *lot* of people and verifying the
authenticity of my messages is more important. I sincerely hope this
project really takes off, as a port of GnuPG/PGP to Android is something
I've been wishing and hoping for for quite a while.

Original issue reported on code.google.com by jeff.darlington@gmail.com on 20 Apr 2010 at 12:24

GoogleCodeExporter commented 9 years ago
Hi, Jeff.

Sorry I just saw this now. You are right, I have those problems as well, and it is definitely GMail's HTML encoding. I already tried to remove multiple spaces and newlines, which worked quite well for me.

Is it possible that you have any HTML-troublesome characters in your message? Most likely the ">" from a message reply. If not, then please provide a message I can reproduce this with, because plain-text messages DO get signed correctly for me.

Assuming that really is the only issue, it might be enough for now to avoid such characters, which is far from ideal, of course. I also thought about not using ">" for replies EncryptMessageActivity creates, but that'd not go down well with clients that are used to that "standard".

Another work-around for now might be using k9mail for sending, which leaves the message untouched in all cases, so even those ">" messages get a valid signature in all my test cases.

And maybe someday we can integrate direct encryption and decryption via APG in k9mail, which would make the awkward decryption solution via GMail unnecessary as well.

I'll definitely try to find better ways to make it work with GMail as well, tho, thanks for the report.

Original comment by thialfi...@gmail.com on 23 Apr 2010 at 5:17

GoogleCodeExporter commented 9 years ago
I *thought* the HTML might be the problem. I generally avoid HTML mail whenever I can; when I use Thunderbird, I force it to use plain text. That, of course, isn't an option with the built-in Android GMail client. :/

The message was a simple sentence along the lines of "This is a test message sent from my Droid and encrypted using APG." There weren't any unusual characters in the text and certainly no angle brackets. I typed the text directly into the APG interface. I tried three different attempts, all with the same or similar simple messages.

I am using the built-in GMail client for Android 2.x to actually send the message. I haven't tried k9mail. I've been looking at it, but didn't see anything compelling enough to make me want to switch. Perhaps I'll give it a try this weekend.

And don't worry about taking a while to notice the issue. I've been pretty busy
myself, so I haven't had a chance to check back. :)

Original comment by jeff.darlington@gmail.com on 24 Apr 2010 at 1:13

GoogleCodeExporter commented 9 years ago
I just fixed a bug that would show invalid signatures when verifying them in cases where the clear text message was only one line long. This probably was an unrelated issue, as you said that other programs also reported an invalid signature, but it *might* have had something to do with some cases of bad verification results in APG.

Original comment by thialfi...@gmail.com on 11 May 2010 at 3:15

GoogleCodeExporter commented 9 years ago
I seem to have the same issue: If I only sign the mail and do not encrypt it, verification fails with APG+K9 and Enigmail+Thunderbird. The other way round, i.e. verifying a signature made with Enigmail on APG, succeeds. Encryption is not an issue both ways.
Also, it does not matter if the message has only one line or several.

Versions:
APG 1.0.6
K9 Mail 3.001
GnuPG 2.0.14
Enigmail 1.1.2

Original comment by pixelmat...@gmail.com on 15 Aug 2010 at 12:19

GoogleCodeExporter commented 9 years ago
Same to me.

If I send an encrypted and signed message the PGP signature is valid. If I only send an unencrypted but signed mail the signature both in K9/APG and Thunderbird/OpenPGP is broken.

It looks like the newline characters are not valid. I see an error in 
Thunderbird like - check for the last newline character.
gpg: unexpected armor: -----END PGP SIGNATURE=\n

Versions:
APG 1.0.6
K-9 3001
GnuPG 1.4.10 (Linux)
Enigmail 1.0.1
TB 3.0.6

Original comment by piecha...@gmail.com on 15 Aug 2010 at 12:50

GoogleCodeExporter commented 9 years ago
Hmm, that last error message there suggests that the armor got corrupted 
somehow. Could one of you two (or both) send me a signed email to thi at 
thialfihar.org?

Original comment by thialfi...@gmail.com on 15 Aug 2010 at 12:54

GoogleCodeExporter commented 9 years ago
done

Original comment by piecha...@gmail.com on 15 Aug 2010 at 1:04

GoogleCodeExporter commented 9 years ago
Aye, in both cases there's no newline at the end of the message. APG should add one... perhaps 1.0.6 broke that. I'll fix it, but in the meantime this can be fixed by adding a newline to your email signature or message, if anyone else has this problem.

Original comment by thialfi...@gmail.com on 15 Aug 2010 at 1:09

GoogleCodeExporter commented 9 years ago
I can confirm that. With a newline everything's fine on my end.

Original comment by pixelmat...@gmail.com on 15 Aug 2010 at 1:19

GoogleCodeExporter commented 9 years ago
This issue was updated by revision r262.

Clearsign signature generation now handles messages correctly with or without 
newline at the end. (This does not fix some other, unrelated issues with HTML 
emails in GMail.)

Original comment by thialfi...@gmail.com on 15 Aug 2010 at 2:58
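
Added example, not part of the issue thread and not APG's code: a Python sketch of the RFC 4880 section 7.1 cleartext rules the comments above turn on (dash-escaping, trailing whitespace, and the unsigned line break before the signature armor), showing which changes to the text alter the signed digest. The function names, the `add_break` switch and the sample messages are assumptions made for illustration; the mismatch shown with `add_break=False` is a constructed failure mode, not a reconstruction of the APG bug.

```python
import hashlib
import html
import re

SIG_ARMOR = "-----BEGIN PGP SIGNATURE-----"

def signed_bytes(text: str) -> bytes:
    """Document bytes a cleartext signature covers (RFC 4880, 7.1):
    trailing spaces/tabs removed from every line, lines joined with CRLF."""
    lines = text.replace("\r\n", "\n").split("\n")
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")

def digest(text: str) -> str:
    # A real signature also hashes a signature trailer; only the document
    # part is modelled here, since that is what a mail client can alter.
    return hashlib.sha256(signed_bytes(text)).hexdigest()

def frame(text: str, armored_sig: str, add_break: bool = True) -> str:
    """Build the cleartext framework. The line break before the signature
    armor is not signed, so the framer must add its own (add_break=True)."""
    lines = text.replace("\r\n", "\n").split("\n")
    body = "\n".join("- " + l if l.startswith("-") else l for l in lines)
    head = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    return head + body + ("\n" if add_break else "") + armored_sig + "\n"

def unframe(framed: str) -> str:
    """Verifier side: strip armor headers, the unsigned line break before
    the signature armor, and dash-escaping. Raises if the armor is glued on."""
    _, _, rest = framed.replace("\r\n", "\n").partition("\n\n")
    body, sep, _ = rest.partition("\n" + SIG_ARMOR)
    if not sep:
        raise ValueError("signature armor does not start on its own line")
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body.split("\n"))

def survives(original: str, received: str) -> bool:
    """True if the received text still hashes to what the signer hashed."""
    return digest(original) == digest(received)

# Constructed placeholder, not a real signature block.
SIG = SIG_ARMOR + "\n\n(placeholder)\n-----END PGP SIGNATURE-----"

if __name__ == "__main__":
    for msg in ("Test.", "Test.\n", "-- \nsig line"):
        print(repr(msg), survives(msg, unframe(frame(msg, SIG))))
    print(survives("Test.\n", unframe(frame("Test.\n", SIG, add_break=False))))
    print(survives("a  b", re.sub(r" +", " ", "a  b")))
    print(survives("> quoted", html.escape("> quoted")))
```

With the framer adding its own line break, the round trip holds whether or not the message ends in a newline; collapsing spaces or HTML-escaping ">" changes the digest, while added trailing whitespace does not.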

GoogleCodeExporter commented 9 years ago
1.0.7 is out, it contains this fix.

Original comment by thialfi...@gmail.com on 15 Aug 2010 at 3:19

GoogleCodeExporter commented 9 years ago
I am using APG 1.0.8 and the problem seems to persist for me. In my case GMail is not involved. When I send an unencrypted but signed Email using K9 and APG the result is incomprehensible for Thunderbird/enigmail as well as K9/APG.
Here is an example (The body of the Email is "Test." plus the signature added by K9):

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Test.
- -- 
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet. 
-----BEGIN PGP SIGNATURE----- Version: APG v1.0.8 
iHkEAREIADkFAk1ni10yHEphbmlzIERhbmlzZXZza2lzIDxqYW5pc0BzZWMudC1s 
YWJzLnR1LWJlcmxpbi5kZT4ACgkQxK8ZoiVMRDi+pgCgvyVsPJNu8uw/wB9Glq0f 
G6tR7nIAn0yDC21hHuuPpq8Jcz0pdcBGVuSu =hm6t -----END PGP SIGNATURE----- 

Original comment by werw...@googlemail.com on 25 Feb 2011 at 11:22

GoogleCodeExporter commented 9 years ago
I am experiencing the same behaviour as described in comment #12

After some research I turned off html in "send" options of account and am using plaintext and this seems to work around the issue.

Original comment by lcst...@gmail.com on 19 Mar 2011 at 12:40

GoogleCodeExporter commented 9 years ago
I want to confirm this workaround:

....
I am experiencing the same behaviour as described in comment #12

After some research I turned off html in "send" options of account and am using plaintext and this seems to work around the issue.
....

It works for me too.

Original comment by michal.h...@gmail.com on 27 Apr 2011 at 9:29

GoogleCodeExporter commented 9 years ago
The workaround of the previous comment (#14) works for me. k9 + APG on Android 2.2 HTC Desire Z

Original comment by lambd...@gmail.com on 13 May 2011 at 8:32

GoogleCodeExporter commented 9 years ago
This issue was updated by revision bca9fe1f2831.

Clearsign signature generation now handles messages correctly with or without 
newline at the end. (This does not fix some other, unrelated issues with HTML 
emails in GMail.)

Original comment by thialfi...@gmail.com on 17 Sep 2011 at 6:57