Closed danc86 closed 4 years ago
As a workaround I have just patched micalg=pgp-sha256
back into the Content-Type, which is okay since my gpg happens to be using SHA256 for signatures by default. But I guess this is not a good general solution since gpg wants to decide for itself what hash algorithm to use, and the defaults will presumably change in future or across different gpg installations.
This is enough to make my mails readable to Enigmail 1.9.x users though.
diff --git a/lib/sup/crypto.rb b/lib/sup/crypto.rb
index 5befeaa..68b9589 100644
--- a/lib/sup/crypto.rb
+++ b/lib/sup/crypto.rb
@@ -150,7 +150,7 @@ EOS
end
envelope = RMail::Message.new
- envelope.header["Content-Type"] = 'multipart/signed; protocol=application/pgp-signature'
+ envelope.header["Content-Type"] = 'multipart/signed; protocol=application/pgp-signature; micalg=pgp-sha256'
envelope.add_part payload
signature = RMail::Message.make_attachment sig, "application/pgp-signature", nil, "signature.asc"
Amusingly, I just found an old Enigmail discussion where the developers wonder how to handle mails with micalg=php-sha1
but the signature is actually using SHA256 -- the messages were ironically produced by sup. :-)
Regardless, Enigmail definitely has regressed in how it reports such errors and so I'm off to try and file an Enigmail issue on Sourceforge about that...
Enigmail bug about the bad error handling when micalg
is missing:
https://sourceforge.net/p/enigmail/bugs/588/
BTW the same bug probably applies to multipart/encrypted
as well but I haven't bothered to investigate that since I don't normally send encrypted mails.
When sup signs a mail it uses the
multipart/signed
Content-Type withprotocol=application/pgp-signature
but it doesn't set themicalg
("Message Integrity Check Algorithm") parameter in the Content-Type.According to RFC1847,
micalg
is mandatory:RFC3156 covering application/pgp-signature defines the values for
micalg
:Sup actually did previously set
micalg=pgp-sha256
, but it was dropped in commit d1911d43 with no explanation given -- maybe by accident, or maybe because the gpgme gem doesn't allow specifying--digest-algo
?I also found this older patch about switching sha1 to sha256: http://supmua.org/community/sup-devel/msg00919.html
The
micalg
parameter seems to be superfluous for PGP signatures since the hash algorithm is part of the signature already and there's no reason I can see why it needs to be specified in the Content-Type. I guess for that reason, most other mail clients tolerate its absence.However Enigmail considers the missing
micalg
parameter to be an error, and it doesn't handle it very well either. Enigmail 1.8.x claims (incorrectly) that the mail has a bad signature, in 1.9b1 it gives a generic error about signature verification, and starting from Enigmail 1.9b2 the user just sees a blank message body with no error or signature info at all. The reason I started digging into this issue is because a bunch of Enigmail users complained to me that my mails were blank. :-)