Re: T350 test failures with gnupg-2.1.16

Subject: Re: T350 test failures with gnupg-2.1.16

Date: Wed, 23 Nov 2016 00:20:53 +0100

To: Daniel Kahn Gillmor, notmuch@notmuchmail.org

Cc:

From: Marius Bakke


Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> On Tue 2016-11-22 15:49:37 -0500, Daniel Kahn Gillmor wrote:
>> On Tue 2016-11-22 14:22:09 -0500, Marius Bakke wrote:
>>> T350-crypto: Testing PGP/MIME signature verification and decryption
>>>  PASS   emacs delivery of signed message
>>>  FAIL   signature verification
>>>         --- T350-crypto.2.expected      2016-11-22 18:59:48.341851653 +0000
>>>         +++ T350-crypto.2.output        2016-11-22 18:59:48.341851653 +0000
>>>         @@ -11,7 +11,7 @@
>>>                                          "id": 2
>>>                                      },
>>>                                      {
>>>         -                                "content-length": 280,
>>>         +                                "content-length": 312,
>>>                                          "content-type": "application/pgp-signature",
>>>                                          "id": 3
>>>                                      }
>>
>> If you could get me a copy of the actual application/pgp-signature part,
>> i'd be interested in looking at it.  Unlike bremner, i'm actually able
>> to duplicate this problem on debian sid, so i'll see what i can figure
>> out.
>
> OK, the difference here is that 2.1.16 is automatically including the
> full OpenPGP v4 fingerprint in the message signature.  This is part of
> the ongoing discussion around revisions to the OpenPGP standard, and it
> makes it easier for a mail user agent to tell whether it's missing the
> key for verification or whether the signature is just bad.
>
> so the length of the signature is extended by about 23 octets (1 octet
> of subpacket length; 1 octet of subpacket type, 1 octet of fpr versio
> number, and 20-octets of fingerprint), which becomes about 32 octets
> after base64 encoding, hence the increase in content-length from 280 to
> 312 octets.
>
> As for how to fix it -- i guess the right thing would be to make that
> number variable -- as long as the signature is non-zero and it
> validates, i think it'd be fine.

Wow, good catch. I was about to bisect gnupg to figure out what changed
this behaviour..

I'm not familiar enough with the notmuch test framework to suggest a
fix, but glad to know this is not specific to Guix.

Thanks a lot for your help!
signature.asc (application/pgp-signature)

Thread: