On Saturday 22 Mar 2003 6:36 am, Martin Schulze wrote:
> Nick Boyce wrote :
>
> > I get a bad signature reported by Kmail on this announcement.
> > Saving the message out to a text file and verifying manually also
> > fails :
>
> Ditch KMail, it is a permanent source of problems when it comes to
> digital signatures.

Jeez .. that's disturbing to hear ..

> Also read http://www.debian.org/security/faq#signature

OK - thanks for the pointer - I just read that page and am now
enlightened :)

1) The following is good to know :

"The debian-security-announce list has a filter that only allows
messages with a correct signature from one of the security team
members to be posted."

2) but this bit is not :

"Most likely some piece of mail software on your end ... breaks the
signature. Known culprits are fetchmail (with the mimedecode option
enabled), formail (from procmail 3.14 only) and evolution."

(and Kmail it seems)

It seems to me we have a biggish problem with some major mail clients
here - we should not just live with this situation.

I'm particularly bemused by the way Kmail handles your signatures fine
for me, for all other DSA's from you that I've ever received - and also
handles other people's signatures without apparent problem - and yet it
screwed this one up.

An even more disturbing thought is that in contrast to rejecting
signatures that are in fact good, Kmail may validate signatures that
are in fact bad ...

> Feel free to fetch the message from the list archives on the
> web and verify that one instead of the local copy.

I did that, and, as you suggest, it verifies ok; I selected all text on
http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00048.html
and saved it to a file using Kate, and manually ran gpg :

[EMAIL PROTECTED]:~$ gpg --verify DSA-265-1-3.txt
gpg: Signature made Fri 21 Mar 2003 14:01:16 GMT using DSA key ID 801EA932
gpg: Good signature from "Martin Schulze <[EMAIL PROTECTED]>"
gpg:                 aka "Martin Schulze <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B53F E57B D0C1 F689 FCE2  5623 5B9A A5F8 801E A932

Thanks for calming me down again :-)

Cheers
Nick Boyce
Bristol, UK
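
Added example, not part of the original message and not code from Debian or GnuPG: a small Python helper for the comparison described above (archive copy against local copy), which extracts the signed text of a cleartext-signed message the way RFC 4880 section 7.1 defines it and lists the signed lines that mail software changed. The function names, the SHA-256 comparison fingerprint and the sample messages are assumptions made for illustration; the fingerprint only compares two copies and does not verify a signature.

```python
import hashlib
from itertools import zip_longest

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_lines(message):
    """Canonical signed lines of a cleartext-signed message (RFC 4880, 7.1)."""
    lines = message.replace("\r\n", "\n").split("\n")
    start = lines.index(BEGIN) + 1
    while lines[start].strip():          # skip armor headers such as "Hash:"
        start += 1
    end = lines.index(SIG, start)
    out = []
    for line in lines[start + 1:end]:
        if line.startswith("- "):        # undo dash-escaping
            line = line[2:]
        out.append(line.rstrip(" \t"))   # trailing blanks are not signed
    return out

def fingerprint(message):
    # Comparison aid only: the real OpenPGP hash also covers signature
    # metadata and uses the algorithm named in the "Hash:" header.
    text = "\r\n".join(signed_lines(message))
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def mangled_lines(reference, local):
    """(line number, reference text, local text) for each signed line that differs."""
    pairs = zip_longest(signed_lines(reference), signed_lines(local))
    return [(n, r, l) for n, (r, l) in enumerate(pairs, 1) if r != l]

# Constructed sample, not a real advisory or signature.
ARCHIVE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: example
- -- dashed separator line
From the advisory text.
-----BEGIN PGP SIGNATURE-----

(constructed placeholder)
-----END PGP SIGNATURE-----
"""
# Tolerated in transit: CRLF line endings and trailing blanks.
HARMLESS = ARCHIVE.replace("example\n", "example \t\n").replace("\n", "\r\n")
# Not tolerated: mbox-style "From " quoting rewrites a signed line.
MANGLED = ARCHIVE.replace("\nFrom the", "\n>From the")

if __name__ == "__main__":
    print(fingerprint(HARMLESS) == fingerprint(ARCHIVE))
    for n, ref, loc in mangled_lines(ARCHIVE, MANGLED):
        print(f"signed line {n}: {ref!r} became {loc!r}")
```

Run against the archive copy and the copy saved from the mail client, the line list points at the exact text the client or a delivery filter rewrote.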