Why you should not use old-style PGP encrypted / signed messages
Category: Sysadmin.
Just received another mail signed in the the old-style way:
-----BEGIN PGP SIGNED MESSAGE----- ① Hash: SHA1 ② Hello, [...] Cordialement - -- ③ [...] Membre de l'April - « promouvoir et défendre le logiciel libre » - [...] -----BEGIN PGP SIGNATURE----- ④ Version: GnuPG v1.4.9 (GNU/Linux) ⑤ Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org sDJOSYR9U4W6YR8d794Y5f0296J0Fg9847ED904h780592347dJ5F924e3UoiY58 reptup34eo8t9568gdfg8spf2dgj3Fdf =iDPk -----END PGP SIGNATURE----- ⑥
First, it is really painful since a lot a junk prevent the mail from being read easily:
- There are separators for different parts of the PGP signed message ①, ④ and ⑥;
- The first line of the
message
is not part of the message ②; - Lines starting with a dash have
prepended to them. As a consequence, the signature is not a signature anymore ③;- - The message ends with data that is definitively intended to be read by a program ⑤.
Well, most mail user agents will however be able to handle this kind of old-style signed messages. For example, in mutt, the <Esc>P command will process the message through GnuPG.
However, things are still not perfect: the original old-style signed message has the Content-Type set to text/plain; charset="iso-8859-1" and Content-Transfer-Encoding set to quoted-printable. As a consequence, reading the message as raw text displays accents like this:
Membre de l'April - =AB promouvoir et d=E9fendre le logiciel libre =BB -
This is exactly what GnuPG reads when it processes the message. So it basically reads ASCII and output ASCII, the iso-8859-1 charset information being only used by the mail user agent after the message is unquoted. The problem is that the mail part that replaced the original one is of type application/pgp, that is without charset specification. As a consequence, when the mail user agent unquote the message, as no charset is provided, it assumes the message is written in ASCII which is the default (for details, please refer to RFC822).
This results in invalid characters written to the terminal:
Membre de l'April - \253 promouvoir et d\351fendre le logiciel libre \273 -
The message is still painful to read. This is definitively a bug in the sender's mail user agent: it should not be possible to send old-style PGP signed/encrypted messages in a charset different form ASCII since there is no way for the recipient's mail user agent to know the charset of the mail (some user agents will do assumptions though).
There is another way to sign/encrypt messages using MIME types as detail in RFC2015. While some bogus user agents will not handle this very cleanly (under some circumstances, Outlook Express will only display the message as an attachment), the different pieces of the message (message, signature) are different parts of the mail (MIME multipart).
To sum up, I copy/paste here the configuration option of mutt to set the behavior of the user agent regarding old-style signing/encrypting:
pgp_create_traditional
Type: quadoption
Default: no
This option controls whether Mutt generates old-style PGP
encrypted or signed messages under certain circumstances.
Note that PGP/MIME will be used automatically for messages which
have a character set different from us-ascii, or which consist
of more than a single MIME part.
Also note that using the old-style PGP message format is
strongly deprecated.
So, please, configure your mail user agent correctly and use MIME attachments for PGP signed/encrypted messages.
![[RSS]](/images/rss.png){kind=small}
