Kmail OpenPGP/MIME - hash in micalg is wrong?

CybDev
Hi

I've been using KMail for quite some time now, but one thing that's always bothered me is the sending and receiving of OpenPGP/MIME signed messages.
(KMail sends the right hash for inline PGP.)

I spent some time googling around but couldn't find any good answer, so I thought I'd try this forum.

I was always using SHA-1 hashing when using KDE 3.x, so I can't verify this issue applies there, but any KDE 4.x version of KMail I've tried has this problem, currently using KMail 4.1.4 on Gentoo Linux.

The most annoying part is the sending of signed messages if you are not using SHA-1 hash for message signing.

Sending a mail with Thunderbird gives a header such as this:
Content-Type: multipart/signed;
  micalg=pgp-sha256;
  protocol="application/pgp-signature";
  boundary="------------enig6C27345EB16199DD8B1DCF31"

Sending a mail with KMail gives this header instead, but the same key is used:
Content-Type: multipart/signed;
  boundary="nextPart3110028.RrybVz1ln4";
  protocol="application/pgp-signature";
  micalg=pgp-sha1


This is of course wrong, as the hash is actually SHA-256, and this breaks most clients (claws-mail works wonders tho, why couldn't it be more like KMail in other aspects?...)
(Any message signed in the same KMail instance comes up good regardless tho)

Any tips on how to resolve this, without using inline signatures, would be much appreciated.
bcooksley
This sounds like a bug. Try searching for an existing one, it more than likely exists given the type of functionality this is.

CybDev
bcooksley wrote: This sounds like a bug. Try searching for an existing one, it more than likely exists given the type of functionality this is.


Yeah I've tried searching for a similar bug but found none.

I'm wondering tho, should the client honor the micalg header or draw its own conclusions from the actual signature? I mean, there aren't that many standard algorithms, if it fails SHA1 how come it doesn't check SHA256 etc...? (and signature length gives a good pointer as to what hash alg was used or which algorithms should be tried)

claws-mail seems to ignore the micalg field, but it's the only client I've found that manages to validate those messages.
bcooksley
If KMail is creating a SHA-256 hash, but then writing to a key that it is SHA1, then many applications would have problems. Claws mail likely just generates all possible sums and looks for a match, ignoring the key.

Please file this so that the developers can correct the bug.

CybDev
bcooksley wrote: This sounds like a bug. Try searching for an existing one, it more than likely exists given the type of functionality this is.


My bad, there is a bug reported but for 3.x and with RIPEMD160
Bug ID 128784 - It's been dead in the water since 2006 sometime tho it seems :-(

Last edited by CybDev on Tue Feb 03, 2009 9:59 am, edited 1 time in total.