How can I ignore a list signature, so that full message is signed? #4228

scottkosty opened this issue Apr 1, 2024 · 9 comments
@scottkosty
Member

I use GPG and validation of signatures often. On a certain mailing list, I always get the following warning when opening a message:

Warning: Part of this message has not been signed

I believe it's because the mailing list appends the following signature to every message:

--
lyx-devel mailing list
lyx-devel@lists.lyx.org
http://lists.lyx.org/mailman/listinfo/lyx-devel

I think there are ways in NeoMutt to filter, etc. How can I ask NeoMutt to either not show me that signature, or to ignore it when checking the signature? This way, the warning would not show, and I would not be insensitive to it (as I currently am) if there is ever a non-trivial part of the message that wasn't signed.

Thanks!

@scottkosty scottkosty added the type:question Question label Apr 1, 2024
@alejandro-colomar
Member

alejandro-colomar commented Apr 1, 2024

I wonder why (some) lists inject a signature, instead of adding a header field. By adding a header field, they wouldn't be destructive to the message, and wouldn't cause problems like this one.

They could do something like:

Mailing-List-Archives: <http://lists.lyx.org/mailman/listinfo/lyx-devel>
Mailing-List: lyx-devel mailing list <lyx-devel@lists.lyx.org>

(I completely made up those header field names.)

@scottkosty
Member Author

That would indeed make a lot of sense! My university also injects into messages, like prepending "[External Email]". In theory they would argue it makes it more secure, but I would disagree. I suppose it depends on the user.

@alejandro-colomar
Member

alejandro-colomar commented Apr 2, 2024

Does your university add "[External Email]" to the body or to the Subject? If it's done on the subject, I hope they do it only on the unprotected subject. If they don't edit the protected subject, the signature should remain valid.

However, they may have a bug, and replace also the protected Subject. Yesterday, I had to report a bug to my mail provider, which seemed to be injecting a header before any From header field, and since mutt(1) has a bug by which it protects the From header field (among others), my mail provider was injecting a header field in the protected header, and thus invalidating my signature (for some reason, either my provider or mutt(1) only reproduces this bug sometimes, so my signature remained valid in most of the cases). The mail provider fixed the bug in a few minutes after my report, though, so they were nice. :-)

Anyway, you could report a security bug (especially to the mailing list). Maybe they fix it.

@dcpurton
Collaborator

dcpurton commented Apr 2, 2024

Editing the message body is a "feature" of MS Exchange...

@scottkosty
Member Author

> The mail provider fixed the bug in a few minutes after my report, though, so they were nice. :-)

Wow, it's nice to hear stories like this :)

Indeed, my university moved to MS Exchange, and it is an edit of the message body. In any case, thanks for your issues on protecting headers and signatures. I hope to use PGP increasingly more.

@alejandro-colomar
Member

> > The mail provider fixed the bug in a few minutes after my report, though, so they were nice. :-)
>
> Wow, it's nice to hear stories like this :)

It's migadu, in case you might be interested: https://migadu.com/.
I can only say good things about them. :)

> Indeed, my university moved to MS Exchange, and it is an edit of the message body.

Heh, if it's recent, maybe you can push with bug reports that it's trashing security. They'll probably ignore them, but there might be a chance.

> In any case, thanks for your issues on protecting headers and signatures. I hope to use PGP increasingly more.

Thanks! :-}

@scottkosty
Member Author

> It's migadu, in case you might be interested: https://migadu.com/.
> I can only say good things about them. :)

Actually I am interested. Thanks! I'll check them out.

@alejandro-colomar
Member

I've found a few headers that are used by mailing lists:

List-Archive, List-Help, List-ID, List-Owner, List-Post, List-Subscribe, List-Unsubscribe, List-Unsubscribe-Post.

Please ask that mailing list to use these instead of editing the mail body.

See https://www.iana.org/assignments/message-headers/message-headers.xhtml

@scottkosty
Member Author

Thanks, I will look into those. It would be nice if they can use better practices. Even without the signature issue, it is annoying that the message is edited.
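
Added example, not part of the thread and not NeoMutt code: a structural check for the situation in the opening post and for the `List-*` headers mentioned above. It walks the MIME tree, lists every leaf part that lies outside a `multipart/signed` subtree, and reports whether the only unsigned text is the known list footer. It does not verify the PGP signature itself. The sample message, the `classify` helper and the assumption that the list appends its footer as a separate MIME part are all constructed for illustration.

```python
import email
from email import policy
FOOTER = ("lyx-devel mailing list\nlyx-devel@lists.lyx.org\n"
          "http://lists.lyx.org/mailman/listinfo/lyx-devel")  # as quoted in the issue
# Constructed sample; assumes the list appends its footer as a separate unsigned MIME part.
SAMPLE = """\
From: alice@example.org
List-Id: <lyx-devel.lists.lyx.org>
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

Signed body text.
--inner
Content-Type: application/pgp-signature

(placeholder, not a real signature)
--inner--
--outer
Content-Type: text/plain

--
lyx-devel mailing list
lyx-devel@lists.lyx.org
http://lists.lyx.org/mailman/listinfo/lyx-devel
--outer--
"""

def classify(raw, footer=FOOTER):
    """Flag leaf parts outside any multipart/signed subtree that are not the footer."""
    msg = email.message_from_string(raw, policy=policy.default)
    has_signed = any(p.get_content_type() == "multipart/signed" for p in msg.walk())
    unexpected = []
    def walk(part, signed):
        signed = signed or part.get_content_type() == "multipart/signed"
        if part.is_multipart():
            for sub in part.iter_parts():
                walk(sub, signed)
        elif not signed:  # leaf that no signature covers
            text = part.get_content() if part.get_content_maintype() == "text" else part.get_content_type()
            if text.strip().removeprefix("--").strip() != footer:
                unexpected.append(text.strip())
    walk(msg, False)
    return {"only_footer_unsigned": has_signed and not unexpected, "unexpected_unsigned": unexpected,
            "list_headers": [h for h in msg.keys() if h.lower().startswith("list-")]}
```

A message for which `only_footer_unsigned` is false carries unsigned content other than the footer, or no signed part at all, which is the case the "Part of this message has not been signed" warning exists to surface.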
