GNU bug report logs - #26587
26.0.50; Gnus signs with false S/MIME key

Packages: emacs, gnus;

Reported by: Torsten Bronger <bronger <at> physik.rwth-aachen.de>

Date: Fri, 21 Apr 2017 11:42:02 UTC

Severity: normal

Tags: fixed, security

Found in version 26.0.50

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


Message #16 received at 26587 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Torsten Bronger <bronger <at> physik.rwth-aachen.de>
Cc: 26587 <at> debbugs.gnu.org
Subject: Re: bug#26587: 26.0.50; Gnus signs with false S/MIME key
Date: Wed, 09 Oct 2019 21:59:34 +0200

Torsten Bronger <bronger <at> physik.rwth-aachen.de> writes:

> When writing the message, I call (mml-secure-message-sign-smime).
> The "From:" field contains "Torsten Bronger
> <bronger <at> physik.rwth-aachen.de>".  My secret keys are:

OK, my first attempt at this ended up with Message not complaining at
all, but sending out a "signed" message with the following empty
signature:

--=-=-=
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s


--=-=-=--

I've now made it bug out if it can't find any identity to sign with.

Now, for the bug you're seeing...  If I'm tracing the code right (and I
may well not be), this is what's used to find what name to sign with:

(defun mml-secure-signer-names (protocol sender)
  "Determine signer names for PROTOCOL and message from SENDER.
Returned names may be e-mail addresses or key IDs and are determined based
on `mml-secure-openpgp-signers' and `mml-secure-openpgp-sign-with-sender' with
OpenPGP or `mml-secure-smime-signers' and `mml-secure-smime-sign-with-sender'
with S/MIME."
  (if (eq 'OpenPGP protocol)
      (append mml-secure-openpgp-signers
	      (if (and mml-secure-openpgp-sign-with-sender sender)
		  (list (concat "<" sender ">"))))
    (append mml-secure-smime-signers
	    (if (and mml-secure-smime-sign-with-sender sender)
		(list (concat "<" sender ">"))))))

mml-secure-smime-sign-with-sender defaults to nil, so it's normally not
used.  So this returns just the value of mml-secure-smime-signers.
What's that variable for you?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
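
Added example, not part of the message above and not Gnus code: a structural check that a test or outgoing-mail filter could run to catch a multipart/signed message whose smime.p7s part is empty, as in the MIME excerpt quoted in the message. The function names, the sample address and the placeholder base64 values are constructed for illustration; the check does not verify the signature itself.

```python
# Added example: structural check for an empty S/MIME signature part.
from email import message_from_bytes

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def check_smime_signature(raw: bytes) -> list[str]:
    """Return findings for a multipart/signed message; [] means none.

    Structure only: this does not verify the signature cryptographically.
    """
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        return []
    sig_parts = [p for p in msg.walk() if p.get_content_type() in SIG_TYPES]
    if not sig_parts:
        return ["multipart/signed without a pkcs7-signature part"]
    findings = []
    for part in sig_parts:
        der = part.get_payload(decode=True) or b""
        if not der.strip():
            findings.append("empty pkcs7-signature part")
        elif der[:1] != b"\x30":  # CMS ContentInfo is an ASN.1 SEQUENCE (0x30)
            findings.append("pkcs7-signature part is not a DER SEQUENCE")
    return findings


def build_sample(signature_b64: str) -> bytes:
    """Constructed message reusing the boundary and part headers quoted above."""
    lines = [
        "From: Sender <sender@example.org>",  # constructed address
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/signed; boundary="=-=-=";',
        ' micalg=sha-256; protocol="application/pkcs7-signature"',
        "",
        "--=-=-=",
        "Content-Type: text/plain",
        "",
        "hello",
        "--=-=-=",
        "Content-Type: application/pkcs7-signature; name=smime.p7s",
        "Content-Transfer-Encoding: base64",
        "Content-Disposition: attachment; filename=smime.p7s",
        "",
        signature_b64,
        "--=-=-=--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")
```

`build_sample("")` reproduces the empty-signature case; `"MIIBAA=="` is a constructed placeholder that only carries a DER SEQUENCE prefix and is not a valid signature.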




This bug report was last modified 4 years and 296 days ago.
