PGP verification of clearsigned messages containing armored data gives false invalid.

RESOLVED INVALID

Status

()

--
minor
RESOLVED INVALID
10 years ago
10 years ago

People

(Reporter: alexr, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9) Gecko/2008061015 bees
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9) Gecko/2008061015 bees

The browser based pgp integration is a godsend for those of us who use it (I doubt we're core users), but it doesn't work. That page is just a clearsigned copy of a key I found online (the one I was looking at when I noticed the new features) inside a <p></p> element.

When I wget it and gpg --verify it, the signature verifies fine (the signing key was 0x36E4BDFF)

As a side note, I'd love to see browser support for pgp-signing a webpage, though I can definitely see this would be a lot of work and break compatibility with standards. Could have sig embedded in HTML comment tags in specified position I suppose. For all four of us who'd use it:-)

Thanks,
Alex

Reproducible: Always

Steps to Reproduce:
1. Go to above URI
2. Click verify, watch it fail
3. Wget the page and verify on the command line with gpg --verify
4. ???
5. Profit
Actual Results:  
Signature verifies for command line but not Firefox.

Expected Results:  
Firefox should have verified the signature as valid.

Assuming we classify pgp-support as relevant, this is not the trivial edge case it may seem. I noticed this bug when I was planning to clearsign a Firefox version of my crypto information page (http://www.ugcs.caltech.edu/~alexr/secrecy/) that would be linked to from the main one to provide in-browser signature verification. This page would include versions of my public key for easy browser-based import.

This is relevant because I have an old key and a new one, and sign the page with both.

Comment 1

10 years ago
I'm not really clear what bug you are reporting. Firefox does not verify it sounds like an extension problem which makes this invalid. Bugs with extensions should be reported to the extension's developer. Your other request sounds like bug 357310.
(Reporter)

Comment 2

10 years ago
I'm sorry; I forgot I'd installed FireGPG ages ago and thought I was using regular Firefox and assumed it was a 3.0 feature, since I recently upgraded and noticed a lot of other cool features.

This is an extension bug and I'm throughly embarrassed for the waste of Bugzilla space. I'll let the authors know.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.