[Rt-devel] Mail::GPG vs. Mail::GnuPG

Ruediger Riediger ruediger.riediger at sun.com
Tue Oct 26 12:01:48 EDT 2004 

I noticed that RT 3.2 now makes use of Mail::GPnuG.
Actually, there are *two* modules to handle email messages with GPG:
* Mail::GPG
* Mail::GnuPG

The first one claims:

"I know the Mail::GnuPG module. I worked a long time with it and 
submitted a few patches adding features and fixing bugs. The problems 
with MIME signed messages mentioned above led me to my own 
implementation. In the meantime I know, that regarding the implemented 
RFC's Mail::GnuPG works as correct as Mail::GPG does. Only that 
Mail::GnuPG's documentation is not aware of these MIME signature 
problems resp. encoded vs decoded data storage."


Anyone aware of this problem? What is the current status, is this fixed?
Thanks for your support!


The reference above to the problems with MIME signed messages is:

"MIME-tools PATCH

Some words about MIME-tools: MIME::Entity internally stores all data in 
decoded form, that is without any content transfer encoding like 
quoted-printable or base64 applied. In particular if you parse with 
MIME::Parser, e.g. a MIME signed mail, the entity will always be stored 
that way.

But RFC 3156 requires the encoded version of the MIME entity, because 
the signature is calculated based on the encoded form. Some content 
transfer encodings are ambigious and you can't reverse the process and 
get back the correct encoded version without breaking the signature.

The shipped MIME-tools patch adds the ability of having encoded data in 
a MIME::Entity object and a method to advise MIME::Parser to use this 
ability and store the parsed data in encoded form.

Additionally MIME-tools does not reproduce preambles which consist only 
of empty lines. This also invalids signatures. E.g. mutt and sylpheed 
are known to add such empty preambles. The patch fixes this problem.

Mail::GPG generally works without this patch, but it's strongly 
suggested that you apply it. Otherwise you have no guarantee that MIME 
signed messages are verified correctly by Mail::GPG.

Unfortunately the maintainer of MIME-tools currently seeks for a new 
maintainer and stopped development, so there is no chance to get the 
patch into an official CPAN version of MIME-tools. That's why you have 
to apply the patch manually."

http://cpan.uwinnipeg.ca/htdocs/Mail-GPG/Mail/GPG.html

Best regards,

	Ruediger Riediger

-- 
Dr. Ruediger Riediger                              Sun Microsystems GmbH
NSG - SunCERT                                             Komturstr. 18a
mailto:Ruediger.Riediger at Sun.com                          D-12099 Berlin
------------------------------------------------------------------------
NOTICE:  This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.
------------------------------------------------------------------------
PGP 2048RSA/0x2C5020E9          964C E189 0FF0 8882  2BAB 65E2 6912 1FF2
------------------------------------------------------------------------

More information about the Rt-devel mailing list