On Tue 2016-11-22 15:49:37 -0500, Daniel Kahn Gillmor wrote:
> On Tue 2016-11-22 14:22:09 -0500, Marius Bakke wrote:
>> T350-crypto: Testing PGP/MIME signature verification and decryption
>>  PASS   emacs delivery of signed message
>>  FAIL   signature verification
>>         --- T350-crypto.2.expected      2016-11-22 18:59:48.341851653 +0000
>>         +++ T350-crypto.2.output        2016-11-22 18:59:48.341851653 +0000
>>         @@ -11,7 +11,7 @@
>>                                          "id": 2
>>                                      },
>>                                      {
>>         -                                "content-length": 280,
>>         +                                "content-length": 312,
>>                                          "content-type": "application/pgp-signature",
>>                                          "id": 3
>>                                      }
>
> If you could get me a copy of the actual application/pgp-signature part,
> i'd be interested in looking at it.  Unlike bremner, i'm actually able
> to duplicate this problem on debian sid, so i'll see what i can figure
> out.

OK, the difference here is that 2.1.16 is automatically including the
full OpenPGP v4 fingerprint in the message signature.  This is part of
the ongoing discussion around revisions to the OpenPGP standard, and it
makes it easier for a mail user agent to tell whether it's missing the
key for verification or whether the signature is just bad.

so the length of the signature is extended by about 23 octets (1 octet
of subpacket length; 1 octet of subpacket type, 1 octet of fpr versio
number, and 20-octets of fingerprint), which becomes about 32 octets
after base64 encoding, hence the increase in content-length from 280 to
312 octets.

As for how to fix it -- i guess the right thing would be to make that
number variable -- as long as the signature is non-zero and it
validates, i think it'd be fine.

           --dkg