PGP bug; can you reproduce?

Trevor Smith pmmail@rpglink.com
Thu, 23 Mar 2000 01:04:19 -0400 (AST)


Tonight I discovered a PGP bug in PMMail/2.

I received PGP signed and encrypted mail from a correspondent whose
public key I did not have in my PGP keyring. (He was using PMMail
2000's built-in PGP version, I'm using PGP 5.0i for OS/2, but that
should not be relevant to this discussion.)

When I tried to open the message, PMMail/2 asked for my passphrase. I
entered it.

PMMail/2 tried to decrypt the message (which required my private key)
and check the signature (which required the sender's public key).
However, since I didn't have the sender's public key, PGP failed on
the signature check and generated an error message (the actual error
message said "Signature check got an error"), which PMMail/2 properly
displayed in a dialog window for me.

Unfortunately though, instead of opening the *properly* decrypted
message and saying "could not verify signature because key is not in
keyring" as I expected, PMMail/2 simply displayed the raw PGP
encrypted message.

I verified that the message *could* be decrypted, despite not being
able to check the signature by doing:

pgp v testmessage

at the command line. I received the same error message about the
signature but the message *was* decrypted and I was then able to read
it. Obviously PGP had no problem, PMMail/2 just "forgot" to decrypt
the message when it saw the signature failure message.

Can anyone try to reproduce this for me?

You will need to receive mail encrypted to you and signed by someone
whose public key you do NOT have.

Send a note to this list or to me indicating your volunteer status
and include your public key and I'll send a signed and encrypted
message to you. (Remember though, on the off chance you already have
MY public key in your keyring, this test will not work.)

I would like to test this with PMMail/2 and PMMail 2000 users.


-- 
 Trevor Smith          |          trevor@haligonian.com
 PGP public key available at: www.haligonian.com/trevor

PGP Public Key Fingerprint= A68C C4EC C163 5C0A 6CFA  671F 05D4 0B30 318B AFD6
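Added illustration of the failure mode reported above (this is not code from PMMail, PGP or the original post): a client runs a single decrypt-and-verify pass and, on any engine error, falls back to showing the raw armoured message, so a mere "signer's key not in keyring" condition hides a message that was in fact decrypted. The status lines use GnuPG's `--status-fd` keyword format as an assumption (PGP 5.0i prints free text such as "Signature check got an error"), and the ciphertext, plaintext and status lines are constructed samples, not captured output. Decryption success and signature status are tracked independently, so the correct client shows the plaintext and labels the signature separately.

```python
"""Keep 'could not decrypt' apart from 'could not verify the signature'."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class PgpOutcome:
    plaintext: Optional[bytes]          # engine output, if decryption worked
    decrypted: bool                     # private key opened the ciphertext
    signature: str                      # "good", "bad", "unverified" or "none"
    notes: List[str] = field(default_factory=list)


def interpret_status(status_lines: Sequence[str], plaintext: Optional[bytes]) -> PgpOutcome:
    """Fold engine status lines into an outcome.

    A verification problem adds a note and changes the signature state, but it
    never clears the decryption flag: the two results are independent.
    """
    decrypted = False
    signature = "none"
    notes: List[str] = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue                    # plain stderr chatter, not a status word
        fields = line.split()
        keyword = fields[1]
        if keyword == "DECRYPTION_OKAY":
            decrypted = True
        elif keyword == "DECRYPTION_FAILED":
            decrypted = False
            notes.append("decryption failed: no usable private key or bad passphrase")
        elif keyword == "GOODSIG":
            signature = "good"
        elif keyword == "BADSIG":
            signature = "bad"
            notes.append("signature does NOT match the message")
        elif keyword == "ERRSIG":
            signature = "unverified"    # could not check; not the same as a bad signature
        elif keyword == "NO_PUBKEY":
            notes.append(f"could not verify signature: key {fields[2]} is not in keyring")
    return PgpOutcome(plaintext if decrypted else None, decrypted, signature, notes)


def buggy_display(outcome: PgpOutcome, raw_message: bytes) -> bytes:
    """The reported behaviour: any error note at all means 'show the raw message'."""
    if outcome.notes or outcome.plaintext is None:
        return raw_message
    return outcome.plaintext


def correct_display(outcome: PgpOutcome, raw_message: bytes) -> Tuple[bytes, str]:
    """Show the plaintext whenever decryption succeeded; report the signature beside it."""
    if not outcome.decrypted or outcome.plaintext is None:
        return raw_message, "could not decrypt"
    label = {
        "good": "signature verified",
        "bad": "WARNING: bad signature",
        "unverified": "could not verify signature because key is not in keyring",
        "none": "unsigned",
    }[outcome.signature]
    return outcome.plaintext, label


# Constructed sample: signed-and-encrypted mail whose signer's key is not in the keyring.
SAMPLE_CIPHERTEXT = (b"-----BEGIN PGP MESSAGE-----\n"
                     b"hQEMAxEiM0RVZneIAQf9constructedsamplenotrealciphertext\n"
                     b"-----END PGP MESSAGE-----\n")
SAMPLE_PLAINTEXT = b"Test body for the PMMail decrypt-and-verify path.\n"
SAMPLE_STATUS = [
    "[GNUPG:] ENC_TO 1122334455667788 1 0",
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] PLAINTEXT 62 0",
    "[GNUPG:] ERRSIG 8877665544332211 17 2 01 953788800 9",
    "[GNUPG:] NO_PUBKEY 8877665544332211",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] END_DECRYPTION",
]

if __name__ == "__main__":
    outcome = interpret_status(SAMPLE_STATUS, SAMPLE_PLAINTEXT)
    print("buggy client shows:", buggy_display(outcome, SAMPLE_CIPHERTEXT).decode())
    body, label = correct_display(outcome, SAMPLE_CIPHERTEXT)
    print("correct client shows:", body.decode(), "with label:", label)
```

Run as a script, the buggy path prints the armoured block while the correct path prints the plaintext with the "could not verify signature" label; a `DECRYPTION_FAILED` status makes both paths show the raw message, which is the only case where that fallback is right.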