Submit Request Failure: Signature couldn't be verified: (7, 8, u'Bad signature') - with email signed and sent from sup-mail

Hi Mathias, did you sign the email that served as the comment for the merge proposal?

Excerpts from Paul Hummer's message of Mon Aug 09 20:01:46 UTC 2010:
> Hi Mathias, did you sign the email that served as the comment for the
> merge proposal?
>
Yes. The signature is the last mime part in the attached email.

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Have you tried it since then? It's almost impossible for me to try and verify the signature based on that file, since gpg doesn't verify well in copy/paste scenarios. Was this a transient issue, or can you not comment on merge proposals at all?

Happened again. This time I was trying to update the status of a bug.

I was trying to comment on bug 615736. I've attached the email I sent to LP.

Happened again while commenting on a bug. It may related to the mailer I'm using: sup-mail.

Moving back to launchpad-code, where it belongs.

I've been getting this quite frequently after upgrading to Thunderbird 3.

I've verified my messages, and I've had Vincent Ladeuil also verify them (he was CC'd on the original messages, which Launchpad failed to validate.)

I can include copies if it helps.

Also note that the email which is sent back to me has the original message in it, and my mail client validates that section just fine. (So the attached message which Launchpad says is invalid, my mail client says is valid, and I can copy & paste the gpg block into a text editor, and it also claims it is valid.)

I'll try to attach the content of one of these.

I've been getting this quite frequently after upgrading to Thunderbird 3.

I've verified my messages, and I've had Vincent Ladeuil also verify them (he was CC'd on the original messages, which Launchpad failed to validate.)

I can include copies if it helps.

Also note that the email which is sent back to me has the original message in it, and my mail client validates that section just fine. (So the attached message which Launchpad says is invalid, my mail client says is valid, and I can copy & paste the gpg block into a text editor, and it also claims it is valid.)

I'll try to attach the content of one of these.

Paul thought on IRC that this is a foundations issue, so I'm redirecting it there.

Any chance I can get some help on this? Basically, the email interface now rejects *everything* I send, which is a big interruption to my workflow.

Do we know if gpg-signed incoming mail is broken entirely, or is it
something specific to John?

Benji changed this recently to check gpg signature timestamps, though
as it happens not on mp mails. It's possible a side effect of that
has broken this.

We do get some log output into process-mail.log, but I suspect it's
not very verbose about gpg.

--
Martin

The annoying thing is that SubmitRequestFailure doesn't tell me anything about what is wrong, just that something is wrong.

Even further, inside that message I get back Thunderbird tells me that the signature is correct...

Which leads me to think the timestamp issue is what we need to focus on.

Though the one I just submitted had what looks to be a valid timestamp.

In the message header:
Date: Wed, 22 Sep 2010 09:49:11 -0500

from gpg --verify:
gpg: Signature made Wed Sep 22 09:49:11 2010 CDT using DSA key ID 848D0003
gpg: Good signature from "John A Meinel <email address hidden>"
gpg: aka "John F Meinel Jr <email address hidden>"
...

The datestamp in the mail header seems to match exactly the datestamp returned by gpg. Is there maybe an issue about CDT that is causing problems?

Assigning to Benji for a preliminary look.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The timestamp checking is only used for email to bugs that include
commands. The timestamp checking also generates error messages that
describe exactly why the mail was rejected.

I tried to check the message in review_failure.txt by hand with no luck.
I put the signature in one file and the content of the MIME section
containing the message itself in another file. At first GPG complained
that it couldn't find the public key:

gpg: Signature made Thu 29 Jul 2010 10:59:29 PM EDT using DSA key ID ECF7A558
gpg: Can't check signature: public key not found

...so I added the key:

gpg --search-keys ECF7A558
gpg: searching for "ECF7A558" from hkp server keys.gnupg.net
(1) Mathias Gug <email address hidden>
        Mathias Gug <email address hidden>
        Mathias Gug <email address hidden>
        Mathias Gug <email address hidden>
        Mathias Gug (Ubuntu key) <email address hidden>
        Mathias Gug (Ubuntu key) <email address hidden>
        Mathias Gug (Ubuntu key) <email address hidden>
        Mathias Gug (Ubuntu key) <email address hidden>
          1024 bit DSA key ECF7A558, created: 2007-05-21
Keys 1-1 of 1 for "ECF7A558". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key ECF7A558 from hkp server keys.gnupg.net
gpg: key ECF7A558: public key "Mathias Gug <email address hidden>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1

...and tried again:

gpg: Signature made Thu 29 Jul 2010 10:59:29 PM EDT using DSA key ID ECF7A558
gpg: BAD signature from "Mathias Gug <email address hidden>"

I couldn't get GPG to validate the signature with any amount of fiddling
with the message (removing leading/trailing newlines, including or
removing the headers, including or removing the Multipart MIME
separator, etc.).

It would be helpful if one of the people experiencing this problem would
clearsign a small text file with the same key they normally use and
attach it to this bug. Like so:

gpg --clearsign message

(The signed file will be message.asc.)

It would also be informative if you can sign an email message in the
same way as above and paste it into the body of an email to one of the
destinations that is having the problem. Be careful not to sign the
email a second time with your mail client.

By way of a small test I've signed this message in the way described
above and emailed it to Launchpad.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJMpjO8AAoJEM45TM4qdG169rgH/3NDM0LWpA6U2pl8+Y7pS1Vf
o21vSLo1DzOqgBvulPMxjyTekSHtgstOKryBu14iQyt7m0nbjr5xoMe62ZMHoMaK
MUlvIU9j3AQHj8dTcAyiwSfqqnz0nzS2+PxbQgSo2WeKIj6SQPAwMX97qtEAr2Xv
FO5TboZse/CctN/BeS2H8z6kLH0jy0aTYIf23RdbTQ9FYlz6UnM56kUREyTIZS8x
9Gl9zDqpKZe9YlMfL86Q9XqNDOScuL9T11kX36OEo7rl1CMZzRiXtDyJYUDfxN2V
Sc/b8TFLMNpVahSXgg/GafPm6L3x2x8m2yX317DuwGkwLzGIs3COHHbpkFj82rM=
=Vbg5
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Replying to this bug, expecting a failure.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyqQdcACgkQJdeBCYSNAAMT3QCfQcg5hg1Ab2VVlmU7QWoxuR+t
xBsAoKFmS4kxLsAZfLxajRmgcWXPqcWm
=tw0I
-----END PGP SIGNATURE-----

Can you try the "submit_request_failure.txt" ?

That is my complete email, including a successful gpg signature that Launchpad is failing on. It is a cut & paste of the response that Launchpad sent back to me. It does seem to include verbatim the message it received (as a mime attachment).

I also just sent another email, which I will attach here. (sent_email.txt)

I'll also attach the response from Launchpad once I get it (prob in about 10min).

This is a simple message per your request.

The actual email sent to Launchpad in reply to this bug (with gpg signature, etc)

Also see comments (esp. # 12) in dupe bug 651128

Fixed in stable r11744 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/11744>.

Is there an expected deployment date for the committed fix?

It's dependent on successful QA, but my guess is that it will be deployed within the week, next week at the latest.