diff options
| author | Robin Jarry <robin@jarry.cc> | 2024-03-04 23:27:00 +0100 |
|---|---|---|
| committer | Robin Jarry <robin@jarry.cc> | 2024-03-10 17:28:16 +0100 |
| commit | 7b8fbe2a3d7c454c030cabdf5de65b84c3383a7f (patch) | |
| tree | 5e443bce66f12447241196e38f5c93a7f9a51a72 /app | |
| parent | 6a84f1331f1c18dccfbe58601a4243995ac5c7d2 (diff) | |
| download | aerc-7b8fbe2a3d7c454c030cabdf5de65b84c3383a7f.tar.gz | |
gpg: fix mime-version header position
Some MTAs try to normalize the case of all headers (including signed
text parts headers). Unfortunately, Mime-Version can be normalized to
different casing depending on the implementation (MIME- vs Mime-).
Since the signature is computed on the whole part, including its header,
changing the case can cause the signature to become invalid.
Due to how multipart/signed messages are constructed, we need to hack
around go-message writers to intercept the writing of a text part,
compute its signature and write the actual message with the proper
headers.
Unfortunately, go-message does not allow creating a message writer that
does not insert a Mime-Version header. This causes the Mime-Version
header to be inserted in the wrong place: it is put inside the signed
text part header instead on the top level header. Thus, included in the
signed content.
Make sure to remove any Mime-Version header from the signed part header.
Finally, ensure that Mime-Version is set on the top-level header so that
messages are compliant with RFC 2045.
Fixes: https://todo.sr.ht/~rjarry/aerc/143
Link: https://github.com/emersion/go-message/issues/165
Link: https://github.com/emersion/go-pgpmail/pull/15
Link: https://lists.sr.ht/~rjarry/aerc-devel/%3CCQRPF5EA0TF8.PEJ4AKCEGMFM%40fembook%3E
Changelog-fixed: `Mime-Version` is no longer inserted in signed
text parts headers. MTAs normalizing header case will not corrupt
signatures anymore.
Reported-by: Coco Liliace <chloe@liliace.dev>
Reported-by: Kirill Chibisov <contact@kchibisov.com>
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Tim Culverhouse <tim@timculverhouse.com>
Diffstat (limited to 'app')
| -rw-r--r-- | app/compose.go | 8 |
1 files changed, 0 insertions, 8 deletions
diff --git a/app/compose.go b/app/compose.go index 451981cd..6cdc3458 100644 --- a/app/compose.go +++ b/app/compose.go @@ -942,14 +942,6 @@ func (c *Composer) WriteMessage(header *mail.Header, writer io.Writer) error { } } - if header != nil && !header.Has("MIME-Version") { - // sign and encrypt will create multipart/* messages - // without setting the MIME-Version header. Set it - // manually at the top level to be compliant with RFC - // 2045. - header.Set("MIME-Version", "1.0") - } - if c.encrypt { rcpts, err := getRecipientsEmail(c) if err != nil { |