GpgOL hides message body that is signed with a PGP key and contains a line of "-" characters

I noticed that GpgOL hides the entire text of the body of emails I receive that contain a row of “-” characters. I know this because these emails are readable once I disable the GpgOL add-in for the Outlook desktop app (not the new Outlook). Is there a workaround for that without having to unload the GpgOL add-in?

Hi Andrew,
just guessing here, it could be that GpgOL tries to check the email for an old style no-mime OpenPGP use (sometimes called “in-line PGP”). It could be a defect, because I am not sure if this can be switched off.

@cklassen can you check if we can reproduce this?

I made an error. The characters involved are a line of “-” characters. I corrected the post text.

If I copy the body of an affected email to my clipboard and then verify through Kleopatra, then Kleopatra cannot find the signature and I see this in the audit log:

gpg: WARNING: no command supplied. Trying to guess what you mean …
gpg: unexpected armor: ---------------------------------------------------------------------\n
gpg: invalid armor header: Authenticated command injection vulnerabilities exist in\n

Evidently GnuPG is detecting the “-” characters as a part of a signature block.

This seems to strengthen my assumption. However it probably should be an option to turn this deprecated no-mime handling off or a second pass to show the contents if the detection fails.

A next step would be to open a report on dev.gnupg.org with an easy way to reproduce this.

I can reproduce it when I send a signed email from Outlook with the option “Send OpenPGP emails without attachments as PGP/Inline” enabled in GpgOL and then open it in Outlook.

When I send a signed email from Outlook and the option is disabled in GpgOL I don’t face this problem.

So it seems that the person who sends you emails is using PGP/Inline (or “in-line PGP” as Bernhard said) and combines it with a row of “-” which leads to this error.

Ok. I’ll open a bug report in the dev. The email in question is from the Aruba Networks security team; they use these PGP signatures as a message verification for the different security vulnerability announcements.


@cklassen thanks for testing.

Did you also try to reproduce this with a regular email and just a row of - in there and could not reproduce it? Because that would be the bad case.

Or do you say that the contents of an email with a deprecated no-mime OpenPGP signature does not get displayed?

Yes, I also tested the case with a regular email and there I didn’t have this problem.
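For anyone preparing the reproduction report discussed in this thread: the cleartext (PGP/Inline) signature format in RFC 4880, section 7.1 requires every signed line that starts with "-" to be dash-escaped with a "- " prefix, so a row of "-" characters is a natural thing to check in an affected message. The sketch below is an added example, not code from GpgOL, GnuPG or any poster here; the function names, the sample advisory text and the placeholder signature block are constructed for illustration, and it makes no claim about the root cause in GpgOL.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def dash_escape(cleartext):
    """Prefix each line that starts with '-' with '- ' (RFC 4880, section 7.1)."""
    return "\n".join("- " + l if l.startswith("-") else l
                     for l in cleartext.split("\n"))

def audit_cleartext(message):
    """Inspect the first cleartext-signed block in `message`.

    Returns (text_lines, problems): the signed text with dash-escaping
    removed, and a list of (line_number, line) for signed lines that start
    with '-' without the required '- ' prefix. Returns (None, []) when the
    message has no cleartext signature header at all.
    """
    lines = message.splitlines()
    if BEGIN_SIGNED not in lines:
        return None, []
    i = lines.index(BEGIN_SIGNED) + 1
    while i < len(lines) and lines[i].strip():   # skip "Hash:" armor headers
        i += 1
    i += 1                                       # skip the blank separator line
    text, problems = [], []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]                      # properly escaped: strip prefix
        elif line.startswith("-"):
            problems.append((i + 1, line))       # unescaped dash line
        text.append(line)
        i += 1
    return text, problems

def wrap(body):
    """Build a constructed sample message; the signature is a placeholder."""
    return "\n".join([BEGIN_SIGNED, "Hash: SHA256", "", body, BEGIN_SIG, "",
                      "(constructed placeholder, not a real signature)",
                      "-----END PGP SIGNATURE-----"])

# Constructed sample body containing a separator row of "-" characters.
BODY = "Advisory summary\n" + "-" * 20 + "\nDetails follow."
ESCAPED = wrap(dash_escape(BODY))   # sender applied dash-escaping
RAW = wrap(BODY)                    # separator row left unescaped

if __name__ == "__main__":
    for name, msg in (("escaped", ESCAPED), ("raw", RAW)):
        print(name, audit_cleartext(msg)[1])
```

Run it over the raw source of an affected email (not the rendered view) and attach the reported line numbers to the bug report.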