I noticed that GpgOL hides the entire text of the body of emails I receive that contain a row of “-” characters. I know this because these emails are readable once I disable the GpgOL add-in for the Outlook desktop app (not the new Outlook). Is there a workaround for that without having to unload the GpgOL add-in?
Hi Andrew,
Just guessing here: it could be that GpgOL tries to check the email for an old-style no-mime OpenPGP use (sometimes called “in-line PGP”). It could be a defect, because I am not sure if this can be switched off.
@cklassen can you check if we can reproduce this?
I made an error. The characters involved are a line of “-” characters. I corrected the post text.
If I copy the body of an affected email to my clipboard and then verify through Kleopatra, then Kleopatra cannot find the signature and I see this in the audit log:
gpg: WARNING: no command supplied. Trying to guess what you mean …
gpg: unexpected armor: ---------------------------------------------------------------------\n
gpg: invalid armor header: Authenticated command injection vulnerabilities exist in\n
Evidently GnuPG is detecting the “-” characters as a part of a signature block.
This seems to strengthen my assumption. However, there should probably be an option to turn this deprecated no-mime handling off, or a second pass to show the contents if the detection fails.
A next step would be to open a report on dev.gnupg.org with a way to reproduce this easily.
I can reproduce it when I send a signed email from Outlook and the option “Send OpenPGP emails without attachments as PGP/Inline” in GpgOL is enabled and open it in Outlook.
When I send a signed email from Outlook and the option is disabled in GpgOL, I don’t face this problem.
So it seems that the person who sends you emails is using PGP/Inline (or “in-line PGP” as Bernhard said) and combines it with a row of “-” which leads to this error.
Ok. I’ll open a bug report in the dev. The email in question is from the Aruba Networks security team; they use these PGP signatures as a message verification for the different security vulnerability announcements.
@cklassen thanks for testing.
Did you also try to reproduce this with a regular email and just a row of “-” in there and could not reproduce it? Because that would be the bad case.
Or do you say that the contents of an email with a deprecated no-mime OpenPGP signature do not get displayed?
Yes, I also tested the case with a regular email and there I didn’t have this problem.
@abosch I have the same problem as you.
Have you already filed the bug report?
So far, I was not able to find the bug.
Regards
Markus
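
Added example, not part of the thread and not GnuPG or GpgOL code: a small Python check for the situation discussed above, which finds lines inside an inline (cleartext-signed) message that start with “-” but lack the “- ” dash-escape that RFC 4880 section 7.1 prescribes for such lines. Whether missing escaping is what happens in the reported emails is not established by the thread; the function names and the sample message are constructed for illustration.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIGNATURE = "-----BEGIN PGP SIGNATURE-----"


def find_unescaped_dash_lines(body):
    """Return (line_no, text) for cleartext lines starting with '-' but not '- '."""
    findings = []
    state = "outside"  # outside -> headers -> cleartext -> outside
    for line_no, line in enumerate(body.splitlines(), start=1):
        marker = line.rstrip()
        if state == "outside":
            if marker == BEGIN_SIGNED:
                state = "headers"      # "Hash:" armor headers follow
        elif state == "headers":
            if marker == "":
                state = "cleartext"    # blank line ends the armor headers
        elif marker == BEGIN_SIGNATURE:
            state = "outside"          # signed text ends, signature block starts
        elif line.startswith("-") and not line.startswith("- "):
            findings.append((line_no, line))
    return findings


def dash_escape(cleartext):
    """Prefix every line that starts with '-' with '- ' (RFC 4880 section 7.1)."""
    return "\n".join(
        "- " + line if line.startswith("-") else line
        for line in cleartext.split("\n")
    )


def build_message(cleartext):
    """Wrap text in a constructed cleartext-signature frame (placeholder signature)."""
    return "\n".join([
        BEGIN_SIGNED, "Hash: SHA256", "", cleartext, BEGIN_SIGNATURE, "",
        "(constructed placeholder, not a real signature)",
        "-----END PGP SIGNATURE-----",
    ])


# Constructed sample body: a heading underlined with a row of dashes.
SAMPLE_TEXT = "Advisory summary (constructed)\n" + "-" * 30 + "\nDetails follow."

if __name__ == "__main__":
    print(find_unescaped_dash_lines(build_message(SAMPLE_TEXT)))
    print(find_unescaped_dash_lines(build_message(dash_escape(SAMPLE_TEXT))))
```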