GpgOL hides message body that is signed with a PGP key and contains a line of "-" characters

I noticed that GpgOL hides the entire text of the body of emails I receive that contain a row of “-” characters. I know this because these emails are readable once I disable the GpgOL add-in for the Outlook desktop app (not the new Outlook). Is there a workaround for that without having to unload the GpgOL add-in?

Hi Andrew,
just guessing here, it could be that GpgOL tries to check the email for an old style no-mime OpenPGP use (sometimes called “in-line PGP”). It could be a defect, because I am not sure if this can be switched off.

@cklassen can you check if we can reproduce this?

I made an error. The characters involved are a line of “-” characters. I corrected the post text.

If I copy the body of an affected email to my clipboard and then verify through Kleopatra, then Kleopatra cannot find the signature and I see this in the audit log:

gpg: WARNING: no command supplied. Trying to guess what you mean …
gpg: unexpected armor: ---------------------------------------------------------------------\n
gpg: invalid armor header: Authenticated command injection vulnerabilities exist in\n

Evidently GnuPG is detecting the “-” characters as a part of a signature block.

This seems to strengthen my assumption. However it probably should be an option to turn this deprecated no-mime handling off or a second pass to show the contents if the detection fails.

A next step would be to open a report on dev.gnupg.org with a way how to reproduce this easily.

I can reproduce it when I send a signed email from Outlook and the option Send OpenPGP emails without attachments as PGP/Inline in GpgOL is enabled and open it in Outlook.

When I send a signed email from Outlook and the option is disabled in GpgOL I don’t face this problem.

So it seems that the person who sends you emails is using PGP/Inline (or “in-line PGP” as Bernhard said) and combines it with a row of “-” which leads to this error.

Ok. I’ll open a bug report in the dev. The email in question is from the Aruba Networks security team; they use these PGP signatures as a message verification for the different security vulnerability announcements.

1 Like

@cklassen thanks for testing.

Did you also try to reproduce this with a regular email and just a row of - in there and could not reproduce it? Because that would be the bad case.

Or do you say that the contents of an email with a deprecated no-mime OpenPGP signature does not get displayed?

Yes I also tested the case with a regular email and there I didn’t have this problem.

@abosch I have the same problem as you.
Have you already filed the bug report?
So far, I was not able to find the bug.

Regards
Markus