GPGTools: Discussion (updated 2014-11-02T12:56:20Z)
Signature in Apple's security newsletter not verifying correctly (apple used —— instead of ----- in the signature rendering it useless)

2014-10-02T18:51:16Z
<div><p>Hi vpardue,</p>
<p>please only select the following part:</p>
<p>-----BEGIN PGP PUBLIC KEY BLOCK----- to<br>
-----END PGP PUBLIC KEY BLOCK-----</p>
<p>That key imported fine for me in my test. If you selected the
additional key data, you actually included non-OpenPGP data, which
GPG Keychain Access doesn't know what to do with.</p>
<p>If that still fails, could you please download and install our
latest <a href=
"https://releases.gpgtools.org/nightlies/GPG%20Suite-latest.dmg">nightly
build</a> and see if the problem persists.</p>
<p>You can find sig and SHA1 on the GPGTools <a href=
"https://releases.gpgtools.org/nightlies/">Nightlies page</a>.</p>
<p>Let me know how all this goes.</p>
<p>All the best, steve</p>
<p>Disclaimer: This is a development version which has not been
thoroughly tested yet - bugs or crashes are to be expected. Thanks
for helping us test.</p></div>
Steve

2014-10-03T07:05:45Z
<div><p>Hi Steve,</p>
<p>I had tried your suggestion first, but I tried it after
searching for the Apple Key and importing everything that matched
the email. I realized tonight that I should empty what I previously
imported that was associated with Apple, so I would be able to
quickly spot the Apple Key in the GPG Keychain Access list if I was
successful.</p>
<p>I successfully imported the Apple Key using the contextual
OpenPGP service. Now that I have it, I don’t see any change
in the last email I received from Apple Product Security. I
don’t know if a previously downloaded email should give me an
indication that the contents are properly signed or if I can
process the email in some way to verify that the signature is
valid.</p>
<p>I have tried to restart the computer after successfully
importing the Apple Public Key, just in case something needed to
refresh, but no difference is apparent.</p>
<p>I tried selecting the PGP Signature provided in the text of the
email and using the ‘OpenPGP: Verify Signature of
Selection’ service, but received a ‘Verification
failed’ dialog box.</p>
<p>I have decided to send you a copy of the email I last received
from Apple Product Security and a screen shot of my attempt to
verify the signature contained in the email.</p>
<p>I assume the Apple Product Security email to be validly signed,
but cannot understand if I am doing something wrong.</p>
<p>Thanks,<br>
Vern</p></div>
vpardue

2014-10-03T12:16:34Z
<div><p>Hey Vern,</p>
<p>now we are discussing two things:</p>
<ol>
<li>
<p>The first issue was that you were unable to import the public
key from Apple, which they use to sign their security newsletters.
From what I understand, you managed to get that done now.</p>
</li>
<li>
<p>The new issue now is (if I understand correctly) that the Apple
security newsletter you received still does not verify
correctly.</p>
</li>
</ol>
<p>To take a closer look, we'd need the mail as an .eml file. To do
that:</p>
<ul>
<li>open a new Finder window</li>
<li>drag the mail in question to the Finder</li>
<li>attach the resulting .eml file to this discussion</li>
</ul>
<p>All the best, steve</p></div>
Steve

2014-10-03T16:22:27Z
<div><p>Hi Steve,</p>
<p>Following your instructions, I am including the .eml file.</p>
<p>I took the liberty of using Services/OpenPGP:Validate in the
Finder window and received a ‘No Signature found’
dialog. I also tried Services/OpenPGP:Verify which failed, but
I’m not sure what I did to receive a different contextual
command.</p>
<p>If I’m using this service correctly and it’s working
correctly, then either I have an unsigned email or the Public Key I
have from Apple Product Security isn’t a match to the Private
Key it was signed with. I expect the dialog would tell me a
signature is invalid if the keys don’t match or scream
WARNING or something similarly alarming.</p>
<p>I followed the link in this Apple Product Security email to find
and install a BASH update. Normally I never follow links, but go to
the source on my own. The presence of a PGP Signature in this email
was like so many others I have received and made me think it was
genuine. I could have screwed up big time here. This would make a
perfect Phishing exploit. I’m very anxious now.</p>
<p>Thanks,<br>
Vern</p></div>
vpardue

2014-10-10T15:15:55Z
<div><p>Hi Vern,</p>
<p>not sure what happened there, but Apple messed up their
signature. We've reported this upstream to Apple because this
really should not happen.</p>
<p>If you copy & paste the entire mail into a text editor and
replace the very last two "——" with "-----" you'll then
be able to verify the signature successfully.</p>
<p>All the best,<br>
steve</p></div>
Steve

2014-10-12T00:23:54Z
<div><p>Hi Steve,</p>
<p>Thanks for the help. Again I followed your instructions, using
TextEdit as my test editor. Every time I erased and replaced the
long dashes with standard dashes, the application would replace the
five standard dashes with two long dashes. As it turns out, this is
a feature of the application. In TextEdit, the contextual menu that
appears when you right-click a document (or selection) offers
Substitutions. One of the substitutions offered is Smart
Dashes.</p>
<p>I have no way of knowing if Apple uses TextEdit to prepare the
newsletter they send out, but this problem could be plaguing them
and ruining their PGP signature.</p>
<p>Thanks for all the guidance! The newsletter did verify after I
finally turned off Smart Dashes, replaced the long dashes with
short ones and used the OpenPGP Service in the contextual menu.</p>
<p>Best wishes,<br>
Vernon Pardue</p></div>
vpardue

2014-11-02T12:56:19Z
<div><p>Let's hope the Apple security team gets a grip on this. We
informed Apple about the problem. Now let's hope the report reaches
the right person and they prevent this from happening in the
future.</p>
<p>I'm closing this discussion. If you need further assistance or
have questions you can re-open this discussion here or open a new
one any time.</p>
<p>Best, steve</p></div>Steve
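
<p>The manual fix described in this thread, as an added example (not code from GPGTools or Apple): a Python script that restores the five ASCII hyphens on OpenPGP armor boundary lines only, leaving the signed body untouched because its bytes are covered by the signature. The function name, the set of dash characters and the sample message are assumptions made for illustration; input is assumed to be the decoded message text saved as UTF-8.</p>

```python
import re
import sys

# Dash-like characters that "smart dash" rewriting can leave in place of
# ASCII hyphens (hyphen first so it is literal inside the character class).
DASHES = "-\u2010\u2011\u2012\u2013\u2014\u2015\u2212"

# Armor boundary line: dash run, BEGIN/END PGP <label>, dash run.
# RFC 4880 requires exactly five ASCII hyphens on each side.
BOUNDARY = re.compile(
    rf"^[{DASHES}]+((?:BEGIN|END) PGP [A-Z0-9 ,/]+?)[{DASHES}]+[ \t]*$"
)

def repair_armor(text):
    """Return (repaired_text, 1-based numbers of the lines that changed)."""
    out, changed = [], []
    for number, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")            # tolerate CRLF mail files
        eol = raw[len(line):]
        match = BOUNDARY.match(line)
        if match:
            fixed = f"-----{match.group(1)}-----"
            if fixed != line:
                changed.append(number)
            line = fixed
        out.append(line + eol)             # body lines pass through as-is
    return "\n".join(out), changed

# Constructed sample: the closing boundary ends in two em dashes, as in
# the thread. The signature payload is a placeholder, not real data.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "Body text with an em dash \u2014 must stay exactly as signed.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "(constructed placeholder, not real signature data)\n"
    "-----END PGP SIGNATURE\u2014\u2014\n"
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path, encoding="utf-8").read() if path else SAMPLE
    repaired, changed = repair_armor(source)
    print(f"repaired boundary lines: {changed}", file=sys.stderr)
    sys.stdout.write(repaired)
```

<p>Redirect the output to a file and check it with gpg --verify; a non-empty list of repaired lines means the boundary was altered somewhere between signing and delivery.</p>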