Re: [gmime-devel] GMime gets support for inline PGP

[Jeffrey Stedfast <fejj gnome org>]

On 3/16/2017 9:28 AM, Jeffrey Stedfast via gmime-devel-list wrote:
> > With respect to Inline PGP, though, there are lots of potential bugbears.
> > Some questions to make sure these functions are safe to use:
> >
> >   0) How does GMime deal with data *outside* the OpenPGP signed stanza?
> >
> >      For example, what happens if Mallory takes an inline-signed message
> >      from Bob, appends some text $foo to it outside the message
> >      signature, and sends it to Alice?  If Alice calls
> >      g_mime_part_openpgp_verify() on the message part, will she see Bob's
> >      signature? if so, will $foo will appear in the un-encapsulated
> >      message or will it be stripped?
> Text outside of the PGP begin/end markers will be stripped.
>
> Not sure that's the best solution, but... it's simple.

FWIW, one of the Balsa devs suggested that perhaps 
g_mime_part_openpgp_verify() could keep the surrounding text segments 
but return a GMimeVerifyResults-type of object that has both the 
GMimeSignatureList and the begin/end byte offsets of the verified text 
so that the client could use those begin/end offsets to somehow indicate 
to the user that only that portion of the text has been verified.

Just something I *may* think about...

Jeff