T4026 is a bit related. I'm suprised that the signature check for mailman mails works at all for you ;-)

Hi Andre!

In outlook what is shown to theuser is 'puppets-bounces@lists.example.com on behalf of Info <info@example.org>' (as mentioned in the original ticket).

and yes, the reasoning does make sense (so that an attacker can't just SMTP spoof a legit sender, sign the message with his own key which is completely different and make it appear like its a valid PGP signed email sent from said legit sender.

However - what you really want to check is that the 'From' and the signature match up. And armed with the knowledge that what Outlook displays in the 'From' field, and what is present in the RFC5322.From field might be different (but as far as I know it will always say 'on behalf of <RFC5322.From>'), then it should (I would think) be acceptable to also allow it to match on the RFC5322.From. The other option is that you essentially effectively break PGP signing on messages sent to a mailinglist (that is what is happening today).

To the best of my knowledge there should never be a situation where what is present in the RFC5322.From header is not present in what outlook displays as the sender.

One other possible (but obviously very bad) solution would be to scan the display name for valid mail addresses, but this can easily go wrong, e.g. if the display name says "info@example.org <info@evil.org>" or similar stuff.

Can you come up with a scenario where an attacker could fake validity info when checking against the RFC5322.From header as opposed to the first address outlook presents (puppets-bounces)?
Not trying to be a douchebag, just genuinely curious as I have thought rather hard on this without being able to think of any.

Normally outlook will show what is in the RFC5322.From field in the 'outlook from' field - I am not entirely sure why it doesn't for mailinglists (if they did, then this wouldn't be an issue). Tried googling why it tacks on the 'mailinglist-bounces@ on behalf of <RFC5322.From>' but sadly did not have much success.

T4026 is somewhat related and also not at all (or at least a completely different problem). The signature in my case is done inline, so there is no additional signature file, but rather like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: xxx
<text>
-----BEGIN PGP SIGNATURE------
Version: yyy
<signature>
-----END PGP SIGNATURE-----

Ok! If outlook shows it we should verify it.

Could you attach such a mail as .mbox or even as an outlook .msg ? That would help me a bit as I would not have to come up with a testcase myself.

Actually, I can add you to a test mailinglist and send you a signed message tomorrow, would that work?

pulled your address from the PGP key 0x94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1

Yes that would work for me and the pgp key is the right one. Thanks!

Sent two messages to the test mailinglist. Please let me know if you need / want more.

Thanks. I can work with that. It is indeed clearly visible what the "Sent on behalf of" address is. So it makes sense to check that, too.

excellent - will this be includedin gpg4win 3.1.3?

yes

Sweet, thank you! Any estimate on when that might come out?

We are actually in the final release preparation and just waiting for GnuPG 2.2.10. If everything goes well it will be released this week. If not, next week.

Hooray!

https://www.gpg4win.org/version3.1.3.html < beta28 has the fix. If nothing untoward happens this will be the final version to be released tomorrow.