I agree. It also happens to me. But only with mails coming from "Microsoft security update releases". Mails coming form "Microsoft security advisory notification" and Microsoft security update summary for..." are ok and are signed by the same key. It could be some trouble in MS automated email treatment.

I checked my mails in detail, and I can confirm that the error occurs only with "Microsoft security update releases". Indeed "Microsoft security advisory notification" and "Microsoft security update summary for..." will be verified correctly.

Is it possible that you upload or send me a copy of such a mail (wk gnupg.org)? ZIP or tar the eml file and send it in an encrypted mail to me to make sure it won't be modified on the transport.

Sure, I zipped the eml which failed and I´ll send it by e-mail to you

Thanks. The mail is a standard, non-crypto mail with one attachment. That attachment is a TNEF file which has according to ytnef(1) just one file. That file has the name gpgolPGP.dat and contains a clearsigned message.

I don't know why Microsoft sends it this way but I have seen several private mails in the last time which had a TNEF attachment instead of a regualr attachment. Usually I don't bother to look into this. I am not the Outlook expert, though.

@aheinecke: Any more ideas?

What are MS doing when they get it right, though? I'd look at the differences between those two to identify what they've messed up here.

I contacted Microsoft Security Response Center (MSRC) in regard to this matter. They confirmed the failed PGP key verification, but have not yet any explanation for that.

Yes, GpgOL in version 2.3.2 fails to verify the original message, it is labeled as "not-secure". But it happens only to "Microsoft security update releases", not to other Microsoft Security Notifications which I receive on regular base. I contacted Microsoft Security Responce Center (MSRC) and they confirmed the failure of signature verification in this case. They were not aware about it, but checked it by them self after my mail. They had no explanation for that. Labeling the message as "not-secure" would may indicate that it would be altered in transport, but MSRC did not say that. Therefore, I still assume, that we have a bug in GnuPG.

I want to stress, that this problem occurred not only once, it happened with all "Microsoft security update releases" in the past months. If you provide me with your e-mail address, I´ll send two files EML format to you. In one, the Microsoft signature can be verified, in the other not. So you can test it by yourself, but MSRC confirmed it already in December.

@JW-D thanks. Please send them to aheinecke@gnupg.org

I somehow can't subscribe to the newsletters myself under:

https://www.microsoft.com/en-us/msrc/technical-security-notifications

clicking on the security notification service link just redirects me to https://www.microsoft.com/isapi/gomscom.asp?target=/404.htm which shows an empty page,... :-/ I even tried with edge on Windows but it didn't work either.

Very strange, but I tried it by myself, after your mail. The same for me. However, I can offer you to send two mails to you as EML files, one works, the other not. I using GnuPG also for verification from BSI newsletter, it works fine there. The problem is only with newsletters from "Microsoft security update releases", other Microsoft security notifications can be verified as well.

Yes, please send the mails. Maybe they will show me the problem already. :-)

The BSI newsletters work for me, too. But that is proper PGP/MIME so it's a bit different and better.

Please, provide e-mail address, then I´ll send it asap

I did in my first comment here ;-)

aheinecke@gnupg.org

Yesterday Microsoft issued three PGP signed mails. It is the first communication after MSRC confirmed failure of verification and promised to have internal procedures changed. I received those mails on two different machines, one equipped with Outlook 2016, the other with Thunderbird. Last year all messages failed on Outlook and Thunderbird, if the were issued from "Microsoft Security Update Releases".

Situation is now different, the PGP can be verified with Thunderbird, but Outlook 2016 still fails. BUT, Outlook can confirm PGP signatures from two other mails sent by Microsoft yesterday; adn does it generally well by other senders (like BSI). It is a little bit a miracle for me. Because on Outlook all other sender working fine with PGP!

I´ll send asap some screenshots and the EML file to A. Heinecke by e-mail and I´ll contact MSRC again on this matter.

I'll work on this right now. Please wait with contacting MSRC before I have a chance to find out what the problem is.

I must make a correction of my earlier statement from today. The three Microsoft messages were not displayed in the same order on the screen on both machines. I must say, that on Outlook 2016 AND Thunderbird PGP verification still fails by "Microsoft Security Update Releases". It is the same situation as last year, nothing has been changed. I sent two files in EML format and some screenshots to A.Heinecke today.

The tooltip:

Does it say the same for you that the mail address could not be matched?

I think that is a problem on our side. We try to match the mail address of the sender with the mail address from the key. Here it fails somehow.

No, I can´t confirm it, I get no reason displayed. The key which I use is shown in my screenshot (I´ll send by e-mail)

Ok. So the tooltip was another issue. Which I've fixed now.

The signature is indeed marked as just bad. Meaning that the checksum calculated for the message does not match the signature.

If I copy it out of the gpgolPGP.dat attachment and try to verify it manually it fails, too (this works with the good message). So that message was either broken in transfer or when GpgOL created the attachment containing the original message.

I can't really say where the problem is without access to the original message before GpgOL touched it once. The messages that fail to verify which you have sent me were both already modified by GpgOL. So I don't have a baseline of the same message that would verify and so I can't tell the difference between the valid message and the bad message :-/.

I've tried to find the Microsoft mails in public archives but I did not find it.

A pristine file I do not have, because every file passes GpgOL before displayed. I suggest, you subscribe to the service and if you de-install GpgOL, you should obtain a pristine file.

@JW-D I would very much like to but I still only get an error on that page. Can you give me another, working, subscribe link? Maybe I found a wrong one.

Andre,
Were useful for you the files that I sent yesterday? There were extracted using MFCMAPI MFCMAPI tool once emails were collected but before opened by Outlook. When it's checked one of them fails to verify signature. Other two are ok (diferent origin but the same key).

I agree. It seems a MS trouble. It remembers the trouble that you have when send email of new version available for your software. Something modifies the signed content.

Indeed in view of this data, it seems to be that the problem occurs by Microsoft. It fits also with the fact, that all other signatures are working fine from my experience.

I agree! THANKS

-----Ursprüngliche Nachricht-----
Von: aheinecke (Andre Heinecke) <noreply@dev.gnupg.org>
Gesendet: Mittwoch, 27. Februar 2019 14:32
An: Juerg_Walter@t-online.de
Betreff: [Task] [Closed] T4299: Problem to verify PGP key used by Microsoft

aheinecke closed this task as "Resolved".
aheinecke added a comment.

I think this can be resolved according to the last comments. We have analyzed it and found that it is not an issue on our side.

TASK DETAIL
https://dev.gnupg.org/T4299

EMAIL PREFERENCES
https://dev.gnupg.org/settings/panel/emailpreferences/

To: aheinecke
Cc: BenM, aheinecke, werner, jmrexach, JW-D, ccharabaruk, Mak, gp_ast

• smime.p7s5 KBDownload