GpgOL 2.3.3 - Attachment Problem (Encryption)
Open, Wishlist Public

Description

Hello community,

I have a problem with GpgOL 2.3.3.
I made two tests on the encryption and used the inline PGPOL configuration.

  1. Then I wrote an encrypted message (without attachments) to my colleague. He receives an encrypted email and can read it. (check)
  2. Then I wrote an encrypted message with attachments. He receives an empty mail with only two attachments:
     • Unbekannte Anlagen.dat = only version number (ignore)
     • openpgp-encrypted-message.asc = includes the encrypted message and my previous attachment in an attachment. (pic 1)

He can download the data and open it but it takes a lot of time.

I am looking for a possibility to have my encryption in this form:

An inline message with my attachments.

Moreover, I also checked the logs:

"12:39:09/5972/cryptcontroller.cpp:collect_data: PGP Inline not supported for attachments. Using PGP MIME"

The inline doesn't work in combination with attachments.

Would be nice if I could get a solution.

Thank you

AlexD created this task. May 14 2019, 12:21 PM
AlexD created this object in space S1 Public.
AlexD created this object with visibility "All Users".
AlexD renamed this task from GpgOL 2.3.3 - Attachmet Problem (Encryption) to GpgOL 2.3.3 - Attachment Problem (Encryption).
AlexD updated the task description. May 14 2019, 12:23 PM
AlexD changed the visibility from "All Users" to "Public (No Login Required)". May 14 2019, 12:26 PM
aheinecke lowered the priority of this task from High to Wishlist. Edited May 15 2019, 8:33 AM
aheinecke edited projects, added gpgol, gpg4win, Feature Request; removed gnupg (gpg23).
aheinecke added a subscriber: aheinecke.

Hi,

What client does your colleague use so that you have to use PGP/Inline?

That format where the attachment is its own PGP Encrypted file is very problematic. You basically have multiple signature and encryption states. An attacker can easily remove or add attachments to the message. The attachment name is leaked, etc. Also see: https://wiki.gnupg.org/PgpPartitioned

Our opinion is that if you really _have_ to use PGP/Inline that you must do so manually using Kleopatra's notepad and Encrypted files.

I am a bit unsure if I just close this as "Wontfix" or move it to Wishlist. I think for now I go with Wishlist but do not expect that feature soon. At least until maybe some really important use case comes up.

Anyway, thanks for your feedback. It is always valuable to know what users would like to have.

Best Regards,
Andre

Hello,

Thank you for the quick reply. I talked with my colleague and he has some questions as well.

He uses MS Outlook 2013 with Gpg4win 2.2.3.
I use MS Outlook 2013 with Gpg4win 3.1.7.

As mentioned before, when he writes me an encrypted message with attachments, I can read it without problems. (It has the pic 2 form.) I can also open the encrypted files.
If I write him an encrypted message with attachments, he gets an empty mail. The only attachment is "openpgp-encrypted-message.asc".

If he tries to encrypt it with MSO, the message "Nichts zu entschlüsseln" pops up. He can only open and read the mail by saving it on the desktop. He encrypts the ".asc" data manually with GPGEx. Afterwards he can open the message with the Editor. When he also adds the ".eml" format, he can see the whole message with my attachments in MSO. The e-mail is in MIME standard.

Technically the encryption works. It only takes a lot of time. On a daily basis it's not really useful to do the steps all over again, especially if the company has a lot of customers. It would take too long. We can't expect our customers to do the steps. On Gpg4win 2.2.3 the encryption works.

Questions:

  • Did we do something wrong? Should my colleague upgrade Gpg4win? Does the encryption work differently on the receiver side? How do you imagine using it on a daily basis?

Is it possible to send you an encrypted mail? Maybe we can find the solution.

Thank you very much.

Best Regards,

Alexey

Hi,

Yes your colleague should or basically needs to upgrade. 2.2.3 is very outdated. There are security issues that were fixed by then etc.

The GpgOL in 2.2.3 was very basic due to funding / time limitations. We are much much better now.

Sure you can send me an encrypted message. If you have the automation features on in gpgol it should fetch my key aheinecke@gnupg.org automatically through the Web Key Directory mechanism. Otherwise you can find it on the keyservers with the fingerprint 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 or just do "gpg --locate-key aheinecke@gnupg.org" and it will fetch it.

GpgOL is in use on a daily basis a lot and for most users it "just works". Especially since Gpg4win 3.0; before that we did some non-standard stuff to work around Outlook problems, nowadays we send and handle standardized PGP/MIME and S/MIME.

I think your solution is just: Please have your colleague update to a version that is not several years out of date ;-P That is never a good idea when using security software and especially not for something that was so much under development as GpgOL was in recent years.

Best Regards,
Andre

Or a better tl;dr: When you send mails without the "inline" option everything is fine and standardized. The problem is that the old version of GpgOL that your colleague uses is too stupid to handle this ;-)
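
Added example, not part of the thread and not GpgOL code: the standardized PGP/MIME layout (RFC 3156), whose two parts an old client lists as a version-only attachment plus "openpgp-encrypted-message.asc", next to the partitioned layout criticized above, with a check that reports how many separately encrypted parts a mail has and which file names stay readable without a key. Both sample messages, the ciphertext placeholder and the name `offer.pdf.pgp` are constructed for illustration.

```python
from email import message_from_string

# Constructed placeholder, not real ciphertext.
ARMOR = "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n"

# Constructed sample: RFC 3156 PGP/MIME, one encrypted blob for the whole mail.
PGP_MIME = f"""\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="openpgp-encrypted-message.asc"

{ARMOR}
--b1--
"""

# Constructed sample: PGP partitioned, body and attachment encrypted separately.
PARTITIONED = f"""\
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

{ARMOR}
--b2
Content-Type: application/octet-stream; name="offer.pdf.pgp"

{ARMOR}
--b2--
"""

def classify(raw):
    """Return (layout, separately encrypted parts, file names visible in cleartext)."""
    msg = message_from_string(raw)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        # Both visible parts are fixed by the standard; real names are encrypted.
        return "pgp-mime", 1, []
    parts = [p for p in msg.walk() if not p.is_multipart()
             and "-----BEGIN PGP MESSAGE-----" in p.get_payload()]
    names = [p.get_filename() for p in parts if p.get_filename()]
    layout = "partitioned" if len(parts) > 1 else "inline" if parts else "plain"
    return layout, len(parts), names
```

In the partitioned sample each armored block is a separate encryption state and the attachment name sits in an unprotected MIME header, which is what makes silent removal or addition of parts possible.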