GPG signed incoming message not included properly

Hi,
how can I properly include a GPG signed message (see example below) into a “Notify AdminCcs” scrip message? With a “Correspondence as HTML” template only one of the text/plain parts is included.

The full message is properly shown in the RT GUI. The forwarded mail only shows:

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Thanks,
Fritz

Sorry for the long example:

Return-Path: ubuntu-security-announce-bounces@lists.ubuntu.com
Received: from wartburg.oetiker.ch (LHLO zimbra.oetiker.ch) (192.168.0.159)
by zimbra.oetiker.ch with LMTP; Mon, 15 Feb 2021 14:06:53 +0100 (CET)
Received: from zimbra.oetiker.ch (localhost [127.0.0.1])
by zimbra.oetiker.ch (Postfix) with ESMTPS id 9E65E2EF58
for fritz@oetiker.ch; Mon, 15 Feb 2021 14:06:53 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by zimbra.oetiker.ch (Postfix) with ESMTP id 9BB422EF57
for fritz@oetiker.ch; Mon, 15 Feb 2021 14:06:53 +0100 (CET)
X-Virus-Scanned: amavisd-new at zimbra.oetiker.ch
Received: from zimbra.oetiker.ch ([127.0.0.1])
by localhost (zimbra.oetiker.ch [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id cvREse51B17j for fritz@oetiker.ch;
Mon, 15 Feb 2021 14:06:53 +0100 (CET)
Received: from mailgw-01.oetiker.ch (mailgw-01.oetiker.ch [46.140.183.211])
by zimbra.oetiker.ch (Postfix) with ESMTPS id 80A592EF56
for fritz.zaucker@oetiker.ch; Mon, 15 Feb 2021 14:06:53 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by mailgw-01.oetiker.ch (Postfix) with ESMTP id 4976D2E129D
for fritz.zaucker@oetiker.ch; Mon, 15 Feb 2021 14:06:53 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at oetiker.ch
Received: from mailgw-01.oetiker.ch ([127.0.0.1])
by localhost (mailgw-01.oetiker.ch [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 7BaVBhpPxm9O for fritz.zaucker@oetiker.ch;
Mon, 15 Feb 2021 14:06:53 +0100 (CET)
Received: by mailgw-01.oetiker.ch (Postfix, from userid 110)
id 255C42E129E; Mon, 15 Feb 2021 14:06:53 +0100 (CET)
X-Spam-Status: No, score=-3.9 required=5.0 tests=KAM_ASCII_DIVIDERS,
KAM_DMARC_NONE,KAM_DMARC_STATUS,KAM_LAZY_DOMAIN_SECURITY,
MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
SPF_NONE autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mailgw-01.oetiker.ch
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=ubuntu-security-announce-bounces@lists.ubuntu.com; receiver=
Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client did not present a certificate)
by mailgw-01.oetiker.ch (Postfix) with ESMTPS id C5B112E129D
for fritz.zaucker@oetiker.ch; Mon, 15 Feb 2021 14:06:52 +0100 (CET)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
by huckleberry.canonical.com with esmtp (Exim 4.86_2)
(envelope-from ubuntu-security-announce-bounces@lists.ubuntu.com)
id 1lBdTl-0006Mj-60; Mon, 15 Feb 2021 12:59:53 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
by huckleberry.canonical.com with esmtps
(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
(envelope-from marc.deslauriers@canonical.com) id 1lBdTR-0006Kq-G0
for ubuntu-security-announce@lists.ubuntu.com; Mon, 15 Feb 2021 12:59:33 +0000
Received: from 1.general.mdeslaur.us.vpn ([10.172.64.68])
by youngberry.canonical.com with esmtpsa
(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
(envelope-from marc.deslauriers@canonical.com) id 1lBdTR-0001XB-2R
for ubuntu-security-announce@lists.ubuntu.com; Mon, 15 Feb 2021 12:59:33 +0000
From: Marc Deslauriers marc.deslauriers@canonical.com
Subject: [USN-4735-1] PostgreSQL vulnerability
To: “ubuntu-security-announce@lists.ubuntu.com
ubuntu-security-announce@lists.ubuntu.com
Message-ID: 537318be-270f-dbd7-54eb-84c443c2274c@canonical.com
Date: Mon, 15 Feb 2021 07:58:50 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.5.0
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 15 Feb 2021 12:59:49 +0000
X-BeenThere: ubuntu-security-announce@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Ubuntu Security Announcements
<ubuntu-security-announce.lists.ubuntu.com>
List-Unsubscribe: https://lists.ubuntu.com/mailman/options/ubuntu-security-announce,
mailto:ubuntu-security-announce-request@lists.ubuntu.com?subject=unsubscribe
List-Archive: https://lists.ubuntu.com/archives/ubuntu-security-announce
List-Post: mailto:ubuntu-security-announce@lists.ubuntu.com
List-Help: mailto:ubuntu-security-announce-request@lists.ubuntu.com?subject=help
List-Subscribe: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce,
mailto:ubuntu-security-announce-request@lists.ubuntu.com?subject=subscribe
Reply-To: ubuntu-users@lists.ubuntu.com, Ubuntu Security security@ubuntu.com
Content-Type: multipart/mixed; boundary="===============1665566898936539740=="
Errors-To: ubuntu-security-announce-bounces@lists.ubuntu.com
Sender: “ubuntu-security-announce”
ubuntu-security-announce-bounces@lists.ubuntu.com

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1665566898936539740==
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="iQuxm8yRFh2zdD51q6gTNmBQhrMXAiOt8"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--iQuxm8yRFh2zdD51q6gTNmBQhrMXAiOt8
Content-Type: multipart/mixed; boundary="VvM3d4u1kQVxMTQdTjeSyJPN8r2fcUAjx";
protected-headers="v1"
From: Marc Deslauriers marc.deslauriers@canonical.com
Reply-To: Ubuntu Security security@ubuntu.com
To: “ubuntu-security-announce@lists.ubuntu.com
ubuntu-security-announce@lists.ubuntu.com
Message-ID: 537318be-270f-dbd7-54eb-84c443c2274c@canonical.com
Subject: [USN-4735-1] PostgreSQL vulnerability

--VvM3d4u1kQVxMTQdTjeSyJPN8r2fcUAjx
Content-Type: text/plain; charset=utf-8
Content-Language: en-CA
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-4735-1
February 15, 2021

postgresql-12 vulnerability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.10
  • Ubuntu 20.04 LTS

Summary:

PostgreSQL could be made to expose sensitive information.

Software Description:

  • postgresql-12: Object-relational SQL database

Details:

Heikki Linnakangas discovered that PostgreSQL incorrectly leaked values o=
f
denied columns when handling certain errors. A remote attacker could
possibly use this issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
postgresql-12 12.6-0ubuntu0.20.10.1

Ubuntu 20.04 LTS:
postgresql-12 12.6-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References:
https://usn.ubuntu.com/4735-1
CVE-2021-3393

Package Information:
https://launchpad.net/ubuntu/+source/postgresql-12/12.6-0ubuntu0.20.10.=
1
https://launchpad.net/ubuntu/+source/postgresql-12/12.6-0ubuntu0.20.04.=
1

--VvM3d4u1kQVxMTQdTjeSyJPN8r2fcUAjx--

--iQuxm8yRFh2zdD51q6gTNmBQhrMXAiOt8
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----
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=Buu/
-----END PGP SIGNATURE-----

--iQuxm8yRFh2zdD51q6gTNmBQhrMXAiOt8--

--===============1665566898936539740==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

According to this, I am afraid you cannot do it easily. I have not tested it, but what crosses my mind at this point is that you could:

  • As a quick workaround you can perhaps add another line for plaintext content but then you have the message twice which maybe you don’t want.

  • Or maybe you can add the pgp signature like this:

    {$Transaction->Content( Type => "application/pgp-signature" ) if $Transaction->Attachments->First->GetHeader('X-RT-Gnupg-Status')}

Thanks for your reply. I didn’t want to add the signature, it was the main text of the messages that wasn’t forwarded. I agree that the documentation you quoted tells that only the first text/plain part of the email will be found.

I did a reinstall of RT, this time adding --enable-gnupg --enable-smime to the configure command line. Now everything works as expected.

I think the documentation around GnuPG and Crypt is not all that clear (to me at least).

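The nesting of the quoted message, walked with Python's standard `email` package, as an added example that is not part of the thread and not RT code. The message is a constructed, shortened copy with placeholder boundaries and signature; it shows that the mail carries two text/plain leaves (the advisory and the Mailman footer), so taking a single text/plain part loses one of them, and that only the advisory sits inside the signed part.

```python
import base64
from email import message_from_string

# Constructed sample with the same nesting as the message in the post
# (bodies shortened, boundary names and signature are placeholders).
FOOTER = "-- \nubuntu-security-announce mailing list\n"
RAW = (
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="outer"\n\n'
    '--outer\n'
    'Content-Type: multipart/signed; micalg=pgp-sha256;\n'
    ' protocol="application/pgp-signature"; boundary="sig"\n\n'
    '--sig\n'
    'Content-Type: multipart/mixed; boundary="inner"\n\n'
    '--inner\n'
    'Content-Type: text/plain; charset=utf-8\n'
    'Content-Transfer-Encoding: quoted-printable\n\n'
    'Ubuntu Security Notice USN-4735-1\n'
    'PostgreSQL incorrectly leaked values o=\n'
    'f denied columns.\n'
    '--inner--\n'
    '--sig\n'
    'Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"\n\n'
    'PLACEHOLDER-SIGNATURE\n'
    '--sig--\n'
    '--outer\n'
    'Content-Type: text/plain; charset="utf-8"\n'
    'Content-Transfer-Encoding: base64\n\n'
    + base64.b64encode(FOOTER.encode()).decode() + '\n--outer--\n'
)

def text_parts(msg, signed=False, out=None):
    """Collect (decoded text, covered_by_signature) for each text/plain leaf."""
    out = [] if out is None else out
    if msg.is_multipart():
        is_signed = msg.get_content_type() == "multipart/signed"
        for i, child in enumerate(msg.get_payload()):
            # RFC 3156: only the first child of multipart/signed is signed content.
            text_parts(child, signed or (is_signed and i == 0), out)
    elif msg.get_content_type() == "text/plain":
        charset = msg.get_content_charset() or "utf-8"
        out.append((msg.get_payload(decode=True).decode(charset, "replace"), signed))
    return out

if __name__ == "__main__":
    for text, signed in text_parts(message_from_string(RAW)):
        print("signed" if signed else "UNSIGNED", repr(text))
```

The footer that Mailman appends is a sibling of the multipart/signed part, so it is not covered by the sender's signature.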