Invalid Signature Checks in Outlook

  • Author: Peter Oettig
  • Date: 20.01.2022
  • There is a bug in Microsoft Outlook that causes mails with valid signatures to be shown as invalid. We describe workarounds and the Thunderbird updates that circumvent the issue.

20/01/2022: Thunderbird-Workaround released

Thunderbird ESR (Extended Support Release) 91.4.1 provides the necessary workaround for the problem described in the original article. As of 11.01.2022, Thunderbird ESR 91.5.0 has been released, which also contains the workaround. If you are on Thunderbird ESR >= 91.4.1, you can roll back the temporary workaround described in the original article.

08/12/2021: Thunderbird-Workaround Delayed

On December 6th, 2021 Thunderbird ESR (Extended Support Release) 91.4.0 was released. Unfortunately, the necessary workaround for the signature bug in Outlook was not included and was pushed back to release 96 of the Mozilla release calendar. Release 96 corresponds to Thunderbird ESR 91.5.0, which is scheduled for release on January 11th, 2022.

The temporary workaround described in the original article still works in Thunderbird ESR 91.4.0.

24/11/2021: Original Article

Recently, we received multiple reports of Microsoft Outlook showing some mails signed by senders using a KIT-CA certificate as carrying an invalid signature. This is due to a bug in Outlook itself, which wrongly truncates specific empty lines in so-called multipart mails [1], even though they are part of the signed content. Consequently, the mail is shown as "altered after sending". However, the alteration was not caused by a malicious third party, but by Outlook itself. Other mail clients and signature validation tools (e.g. Thunderbird or openssl) correctly show a valid signature for the same mail.

This bug is currently triggered quite often because the newest version of the mail client Thunderbird constructs mails slightly differently, so that the empty lines mentioned above are wrongly truncated by Outlook. The bug itself is in the implementation of Outlook and has already been reported by the KIT mail team to Microsoft. Nonetheless, the developers of Thunderbird reinstated the previous behaviour, which did not trigger the bug in Outlook [2]. This fix will be released with Release 96 (Thunderbird 91.4), which is currently planned for 07.12.2021. We will monitor this and update this article once a patch is available.
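To illustrate why the dropped lines invalidate an otherwise correct signature, here is an added Python example that is not part of the original article: it extracts the signed part of a multipart/signed mail the way a verifier does, hashes it, and hashes it again after removing the trailing empty lines, which models the Outlook behaviour described above. The sample message, the boundary name, the dummy signature value and the exact stripping rule are constructed assumptions; no certificate or real signature is involved.

```python
import email
import hashlib

# Constructed multipart/signed mail (assumption): the signed text part ends with
# empty lines, as the article describes for Thunderbird 91. Signature is a dummy.
SIGNED_MAIL = (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    ' micalg=sha-256; boundary="sigbound"\r\n'
    "\r\n"
    "--sigbound\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Hello Bob,\r\n"
    "this text is covered by the signature.\r\n"
    "\r\n"
    "\r\n"
    "--sigbound\r\n"
    "Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    "\r\n"
    "UExBQ0VIT0xERVI=\r\n"
    "--sigbound--\r\n"
)
# Same mail without the empty lines at the end of the signed part.
SAFE_MAIL = SIGNED_MAIL.replace("signature.\r\n\r\n\r\n--", "signature.\r\n--")

def signed_content(raw: str) -> str:
    """Octets a verifier hashes: first body part up to the CRLF before the next boundary (RFC 1847)."""
    boundary = email.message_from_string(raw).get_boundary()
    opening = "--" + boundary + "\r\n"
    start = raw.index(opening) + len(opening)
    return raw[start:raw.index("\r\n--" + boundary, start)]

def drop_trailing_empty_lines(content: str) -> str:
    """Model of the defect the article describes (exact rule assumed): trailing empty lines vanish."""
    while content.endswith("\r\n\r\n"):
        content = content[:-2]
    return content

def message_digest(content: str) -> str:
    """SHA-256 over the signed content (micalg=sha-256), the value CMS protects as messageDigest."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()

def looks_altered(raw: str) -> bool:
    """True if dropping trailing empty lines changes the digest: the mail shows as altered."""
    part = signed_content(raw)
    return message_digest(part) != message_digest(drop_trailing_empty_lines(part))

def ends_with_empty_line(raw: str) -> bool:
    """Sender-side check: does the signed part end with an empty line (the trigger)?"""
    return signed_content(raw).endswith("\r\n\r\n")
```

`ends_with_empty_line` can be run over a saved `.eml` from your own sent folder to see whether your client currently produces mails that trigger the issue at Outlook recipients.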

Workaround for Thunderbird Users

The update from Thunderbird 78 to 91 is currently being rolled out automatically on Windows. As updates are essential for the security of systems and mail, the update should not be prevented by the user.
If you are using Thunderbird 91, you can fall back to the old mail composition system, which did not trigger the bug in Outlook:

  1. Open the Thunderbird preferences
  2. Search for "config" using the search bar at the top right and click on "Config Editor"
  3. Search for "jsmodule" using the search bar at the top and switch "mailnews.send.jsmodule" from "true" to "false" by clicking the button in the same row on the right.
  4. Restart Thunderbird. This is required for the workaround to work!

Mails signed from now on are in a format that is not wrongly altered by Outlook. Note that this option will most likely disappear in a future major release of Thunderbird.

Workaround for Outlook Users

If you receive a mail with an invalid signature, please follow the following steps:

  • Do not ignore the warning! Not every invalid signature is caused by this bug.
  • Contact the sender in a way unrelated to this mail (e.g. by composing a *new* mail or calling them). Tell them that there is a problem with the signature of their mail and ask whether they are using Thunderbird 91.
  • If yes: Send this article to the sender so that they can follow the workaround steps above. Afterwards, the mail has to be sent again.
  • If no: Try to find the real problem. If you have questions, contact ca does-not-exist.kit edu
  • Alternatively, you can use another mail client (e.g. Thunderbird) to check the signature of the mail. Please inform the sender about the problem with their signature anyway!

[1] A multipart mail is a type of mail that is composed of different media types, e.g. text + attachment or text + HTML (formatted text).
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1731529