On Sat, 9 Sep 2000 kmself@ix.netcom.com wrote:

> > Say I'm using one of the many mailers that doesn't support gpg
> > integration, so I need to save the message and key to disk and use gpg
> > manually to check the signatures. What parts of the message are
> > signed, though??? for example, in Karsten's email, there were 3
> > message sections: the text, the attached .muttrc, and the gpg sig.
>
> The signature applies to the entire contents, including attachments, of
> the message. So you have verification that I was the person who wrote
> and signed all parts of the mail. Makes more sense that way, no?

Of course. My problem is that with the old way of handling
signing/encrypting, the beginning and ending of the signed/encrypted text
is clearly marked for both the user and the gpg app. I suspect that the
reason I keep getting bad sigs is that gpg doesn't know what part of the
text to check. For example, I saved your message (the one to which I'm
replying now) to a file in my home dir: msg.pgp. I saved the key to
msg.key. I then ran gpg msg.key and was prompted for the external data
file. I told it where to find the file, it went through the verification
process, and informed me that it was a bad signature:

    gpg msg.key
    Detached signature.
    Please enter name of data file: msg.pgp
    gpg: Signature made Sun Sep 10 01:47:15 2000 EDT using DSA key ID 55F2B9B0
    gpg: BAD signature from "Karsten M. Self <kmself@ix.netcom.com>"

I've never had such a problem with the traditional inline signature. But
when sigs are sent as attachments the exact opposite is true: I've never
found a single mailer other than mutt that handles them. That really seems
to defeat the purpose.

> > So I save the message and key to my home dir, download the key, and
> > run gpg on the key. It asks me for the file name, which I provide.
> > To this it responds that the signature is invalid.
>
> Hmm... The entire message or just the text?

When verifying a sig using the manner described above, gpg doesn't even
offer the option of using multiple data files, so I've only been using the
main message text with no attachments...

> > I must say, the old style of handling pgp/gpg with the inline sigs and
> > stuff worked much better for me. What are the advantages of sending
> > the key as an attachment instead of inline?
>
> Well, as an example, a signed message with MIME components shows up as
> signed, and I'm told that the signature is valid and known, the sig is
> valid but unknown, or that the signature is invalid. Automajickally.

Sure, in mutt it's great. As I said, I've yet to see it work anywhere
else.

noah

 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
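
Added example, not part of the original message: when a PGP/MIME mail is saved to disk for manual checking, the data file gpg needs is the exact first part of the multipart/signed body, with its own MIME headers and any nested attachments, in CRLF line endings (RFC 3156), rather than the visible text alone. The function name, output file names and sample message below are assumptions made for this sketch, and the signature in the sample is a placeholder.

```python
import email
import re
import sys

# Constructed sample (bare LF endings, placeholder signature), not a real mail.
SAMPLE = b"""\
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="outer"

--outer
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

See the attached file.
--inner
Content-Type: text/plain; name="muttrc"

set pgp_autosign
--inner--

--outer
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
--outer--
"""

def split_signed(raw):
    """Return (signed_bytes, signature_bytes) for a saved PGP/MIME mail."""
    msg = email.message_from_bytes(raw)
    if (msg.get_content_type() != "multipart/signed"
            or msg.get_param("protocol") != "application/pgp-signature"):
        raise ValueError("not a PGP/MIME signed message")
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    # The signature covers CRLF line endings; a file saved on Unix has bare LF.
    parts = re.sub(rb"\r?\n", b"\r\n", raw).split(delim)
    if len(parts) != 4 or not parts[3].startswith(b"--"):
        raise ValueError("expected exactly two body parts")
    # Drop the rest of the delimiter line; keep the part's own MIME headers.
    signed = parts[1].split(b"\r\n", 1)[1]
    return signed, msg.get_payload(1).get_payload(decode=True)

if __name__ == "__main__":
    data, sig = split_signed(open(sys.argv[1], "rb").read())
    open("signed.data", "wb").write(data)
    open("signed.asc", "wb").write(sig)
    print("gpg --verify signed.asc signed.data")
```

The line break immediately before each boundary line belongs to the boundary, which is why the signed bytes stop one CRLF short of `--outer`.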