I'd like to manually verify attached application/pgp-signature signatures
in email. I have access to the raw (undecoded) email, and I read
through RFC 3156, but I'm still getting BAD signatures. I've tried
verifying a couple of different signatures from various lists, and the
example given in the RFC, but they all fail. I'm not sure what I'm
doing wrong. For instance, the RFC example message is (between the two
lines):
----------------------------------
From: Michael Elkins <elk...@aero.org>
To: Michael Elkins <elk...@aero.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5;
protocol="application/pgp-signature"

--bar
& Content-Type: text/plain; charset=iso-8859-1
& Content-Transfer-Encoding: quoted-printable
&
& =A1Hola!
&
& Did you know that talking to yourself is a sign of senility?
&
& It's generally a good idea to encode lines that begin with
& From=20because some mail transport agents will insert a greater-
& than (>) sign, thus invalidating the signature.
&
& Also, in some cases it might be desirable to encode any   =20
& trailing whitespace that occurs on lines in order to ensure  =20
& that the message signature is not invalidated when passing =20
& a gateway that modifies such whitespace (like BITNET). =20
&
& me

--bar

Content-Type: application/pgp-signature

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
HOxEa44b+EI=
=ndaj
-----END PGP MESSAGE-----

--bar--
----------------------------------

The RFC says the leading '&' "indicate the portion of the data over
which the signature was calculated.", so I'm not sure if he meant them
to be included in the signature or not, but I've tried it with and
without them, and with and without the space that follows them. I've
confirmed that the line endings are CR+LF.

Does somebody know how to do this? If you do, it would be really
helpful if you could explain it, and maybe show a GPG Clearsigned
equivalent. For instance, this is how I've been interpreting it (and
it doesn't work):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

=A1Hola!

Did you know that talking to yourself is a sign of senility?

It's generally a good idea to encode lines that begin with
From=20because some mail transport agents will insert a greater-
than (>) sign, thus invalidating the signature.

Also, in some cases it might be desirable to encode any   =20
trailing whitespace that occurs on lines in order to ensure  =20
that the message signature is not invalidated when passing =20
a gateway that modifies such whitespace (like BITNET). =20

me

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
HOxEa44b+EI=
=ndaj
-----END PGP SIGNATURE-----

So any help would be great.

Thanks
-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
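
What RFC 3156 treats as the signed data in a message like the one above, shown as an added example that is not part of the original post: the first body part with its own content headers, in CRLF form, checked against a detached signature (the leading "& " in the RFC listing is annotation, and the CRLF in front of a boundary line belongs to the boundary). The function name `split_signed`, the simplified boundary regex and the sample message with its placeholder signature are assumptions made for illustration.

```python
import re

# Constructed sample (placeholder signature); LF line endings on purpose.
SAMPLE = (
    b"Mime-Version: 1.0\n"
    b"Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5;\n"
    b'  protocol="application/pgp-signature"\n'
    b"\n"
    b"--bar\n"
    b"Content-Type: text/plain; charset=iso-8859-1\n"
    b"Content-Transfer-Encoding: quoted-printable\n"
    b"\n"
    b"=A1Hola!\n"
    b"\n"
    b"me\n"
    b"\n"
    b"--bar\n"
    b"Content-Type: application/pgp-signature\n"
    b"\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"PLACEHOLDER\n"
    b"-----END PGP SIGNATURE-----\n"
    b"\n"
    b"--bar--\n"
)


def split_signed(raw: bytes):
    """Return (signed_bytes, armored_signature) from a raw multipart/signed mail."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)  # canonical CRLF line endings
    head, sep, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="?([^";\s]+)"?', head, re.I)  # simplified parameter parse
    if not sep or not m:
        raise ValueError("not a multipart message with a boundary parameter")
    # The CRLF in front of a delimiter line belongs to the delimiter, so the
    # split consumes it and it never ends up in the signed bytes.
    delim = rb"\r\n--" + re.escape(m.group(1)) + rb"(?:--)?[ \t]*(?:\r\n|$)"
    parts = re.split(delim, b"\r\n" + body)  # [preamble, part 1, part 2, epilogue]
    if len(parts) < 4:
        raise ValueError("expected two body parts and a closing delimiter")
    signed = parts[1]  # part headers + blank line + still-encoded body
    _, _, signature = parts[2].partition(b"\r\n\r\n")  # drop the signature part's headers
    return signed, signature
```

Writing the two returned values to files unchanged and running `gpg --verify <signature-file> <signed-file>` checks the detached signature over exactly those bytes.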
