> What's wrong with what I am doing?

You provide GnuPG with only the *signature*. You need to also give it the *signed data* (the message) so that it can perform the verification.

If you want to do that manually (something you don’t usually do with PGP/MIME signatures, since it’s quite cumbersome): In addition to what you have already done (saving the signature itself in “signature.asc”), you must also extract the MIME part that was signed.

In the message source, look for a line like the following:

  Content-Type: multipart/signed; boundary="XXXXXX"

and note the “XXXXXX” boundary string. The signed data will start after the first line starting with “--XXXXXX” and will end with a blank line followed by another line starting with “--XXXXXX”. That’s what you need to extract and save to a file (say, “message.txt”).

Do not include the boundary lines themselves, nor the last blank line before the closing boundary line. For example:

  --XXXXXX
  Everything from this line
  ...
  up to this one is the signed message to verify.

  --XXXXXX

Then you can ask GnuPG to verify the message:

  gpg --verify signature.asc message.txt

(You understand now why nobody does that manually, and leaves that to Enigmail or any other PGP/MIME-enabled mail client.)

Damien

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
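
The manual extraction described in the reply above, as an added example that is not part of the original post: it slices the signed MIME part out of the raw message bytes (excluding the boundary lines and the line break in front of the closing boundary) and hands it to `gpg --verify` together with the signature. The names `split_signed`, `verify` and `SAMPLE` are made up for this sketch, the sample message is constructed, and `verify` assumes `gpg` is on the PATH; the conversion to CRLF line endings follows RFC 3156, which defines the signed data in that canonical form.

```python
import email
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed sample (LF line endings, placeholder signature), not a real mail.
SAMPLE = (
    b"From: alice@example.org\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\n"
    b' protocol="application/pgp-signature"; boundary="XXXXXX"\n'
    b"\n"
    b"--XXXXXX\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Hello,\nworld.\n"
    b"\n"
    b"--XXXXXX\n"
    b'Content-Type: application/pgp-signature; name="signature.asc"\n'
    b"\n"
    b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
    b"\n"
    b"--XXXXXX--\n"
)

def split_signed(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed_data, signature) from a raw multipart/signed message."""
    msg = email.message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or not boundary:
        raise ValueError("not a multipart/signed message")
    # The line break in front of "--boundary" belongs to the delimiter,
    # so it is excluded from the signed data.
    delim = re.compile(rb"(?:\r?\n|\A)--" + re.escape(boundary.encode()) + rb"[ \t]*\r?\n")
    marks = list(delim.finditer(raw))
    if len(marks) < 2:
        raise ValueError("signed part is not enclosed by two boundary lines")
    signed = raw[marks[0].end():marks[1].start()]
    # RFC 3156: the signature covers the part, MIME headers included, with CRLF endings.
    signed = re.sub(rb"\r?\n", b"\r\n", signed)
    signature = msg.get_payload()[1].get_payload(decode=True)
    return signed, signature

def verify(raw: bytes) -> bool:
    """Write both pieces to temporary files and run the command from the post."""
    signed, signature = split_signed(raw)
    with tempfile.TemporaryDirectory() as tmp:
        sig, data = Path(tmp, "signature.asc"), Path(tmp, "message.txt")
        sig.write_bytes(signature)
        data.write_bytes(signed)
        return subprocess.run(["gpg", "--verify", str(sig), str(data)]).returncode == 0
```

Working on the raw bytes matters here: re-serialising the part through a MIME library can change header folding or whitespace, and any such change invalidates the signature.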
