> What's wrong with what I am doing?
You provide GnuPG with only the *signature*. You need to also give it the *signed data* (the message) so that it can perform the verification.
If you want to do that manually (something you don’t usually do with PGP/MIME signatures, since it’s quite cumbersome): In addition to what you have already done (saving the signature itself in “signature.asc”), you must also extract the MIME part that was signed.
In the message source, look for a line like the following:

    Content-Type: multipart/signed; boundary="XXXXXX"

and note the “XXXXXX” boundary string. The signed data will start after the first line starting with “--XXXXXX” and will end with a blank line followed by another line starting with “--XXXXXX”. That’s what you need to extract and save to a file (say, “message.txt”).
Do not include the boundary lines themselves, nor the last blank line before the closing boundary line. For example:
    --XXXXXX
    Everything from this line
    ...
    up to this one is the signed message to verify.

    --XXXXXX

Then you can ask GnuPG to verify the message:

    gpg --verify signature.asc message.txt

(You understand now why nobody does that manually, and leaves that to Enigmail or any other PGP/MIME-enabled mail client.)
Damien
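The extraction described in the reply above, as an added example that is not part of the original message: a byte-exact splitter for a saved multipart/signed message that writes "message.txt" and "signature.asc" for the gpg --verify command. The function name split_signed and the SAMPLE message are constructed for illustration; the code assumes a single, non-nested signed part and normalises line endings to CRLF, the canonical form PGP/MIME signs.

```python
import re
import sys
from pathlib import Path

# Constructed sample: LF line endings, folded header, placeholder signature.
SAMPLE = b"""Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="XXXXXX"

--XXXXXX
Content-Type: text/plain; charset=utf-8

Hello, world.

--XXXXXX
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----

--XXXXXX--
"""

def split_signed(raw: bytes):
    """Return (signed_part, armored_signature) as raw bytes."""
    # PGP/MIME (RFC 3156) signs the part with CRLF line endings.
    raw = re.sub(rb"\r?\n", b"\r\n", raw)
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)  # unfold continuation lines
    m = re.search(rb'(?im)^content-type:\s*multipart/signed;.*?'
                  rb'boundary=(?:"([^"]+)"|([^;\s]+))', head)
    if not m:
        raise ValueError("not a multipart/signed message")
    # The CRLF before a boundary line belongs to the boundary, not the part.
    delim = b"\r\n--" + (m.group(1) or m.group(2))
    chunks = (b"\r\n" + body).split(delim)
    if len(chunks) != 4 or not chunks[3].startswith(b"--"):
        raise ValueError("expected exactly two parts and a closing boundary")
    # Drop the remainder of each boundary line; keep the part's own headers.
    signed = chunks[1].split(b"\r\n", 1)[1]
    sig_part = chunks[2].split(b"\r\n", 1)[1]
    return signed, sig_part.partition(b"\r\n\r\n")[2]

if __name__ == "__main__":
    # Usage: python split_signed.py saved-message.eml
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    signed, sig = split_signed(raw)
    Path("message.txt").write_bytes(signed)
    Path("signature.asc").write_bytes(sig)
```

The signed part keeps its own MIME headers (the Content-Type line and the blank line after it), because those are covered by the signature as well.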
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users