I do not have a lot of use for encrypting my mail, but it is (sometimes) interesting to look at the signatures of signed mail on the lists - and using signed git tags for anything which I release sounds like a good idea.
From time to time I have seen mails on lkml which gpg reports as BADSIG, but not been too worried about it. But today I tried sending myself (at a different address) a signed mail. The sent copy shows:

[-- PGP output follows (current time: Wed 02 Sep 2015 16:25:09 BST) --]
gpg: Signature made Wed 02 Sep 2015 15:42:35 BST using RSA key ID 3043C26D
[GNUPG:] SIG_ID W56zzth79uXoGGJlCnNbs4NSh70 2015-09-02 1441204955
[GNUPG:] GOODSIG 78930DB93043C26D Ken Moffat (ntlworld address) <zarniwh...@ntlworld.com>
gpg: Good signature from "Ken Moffat (ntlworld address) <zarniwh...@ntlworld.com>"
[GNUPG:] VALIDSIG 08AA8A7D1D980359F39DACEA78930DB93043C26D 2015-09-02 1441204955 0 4 0 1 2 01 08AA8A7D1D980359F39DACEA78930DB93043C26D
[GNUPG:] TRUST_ULTIMATE
[-- End of PGP output --]

But when I received it (via a .forward file) it was unimpressive:

[-- PGP output follows (current time: Wed 02 Sep 2015 16:25:39 BST) --]
gpg: Signature made Wed 02 Sep 2015 15:42:35 BST using RSA key ID 3043C26D
[GNUPG:] BADSIG 78930DB93043C26D Ken Moffat (ntlworld address) <zarniwh...@ntlworld.com>
gpg: BAD signature from "Ken Moffat (ntlworld address) <zarniwh...@ntlworld.com>"
[-- End of PGP output --]

Comparing the files, the sent-mail copy was in two parts with boundaries starting --bg... : text/plain us-ascii for the text, application/pgp-signature; name="signature.asc" for the GnuPG v1 signature. And the received was 8bit utf-8 with no indication of the signature.

I had pasted some of the output (after showing the headers), and been able to see the signature in the sent mail, but not in what I received. But now when I try that I cannot see the signature even in the sent mail. This is *really* doing my head in ;)

Searching for a straw to pull on (google mostly finds posts about bad signatures in apt-get), I took a look at some of today's signed posts on lkml.

First, a good one:

Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"

for this one, there is no Content-Disposition

Next, two bad ones:

Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="d6Gm4EdcadzBjdND"
Content-Disposition: inline

Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="KUplgXDa5OCjEs8pbWXqfHVv1o4NnLftB"

and for my own bad one:

Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="bg08WKrSYDhXBjb5"
Content-Disposition: inline

Is the fact that bad signatures are showing up with "random" boundary identities (i.e. not =-=-=) and Content-Disposition: inline an indication of a problem, or am I flailing randomly in the dark ?

Help! Please.

ĸen
--
Il Porcupino Nil Sodomy Est! (if you will excuse my latatian)
  aka "The hedgehog song"
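
The sent-versus-received comparison described in the message above, as an added example that is not part of the original post: a Python script that summarises each copy's PGP/MIME structure and hashes the raw bytes of the first part, so two copies of one mail can be diffed field by field. The sample messages are constructed (only the boundary string is taken from the post), the function names are hypothetical, and the script compares structure only; it does not verify the signature.

```python
import hashlib
from email import message_from_bytes

def pgp_mime_summary(raw: bytes) -> dict:
    """Summarise the PGP/MIME (RFC 3156) structure of one copy of a message."""
    msg = message_from_bytes(raw)
    info = {
        "content_type": msg.get_content_type(),
        "protocol": msg.get_param("protocol"),
        "micalg": msg.get_param("micalg"),
        "has_signature_part": any(
            p.get_content_type() == "application/pgp-signature" for p in msg.walk()),
        "first_part_sha256": None,
    }
    boundary = msg.get_boundary()
    if info["content_type"] != "multipart/signed" or not boundary:
        return info  # no multipart/signed wrapper left to check
    # Hash the raw bytes of the first part (headers + body) rather than a
    # re-serialised copy, with line endings normalised to CRLF.
    text = raw.replace(b"\r\n", b"\n")
    delim = b"\n--" + boundary.encode("ascii")
    start = text.find(delim + b"\n")
    end = text.find(delim, start + 1) if start >= 0 else -1
    if end > start >= 0:
        part = text[start + len(delim) + 1:end].replace(b"\n", b"\r\n")
        info["first_part_sha256"] = hashlib.sha256(part).hexdigest()
    return info

def compare_copies(sent: bytes, received: bytes) -> list:
    """Return the summary fields that differ between two copies."""
    a, b = pgp_mime_summary(sent), pgp_mime_summary(received)
    return [k for k in a if a[k] != b[k]]

# Constructed sample messages; only the boundary string comes from the post.
SENT = (b'Content-Type: multipart/signed; micalg=pgp-sha1;\n'
        b'\tprotocol="application/pgp-signature"; boundary="bg08WKrSYDhXBjb5"\n'
        b'\n--bg08WKrSYDhXBjb5\n'
        b'Content-Type: text/plain; charset=us-ascii\n\ntest body\n'
        b'\n--bg08WKrSYDhXBjb5\n'
        b'Content-Type: application/pgp-signature; name="signature.asc"\n'
        b'\n(placeholder, not a real signature)\n'
        b'\n--bg08WKrSYDhXBjb5--\n')
RECEIVED = (b'Content-Type: text/plain; charset=utf-8\n'
            b'Content-Transfer-Encoding: 8bit\n\ntest body\n')

if __name__ == "__main__":
    print(compare_copies(SENT, RECEIVED))
```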