Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] verifying a gpg-signed e-mail
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
potuz
Guru
Guru


Joined: 30 Jan 2010
Posts: 378

PostPosted: Sun Dec 14, 2014 3:53 pm    Post subject: [SOLVED] verifying a gpg-signed e-mail Reply with quote

I set up mutt to sign my outgoing e-mail with my pgp key. A friend told me that from his e-mail client (Thunderbird) he gets a message saying that the signature is bad.

Within my own client I can see in the headers

Code:

[-- Begin signature information --]
Good signature from: xxxx xxxx  <xxxxxx@gmail.com>
created: Sun 14 Dec 2014 01:09:22 PM BRST
[-- End signature information --]

[-- The following data is signed --]
xxxx
xxxx
[-- End of signed data --]

However, if I save the text file of the message and the attached signature.asc file I get
Code:
$ gpg --verify /tmp/signature.asc /tmp/message.txt
gpg: Signature made Sun 14 Dec 2014 12:39:33 PM BRST using RSA key ID xxxxxx
gpg: BAD signature from "xxxxxxx xxxxx <xxxxxxx@gmail.com>" [ultimate]

Also if I try to verify directly the signature in the file stored by mutt I get the same message saying it is a BAD signature.

What's going on?
Back to top
View user's profile Send private message
potuz
Guru
Guru


Joined: 30 Jan 2010
Posts: 378

PostPosted: Sun Dec 14, 2014 4:20 pm    Post subject: Reply with quote

Well, it turns out that Thunderbird has a bug that makes all signatures appear as bad http://sourceforge.net/p/enigmail/bugs/4/

I guess my local copy appears as badly signed when checked on the terminal because of the names and timestamp of the files.
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Sun Dec 14, 2014 6:28 pm    Post subject: Reply with quote

And what happens when you keep the signature inside file with message rather than save with detached one?
Does it report invalid signature as well?
Back to top
View user's profile Send private message
potuz
Guru
Guru


Joined: 30 Jan 2010
Posts: 378

PostPosted: Sun Dec 14, 2014 6:40 pm    Post subject: Reply with quote

szatox wrote:
And what happens when you keep the signature inside file with message rather than save with detached one?
Does it report invalid signature as well?

In the local folder where mutt stores all e-mails there is a single file for each e-mail but it contains the s/mime multipart of the messages. They are cleartext, say this file is called mail.txt. Then on a message sent by a friend I'd get
Code:
$ gpg --verify mail.txt
gpg: Signature made Sun 14 Dec 2014 02:55:40 PM BRST using RSA key ID Fxxxxxx
gpg: Good signature from "xxxxx xxxxxx <xxxxx@gmail.com>" [full]


On an e-mail in my sent box I would get
Code:
$ gpg --verify mail.txt
gpg: no signed data
gpg: can't hash datafile: No data


but I think this is because of the detached signature sent by gpgme in mutt instead of an inline sign, so mutt when reading that file, extracts the detached signature, the cleartext message and then verifies the text file with the detached signature against the public key. This is not done by the gpg --verify command above.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum