On Thu, Jun 01, 2017 at 08:48:34AM +0200, Matthias Apitz wrote:
Hello,

When I send signed mails to myself with the MUA mutt (just for a test), the received mail is verified fine in mutt, i.e. it says in mutt:

[-- Begin signature information --]
Good signature from: Matthias Apitz (GnuPG CCID) <g...@unixarea.de>
            created: Wed May 31 21:40:19 2017
[-- End signature information --]

[-- The following data is signed --]

hello

[-- End of signed data --]

but when I save the signature part into a file 'signature.asc' and the ASCII content of the mail as a file 'data' from the menu in mutt:

q:Exit  s:Save  |:Pipe  p:Print  ?:Help
  I 1 <no description>  [text/plain, 7bit, utf-8, 0.1K]
  I 2 signature.asc     [applica/pgp-signat, 7bit, 0.8K]

and run:

$ gpg2 --verify signature.asc data
gpg: Signature made Wed May 31 21:40:19 2017 CEST
gpg:                using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
gpg: BAD signature from "Matthias Apitz (GnuPG CCID) <g...@unixarea.de>" [ultimate]

it says 'BAD signature'. Why does the file 'data' have a BAD signature? The file 'data' after saving from mutt from the above menu just contains:

$ cat data
hello

$ od -c data
0000000   h   e   l   l   o  \n  \n
0000007

I dug into this by trussing the mutt-gpg2 process chain and it turned out that the net data which mutt verifies is:

$ od -c data.asc
0000000   C   o   n   t   e   n   t   -   T   y   p   e   :       t   e
0000020   x   t   /   p   l   a   i   n   ;       c   h   a   r   s   e
0000040   t   =   u   t   f   -   8  \r  \n   C   o   n   t   e   n   t
0000060   -   D   i   s   p   o   s   i   t   i   o   n   :       i   n
0000100   l   i   n   e  \r  \n  \r  \n   h   e   l   l   o  \r  \n  \r
0000120  \n
0000121

i.e. it contains as well some mail header lines about the content and charset, and especially also \r\n line terminators. If I modify the file to this, it is fine:

$ gpg2 --verify signature.asc data.asc
gpg: Signature made Wed May 31 21:40:19 2017 CEST
gpg:                using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
gpg: Good signature from "Matthias Apitz (GnuPG CCID) <g...@unixarea.de>" [ultimate]

Is this correct how mutt signs such mail bodies?
This is "PGP-MIME" format, as refined in <https://tools.ietf.org/html/rfc3156>. Section 5 of that clearly states:

   The multipart/signed body MUST consist of exactly two parts.  The
   first part contains the signed data in MIME canonical format,
   including a set of appropriate content headers describing the data.

   The second body MUST contain the OpenPGP digital signature.  It MUST
   be labeled with a content type of "application/pgp-signature".

So, the MUA must convert the message body to MIME format (with the right line endings, with any Base64 or Quoted-Printable encoding applied) and add the Content-Type header BEFORE signing the message. Similarly, the MUA must verify the signature BEFORE parsing the body part's headers for how to decode the message for display/saving.

To reiterate: when you save the message body, mutt strips the headers and decodes the file (imagine if this was a binary attachment in Base64 encoding; you DO want mutt to reconstruct it back into binary form).
matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
-- For more information, please reread.
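To make the answer above concrete, here is an added Python example (not from the thread, and not code from mutt or GnuPG). It takes a PGP/MIME message in the shape mutt produces, cuts out the first body part exactly as it was signed (its MIME headers, the blank line, and the body with CRLF line endings) and contrasts that with what "save attachment" writes to disk. The message is a constructed sample with a placeholder where the armoured signature would be, and the function names (canonical_crlf, signed_bytes, signature_part, saved_by_mua) are my own.

```python
"""
Reconstruct the exact octets an RFC 3156 (PGP/MIME) signature covers.

The detached signature is over the FIRST body part as it appears on the wire:
MIME headers, blank line, and the body in transfer-encoded form with CRLF line
endings.  "Save attachment" strips the headers, decodes the body and turns
CRLF into LF, so that file can never verify: the "BAD signature" from the thread.
"""
import re
from email import message_from_bytes

# Constructed sample in the shape mutt emits (not a real mail; the armoured
# block is a placeholder, not a real OpenPGP signature).  The text part's body
# is "hello" plus an empty line, like the message in the thread.
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    b"\tprotocol=\"application/pgp-signature\"; boundary=\"sample-boundary-1234\"\r\n"
    b"\r\n"
    b"--sample-boundary-1234\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Disposition: inline\r\n"
    b"\r\n"
    b"hello\r\n"
    b"\r\n"
    b"\r\n"  # this CRLF belongs to the delimiter below, not to the body
    b"--sample-boundary-1234\r\n"
    b"Content-Type: application/pgp-signature; name=\"signature.asc\"\r\n"
    b"Content-Description: OpenPGP digital signature\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"\r\n"
    b"iQEzBAABCAAdPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERAAA=\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--sample-boundary-1234--\r\n"
)


def canonical_crlf(raw: bytes) -> bytes:
    """RFC 3156 signs the MIME-canonical form, which uses CRLF.  A copy read
    back from a Unix mbox or a saved message file usually has bare LF; restore
    CRLF without doubling the ones already there."""
    return re.sub(rb"\r?\n", b"\r\n", raw)


def _wire_parts(raw: bytes) -> "tuple[bytes, bytes]":
    """Split a multipart/signed message on its boundary and return both body
    parts as raw octets, headers included.  RFC 2046 assigns the CRLF before
    each '--boundary' to the delimiter, so splitting on CRLF + delimiter gives
    each part exactly as it travelled, not as the email package re-serialises it."""
    raw = canonical_crlf(raw)
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    delimiter = b"\r\n--" + msg.get_boundary().encode("ascii")
    chunks = raw.split(delimiter)
    # chunks[0] is the top-level header block and any preamble; the last chunk
    # is the '--' of the closing delimiter plus any epilogue.
    parts = []
    for chunk in chunks[1:-1]:
        # A boundary line may carry transport padding before its CRLF.
        eol = re.match(rb"[ \t]*\r\n", chunk)
        if eol is None:
            raise ValueError("malformed boundary line")
        parts.append(chunk[eol.end():])
    if len(parts) != 2:
        raise ValueError("multipart/signed must have exactly two parts")
    return parts[0], parts[1]


def signed_bytes(raw: bytes) -> bytes:
    """The octets to hand to 'gpg --verify signature.asc data.asc': the whole
    first part, MIME headers and CRLFs included."""
    return _wire_parts(raw)[0]


def signature_part(raw: bytes) -> bytes:
    """The detached ASCII-armoured signature: the second part's body."""
    _headers, _sep, body = _wire_parts(raw)[1].partition(b"\r\n\r\n")
    return body


def saved_by_mua(raw: bytes) -> bytes:
    """What 'save attachment' on the text part writes to disk: part headers
    dropped, transfer encoding decoded, CRLF rewritten to the local LF.  For
    the sample this is the 7-byte file 'data' from the thread."""
    msg = message_from_bytes(canonical_crlf(raw))
    decoded = msg.get_payload(0).get_payload(decode=True)
    return decoded.replace(b"\r\n", b"\n")


if __name__ == "__main__":
    data = signed_bytes(SAMPLE_MESSAGE)
    print(f"signed part: {len(data)} bytes; saved attachment: "
          f"{len(saved_by_mua(SAMPLE_MESSAGE))} bytes")
    print(data)
    print("write signed_bytes() of a real message to data.asc and "
          "signature_part() to signature.asc, then: gpg2 --verify signature.asc data.asc")
```

For the sample, signed_bytes() is the same 81 bytes as the od dump of data.asc above (two header lines, a blank line, "hello", one empty line, and nothing else; the CRLF in front of the next boundary is not part of the signed data), while saved_by_mua() is the 7-byte "hello\n\n" that gpg2 rejects. Two caveats a practitioner runs into: the split operates on the stored octets, so a message read back from a Unix mbox has to have its LF restored to CRLF first, which canonical_crlf() does; and had the part been quoted-printable or base64 encoded, the signed bytes would still be the encoded form, so never decode the part before verifying.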