Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-28 Thread Andrei POPESCU
On Sun, 22 Apr 12, 20:52:46, Jon Dowland wrote:
 On Sun, Apr 22, 2012 at 04:22:14PM +0300, Andrei POPESCU wrote:
  Can you reproduce this with local copies from a mail agent (ideally 
  mutt)? My quick experiments failed. Just curious, nothing critical.
 
 You need to get ahold of the signed part without mutt decoding it. I
 achieved it by piping the raw message to cat in mutt (|cat > ~/tmp/foo)
 and manually editing the result to cut out the other bits. I needed the
 particular MIME part for the message, plus the MIME headers above it,
 and possibly a trailing newline (use trial and error for that bit). You
 can safely decode/save the signature attachment, it's just the message
 itself (which is signed post-encoding, that is, in the wire format
 for the mail) which you need to cut out.

Thanks, if I'm ever bored and want to play with sed I'll experiment with 
that, otherwise the topic is closed from my point of view.

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic


signature.asc
Description: Digital signature


Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-22 Thread Andrei POPESCU
On Sun, 15 Apr 12, 16:28:28, Camaleón wrote:
 
 As I thought, verifying PGP/MIME detached signatures can be also done from 
 command line with GPG. I have tried with some posts from this same mailing 
 list coming from users that use detached signatures and in every case it 
 worked fine:
... 
 The recipe is very easy and the only needed ingredients are:
 
 - Browsing to the mailing list archive
 - Telnet to news.gmane.org server to get the message
 - Use gpg --verify
 
 And that's all. 
 
 If anyone is interested in the detailed steps, just ask.

Can you reproduce this with local copies from a mail agent (ideally 
mutt)? My quick experiments failed. Just curious, nothing critical.

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-22 Thread Henrique de Moraes Holschuh
On Sun, 22 Apr 2012, Andrei POPESCU wrote:
 On Sun, 15 Apr 12, 16:28:28, Camaleón wrote:
  As I thought, verifying PGP/MIME detached signatures can be also done from 
  command line with GPG. I have tried with some posts from this same mailing 
  list coming from users that use detached signatures and in every case it 
  worked fine:
 ... 
  The recipe is very easy and the only needed ingredients are:
  
  - Browsing to the mailing list archive
  - Telnet to news.gmane.org server to get the message
  - Use gpg --verify
  
  And that's all. 
  
  If anyone is interested in the detailed steps, just ask.
 
 Can you reproduce this with local copies from a mail agent (ideally 
 mutt)? My quick experiments failed. Just curious, nothing critical.

mutt will remove the signature on decode-copy (mutt lingo for
export), as it should.

If you save the message to mbox format, gpg 1.4.10 in Lenny will not be
able to verify it (maybe a newer version will).  gpg2 in Lenny (2.0.14)
does verify the signature, but it won't work with gpg2 --verify.

You have to:

1. save to mbox format in mutt (e.g. to /tmp/1.mbox)

2. run gpg2 /tmp/1.mbox.  When it asks for the file with the detached
signature, you give it /tmp/1.mbox again.

There is probably a better way to do this.

That said, mutt handles PGP/MIME properly, it annotates which portions
of the message have been signed, which portions have NOT been signed,
and the full gpg output, plus mutt's idea of what that gpg output means
(good sig, bad sig, unverified sig, etc) for each portion.

Well at least when you have only one section that is protected by a
PGP/MIME signature, and several sections which are not.  I didn't check
the RFC, nor tried to have a message with several sections, each one
signed independently.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120422134741.ga10...@khazad-dum.debian.net



Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-22 Thread Camaleón
On Sun, 22 Apr 2012 16:22:14 +0300, Andrei POPESCU wrote:

 On Sun, 15 Apr 12, 16:28:28, Camaleón wrote:
 
 As I thought, verifying PGP/MIME detached signatures can be also done
 from command line with GPG. I have tried with some posts from this same
 mailing list coming from users that use detached signatures and in
 every case it worked fine:
 ...
 The recipe is very easy and the only needed ingredients are:
 
 - Browsing to the mailing list archive - Telnet to news.gmane.org
 server to get the message - Use gpg --verify
 
 And that's all.
 
 If anyone is interested in the detailed steps, just ask.
 
 Can you reproduce this with local copies from a mail agent (ideally
 mutt)? My quick experiments failed. Just curious, nothing critical.
 :-)

I can't test it because I'm not subscribed to Debian mailing lists and 
thus I don't get copies of the messages. But just two quick notes on your 
question:

1/ Mutt can verify PGP/GPG signatures (inline and detached) automatically 
or on user demand, so why not use Mutt instead of having to deal with the 
raw message? Mutt itself does the hard job of injecting gpg with the 
correct format of the message, separating the signature from the signed 
content.

2/ A common error when you have to manually verify the signature comes 
from the extra lines you leave between the content of the message body 
and the signature, which make the verification process fail. Removing 
the extra lines solves the problem and the signature can be properly 
checked.

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-22 Thread Andrei POPESCU
On Sun, 22 Apr 12, 10:47:41, Henrique de Moraes Holschuh wrote:
 On Sun, 22 Apr 2012, Andrei POPESCU wrote:
  
  Can you reproduce this with local copies from a mail agent (ideally 
  mutt)? My quick experiments failed. Just curious, nothing critical.

As I said, just curious :)
 
 mutt will remove the signature on decode-copy (mutt lingo for
 export), as it should.
 
 If you save the message to mbox format, gpg 1.4.10 in Lenny will not be
 able to verify it (maybe a newer version will).  gpg2 in Lenny (2.0.14)
 does verify the signature, but it won't work with gpg2 --verify.

I tried saving the individual parts ('v' and then 's' ), but that didn't 
work. Not curious enough to try your mbox method, mutt's automatic 
verification works fine :)

Thanks,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-22 Thread Jon Dowland
On Sun, Apr 22, 2012 at 04:22:14PM +0300, Andrei POPESCU wrote:
 Can you reproduce this with local copies from a mail agent (ideally 
 mutt)? My quick experiments failed. Just curious, nothing critical.

You need to get ahold of the signed part without mutt decoding it. I
achieved it by piping the raw message to cat in mutt (|cat > ~/tmp/foo)
and manually editing the result to cut out the other bits. I needed the
particular MIME part for the message, plus the MIME headers above it,
and possibly a trailing newline (use trial and error for that bit). You
can safely decode/save the signature attachment, it's just the message
itself (which is signed post-encoding, that is, in the wire format
for the mail) which you need to cut out.





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-22 Thread Bob Proulx
Andrei POPESCU wrote:
 I tried saving the individual parts ('v' and then 's' ), but that didn't 
 work. Not curious enough to try your mbox method, mutt's automatic 
 verification works fine :)

That won't work because the saved part is the *body* of the part and
not the raw encoded bits of that part.  It is the raw encoded part
that is signed, not the decoded body.

See my earlier response in this thread where I showed how this can be
done manually.

  http://lists.debian.org/debian-user/2012/04/msg00766.html

Basically you need the raw part which includes the Content-Type,
Content-Transfer-Encoding and Content-Disposition headers too.  The
signature includes those headers.  If the file you saved does not have
those headers in them then you do not have the file that was signed
and the signature cannot be verified.

Bob




Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-20 Thread Chris Bannister
On Sun, Apr 15, 2012 at 04:28:28PM +, Camaleón wrote:
 (Disclaimer: newbies and soft-minded readers, please, stop reading here. 
 The following content can damage your mind. You've been advised)

Ha! I believe that is a dig at some constructive criticism.

Ummm, let's see,  No FUD in there, safe to proceed. 

 As I thought, verifying PGP/MIME detached signatures can be also done from 
 command line with GPG. I have tried with some posts from this same mailing 
 list coming from users that use detached signatures and in every case it 
 worked fine:
 
 
 
 sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
 --keyserver pool.sks-keyservers.net --verify test.pgp test.eml
 gpg: Signature made Tue Apr 10 08:41:59 2012 CEST using RSA key ID 82A46728
 gpg: Good signature from Mika Suomalainen
 gpg: aka Mika Suomalainen s.mik...@gmail.com
 gpg: aka Mika Suomalainen mika.henrik.mai...@hotmail.com
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:  There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728

()

 The recipe is very easy and the only needed ingredients are:
 
 - Browsing to the mailing list archive
 - Telnet to news.gmane.org server to get the message
 - Use gpg --verify


-- 
Religion is excellent stuff for keeping common people quiet.
   -- Napoleon Bonaparte





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-15 Thread Camaleón
On Wed, 11 Apr 2012 14:52:52 +, Camaleón wrote:

 On Tue, 10 Apr 2012 14:43:51 +, Camaleón wrote:
 
 (...)
 
 Anyway, I get the posts through a nntp news server (Gmane), I don't
 know - because I've not tried- if the header information provided would
 be enough to be able to verify the signature manually.
 
 Mmm, I tried this yesterday and it seems to be working fine from
 Thunderbird + Enigmail with no additional tweaks: signatures (both
 inline and detached) are verified correctly.
 
 If Enigmail can parse and verify the signed posts I see no reason for
 gpg cannot do the same.

(Disclaimer: newbies and soft-minded readers, please, stop reading here. 
The following content can damage your mind. You've been advised)



As I thought, verifying PGP/MIME detached signatures can be also done from 
command line with GPG. I have tried with some posts from this same mailing 
list coming from users that use detached signatures and in every case it 
worked fine:



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
--keyserver pool.sks-keyservers.net --verify test.pgp test.eml
gpg: Signature made Tue Apr 10 08:41:59 2012 CEST using RSA key ID 82A46728
gpg: Good signature from Mika Suomalainen
gpg: aka Mika Suomalainen s.mik...@gmail.com
gpg: aka Mika Suomalainen mika.henrik.mai...@hotmail.com
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
--keyserver pool.sks-keyservers.net --verify test2.pgp test2.eml
gpg: Signature made Tue Apr 10 11:00:44 2012 CEST using RSA key ID 06AA
gpg: Good signature from Jon Dowland j...@debian.org
gpg: aka Jon Dowland j...@alcopop.org
gpg: aka Jon Dowland jon.dowl...@ncl.ac.uk
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: E037 CB2A 1A00 61B9 4336  3C8B 0907 4096 06AA 



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
--keyserver pool.sks-keyservers.net --verify test3.pgp test3.eml
gpg: Signature made Mon Apr  9 21:46:11 2012 CEST using DSA key ID C13650B6
gpg: Good signature from Bob Proulx b...@proulx.com
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5B98 916C E867 EC0F D45C  F608 D294 5C3B C136 50B6



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
--keyserver pool.sks-keyservers.net --verify test4.pgp test4.eml
gpg: Signature made Thu Apr 12 11:43:58 2012 CEST using RSA key ID DEA22DE9
gpg: Good signature from Andrei Popescu andreimpope...@gmail.com
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4ACD 960A 2844 2952 EE06  466F 7356 B378 DEA2 2DE9


The recipe is very easy and the only needed ingredients are:

- Browsing to the mailing list archive
- Telnet to news.gmane.org server to get the message
- Use gpg --verify

And that's all. 

If anyone is interested in the detailed steps, just ask.

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-15 Thread Mika Suomalainen
15.04.2012 19:28, Camaleón wrote:
 On Wed, 11 Apr 2012 14:52:52 +, Camaleón wrote:
 
 On Tue, 10 Apr 2012 14:43:51 +, Camaleón wrote:

 (...)

 Anyway, I get the posts through a nntp news server (Gmane), I don't
 know - because I've not tried- if the header information provided would
 be enough to be able to verify the signature manually.

 Mmm, I tried this yesterday and it seems to be working fine from
 Thunderbird + Enigmail with no additional tweaks: signatures (both
 inline and detached) are verified correctly.

 If Enigmail can parse and verify the signed posts I see no reason for
 gpg cannot do the same.
 
 (Disclaimer: newbies and soft-minded readers, please, stop reading here. 
 The following content can damage your mind. You've been advised)
 

Ignore people who say so. Your posts are usually helpful.
By the way, same people told me to use PGP/MIME and when I asked how to
do so they didn't say anything useful.

 
 As I thought, verifying PGP/MIME detached signatures can be also done from 
 command line with GPG. I have tried with some posts from this same mailing 
 list coming from users that use detached signatures and in every case it 
 worked fine:
 
 
 
 sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
 --keyserver pool.sks-keyservers.net --verify test.pgp test.eml
 gpg: Signature made Tue Apr 10 08:41:59 2012 CEST using RSA key ID 82A46728
 gpg: Good signature from Mika Suomalainen
 gpg: aka Mika Suomalainen s.mik...@gmail.com
 gpg: aka Mika Suomalainen mika.henrik.mai...@hotmail.com
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:  There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
 
 
 
 sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
 --keyserver pool.sks-keyservers.net --verify test2.pgp test2.eml
 gpg: Signature made Tue Apr 10 11:00:44 2012 CEST using RSA key ID 06AA
 gpg: Good signature from Jon Dowland j...@debian.org
 gpg: aka Jon Dowland j...@alcopop.org
 gpg: aka Jon Dowland jon.dowl...@ncl.ac.uk
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:  There is no indication that the signature belongs to the owner.
 Primary key fingerprint: E037 CB2A 1A00 61B9 4336  3C8B 0907 4096 06AA 
 
 
 
 sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
 --keyserver pool.sks-keyservers.net --verify test3.pgp test3.eml
 gpg: Signature made Mon Apr  9 21:46:11 2012 CEST using DSA key ID C13650B6
 gpg: Good signature from Bob Proulx b...@proulx.com
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:  There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 5B98 916C E867 EC0F D45C  F608 D294 5C3B C136 50B6
 
 
 
 sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve 
 --keyserver pool.sks-keyservers.net --verify test4.pgp test4.eml
 gpg: Signature made Thu Apr 12 11:43:58 2012 CEST using RSA key ID DEA22DE9
 gpg: Good signature from Andrei Popescu andreimpope...@gmail.com
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:  There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 4ACD 960A 2844 2952 EE06  466F 7356 B378 DEA2 2DE9
 
 
 The recipe is very easy and the only needed ingredients are:
 
 - Browsing to the mailing list archive
 - Telnet to news.gmane.org server to get the message
 - Use gpg --verify
 
 And that's all. 
 
 If anyone is interested in the detailed steps, just ask.
 
 Greetings,
 

Thank you for testing this. I will keep this in mind whenever I have a
need for this :).

-- 
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728




Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-15 Thread Camaleón
On Sun, 15 Apr 2012 19:38:46 +0300, Mika Suomalainen wrote:

 15.04.2012 19:28, Camaleón wrote:

(...)

 As I thought, verifying PGP/MIME detached signatures can be also done
 from command line with GPG. I have tried with some posts from this same
 mailing list coming from users that use detached signatures and in
 every case it worked fine:

(...)

 The recipe is very easy and the only needed ingredients are:
 
 - Browsing to the mailing list archive - Telnet to news.gmane.org
 server to get the message - Use gpg --verify
 
 And that's all.
 
 If anyone is interested in the detailed steps, just ask.
 
 
 Thank you for testing this. I will keep this in mind whenever I have a
 need for this :).

Now we know it is possible to verify PGP/MIME detached signatures from 
Debian mailing lists without needing to be subscribed to them ;-)

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-14 Thread Chris Bannister
On Tue, Apr 10, 2012 at 03:53:19PM +0100, Jon Dowland wrote:
 On Tue, Apr 10, 2012 at 02:43:51PM +, Camaleón wrote:
   If you don't know, please refrain from guessing!
  
  Refrain yourself from reading :-/
 
 I'm not at significant risk of being (unintentionally) misled by you: newbies
 are.
+1

-- 
Religion is excellent stuff for keeping common people quiet.
   -- Napoleon Bonaparte





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-11 Thread Camaleón
On Tue, 10 Apr 2012 14:43:51 +, Camaleón wrote:

(...)

 Anyway, I get the posts through a nntp news server (Gmane), I don't know
 - because I've not tried- if the header information provided would be
 enough to be able to verify the signature manually.

Mmm, I tried this yesterday and it seems to be working fine from 
Thunderbird + Enigmail with no additional tweaks: signatures (both 
inline and detached) are verified correctly.

If Enigmail can parse and verify the signed posts I see no reason for gpg 
cannot do the same.

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Jon Dowland
On 09/04/12 17:48, Jeremy T. Bouse wrote:
 To verify PGP/MIME
 vs inline is the same if you were using the GPG or PGP command to verify
 a clearsigned file or not. With PGP/MIME you'd have to save the original
 email which would in a multi-part MIME email be an attachment itself,
 just the first one, and the signature attachment and run them through
 the CLI tool to verify the signature.

Alas, this doesn't actually work[1].  As Bob expands later, you need to
get the message body in its encoded format (e.g. quoted-printable),
complete with the MIME headers describing the encoding[2].  This is
difficult to export from most mailers, and impossible (so far as I know)
from the web archives.

(note that my mail client may re-wrap lines from the examples below)

[1]:


bryant$ cat msg
On 03/04/12 17:06, Mika Suomalainen wrote:
 Yes we did, but you are forgetting GPG clearsigning vs GPG S/MIME and
 was there something else... ☺

I missed that part of the discussion (but that has reminded me to
re-setup my mailer to sign ☺)

bryant$ cat msg.asc
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJPfCpsAAoJEAkHQJYGUIIP/jr/WeTTTr0Ig8EtAKvFiTFu
vRH20HOf0OhqXs7eBeJ0QZdXPONPHCFokB75khuBOgEP6Ed1SnY2XPMZUXBL97R4
Li2l8oVHGF4omVkbNYZ1nItbz95fhLCqxIu/9TouPYsH0fNI4WTrjWFQH2c+zD4k
iLeumt03He+l/3j24RxKKQ2qZt1qx2558kKMQCB2WmCRmjUc79uYTl09n4XVZvhc
yOklofhCMlQXsaCPwpfed5zZZBvpRtpLNsgL4nWKbsmFDdVhmf/CLB1PlSn0H3lV
xr8IwPsn1MC7Ums+nEzuabGzy2JMRrZaRrEVERFwtkW7xftEqy4N63Ua+g9AzQuH
T4XYmYFq0vZXliF/zRkoStEmfUZke7OonxUEGhjz3MdeIaMoxlw2V+Zi9NF5U9A7
pdX/CRhPfG2q5VYsyGyCeBtF5PLiIAs6bEUHKf0IJy0MXk01cIUL69Yfm6XqoJ8j
R8sK0eL7JphwX3cjgJ8L2cyIBW8Z1YqSc1d93kjiwDZeewNw6dueuXNkvvsVhhis
uJU2iapDo8Q4FiHcop+uqpEOuCT0DeUS6wgPlsD3fMp1a2LMzrWMkAU6Wo0zAWDM
Gk9TlVzJjT4jrTffkLM4rxoYYvhUUdUsOKrHukRsxB7E++NXpqUkqV0pi0486lYc
7NADA1QrTNgixFBBONCa
=Zjte
-END PGP SIGNATURE-
bryant$ gpg --verify msg.asc
gpg: Signature made Wed 04 Apr 2012 12:03:08 PM BST using RSA key ID
06AA
gpg: BAD signature from Jon Dowland j...@debian.org

[2]:

bryant$ cat raw
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 03/04/12 17:06, Mika Suomalainen wrote:
 Yes we did, but you are forgetting GPG clearsigning vs GPG S/MIME and
 was there something else... =E2=98=BA

I missed that part of the discussion (but that has reminded me to
re-setup my mailer to sign =E2=98=BA)

bryant$ gpg --verify raw.asc
gpg: Signature made Wed 04 Apr 2012 12:03:08 PM BST using RSA key ID
06AA
gpg: Good signature from Jon Dowland j...@debian.org
Primary key fingerprint: E037 CB2A 1A00 61B9 4336  3C8B 0907 4096 06AA 


-- 
Jon Dowland
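
The point made by Bob Proulx and Jon Dowland in this thread, that the signature covers the first MIME part in its wire format together with its Content-* headers, shown as an added example that is not from any poster in the thread. The function names and the sample message (with a placeholder signature) are constructed for illustration; the CRLF and boundary handling follow RFC 3156 and RFC 2046.

```python
#!/usr/bin/env python3
"""Added example: cut the signed part and signature out of a raw PGP/MIME mail."""
import re
import sys
from email import message_from_bytes

# Constructed sample: LF line endings, placeholder instead of a real signature.
SAMPLE = b"""\
From: Alice Example <alice@example.org>
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="b0undary"

This is an OpenPGP/MIME signed message (RFC 3156).
--b0undary
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

was there something else... =E2=98=BA

--b0undary
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

CONSTRUCTED+PLACEHOLDER+NOT+A+REAL+SIGNATURE
-----END PGP SIGNATURE-----

--b0undary--
"""


def split_pgp_mime(raw):
    """Return (signed_bytes, signature_bytes) from a raw multipart/signed mail.

    signed_bytes is the first MIME part exactly as transmitted: its own
    Content-* headers, the blank line and the still-encoded body.
    """
    # Verification uses canonical CRLF line endings (RFC 3156, section 5);
    # a message saved on Unix usually has bare LF.
    raw = re.sub(rb"\r?\n", b"\r\n", raw)

    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    if str(msg.get_param("protocol", "")).lower() != "application/pgp-signature":
        raise ValueError("multipart/signed, but not PGP/MIME")
    boundary = msg.get_boundary()
    head_end = raw.find(b"\r\n\r\n")
    if not boundary or head_end < 0:
        raise ValueError("missing boundary parameter or message body")

    # The CRLF in front of "--boundary" belongs to the delimiter (RFC 2046),
    # not to the part before it, so it is matched here and never signed.
    delim = re.compile(rb"\r\n--" + re.escape(boundary.encode("ascii"))
                       + rb"(--)?[ \t]*(?:\r\n|\Z)")
    marks = list(delim.finditer(raw, head_end + 2))
    parts = []
    for cur, nxt in zip(marks, marks[1:]):
        if cur.group(1):  # closing delimiter: the rest is epilogue
            break
        parts.append(raw[cur.end():nxt.start()])
    if len(parts) != 2:
        raise ValueError("expected 2 parts, found %d" % len(parts))

    signed, sig_part = parts
    sig_msg = message_from_bytes(sig_part)
    if sig_msg.get_content_type() != "application/pgp-signature":
        raise ValueError("second part is not application/pgp-signature")
    # The signature part is an ordinary attachment and may be decoded safely.
    return signed, sig_msg.get_payload(decode=True)


def decoded_body(signed):
    """What 'save attachment' in a mail client writes: no headers, body decoded."""
    return message_from_bytes(signed).get_payload(decode=True)


def main(argv):
    if len(argv) == 2:
        stem = argv[1]
        with open(stem, "rb") as fh:
            raw = fh.read()
    else:
        stem, raw = "sample", SAMPLE
    signed, signature = split_pgp_mime(raw)
    with open(stem + ".signed", "wb") as out:
        out.write(signed)
    with open(stem + ".asc", "wb") as out:
        out.write(signature)
    # Signature file first, signed data second.
    print("gpg --verify %s.asc %s.signed" % (stem, stem))


if __name__ == "__main__":
    main(sys.argv)
```

The output of decoded_body() is what the failing "msg" file in the post above corresponds to; the first value returned by split_pgp_mime() corresponds to the "raw" file that verified.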





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Jon Dowland
On 09/04/12 17:54, Camaleón wrote:
 Look at man gpg, there must be also an option here for verifying the 
 signature.

On the one hand, I think the energy and enthusiasm to which you bring to
helping people on -user is admirable.  On the other, sometimes your
replies are information-free, or even misleading.  If you don't know,
please refrain from guessing!





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Camaleón
On Tue, 10 Apr 2012 10:00:44 +0100, Jon Dowland wrote:

 On 09/04/12 17:54, Camaleón wrote:
 Look at man gpg, there must be also an option here for verifying the
 signature.
 
 On the one hand, I think the energy and enthusiasm to which you bring to
 helping people on -user is admirable.  

You're welcome.

 On the other, sometimes your replies are information-free, or even
 misleading.

Misleading what, exactly?

Both gpg and smime can verify signatures, that's what Mutt and other 
e-mail clients do use. The fact that this mailing list does not provide 
an archive to get the raw messages with attachments does not change the 
above.

Anyway, I get the posts through a nntp news server (Gmane), I don't know -
because I've not tried- if the header information provided would be 
enough to be able to verify the signature manually.

 If you don't know, please refrain from guessing!

Refrain yourself from reading :-/

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Jon Dowland
On Tue, Apr 10, 2012 at 02:43:51PM +, Camaleón wrote:
  If you don't know, please refrain from guessing!
 
 Refrain yourself from reading :-/

I'm not at significant risk of being (unintentionally) misled by you: newbies
are.





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Camaleón
On Tue, 10 Apr 2012 15:53:19 +0100, Jon Dowland wrote:

 On Tue, Apr 10, 2012 at 02:43:51PM +, Camaleón wrote:
  If you don't know, please refrain from guessing!
 
 Refrain yourself from reading :-/
 
 I'm not at significant risk of being (unintentionally) misled by you:
 newbies are.

If you're so worried, apply for a newbie-sitter job.

Still, you failed to reply what was misleading. Sigh.

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Jon Dowland
On Tue, Apr 10, 2012 at 03:14:49PM +, Camaleón wrote:
 If you're so worried, apply for a newbie-sitter job.

What exactly is that?

 Still, you failed to reply what was misleading. Sigh.

Indeed, I haven't taken the time to go back and pick out the ones
that caught my attention in particular. If you'd really value me
to do so, I can do, either privately or in a new thread.

Taking things too personally aside, do you have a problem with the
actual advice I offered (don't reply on subjects you don't know
anything about?)





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Camaleón
On Tue, 10 Apr 2012 16:22:05 +0100, Jon Dowland wrote:

 On Tue, Apr 10, 2012 at 03:14:49PM +, Camaleón wrote:
 If you're so worried, apply for a newbie-sitter job.
 
 What exactly is that?

It was a pun meaning a person who cares about newbies.

 Still, you failed to reply what was misleading. Sigh.
 
 Indeed, I haven't taken the time to go back and pick out the ones that
 caught my attention in particular. If you'd really value me to do so, I
 can do, either privately or in a new thread.

So first you said I'm fooling and perverting newbie's mind and now you 
want to go private... bad move.
 
 Taking things too personally aside, do you have a problem with the
 actual advice I offered (don't reply on subjects you don't know anything
 about?)

What problem could I have? Everybody can have their opinion and express 
it. I do also have mine and thus encourage you to avoid reading my posts 
given that you seem to find them offensive.

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Jon Dowland
On Tue, Apr 10, 2012 at 03:49:08PM +, Camaleón wrote:
 What problem could I have? Everybody can have their opinion and express 
 it. I do also have mine and thus encourage you to avoid reading my posts 
 given that you seem to find them offensive.

I don't, and never said that, but I can see the law of diminishing returns
taking effect here so perhaps I'll take your advice.





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-10 Thread Camaleón
On Tue, 10 Apr 2012 16:52:15 +0100, Jon Dowland wrote:

 On Tue, Apr 10, 2012 at 03:49:08PM +, Camaleón wrote:
 What problem could I have? Everybody can have their opinion and express
 it. I do also have mine and thus encourage you to avoid reading my
 posts given that you seem to find them offensive.
 
 I don't, and never said that, but I can see the law of diminishing
 returns taking effect here so perhaps I'll take your advice.

And you can start doing it when you want... don't delay!

Greetings,

-- 
Camaleón





[OT] Manually verifying PGP/MIME signature with GPG

2012-04-09 Thread Mika Suomalainen
Hi,

I am now asking this question for the third time, but now in separate
thread.

As this list seems to be against GPG INLINE signatures, I have
promised to move to S/MIME (with devices which support it) when
someone on this list tells me how do I manually verify PGP/MIME
signature in case email client cannot be used to do it. Example case
would be verifying message from mailing list archives. I will also
move to PGP/MIME if anyone on this list admits my point that it's
easier to verify GPG INLINE manually than PGP/MIME.

I have
1. Used 45 minutes to try to solve how to do it by myself.
2. I have Googled for this without finding anything useful.
3. I have asked at official GNUPG support channel and got only answer
that it's tricky.

I am using PGP INLINE mainly, because of two reasons, which are
1. GPG INLINE is easier to verify manually. It's only copy-pasting the
whole message to gpg. I have sent three messages to this list asking
how does this happen with PGP/INLINE, but people are just ignoring the
question and telling me that I should use it.
2. K9 Mail, which I use on my phone when I sometimes need to email
from it, doesn't support PGP/MIME. There is bug report about it at
https://code.google.com/p/k9mail/issues/detail?id=13colspec=ID%20Product%20Type%20Status%20Priority%20Milestone%20Owner%20Summary
.

-- 
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-09 Thread Camaleón
On Mon, 09 Apr 2012 18:04:13 +0300, Mika Suomalainen wrote:

 I am now asking this question for the third time, but now in separate
 thread.

For the third time? Then is that I missed it. You did the right move by 
opening a new thread :-)

 As this list seems to be against GPG INLINE signatures, 

Uh? First notice I have :-?

I recognize it's annoying to delete the extra text when replying to PGP/
GPG inline messages but I can live with that.

 I have promised to move to S/MIME (with devices which support it) when
 someone on this list tells me how do I manually verify PGP/MIME
 signature in case email client cannot be used to do it. 

You don't have to move on S/MIME if you don't want.

 Example case would be verifying message from mailing list archives. I
 will also move to PGP/MIME if anyone on this list admits my point that
 it's easier to verify GPG INLINE manually than PGP/MIME.

(...)

Dude, use whatever you like most, if someone complains that's up to them 
(unless there's some hidden rule/policy for this I'm not aware of) ;-)

Anyway, openssl's smime should be able to verify the signature. As per 
the man page:

***
The smime command handles S/MIME mail. It can encrypt, decrypt, sign and 
verify S/MIME messages. 
***

There are some usage samples at the bottom of the page.

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-09 Thread Mika Suomalainen
On 09.04.2012 18:44, Camaleón wrote:
 On Mon, 09 Apr 2012 18:04:13 +0300, Mika Suomalainen wrote:
 
 I am now asking this question for the third time, but now in separate
 thread.
 
 For the third time? Then is that I missed it. You did the right move by 
 opening a new thread :-)
 
 As this list seems to be against GPG INLINE signatures, 

 Uh? First notice I have :-?

The other questions and PGP/INLINE hate are in some of those three (or
more) of those different [OT] Posting styles threads.

 I recognize it's annoying to delete the extra text when replying to PGP/
 GPG inline messages but I can live with that.
 
 I have promised to move to S/MIME (with devices which support it) when
 someone on this list tells me how do I manually verify PGP/MIME
 signature in case email client cannot be used to do it. 
 
 You don't have to move on S/MIME if you don't want.

Oh, sorry. I am confusing S/MIME and PGP/MIME myself too. They are
two different things, or at least I think so. The one which I am asking
about is PGP/MIME (those signature.asc files, which you might have seen).

 Example case would be verifying message from mailing list archives. I
 will also move to PGP/MIME if anyone on this list admits my point that
 it's easier to verify GPG INLINE manually than PGP/MIME.
 
 (...)
 
 Dude, use whatever you like most, if someone complains that's up to them 
 (unless there's some hidden rule/policy for this I'm not aware of) ;-)

I am getting the picture that there is some kind of hidden policy, which
should be put to list code of conduct or elsewhere.

 Anyway, openssl's smime should be able to verify the signature. As per 
 the man page:
 
 ***
 The smime command handles S/MIME mail. It can encrypt, decrypt, sign and 
 verify S/MIME messages. 
 ***
 
 There are some usage samples at the bottom of the page.
 
 Greetings,
 

I think that I will start using PGP/MIME now that someone has said that
it's annoying to remove GPG signatures from messages and that they can
live with it. It's nicer way than telling to filter all emails from one
sender / threading / telling what should be done in their opinions and
then ignoring all problems in that way.

I hope that someone can still answer this question.

PS. Sorry again for typoing PGP/MIME as S/MIME.

-- 
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728



signature.asc
Description: OpenPGP digital signature


Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-09 Thread Camaleón
On Mon, 09 Apr 2012 19:11:04 +0300, Mika Suomalainen wrote:

 On 09.04.2012 18:44, Camaleón wrote:

 As this list seems to be against GPG INLINE signatures,

 Uh? First notice I have :-?
 
 The other questions and PGP/INLINE hate are in some of those three (or
 more) of those different [OT] Posting styles threads.

Ah... okay.

 I recognize it's annoying to delete the extra text when replying to
 PGP/ GPG inline messages but I can live with that.
 
 I have promised to move to S/MIME (with devices which support it) when
 someone on this list tells me how do I manually verify PGP/MIME
 signature in case email client cannot be used to do it.
 
 You don't have to move on S/MIME if you don't want.
 
 Oh, sorry. I am confusing with S/MIME and PGP/MIME myself too. They are
 two different things, or at least I think so. The one which I am asking
 about is PGP/MIME (those signature.asc files, which you might have
 seen).

Mmm... I see. Yes, they seem to be different implementations:

http://pthree.org/2011/09/17/pgpmime-versus-smime/

 Dude, use whatever you like most, if someone complains that's up to
 them (unless there's some hidden rule/policy for this I'm not aware of)
 ;-)
 
 I am getting the picture that there is some kind of hidden policy, which
 should be put to list code of conduct or elsewhere.

A hidden policy (should there be any) is by definition not applicable so 
don't worry about it and use what GPG/PGP inline/attached file you 
estimate better for you.

 Anyway, openssl's smime should be able to verify the signature. As per
 the man page:
 
 ***
 The smime command handles S/MIME mail. It can encrypt, decrypt, sign
 and verify S/MIME messages.
 ***
 
 There are some usage samples at the bottom of the page.
 
 
 I think that I will start using PGP/MIME now that someone has said that
 it's annoying to remove GPG signatures from messages and that they can
 live with it. 

Well, that was my *personal* opinion, you don't have to do what every 
person says, follow your own way :-)

 It's nicer way than telling to filter all emails from one
 sender / threading / telling what should be done in their opinions and
 then ignoring all problems in that way.

Well, discarding posts just because of inline PGP/GPG signatures is a bit 
radical. As I said, it's annoying but nothing more.
 
 I hope that someone can still answer this question.
 
 PS. Sorry again for typoing PGP/MIME as S/MIME.

You said PGP/MIME, I got S/MIME O:-)

Look at man gpg, there must be also an option here for verifying the 
signature.

Greetings,

-- 
Camaleón





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-09 Thread Jeremy T. Bouse
On 04/09/2012 12:11 PM, Mika Suomalainen wrote:
 On 09.04.2012 18:44, Camaleón wrote:
 On Mon, 09 Apr 2012 18:04:13 +0300, Mika Suomalainen wrote:
[...]
 I recognize it's annoying to delete the extra text when replying to PGP/
 GPG inline messages but I can live with that.

 I have promised to move to S/MIME (with devices which support it) when
 someone on this list tells me how do I manually verify PGP/MIME
 signature in case email client cannot be used to do it. 

 You don't have to move on S/MIME if you don't want.
 
 Oh, sorry. I am confusing with S/MIME and PGP/MIME myself too. They are
 two different things, or at least I think so. The one which I am asking
 about is PGP/MIME (those signature.asc files, which you might have seen).
 
 Example case would be verifying message from mailing list archives. I
 will also move to PGP/MIME if anyone on this list admits my point that
 it's easier to verify GPG INLINE manually than PGP/MIME.


The only real difference between inline PGP and PGP/MIME is that in
PGP/MIME the signature is detached and added to the email as an
attachment, which as you mention is the signature.asc. To verify PGP/MIME
vs inline is the same if you were using the GPG or PGP command to verify
a clearsigned file or not. With PGP/MIME you'd have to save the original
email which would in a multi-part MIME email be an attachment itself,
just the first one, and the signature attachment and run them through
the CLI tool to verify the signature.
Also as most mail clients these days support PGP/MIME standard either
natively or via additional plugin there should be little need to do so
manually unless this is just an exercise to better understand how it is
handled.
[...]
 
 I think that I will start using PGP/MIME now that someone has said that
 it's annoying to remove GPG signatures from messages and that they can
 live with it. It's nicer way than telling to filter all emails from one
 sender / threading / telling what should be done in their opinions and
 then ignoring all problems in that way.
 
 I hope that someone can still answer this question.
 
 PS. Sorry again for typoing PGP/MIME as S/MIME.
 
PGP/MIME just makes it easier for those that don't bother with the
signatures to ignore the attachment with the signature and not have to
deal with cutting it out in replies. The other issue I've seen with
inline vs PGP/MIME is that if the signature is not stripped out by
someone replying and including the signature in the quote it will
sometimes confuse the MUA. In most cases PGP/MIME won't have this issue
as the signature is a separate attachment and unless efforts are made to
include attachments in replies won't be included and even if it does it
still doesn't confuse the MUA.





Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-09 Thread Mika Suomalainen
On 09.04.2012 19:48, Jeremy T. Bouse wrote:
 On 04/09/2012 12:11 PM, Mika Suomalainen wrote:
 On 09.04.2012 18:44, Camaleón wrote:
 On Mon, 09 Apr 2012 18:04:13 +0300, Mika Suomalainen wrote:
...
   PGP/MIME just makes it easier for those that don't bother with the
 signatures to ignore the attachment with the signature and not have to
 deal with cutting it out in replies. The other issue I've seen with
 inline vs PGP/MIME is that if the signature is not stripped out by
 someone replying and including the signature in the quote it will
 sometimes confuse the MUA. In most cases PGP/MIME won't have this issue
 as the signature is a separate attachment and unless efforts are made to
 include attachments in replies won't be included and even if it does it
 still doesn't confuse the MUA.
 
 

So if I was verifying my signature in my latest message manually, I
would need two files, which would be message and signature.asc and the
verifying command would be gpg --verify message signature.asc (or were
they swapped)?

If we think that I am verifying the signature in my latest message,
http://lists.debian.org/debian-user/2012/04/msg00748.html , how would I
get the message part of it? Or is just copy-pasting and saving it
enough? (Or is it impossible? :)).

-- 
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728



signature.asc
Description: OpenPGP digital signature


Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-09 Thread Mika Suomalainen
On 09.04.2012 19:54, Camaleón wrote:
...
 PS. Sorry again for typoing PGP/MIME as S/MIME.
 
 You said PGP/MIME, I got S/MIME O:-)
 
 Look at man gpg, there must be also an option here for verifying the 
 signature.
 
 Greetings,
 

I wrote
 I have promised to move to S/MIME (with devices which support it) when
 someone on this list tells me how do I manually verify PGP/MIME
 signature in case email client cannot be used to do it.
, so I misspelled it once too.

-- 
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728



signature.asc
Description: OpenPGP digital signature


Re: [OT] Manually verifying PGP/MIME signature with GPG

2012-04-09 Thread Bob Proulx
Mika Suomalainen wrote:
 Jeremy T. Bouse wrote:
  Mika Suomalainen wrote:
   Camaleón wrote:
Mika Suomalainen wrote:

   I am now asking this question for the third time, but now in separate
   thread.

That is the way to do it.  I had not seen any of your previous
questions.  If I kill a long rambling thread it will sweep in any
unrelated questions that were posted in that thread.  Therefore if you
want people to read and make sense of your question you should post it
as a separate message in as clear of a problem statement as possible.

   As this list seems to be against GPG INLINE signatures, I have

PGP inline signatures are just annoying.  They aren't fatal.  They are
simply the very old way.  Because they were annoying an improved way
was developed.  Generally we think that using PGP/MIME is a superior
and more friendly way to go.  I use PGP/MIME and think you should too.

   I am using PGP INLINE mainly, because of two reasons, which are
   1. GPG INLINE is easier to verify manually. It's only
   copy-pasting the whole message to gpg.

If you are manually verifying messages I think that is too labor
intensive to do normally through the course of daily reading email.
There are hundreds of messages to this mailing list every day.  Trying
to verify them manually would be too hard.  Your mail user agent needs
to do this for you or it just won't happen when it needs to happen.
Therefore instead of worrying about doing it manually I would worry
about using and configuring your agent to do it for you.

Also when cutting and pasting you probably will not have the actual
contents of many messages.  If the message is encoded with us-ascii it
might work fine.  But if encoded in UTF-8 (or even 8859-1) due to
non-ascii characters then the message in the cut-n-paste will almost
certainly be different from the one encoded and will fail to verify.
So that isn't a good general purpose solution.

  PGP/MIME just makes it easier for those that don't bother with the
  signatures to ignore the attachment with the signature and not have to
  deal with cutting it out in replies. The other issue I've seen with
  inline vs PGP/MIME is that if the signature is not stripped out by
  someone replying and including the signature in the quote it will
  sometimes confuse the MUA. In most cases PGP/MIME won't have this issue
  as the signature is a separate attachment and unless efforts are made to
  include attachments in replies won't be included and even if it does it
  still doesn't confuse the MUA.

Agreed to all.

 So if I was verifying my signature in that my latest message manually, I
 would need two files, which would be message and signature.asc

Yes, mostly.  This is fully described in RFC 2015.

  http://www.ietf.org/rfc/rfc2015.txt

To manually verify your signature on a message you would need the
contents of the message body in one file.  That must include the
encoding verbatim and it must include the content header.

  Content-Type: text/plain; charset=us-ascii
  Content-Disposition: inline
  Content-Transfer-Encoding: quoted-printable

  This is a test message.
  Including Camale=F3n's name to force quoted-printable encoding to
  illustrate that it also must be part of the signed message.

That would be in one file.  Note the character encoding and the
message header.  This data must be a verbatim copy of the signed part
of the file.

In the other file would be the detached signature.

 and the verifying command would be gpg --verify message
 signature.asc (or were they swapped)?

Here is an example where I tried the above:

  $ gpg --verify message.gpg.signature.asc message.txt
  gpg: Signature made Sun 08 Apr 2012 05:40:55 PM MDT using DSA key ID C13650B6
  gpg: Good signature from Bob Proulx b...@proulx.com

 If we think that I am verifying the signature in my latest message,
 http://lists.debian.org/debian-user/2012/04/msg00748.html , how would I
 get the message part of it? Or is just copy-pasting and saving it
 enough? (Or is it impossible? :)).

You need the original message.  Being able to see how the message is
displayed is not enough due to character encoding changing the
underlying data.  This is why cutting and pasting isn't a good thing
even in the inline case.

HTH,
Bob


signature.asc
Description: Digital signature
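
Added example, not part of any post in this thread: a Python sketch of the extraction step described above, cutting the signed part (its content headers included) out of a raw message byte for byte so it can be handed to gpg --verify. The sample message, the function name split_signed and the output file names are assumptions made here; line endings are normalized to CRLF, the canonical form for signed MIME text, and the line break in front of a boundary line is counted as part of the boundary rather than of the signed data.

```python
import re
import sys

# Constructed sample, not a real mail: a raw PGP/MIME message as saved from an
# MUA with LF line endings. The signature body is a placeholder.
SAMPLE = b"""From: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
\tprotocol="application/pgp-signature"; boundary="b0undary"

--b0undary
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

This is a test message.
Including Camale=F3n's name.

--b0undary
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

PLACEHOLDER
-----END PGP SIGNATURE-----

--b0undary--
"""

def split_signed(raw: bytes):
    """Return (signed_part, armored_signature) from a raw multipart/signed mail."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)        # canonical CRLF line endings
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)    # unfold continued header lines
    ctype = re.search(rb"(?im)^content-type:[ \t]*multipart/signed\b[^\r\n]*", head)
    boundary = ctype and re.search(rb'(?i)boundary="?([^";\s]+)', ctype.group(0))
    if not boundary:
        raise ValueError("not a multipart/signed message with a boundary")
    # A delimiter is CRLF + "--" + boundary ("--" appended on the closing one).
    # Its leading CRLF belongs to the delimiter, not to the part before it.
    delim = rb"\r\n--" + re.escape(boundary.group(1)) + rb"(?:--)?[ \t]*(?=\r\n|\Z)"
    pieces = re.split(delim, b"\r\n" + body)
    if len(pieces) != 4:
        raise ValueError("expected exactly two body parts")
    signed = pieces[1][2:]   # part one verbatim, minus the delimiter's own line end
    armor = re.search(rb"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----",
                      pieces[2], re.S)
    if not armor:
        raise ValueError("second part holds no armored signature")
    return signed, armor.group(0) + b"\r\n"

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    signed, sig = split_signed(raw)
    for name, data in (("message.txt", signed), ("signature.asc", sig)):
        with open(name, "wb") as f:
            f.write(data)
    print("now run: gpg --verify signature.asc message.txt")
```

Pass the path of a raw saved message as the only argument; the quoted-printable text stays encoded in message.txt because the signature covers the wire format, not the decoded display.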