Re: What are those attachments you have on your email?

[Stephan Beck]

Hi,

David Adamson:
> On Fri, Nov 25, 2016 at 9:33 AM, Stephan Beck  wrote:

> Stephan so this is a result of you using a mail client that requires
> the signature file and If I used a similar mail client it could
> automatically verify this email message was signed by the holder of
> Stephan's private key?

If you used a PGP/MIME compliant email client (may it be Claws or
Thunderbird with the Enigmail plugin) you'd see the signature file as an
attachment to the email, and by importing (or retrieving and importing
it, if not yet present in the keyring) the sender's public key using the
appropriate commands of this email client or the respective plugin like
Enigmail, "you" could verify the signature, i.e. verify that the signed
message was effectively signed with the private (signing) key of the
holder of the respective public key. (The corresponding plugin such as
Enigmail verifies the signature automatically when you select the message)
If you used a non PGP/MIME email client (without any plugin of this
kind) or a webmail interface (not capable of handling such messages) you
would not be able to directly process the attachment for verifying purposes.

But you could open the message's header ("View Source" command) copy and
paste the signature including the --- BEGIN/END --- parts (see below)
into a text file, save it with .asc file extension
and verify it by means of gpg (or the dedicated gpgv package).
gpg2 --verify signature.asc signed_message_text.txt.
If it is a public key, you can copy and paste it (including the ---
BEGIN/END --- parts) into a text file, save it with the .asc file
extension and import it directly into your keyring using the
gpg2 --import command



-BEGIN PGP SIGNATURE---

[SIGNATURE]

-END PGP SIGNATURE-

or (in case of a public key)

-BEGIN PGP PUBLIC KEY BLOCK-

[PUBLIC KEY in armored format]

-END PGP PUBLIC KEY BLOCK---

> 
> However is it the case as Juan put it that since I'm using another
> type of mail service, in my case gmail web based interface, that this
> signature will not be applicable?

I actually don't know gmail well, so I cannot tell you (but you can)
whether gmail has any type of PGP/MIME handling webmail-based apps.
If not, the PGP/MIME signature attachment cannot be "processed" directly.
But you could save the attachment as .asc file (seemingly you did that),
save the message as a text file and put both (first the signature file)
on gpg's command line (see above) to verify the signature (key will be
retrieved by gpg if it's not yet present.)

Cheers

Stephan



0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: What are those attachments you have on your email?

[David Adamson]

On Fri, Nov 25, 2016 at 9:33 AM, Stephan Beck  wrote:
> Sorry, David, for arriving a bit late to the party..., I had to answer
> Peter who had addressed several list mails in reply to mine yesterday
> and it took me a while.
> Yes, as Brian says, the verify command expects an .asc signature file
> and a message or a file signed with it as input. By
> using/fetching/retrieving the signer's key gpg verifies that this
> message/file really was signed by the one who claims to be the signer.
>
> Cheers
>
> Stephan
>

Stephan so this is a result of you using a mail client that requires
the signature file and If I used a similar mail client it could
automatically verify this email message was signed by the holder of
Stephan's private key?

However is it the case as Juan put it that since I'm using another
type of mail service, in my case gmail web based interface, that this
signature will not be applicable?

Juan said:
"Otherwise, it
looks like a normal message (or empty if PGP/MIME encrypted) with a
signature.asc file (sometimes called differently) as an attachment."

Brian,
Thanks for the resource. I'll have to get used to
reading/understanding this type of material/subject matter.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: What are those attachments you have on your email?

[Brian Minton]

On Fri, Nov 25, 2016 at 08:12:35AM -0500, David Adamson wrote:
> On Fri, Nov 25, 2016 at 5:28 AM, Stephan Beck  wrote:
> I was thinking of ways to get my key out to people without using the
> keyservers and instead attaching my public key to my email seemed like a good
> idea.  I noticed you have two, one called 0x4218732B.asc and another
> called signature.asc.  Am I correct in assuming your first one is your
> public key?  The second one I'm not sure what it is for.  I thought
> maybe you were signing your public key so I ran the following but got
> a BAD signature message so I thought maybe it's for something else -

A signature.asc file is usually for the message itself. See RFC 3156.
https://tools.ietf.org/html/rfc3156 for more details.  It's called PGP/MIME
and it allows you to encrypt, sign, or both for messages containing
attachments.

-- 
Brian Minton
brian at minton dot name http://brian.minton.name
Live long, and prosper longer!
OpenPGP fingerprint = 8213 71DD 4665 CF4F AE20  2206 0424 DC19 B678 A1A9


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: What are those attachments you have on your email?

[Stephan Beck]

Sorry, David, for arriving a bit late to the party..., I had to answer
Peter who had addressed several list mails in reply to mine yesterday
and it took me a while.
Yes, as Brian says, the verify command expects an .asc signature file
and a message or a file signed with it as input. By
using/fetching/retrieving the signer's key gpg verifies that this
message/file really was signed by the one who claims to be the signer.

Cheers

Stephan

David Adamson:
> On Fri, Nov 25, 2016 at 5:28 AM, Stephan Beck  wrote:
>> Hi David,
>>
>> I kindly invite you to post your PM on-list. It might be of interest for
>> other people as well.
>>
>> Thanks and regards
>>
>> Stephan
>>
> 
> Certainly that sounds like a good idea.
> 
> Stephan,
> 
> Thanks again for your help.  I am playing around with generating my
> keys, importing others and encrypting and decrypting.
> 
> I was thinking of ways to get my key out to people without using the
> keyservers and instead attaching my public key to my email seemed like a good
> idea.  I noticed you have two, one called 0x4218732B.asc and another
> called signature.asc.  Am I correct in assuming your first one is your
> public key?  The second one I'm not sure what it is for.  I thought
> maybe you were signing your public key so I ran the following but got
> a BAD signature message so I thought maybe it's for something else -
> 
> david@system:~/Downloads$ gpg2 --verify signature.asc 0x4218732B.asc
> gpg: Signature made Wed 23 Nov 2016 11:41:22 AM EST
> gpg:using RSA key 5E77973C5ED0E692
> gpg: Can't check signature: No public key
> david@system:~/Downloads$ gpg2 --import 0x4218732B.asc
> gpg: key 1CA0EF5E4218732B: public key "Stephan Beck
> " imported
> gpg: Total number processed: 1
> gpg:   imported: 1
> david@system:~/Downloads$ gpg2 --verify signature.asc 0x4218732B.asc
> gpg: Signature made Wed 23 Nov 2016 11:41:22 AM EST
> gpg:using RSA key 5E77973C5ED0E692
> gpg: BAD signature from "Stephan Beck " [unknown]
> 
> Thanks!
> 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: What are those attachments you have on your email?

[Juan Miguel Navarro Martínez]

On 2016-11-25 at 14:12, David Adamson wrote:
> I noticed you have two, one called 0x4218732B.asc and another
> called signature.asc.  Am I correct in assuming your first one is your
> public key?  The second one I'm not sure what it is for.  I thought
> maybe you were signing your public key so I ran the following but got
> a BAD signature message so I thought maybe it's for something else 

The first one is indeed the public key, the second one most likely is
the signature for the email using PGP/MIME. If you have PGP-supported
email client (like Claws) or the email client have a PGP pluging (like
Thunderbird+Enigmail) it should be able to verify it. Otherwise, it
looks like a normal message (or empty if PGP/MIME encrypted) with a
signature.asc file (sometimes called differently) as an attachment.

-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users