Bad signatures, pgp and MIME
Recent messages sent to debian-security-announce have shown that
there is some discrepancy between how PGP/MIME works and
how people think it works.
The basic problem is that you can't split a PGP/MIME signed message
into parts and then verify it. If you use Mutt for PGP signing,
then splitting the message with mutt or munpack you cannot verify
One reason given for this was that the Content-Type header needs
to be part of the split message.
People were asking for the relevant document describing this
At least Mutt and premail understand this type of signature.
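To make the point above concrete, here is an added example (not from the original post or from Mutt, premail or munpack) that takes a constructed multipart/signed message, extracts the bytes a PGP/MIME (RFC 3156) signature actually covers, and compares them with the bare body text that a splitter leaves behind once the part's headers are gone. The signature block, addresses and boundary are placeholders; the SHA-1 comparison is a simplification of OpenPGP hashing, used only to show that the two inputs are not the same data.

```python
import hashlib
from email import message_from_bytes

# Constructed sample PGP/MIME (RFC 3156) message. The signature body is a
# placeholder, not a real OpenPGP signature; the point is which bytes it covers.
RAW_MESSAGE = (
    b"From: sender@example.org\r\n"
    b"To: debian-security-announce@lists.debian.org\r\n"
    b"Subject: constructed example\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha1;\r\n"
    b"\tprotocol=\"application/pgp-signature\"; boundary=\"bnd\"\r\n"
    b"\r\n"
    b"--bnd\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Hello world.\r\n"
    b"--bnd\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"<placeholder: detached signature over the first part>\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--bnd--\r\n"
)


def split_signed(raw):
    """Return (signed_data, signature_armor, micalg) for a multipart/signed message.

    The signed data is the *entire* first MIME part, headers included, exactly as
    transmitted. Per RFC 2046 the CRLF immediately before a boundary delimiter
    belongs to the delimiter, so it is not part of the signed bytes.
    """
    msg = message_from_bytes(raw)  # used for header parsing only; body bytes stay raw
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    boundary = msg.get_param("boundary").encode()
    micalg = msg.get_param("micalg")
    _headers, _, body = raw.partition(b"\r\n\r\n")
    # Prepend a CRLF so the first delimiter matches the same pattern as the rest.
    chunks = (b"\r\n" + body).split(b"\r\n--" + boundary)
    # chunks[0] = preamble, chunks[1]/chunks[2] = the two parts (each starting
    # with the CRLF that ended the delimiter line), chunks[3] = "--" closing tail.
    if len(chunks) != 4:
        raise ValueError("expected exactly two parts in multipart/signed")
    signed_data = chunks[1][2:]
    signature_part = chunks[2][2:]
    _sig_headers, _, signature_armor = signature_part.partition(b"\r\n\r\n")
    return signed_data, signature_armor, micalg


def digest(data, micalg):
    """Hash with the algorithm named by micalg (e.g. 'pgp-sha1' -> sha1).

    Simplification: a real OpenPGP signature hashes the data followed by a
    signature trailer; comparing plain digests is enough to show two inputs differ.
    """
    algo = micalg.split("-", 1)[1]
    return hashlib.new(algo, data).hexdigest()


def compare_verification_inputs(raw):
    """Digest the bytes the signature covers versus the body a splitter keeps."""
    signed_data, _sig, micalg = split_signed(raw)
    # Dropping the part's headers (what splitting to a plain text file does)
    # leaves only the body; the digest no longer matches and gpg reports BAD.
    body_only = signed_data.partition(b"\r\n\r\n")[2]
    return {
        "signed_data": signed_data,
        "body_only": body_only,
        "signed_digest": digest(signed_data, micalg),
        "body_digest": digest(body_only, micalg),
    }


if __name__ == "__main__":
    r = compare_verification_inputs(RAW_MESSAGE)
    print("bytes the signature covers:\n" + r["signed_data"].decode())
    print("digest over full part :", r["signed_digest"])
    print("digest over body only :", r["body_digest"])
    print("match:", r["signed_digest"] == r["body_digest"])
```

The extraction works on the raw bytes rather than re-serialising through the email library on purpose: a verifier has to hash the part as it was transmitted, and re-folding headers or normalising line endings would change the digest just as surely as dropping the Content-Type header does.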
Regarding security advisories, we will skip this kind of signing,
although this has a different reason. Signing the file before
sending it will enable you to fetch the advisory from the web
and verify the signature.
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald E. Knuth
Please always Cc to me when replying to me on the lists.