Re: PGP and Mutt
-----BEGIN PGP SIGNED MESSAGE-----
On Sat, 9 Sep 2000 kmself@ix.netcom.com wrote:
> > Say I'm using one of the many mailers that doesn't support gpg
> > integration, so I need to save the message and key to disk and use gpg
> > manually to check the signatures. What parts of the message are
> > signed, though??? for example, in Karsten's email, there were 3
> > message sections: the text, the attached .muttrc, and the gpg sig.
>
> The signature applies to the entire contents, including attachments, of
> the message. So you have verification that I was the person who wrote
> and signed all parts of the mail. Makes more sense that way, no?

Of course. My problem is that with the old way of handling
signing/encrypting, the beginning and ending of the signed/encrypted text
is clearly marked for both the user and the gpg app. I suspect that the
reason I keep getting bad sigs is that gpg doesn't know what part of the
text to check. For example, I saved your message (the one to which I'm
replying now) to a file in my home dir: msg.pgp. I saved the key to
msg.key. I then ran gpg msg.key and was prompted for the external data
file. I told it where to find the file, it went through the verification
process, and informed me that it was a bad signature:

    gpg msg.key
    Detached signature.
    Please enter name of data file: msg.pgp
    gpg: Signature made Sun Sep 10 01:47:15 2000 EDT using DSA key ID 55F2B9B0
    gpg: BAD signature from "Karsten M. Self <kmself@ix.netcom.com>"

I've never had such a problem with the traditional inline signature. But
when sigs are sent as attachments the exact opposite is true: I've never
found a single mailer other than mutt that handles them. That really
seems to defeat the purpose.

> > So I save the message and key to my home dir, download the key, and
> > run gpg on the key. It asks me for the file name, which I provide.
> > To this it responds that the signature is invalid.
>
> Hmm... The entire message or just the text?

When verifying a sig using the manner described above, gpg doesn't even
offer the option of using multiple data files, so I've only been using the
main message text with no attachments...

> > I must say, the old style of handling pgp/gpg with the inline sigs and
> > stuff worked much better for me. What are the advantages of sending
> > the key as an attachment instead of inline?
>
> Well, as an example, a signed message with MIME components shows up as
> signed, and I'm told that the signature is valid and known, the sig is
> valid but unknown, or that the signature is invalid. Automajickally.

Sure, in mutt it's great. As I said, I've yet to see it work anywhere
else.

noah
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
-----END PGP SIGNATURE-----
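
An added example, not part of the original message: under PGP/MIME (RFC 2015) the detached signature covers the first body part of the multipart/signed container exactly as transmitted, including that part's own MIME headers and with CRLF line endings, so a saved copy of only the visible text is different data to gpg. The Python sketch below cuts those bytes out of a raw saved message; the function names, the file names msg.signed and msg.sig, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_bytes

# Constructed sample message (LF line endings, as a mailer might save it).
# The signature body is a placeholder, not a real signature.
SAMPLE = (
    b"From: sender@example.org\nSubject: test\nMIME-Version: 1.0\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha1;\n"
    b'  protocol="application/pgp-signature"; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"Hello,\nthis text is signed.\n"
    b"\n--b1\n"
    b"Content-Type: application/pgp-signature\n"
    b"\n"
    b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
    b"\n--b1--\n"
)


def split_signed(raw: bytes):
    """Return (signed_bytes, signature_bytes) from a multipart/signed message."""
    msg = message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or boundary is None:
        raise ValueError("not a multipart/signed message")
    # The signature is computed over CRLF line endings, so normalise first.
    raw = re.sub(rb"\r?\n", b"\r\n", raw)
    body = raw.split(b"\r\n\r\n", 1)[1]          # drop the outer headers
    # The CRLF in front of "--boundary" belongs to the delimiter, not the part.
    chunks = (b"\r\n" + body).split(b"\r\n--" + boundary.encode())
    if len(chunks) < 4:                          # preamble, part 1, part 2, close
        raise ValueError("expected two parts and a closing boundary")
    signed = chunks[1].split(b"\r\n", 1)[1]      # keeps the part's MIME headers
    sig_part = chunks[2].split(b"\r\n", 1)[1]
    signature = sig_part.split(b"\r\n\r\n", 1)[1]  # armored block only
    return signed, signature


def write_for_gpg(raw: bytes, stem: str = "msg"):
    """Write <stem>.signed and <stem>.sig for: gpg --verify msg.sig msg.signed"""
    signed, signature = split_signed(raw)
    for suffix, data in ((".signed", signed), (".sig", signature)):
        with open(stem + suffix, "wb") as fh:
            fh.write(data)
```

The bytes must come from the raw message as stored, before any mailer has decoded or re-wrapped it; a body saved from the display view will generally not match.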