
Re: PGP and Mutt



-----BEGIN PGP SIGNED MESSAGE-----

On Sat, 9 Sep 2000 kmself@ix.netcom.com wrote:

> > Say I'm using one of the many mailers that doesn't support gpg
> > integration, so I need to save the message and key to disk and use gpg
> > manually to check the signatures.  What parts of the message are
> > signed, though???  for example, in Karsten's email, there were 3
> > message sections: the text, the attached .muttrc, and the gpg sig.  
> 
> The signature applies to the entire contents, including attachments, of
> the message.  So you have verification that I was the person who wrote
> and signed all parts of the mail.  Makes more sense that way, no?

Of course.  My problem is that with the old way of handling
signing/encrypting, the beginning and ending of the signed/encrypted text
is clearly marked for both the user and the gpg app.  I suspect that the
reason I keep getting bad sigs is that gpg doesn't know what part of the
text to check.  For example, I saved your message (the one to which I'm
replying now) to a file in my home dir: msg.pgp.  I saved the key to
msg.key.  I then ran gpg msg.key and was prompted for the external data
file.  I told it where to find the file, it went through the verification
process, and informed me that it was a bad signature:

gpg msg.key
Detached signature.
Please enter name of data file: msg.pgp
gpg: Signature made Sun Sep 10 01:47:15 2000 EDT using DSA key ID 55F2B9B0
gpg: BAD signature from "Karsten M. Self <kmself@ix.netcom.com>"

I've never had such a problem with the traditional inline signature.  But
when sigs are sent as attachments the exact opposite is true: I've never
found a single mailer other than mutt that handles them.  That really
seems to defeat the purpose.

> > So I save the message and key to my home dir, download the key, and
> > run gpg on the key.  It asks me for the file name, which I provide.
> > To this it responds that the signature is invalid.
> 
> Hmm...  The entire message or just the text?

When verifying a sig using the manner described above, gpg doesn't even
offer the option of using multiple data files, so I've only been using the
main message text with no attachments...

> > I must say, the old style of handling pgp/gpg with the inline sigs and
> > stuff worked much better for me.  What are the advantages of sending
> > the key as an attachment instead of inline?
> 
> Well, as an example, a signed message with MIME components shows up as
> signed, and I'm told that the signature is valid and known, the sig is
> valid but unknown, or that the signature is invalid.  Automajickally. 

Sure, in mutt it's great.  As I said, I've yet to see it work anywhere
else.

noah

 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBObudsYdCcpBjGWoFAQEwtAQAh6A+6wSfI9B5pdIBIwPHL2T9thNCiPtX
lrkOkRixSWnXvnOe2Zw6PrGeHxGaaGCmqyUlDXd9czf4tO+DsomPhiHcxjkdRWlV
4d5znzLVrJeMgT3oaEPszbjxhuuVGasjV6tbR+Of7RL4bg4PQ7BTQJOC6qjk7Oxb
D8Xt+8QDt0o=
=rRNE
-----END PGP SIGNATURE-----
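
An added example, not part of the original message: under PGP/MIME (RFC 2015, later RFC 3156) the detached signature covers the first MIME body part exactly as transmitted, including that part's own MIME headers and with CRLF line endings, so text saved from a mailer usually does not match what was signed. The Python sketch below splits a raw multipart/signed message into the two files gpg needs; the function name, the output file names and the sample message are constructed for illustration.

```python
import re
import sys
from email import message_from_bytes

def split_pgp_mime(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed_bytes, armored_signature) from a raw multipart/signed message."""
    msg = message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or boundary is None:
        raise ValueError("not a multipart/signed message")
    # Canonicalise every line ending to CRLF, the form the signature was made over.
    data = re.sub(rb"\r?\n", b"\r\n", raw)
    # The CRLF before "--boundary" belongs to the delimiter, not to the part.
    delim = re.compile(rb"\r\n--" + re.escape(boundary.encode("ascii"))
                       + rb"(?:--)?[ \t]*(?=\r\n|\Z)")
    chunks = delim.split(data)  # [headers+preamble, part 1, part 2, epilogue]
    if len(chunks) != 4:
        raise ValueError("expected exactly two body parts")
    signed = chunks[1][2:]  # drop the CRLF that ends the boundary line
    signature = message_from_bytes(chunks[2][2:]).get_payload(decode=True)
    return signed, signature

# Constructed sample with LF line endings, as a mailer might save it to disk.
SAMPLE = (b"From: sender@example.org\n"
          b"Content-Type: multipart/signed; micalg=pgp-sha1;\n"
          b"  protocol=\"application/pgp-signature\"; boundary=\"b1\"\n"
          b"\n"
          b"--b1\n"
          b"Content-Type: text/plain; charset=us-ascii\n"
          b"\n"
          b"Hello\n"
          b"\n--b1\n"
          b"Content-Type: application/pgp-signature\n"
          b"\n"
          b"-----BEGIN PGP SIGNATURE-----\n"
          b"(constructed placeholder, not a real signature)\n"
          b"-----END PGP SIGNATURE-----\n"
          b"\n--b1--\n")

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    signed, signature = split_pgp_mime(raw)
    for name, blob in (("msg.signed", signed), ("msg.sig", signature)):
        with open(name, "wb") as fh:
            fh.write(blob)
    print("now run: gpg --verify msg.sig msg.signed")
```

The input must be the complete raw message with all headers (for example one message taken from an mbox or Maildir file), not the body text as displayed by the mailer.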


