[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [OT] Manually verifying PGP/MIME signature with GPG

On Wed, 11 Apr 2012 14:52:52 +0000, Camaleón wrote:

> On Tue, 10 Apr 2012 14:43:51 +0000, Camaleón wrote:
> 
> (...)
> 
>> Anyway, I get the posts through a nntp news server (Gmane), I don't
>> know - because I've not tried- if the header information provided would
>> be enough to be able to verify the signature manually.
> 
> Mmm, I tried this yesterday and it seems to be working fine from
> Thunderbird + Enigmail with no additional tweaks: signatures (both
> "inline" and "detached") are verified correctly.
> 
> If Enigmail can parse and verify the signed posts I see no reason for
> gpg cannot do the same.

(Disclaimer: newbies and soft-minded readers, please, stop reading here. 
The following content can damage your mind. You've been advised)



As I thought, verifying PGP/MIME detached signatures can be also done from 
command line with GPG. I have tried with some posts from this same mailing 
list coming from users that use detached signatures and in every case it 
worked fine:



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test.pgp test.eml
gpg: Signature made Tue Apr 10 08:41:59 2012 CEST using RSA key ID 82A46728
gpg: Good signature from "Mika Suomalainen"
gpg:                 aka "Mika Suomalainen <s.mika95@gmail.com>"
gpg:                 aka "Mika Suomalainen <mika.henrik.mainio@hotmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test2.pgp test2.eml
gpg: Signature made Tue Apr 10 11:00:44 2012 CEST using RSA key ID 06AAAAAA
gpg: Good signature from "Jon Dowland <jmtd@debian.org>"
gpg:                 aka "Jon Dowland <jon@alcopop.org>"
gpg:                 aka "Jon Dowland <jon.dowland@ncl.ac.uk>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E037 CB2A 1A00 61B9 4336  3C8B 0907 4096 06AA AAAA



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test3.pgp test3.eml
gpg: Signature made Mon Apr  9 21:46:11 2012 CEST using DSA key ID C13650B6
gpg: Good signature from "Bob Proulx <bob@proulx.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5B98 916C E867 EC0F D45C  F608 D294 5C3B C136 50B6



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test4.pgp test4.eml
gpg: Signature made Thu Apr 12 11:43:58 2012 CEST using RSA key ID DEA22DE9
gpg: Good signature from "Andrei Popescu <andreimpopescu@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4ACD 960A 2844 2952 EE06  466F 7356 B378 DEA2 2DE9


The recipe is very easy and the only needed ingredients are:

- Browsing to the mailing list archive
- Telnet to "news.gmane.org" server to get the message
- Use "gpg --verify"

And that's all. 

If anyone is interested in the detailed steps, just ask.

Greetings,

-- 
Camaleón
Reply to: