[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [OT] Manually verifying PGP/MIME signature with GPG

On Sun, 22 Apr 2012, Andrei POPESCU wrote:
> On Du, 15 apr 12, 16:28:28, Camaleón wrote:
> > As I thought, verifying PGP/MIME detached signatures can be also done from 
> > command line with GPG. I have tried with some posts from this same mailing 
> > list coming from users that use detached signatures and in every case it 
> > worked fine:
> ... 
> > The recipe is very easy and the only needed ingredients are:
> > 
> > - Browsing to the mailing list archive
> > - Telnet to "news.gmane.org" server to get the message
> > - Use "gpg --verify"
> > 
> > And that's all. 
> > 
> > If anyone is interested in the detailed steps, just ask.
> 
> Can you reproduce this with local copies from a mail agent (ideally 
> mutt)? My quick experiments failed. Just curious, nothing critical.

mutt will remove the signature on "decode-copy" (mutt lingo for
"export"), as it should.

If you save the message to mbox format, gpg 1.4.10 in Lenny will not be
able to verify it (maybe a newer version will).  gpg2 in Lenny (2.0.14)
does verify the signature, but it won't work with gpg2 --verify.

You have to:

1. save to mbox format in mutt (e.g. to /tmp/1.mbox)

2. run gpg2 /tmp/1.mbox.  When it asks for the file with the detached
signature, you give it /tmp/1.mbox again.

There is probably a better way to do this.

That said, mutt handles PGP/MIME properly, it annotates which portions
of the message have been signed, which portions have NOT been signed,
and the full gpg output, plus mutt's idea of what that gpg output means
(good sig, bad sig, unverified sig, etc) for each portion.

Well at least when you have only one section that is protected by a
PGP/MIME signature, and several sections which are not.  I didn't check
the RFC, nor tried to have a message with several sections, each one
signed independently.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Reply to: