HowTo Verify : PGP Mime Signature over Text AND Attachment
(RFC2015)
Jeffrey Stedfast
fejj at ximian.com
Mon Feb 9 11:31:07 CET 2004
A multipart is considered 1 part. So when you sign a part with text +
attachments (aka a multipart), you treat the encapsulating multipart as
the single part to sign.
so, if you have the structure:
multipart/mixed
text/plain
image/jpeg
and then go and sign it using rfc3156 (which obsoletes rfc2015), you end
up with:
multipart/signed
multipart/mixed
text/plain
image/jpeg
application/pgp-signature
Hope that clears things up for you.
Jeff
On Mon, 2004-02-09 at 10:35, Harakiri wrote:
> Hello *,
>
> the RFC 2015 does not clearly state what has to be
> done
> for messages with includes text AND an attachment for
> signing.
>
> For mime signing a text only, it is clear i have to
> sign the content types and the data (text) itself.
>
> However, what should i do if i want to mime sign text
> + attachment ? Or verify that ?
>
> Enigmail is able to sign/verify mime with attachments,
> but i dont quiet understand what they are
> signing/verifying.
>
>
> Example :
>
> --------------enigD9298D14592C3F164E9C405E
> Content-Type: multipart/mixed;
> boundary="------------000403090109010305080707"
>
> This is a multi-part message in MIME format.
> --------------000403090109010305080707
> Content-Type: text/plain; charset=us-ascii;
> format=flowed
> Content-Transfer-Encoding: 7bit
>
> test
>
> --------------000403090109010305080707
> Content-Type: text/plain;
> name="test.txt"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline;
> filename="act.txt"
>
> data in txt file
> --------------000403090109010305080707--
>
> --------------enigD9298D14592C3F164E9C405E
> Content-Type: application/pgp-signature;
> name="signature.asc"
> Content-Description: OpenPGP digital signature
> Content-Disposition: attachment;
> filename="signature.asc"
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.0 (MingW32)
> Comment: Using GnuPG with Mozilla -
> http://enigmail.mozdev.org
>
> [...mysig]
> -----END PGP SIGNATURE-----
>
>
>
> Now, as you can see both (the text and the attachment)
> is included within the mime part - rfc states that
> mime signatures must have exactly 2 parts - the data
> and the signature. This time the data is over 2 parts.
>
> I tried verifying this data manually with gpg - with
> no luck, i thought the data to be verified looked like
> this :
> -------------------------------------------
> Content-Type: text/plain; charset=us-ascii;
> format=flowed
> Content-Transfer-Encoding: 7bit
>
> test
>
> Content-Type: text/plain;
> name="test.txt"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline;
> filename="act.txt"
>
> data in txt file
> -------------------------------------------
>
> But i always got bad signature, even if this would
> work for txt attachments, what should i do for binary
> attachments ? First convert from base64(or anything
> else) to binary and than verify ?
>
> Any ideas ? I understand the structure of mime
> signatures, but only for messages with no attachments.
>
> Thanks
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance: Get your refund fast by filing online.
> http://taxes.yahoo.com/filing.html
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
--
Jeffrey Stedfast
Evolution Hacker - Ximian, Inc.
fejj at ximian.com - www.ximian.com
More information about the Gnupg-devel
mailing list