HowTo Verify : PGP Mime Signature over Text AND Attachment (RFC2015)

Harakiri harakiri_23 at
Mon Feb 9 09:18:02 CET 2004

Thanks for the fast reply, well thats like i thought
but i must be missing something - what is actually
signed within this multipart ?

I thought it was :

Part 1 Content-Types
Part 1 Data
Part 2 Content-Types
Part 2 Data

or do i miss something here ? I dont think the
boundarys are signed to, or are they?

Because i tried to verified such a message as i said
with gpg, i pasted the 1 Part and the 2 Part together
and tried gpg --verify sig.txt data.txt, but i always
had a bad signature.


--- Jeffrey Stedfast <fejj at> wrote:
> A multipart is considered 1 part. So when you sign a
> part with text +
> attachments (aka a multipart), you treat the
> encapsulating multipart as
> the single part to sign.
> so, if you have the structure:
> multipart/mixed
>    text/plain
>    image/jpeg
> and then go and sign it using rfc3156 (which
> obsoletes rfc2015), you end
> up with:
> multipart/signed
>    multipart/mixed
>       text/plain
>       image/jpeg
>    application/pgp-signature
> Hope that clears things up for you.
> Jeff

Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.

More information about the Gnupg-devel mailing list