HowTo Verify : PGP Mime Signature over Text AND Attachment (RFC2015)

Jeffrey Stedfast fejj at ximian.com
Mon Feb 9 12:58:55 CET 2004


You need to pass the entire multipart to gpg... so, if you have:

Content-Type: multipart/signed; micalg="pgp-sha1";
	protocol="application/pgp-signature"; boundary="signedXYZ"

--signedXYZ
Content-Type: multipart/mixed; boundary="mixedXYZ"

--mixedXYZ
Content-Type: text/plain

hello world

--mixedXYZ
Content-Type: image/jpeg

<base64>
--mixedXYZ--
--signedXYZ
Content-Type: application/pgp-signature

<sig content>
--signedXYZ--

If you had the above multipart/signed, you'd send the red part to gpg as
the signed content (sorry about the HTML mail, but this was the easiest
way to illustrate).

Jeff

On Mon, 2004-02-09 at 09:18 -0800, Harakiri wrote:

> Thanks for the fast reply, well that's like I thought
> but I must be missing something - what is actually
> signed within this multipart?
> 
> I thought it was :
> 
> Part 1 Content-Types
> Part 1 Data
> Part 2 Content-Types
> Part 2 Data
> 
> or do I miss something here? I don't think the
> boundaries are signed too, or are they?
> 
> Because I tried to verify such a message as I said
> with gpg, I pasted the 1 Part and the 2 Part together
> and tried gpg --verify sig.txt data.txt, but I always
> had a bad signature.
> 
> Regards
> 
> 
> --- Jeffrey Stedfast <fejj at ximian.com> wrote:
> > A multipart is considered 1 part. So when you sign a
> > part with text +
> > attachments (aka a multipart), you treat the
> > encapsulating multipart as
> > the single part to sign.
> > 
> > so, if you have the structure:
> > 
> > multipart/mixed
> >    text/plain
> >    image/jpeg
> > 
> > and then go and sign it using rfc3156 (which
> > obsoletes rfc2015), you end
> > up with:
> > 
> > multipart/signed
> >    multipart/mixed
> >       text/plain
> >       image/jpeg
> >    application/pgp-signature
> > 
> > Hope that clears things up for you.
> > 
> > Jeff
> 
> 


-- 
Jeffrey Stedfast
Evolution Hacker - Ximian, Inc.
fejj at ximian.com  - www.ximian.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: /pipermail/attachments/20040209/af256f07/attachment.htm
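
Added example (not part of the original thread, and not code from Evolution or GnuPG): one way to cut the signed content out of a raw multipart/signed message byte-for-byte, so that the inner part's headers and inner boundaries stay in the data handed to gpg. It assumes the two-part layout shown in the post, canonicalises line endings to CRLF as RFC 3156 requires, and treats the CRLF in front of each boundary line as part of the delimiter (RFC 2046); the function name split_signed and the output file names are made up for this illustration.

```python
import re

# Constructed sample with the structure from the post (bare-LF line endings).
SAMPLE = b"""Content-Type: multipart/signed; micalg="pgp-sha1";
 protocol="application/pgp-signature"; boundary="signedXYZ"

--signedXYZ
Content-Type: multipart/mixed; boundary="mixedXYZ"

--mixedXYZ
Content-Type: text/plain

hello world

--mixedXYZ
Content-Type: image/jpeg

<base64>
--mixedXYZ--
--signedXYZ
Content-Type: application/pgp-signature

<sig content>
--signedXYZ--
"""

def split_signed(raw: bytes):
    """Return (signed_bytes, signature_bytes) cut from a raw multipart/signed message."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)            # canonical CRLF line endings
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)        # unfold continuation lines
    ct = re.search(rb"(?im)^content-type:[ \t]*multipart/signed\b[^\r\n]*", head)
    m = ct and re.search(rb'(?i)\bboundary="?([^";\r\n]+)', ct.group(0))
    if not m:
        raise ValueError("not a multipart/signed message with a boundary")
    # The CRLF in front of a delimiter line belongs to the delimiter, not the part.
    delim = rb"\r\n--" + re.escape(m.group(1)) + rb"(?:--)?[ \t]*(?=\r\n|$)"
    pieces = re.split(delim, b"\r\n" + body)
    if len(pieces) != 4:                             # preamble, 2 parts, epilogue
        raise ValueError("expected exactly two body parts")
    signed = pieces[1][2:]                           # drop CRLF ending the delimiter line
    sig = pieces[2][2:].partition(b"\r\n\r\n")[2]    # signature part minus its headers
    return signed, sig

if __name__ == "__main__":
    signed, sig = split_signed(SAMPLE)
    open("signed.bin", "wb").write(signed)
    open("sig.asc", "wb").write(sig)
```

With a real message in place of the constructed sample, the two files can be checked with gpg --verify sig.asc signed.bin. Re-serialising the parts through a MIME library instead of slicing the raw bytes can change header folding or whitespace and produce a bad signature.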

