Sign a mail

Werner Koch wk at
Tue Jul 21 09:39:08 CEST 2009

On Mon, 20 Jul 2009 21:42, arothe at said:

> inner boundaries). RFC 3156 says, I have to include the inner
> boundaries into the signed content, but should I include also the last

Here is a slighly modified example:
    +-- First column
    Mime-Version: 1.0<CRLF>
    Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5;<CRLF>
  & Content-Type: text/plain; charset=iso-8859-1<CRLF>
  & Content-Transfer-Encoding: quoted-printable<CRLF>
  & <CRLF>
  & =A1Hola!<CRLF>
  & <CRLF>
  & Did you know that talking to yourself is a sign of senility?<CRLF>
  & <CRLF>
  & It's generally a good idea to encode lines that begin with<CRLF>
  & From=20because some mail transport agents will insert a greater-<CRLF>
  & than (>) sign, thus invalidating the signature.<CRLF>
  & <CRLF>
  & Also, in some cases it might be desirable to encode any   =20<CRLF>
  & trailing whitespace that occurs on lines in order to ensure  =20<CRLF>
  & that the message signature is not invalidated when passing =20<CRLF>
  & a gateway that modifies such whitespace (like BITNET). =20<CRLF>
  & <CRLF>
  & me<CRLF>
    Content-Type: application/pgp-signature<CRLF>

<CRLF> surprisingly denotes the RFC822 required CR, LF. 
[...] Is stuff I don't show.
& denotes the signed text.

You create the signature over all the lines marked with &.  As you can
see the <CRLF> line after the last &-marked line is not part of the
signed text; it is part of the boundary in the following line.

Now this is a plain single item message.  If you want to sign another
multipart MIME message, you do it straightforward: Replace the
Content-Type line after the first "<CRLF>--bar" boundary with the new
content-type, for example:  

    Content-Type: multipart/mixed; boundary=foo;<CRLF>

and include this line in the signature, the last line of this mime
container will be

which is also included in the signed data.  After that you will continue

    Content-Type: application/pgp-signature<CRLF>

which is not anymore part of the signed text.

> CR+LF? Is it necessary to encode the parts of the signed content with
> quoted-printable? I use

That depends on the content.  RFC-3156 gives very specific rules on how
to do that.  Make sure the signed data is 7-bit.

> as the signature creation command, but I'm not sure with the -t.

The -t is fine, but not required if you follow the rules:

      Note: Implementations can either generate "signatures of a
      canonical text document" or "signatures of a binary document", as
      defined in [1].  The restrictions on the signed material put forth
      in section 3 and in this section will make sure that the various
      MIC algorithm variants specified in [1] and [5] will all produce
      the same result.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-devel mailing list