(1) BAD signature and (2) auto SHA1

Charly Avital shavital@netbox.com
Sat Aug 2 16:56:02 2003

At 4:21 AM -0500 8/2/03, DIG wrote:
>Hi, GnuPG people!
>I can easily verify the signature for almost all messages that I
>receive (I use mutt + gnupg 1.2.1). But there are a few
>messages that I can not verify automatically. So, I would
>like to ask you two questions.
>1. First group of messages returns "BAD signature". What is the best
>way to find out whose fault it is (as in the famous Russian question)?
>Is it my fault, or is it the fault of my correspondent?

"Bad signature" means that the hash value of the message that was sent
to you, and that was used by the sender to create the digital signature
which he encrypted using his secret key, does not verify when the
recipient (you in this case) uses the sender's public key to check that
hash value. It means that the message you have received has been altered.

Whose fault is it? It depends on what caused the check of the hash
value to fail, and there may be many causes:
- a word wrap problem. PGP, for instance, wraps messages at a certain
wrap value, meaning a number of columns. If both the e-mail client and
PGP use the same value (the same number of columns), the message's
format will be altered. Likewise, if the e-mail client is set to wrap at
a lesser value than PGP's, carriage returns will be added, and the
message will be considered altered.
So this is the sender's "fault".
- text that contains "special characters", like accented letters, etc.
("high ASCII") may cause the signature verification to fail, unless the
recipient's e-mail client's character set is utf-8. So, this could be
the recipient's "fault". But it could also be the sender's "fault", if
his email client's character set is not utf-8. This issue can be very
confusing.
- there can be other reasons; you should check the documentation,
especially considering that I'm not an expert, far from it. What I know
about GPG and PGP is totally empirical.

The issue of whether you, the recipient, have signed or not signed the
sender's public key in your public keyring does not affect the
signature being found BAD or GOOD. It affects the value of trust that
you, as owner of the keyring, have assigned to that public key. A
signature can verify GOOD while the key's trust value is "not valid" or
"of unknown validity", if the recipient-owner of the keyring has not
assigned a trust value to that key by first signing it with his own
secret key, and then defining how far he considers the sender of the
signed message (the owner of the secret-and-public keys) to be a
trusted user.

See the "Web of Trust"

>2. Second group of messages contains messages like this:
>    Hash: SHA1
>    Beginning of the message...
>    End of message.
>    -----BEGIN PGP SIGNATURE-----
>    Version: GnuPG v1.2.1 (GNU/Linux)
>    Comment: some comment
>    iD8DBQE/IB9XVbJM14DSCi0RAlD6AKDlGy5pR0CkGW+7urdQ8RdLfVDNPACfQ7jf
>    6YC96a+V6MbxlwJpThv1m3w=
>    =HEsh
>    -----END PGP SIGNATURE-----
>So, my question is: how can I verify the messages like this one
>automatically? Are there some rules or something that I can put into
>my ~/.procmailrc or my ~/.muttrc?

The above example is a typical on-line clear-signed message. It
displays, in the same text, the PGP headers and footers, the kind of
hash that was used, the version of the encrypting system that was used,
the comment, and the ASCII representation of the signature itself.

Automatic verifying, or any other automatic function is generally a 
feature of the email client (the MUA) in conjunction with the 
encryption system "plug-in". I have no idea how Mutt works, I can't 
answer that question.

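As an added example, not part of Charly Avital's reply and not GnuPG's own tooling: a POSIX shell script that does the two things the thread asks about. `verify_file` runs gpg on a clear-signed message and reduces its machine-readable `--status-fd` stream to a one-word verdict (GOOD, BAD, NOKEY, ERROR, NOSIG), which is the piece a ~/.procmailrc filter or a mutt hook would call. `demo` then reproduces the word-wrap cause of "BAD signature" with a throwaway key in a temporary GNUPGHOME: the same clear-signed text verifies GOOD as written, BAD after a 72-column re-wrap, and NOKEY from a keyring that lacks the sender's public key. The function names, the sample message and the "Demo Sender" key are all constructed for this example; it assumes gpg 2.1 or later is installed (gpg 2 writes `Hash: SHA256` rather than the `Hash: SHA1` in DIG's example).

```sh
#!/bin/sh
# Added example (not from the original post): classify GnuPG's signature
# verification result and show why a re-wrapped clear-signed message is BAD.

# Reduce a [GNUPG:] status stream (gpg --status-fd) to one word. The keywords
# are GnuPG's own (documented in doc/DETAILS); a GOODSIG line is emitted only
# when the hash recomputed over the received text matches the signature.
classify_status() {
    case "$1" in
        *"[GNUPG:] GOODSIG "*)   echo GOOD ;;
        *"[GNUPG:] BADSIG "*)    echo BAD ;;    # text altered after signing
        *"[GNUPG:] NO_PUBKEY "*) echo NOKEY ;;  # signer's key not in our keyring
        *"[GNUPG:] ERRSIG "*)    echo ERROR ;;  # signature present, could not check
        *)                       echo NOSIG ;;  # no OpenPGP signature found
    esac
}

# Verify the clear-signed message held in file $1 and print the verdict.
# gpg exits non-zero for BAD/NOKEY, so the "|| true" keeps "set -e" scripts alive.
verify_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null || true)
    classify_status "$status"
}

# Reproduce the thread's failure modes with a constructed key and message.
demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, demo skipped"; return 0; }
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp/home"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" "$tmp/empty"
    # Throwaway, unprotected signing key standing in for the sender (assumption:
    # gpg 2.1+, which needs --pinentry-mode loopback for --passphrase in batch mode).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Sender <demo@example.com>' default default never 2>/dev/null
    # Constructed body with one line longer than 72 columns, the kind a mail
    # client re-wraps on its way through.
    printf '%s\n%s\n' \
        'Beginning of the message, with a line long enough that a mail client set to wrap at 72 columns will break it.' \
        'End of message.' > "$tmp/msg.txt"
    gpg --batch --pinentry-mode loopback --passphrase '' --clearsign \
        --output "$tmp/msg.asc" "$tmp/msg.txt"
    echo "original:   $(verify_file "$tmp/msg.asc")"
    # Word-wrap the whole signed message at 72 columns. The armor lines are
    # shorter than that and survive intact, but the body gains a line break, so
    # the hash gpg recomputes no longer matches: BADSIG. Trailing whitespace
    # alone would not do this, because clearsign verification ignores it.
    fold -s -w 72 "$tmp/msg.asc" > "$tmp/wrapped.asc"
    echo "re-wrapped: $(verify_file "$tmp/wrapped.asc")"
    # The unaltered message checked from a keyring that does not hold the
    # sender's public key: not BAD, just unverifiable (NO_PUBKEY).
    ( GNUPGHOME="$tmp/empty"; export GNUPGHOME
      echo "no pubkey:  $(verify_file "$tmp/msg.asc")" )
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
}

# Run the walkthrough only when asked: sh verify_clearsign.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

From procmail or mutt, save the incoming message to a temporary file and call `verify_file` on it; the verdict separates "the text was altered in transit" (BAD) from "I simply do not have the sender's key" (NOKEY), which is the distinction the first question is asking for. Key validity and the web of trust are reported in separate status lines (TRUST_UNDEFINED, TRUST_FULLY, and so on) and do not change a GOODSIG into a BADSIG, as the reply above notes.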