Can you help me understand Signature?

Rafi Avital <ravital@netbox.com>
Fri Jul 25 02:05:01 2003


Hello all,

I have implemented an open-source DLL into a Windows app that communicates with
GnuPG (gpg.exe) and one of the requirements was to verify signatures before
decrypting a file. Reading the source I found out the authors handled this in
the following way:

Capture the output of gpg --list-packets filename.gpg
Find the signature block in it
Capture the output of gpg --list-keys --with-colons
Find the string from the previous step in this output
If found go ahead with decryption, if not, log an error.

Bear in mind that the file is a single unit, it doesn't have a "Begin
signature" line or anything of the sort, just a GPG-encrypted AND signed file.

When I issue a gpg --verify, passing the encrypted file, I get an error -
"Unexpected data."  I have read the manual and I realize it requires a signature
file.  Forgive my ignorance, I have no idea what that is.

Is this a file containing signatures that I would have cut and pasted from other
files?  from detached signatures?

I'm sorry but the gpg.man is not very clear on this, nor is the howto file.

Could you please explain to me the various kinds of signatures, and how
signature verification is supposed to work?  What is a detached signature, what
is clear-signing etc?

Using GPG Shell, when I verify, it does tell me "Good signature from ..."  and
that's the result I'm looking for.  Is the procedure I outlined above (listing
the packets) the only reliable way to verify a signature on an encrypted+signed
file?

I am evaluating a new MUA (The Bat!) which produces exactly the same result as
--verify when I ask it to verify a signature before decrypting.  I am told by
their mailing list that this works fine for them, but I realize I need more info
on exactly what everybody means when they say "verify signature."

Many thanks and best regards
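An added example, not part of the original message or of the DLL it describes. It parses constructed samples of the two gpg outputs the post lists (`gpg --list-packets` and `gpg --list-keys --with-colons`) and applies the key-ID lookup the DLL performs; beside it, it reduces gpg's own `--status-fd` lines, which `gpg --decrypt` emits while decrypting an encrypted+signed file, to a single verdict. All key IDs, fingerprints, user IDs and timestamps below are placeholders, and the sample outputs are constructed, not captured from a real run.

```python
"""Added example: compare the key-ID lookup described in the post with
gpg's own signature status output. Sample data is constructed."""
import re

# Constructed sample of `gpg --list-packets file.gpg` output (gpg lists the
# inner packets once it has decrypted the session key). Placeholder key IDs.
LIST_PACKETS_OUTPUT = """\
:pubkey enc packet: version 3, algo 16, keyid FEDCBA0987654321
	data: [1023 bits]
	data: [1024 bits]
:encrypted data packet:
	length: unknown
:compressed packet: algo=1
:onepass_sig packet: keyid 1234567890ABCDEF
	version 3, sigclass 00, digalgo 2, pubkalgo 17, last=1
:literal data packet:
	mode b, created 1059094800, name="report.txt",
	raw data: 42 bytes
:signature packet: algo 17, keyid 1234567890ABCDEF
	version 4, created 1059094800, md5len 0, sigclass 00
	digest algo 2, begin of digest ab cd
	hashed subpkt 2 len 4 (sig created 2003-07-25)
	subpkt 16 len 8 (issuer key ID 1234567890ABCDEF)
	data: [160 bits]
	data: [160 bits]
"""

# Constructed sample of `gpg --list-keys --with-colons`; field 5 is the key ID.
LIST_KEYS_COLONS = """\
tru::0:1059094800:0:3:1:5
pub:u:1024:17:1234567890ABCDEF:2003-07-25::::Alice Example <alice@example.invalid>::scESC:
sub:u:1024:16:FEDCBA0987654321:2003-07-25::::::e:
pub:-:1024:17:AAAAAAAAAAAAAAAA:2003-07-25::::Bob Example <bob@example.invalid>::scESC:
"""

# Constructed sample of the status channel of `gpg --status-fd 1 --decrypt`.
STATUS_LINES = """\
[GNUPG:] ENC_TO FEDCBA0987654321 16 0
[GNUPG:] GOOD_PASSPHRASE
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] GOODSIG 1234567890ABCDEF Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF12345678 2003-07-25 1059094800
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] END_DECRYPTION
"""

SIG_PACKET_RE = re.compile(r"^:signature packet: .*\bkeyid ([0-9A-Fa-f]{16})", re.M)


def signature_keyids(list_packets_text):
    """Key IDs named on ':signature packet:' lines of --list-packets output."""
    return [k.upper() for k in SIG_PACKET_RE.findall(list_packets_text)]


def keyring_keyids(colons_text):
    """Key IDs of primary keys ('pub' records) in --with-colons output."""
    ids = set()
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            ids.add(fields[4].upper())
    return ids


def signer_is_in_keyring(list_packets_text, colons_text):
    """The check the post describes: every signing key ID is in the keyring.

    This only proves the key is present locally; --list-packets does not
    check the signature over the data, so it cannot detect a bad signature.
    """
    signers = signature_keyids(list_packets_text)
    known = keyring_keyids(colons_text)
    return bool(signers) and all(k in known for k in signers)


def signature_status(status_text):
    """Reduce gpg --status-fd lines to one verdict.

    GOODSIG means the signature verified against the key; BADSIG means it
    did not; ERRSIG / NO_PUBKEY mean it could not be checked at all.
    """
    verdict = "no-signature"
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        keyword = line.split()[1]
        if keyword == "BADSIG":
            return "bad"
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            verdict = "unverifiable"
        elif keyword == "GOODSIG" and verdict == "no-signature":
            verdict = "good"
    return verdict


if __name__ == "__main__":
    print("signer key in keyring:", signer_is_in_keyring(LIST_PACKETS_OUTPUT, LIST_KEYS_COLONS))
    print("gpg verdict:", signature_status(STATUS_LINES))
```

The two checks answer different questions. The packet-listing route only tells you that a key with the signer's ID exists in the local keyring; it never verifies the signature over the file contents. The "Good signature from ..." message that GPG Shell shows is gpg's own verification of the signature embedded in the encrypted data, performed as part of decryption, and the `[GNUPG:] GOODSIG` / `BADSIG` status lines are the machine-readable form of that message, which is what a program driving gpg.exe should act on.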