(1) BAD signature and (2) auto SHA1

DIG Dmitri I GOULIAEV <dmitri.gouliaev@telkel.net>
Thu Sep 11 00:59:06 2003


Hi, Kyle Hasselbacher !

 On Mon, Aug 04, 2003 at 10:50:50AM -0500, Kyle Hasselbacher wrote:

> On Sat, Aug 02, 2003 at 04:21:03AM -0500, DIG wrote:
>
> >1. First group of messages returns "BAD signature". What is the best way
> >to find out whose fault it is (as in famous Russian question)? It is my
> >fault, or it is the fault of my correspondent?
>
> Someone else already answered this better than I.  Basically it means the
> message was altered since it was signed.  It may have been altered by
> software not sensitive to signatures, or it's a dreaded attacker trying to
> falsify a message.

That was exactly the case -- the signed part of the message was altered. And the "attacker" was my e-mail provider.

> >2. Second group of messages contains messages like this:
> >
> >    -----BEGIN PGP SIGNED MESSAGE-----
> >    Hash: SHA1
>
> In Mutt, the easiest way might be to pipe the message to gpg and witness
> the output.  Type this:
>
> |gpg --verify
>
> It'll tell you if the signature is good.  In newer versions of Mutt, you
> can do "escape P", and it will check the message for in-line PGP like the
> above and treat it accordingly.
>
> Neither of those is automatic, though.

Thanks for the tip, Kyle.

Now I use a semiautomatic solution. I just added the next two lines:

    macro index \Cv "|gpg --verify\n" 'verify in-line PGP signature'
    macro pager \Cv "|gpg --verify\n" 'verify in-line PGP signature'

... to my muttrc file. And to verify somebody's in-line signature, I just press [Ctrl-V].


[To ALL]

So, I already solved most of my problems with ``BAD signatures'' on this list.

But I still have difficulties with some of them. Is there some list or something, where I could ask if my signature is correct (to be sure that it will work for others)? Is it appropriate in this list to ask others if my signature is correct or not? And IF this list is an appropriate place for asking such a question, can I ask you what software you are using (in both cases)?


P.S. I know, I know. It was more than a month ago -- I try to catch up!


Best regards,

-- 
DIG (Dmitri I GOULIAEV)
1024D/63A6C649: 26A0 E4D5 AB3F C2D4 0112  66CD 4343 C0AF 63A6 C649



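Added illustration, not part of the original message and not code from GnuPG or Mutt: for the "whose fault is it" question, this Python script compares the sender's copy of a clearsigned message with the received copy after applying the cleartext-signature canonicalization of RFC 4880 (line endings and trailing whitespace are not signed, dash-escaping is undone). The sample message, the `>From` alteration and all function names are constructed for this example.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_lines(clearsigned):
    """Canonical lines covered by a cleartext signature (RFC 4880, section 7)."""
    lines = [l.rstrip("\r") for l in clearsigned.split("\n")]
    i = lines.index(BEGIN_MSG) + 1
    while lines[i].strip():             # skip armor headers such as "Hash: SHA1"
        i += 1
    end = lines.index(BEGIN_SIG, i)
    out = []
    for line in lines[i + 1:end]:
        if line.startswith("- "):       # undo dash-escaping
            line = line[2:]
        out.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    return out

def text_digest(clearsigned):
    """SHA-1 of the canonical text only. The real signature hash also covers
    fields of the signature packet, so use this only to compare two copies."""
    return hashlib.sha1("\r\n".join(signed_lines(clearsigned)).encode()).hexdigest()

def compare(sent, received):
    """Return (verdict, first differing canonical line number or None)."""
    if sent == received:
        return ("identical", None)
    a, b = signed_lines(sent), signed_lines(received)
    if a == b:
        return ("signature-neutral change", None)
    for n, (x, y) in enumerate(zip(a, b), 1):
        if x != y:
            return ("signed text altered", n)
    return ("signed text altered", min(len(a), len(b)) + 1)

# Constructed sample; the signature body is a placeholder, not a real signature.
SENT = "\n".join([
    BEGIN_MSG, "Hash: SHA1", "",
    "Hello list,", "From now on I sign my mail.", "- -- ", "DIG",
    BEGIN_SIG, "", "(placeholder)", "-----END PGP SIGNATURE-----", ""])
# Transport changes that do not touch the signed text: CRLF, trailing space.
CRLF_COPY = SENT.replace("\n", "\r\n").replace("Hello list,", "Hello list, ")
# mbox-style "From " escaping inside the signed part: breaks the signature.
MANGLED = SENT.replace("\nFrom now", "\n>From now")

if __name__ == "__main__":
    for name, copy in [("crlf", CRLF_COPY), ("mangled", MANGLED)]:
        print(name, compare(SENT, copy), text_digest(copy))
```

If the sender's saved copy and the received copy give the same canonical digest but `gpg --verify` still reports BAD, the alteration is not in the signed text and the sender's signing setup is the next thing to check.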