verifying signature after decryption

David Shaw dshaw at jabberwocky.com
Mon Apr 26 17:34:05 CEST 2004


On Sun, Apr 25, 2004 at 04:24:17AM -0400, Atom 'Smasher' wrote:
> calling on our good friends alice and bob....
> 
> alice sends me (and only me) a message that's signed+encrypted. i need to
> show bob that this message is signed by alice.
> 
> i can think of two ways to do this:
>  1) i give bob a copy of the encrypted message, my secret key and my
>     password, so he can decrypt the message and see that it's signed
>     by alice. of course, this would be dumb.
>  2) i can give bob a copy of the encrypted message, and the session key. i
>     can instruct bob how to use the "--override-session-key" option.
>     this requires that bob can understand and follow instructions.
> 
> question: is there a way to extract the signed message, including the
> signature, from an encrypted message?
> 
> in other words, can i take alice's signed+encrypted message, and pass it
> to bob either in plaintext or encrypted to bob's key, while still
> maintaining alice's signature over her message?
> 
> of course, it must be ~possible~ to do this, but is there any ~practical~
> way to do this?

There is nothing in the OpenPGP protocol that prevents this.  In fact,
it's quite easy to do.  However, the code in GnuPG doesn't currently
allow it (it's not a generally useful feature).

David
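Added example, not code from this thread or from GnuPG: what "nothing in the protocol prevents this" looks like at the packet level. Once the encryption layer is removed (with your own key, or by Bob with the session key as in option 2), the plaintext is itself an OpenPGP packet stream: one-pass signature, literal data, signature. Those packets can be re-serialized as a standalone signed message, and Alice's signature still verifies because it covers only the literal data, never the encryption layer. The framing follows RFC 4880 section 4.2; the sample stream, key ID and signature body are constructed placeholders, and the code assumes any compressed-data packet has already been decompressed.

```python
"""Carve the signed message out of a decrypted OpenPGP packet stream.
Added example; packet bodies below are constructed placeholders."""
import struct

TAG_SIGNATURE, TAG_ONE_PASS_SIG, TAG_COMPRESSED, TAG_LITERAL = 2, 4, 8, 11


def encode_packet(tag, body):
    """Serialize one packet with a new-format header (RFC 4880 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def read_packet(buf, pos):
    """Parse the packet at buf[pos] -> (tag, body, next_pos). Accepts old- and
    new-format headers; partial-body lengths are rejected, not mis-parsed."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("no packet header at offset %d" % pos)
    if ctb & 0x40:                      # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body length at offset %d" % pos)
    else:                               # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, hdr = buf[pos + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", buf[pos + 1:pos + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5
        else:                           # indeterminate: runs to end of input
            length, hdr = len(buf) - pos - 1, 1
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated packet (tag %d)" % tag)
    return tag, buf[start:end], end


def parse_packets(buf):
    pos, packets = 0, []
    while pos < len(buf):
        tag, body, pos = read_packet(buf, pos)
        packets.append((tag, body))
    return packets


def extract_signed_message(decrypted):
    """Return the signed message carried by a decrypted packet stream, re-serialized
    on its own. Accepts the one-pass form (OPS*, literal, signature*) and the older
    (signature*, literal) form. The signatures cover only the literal data, so they
    remain valid once the encryption layer is gone."""
    packets = parse_packets(decrypted)
    tags = [t for t, _ in packets]
    if TAG_COMPRESSED in tags:
        raise ValueError("decompress the compressed-data packet first")
    n_sig = tags.count(TAG_SIGNATURE)
    one_pass_form = [TAG_ONE_PASS_SIG] * n_sig + [TAG_LITERAL] + [TAG_SIGNATURE] * n_sig
    old_form = [TAG_SIGNATURE] * n_sig + [TAG_LITERAL]
    if n_sig == 0 or tags not in (one_pass_form, old_form):
        raise ValueError("not a signed message: tags %r" % tags)
    return b"".join(encode_packet(t, b) for t, b in packets)


def literal_data(msg):
    """Contents of the literal data packet (RFC 4880 5.9): skip the format octet,
    the filename length, the filename and the 4-octet date."""
    for tag, body in parse_packets(msg):
        if tag == TAG_LITERAL:
            return body[6 + body[1]:]
    raise ValueError("no literal data packet")


SAMPLE_TEXT = b"alice -> me: the Q2 numbers are approved\n"   # constructed


def build_sample_decrypted_stream():
    """Constructed stand-in for what decrypting Alice's message yields.
    The key ID and the signature body are placeholders, not real values."""
    key_id = bytes.fromhex("0123456789abcdef")
    # OPS body (RFC 4880 5.4): version 3, sig type 0x00 (binary document),
    # hash algo 8 (SHA-256), pk algo 1 (RSA), 8-octet key ID, nested flag
    ops = bytes([3, 0x00, 8, 1]) + key_id + bytes([1])
    name = b"msg.txt"
    literal = b"b" + bytes([len(name)]) + name + struct.pack(">I", 1082900000) + SAMPLE_TEXT
    sig = b"PLACEHOLDER-SIGNATURE-BODY"
    return (encode_packet(TAG_ONE_PASS_SIG, ops)
            + encode_packet(TAG_LITERAL, literal)
            + encode_packet(TAG_SIGNATURE, sig))


if __name__ == "__main__":
    signed = extract_signed_message(build_sample_decrypted_stream())
    print([t for t, _ in parse_packets(signed)])   # [4, 11, 2]
```

Two things a practitioner should keep in mind when handing the carved-out message to Bob. First, GnuPG normally wraps the signed packets in a compressed-data packet before encrypting, so the real stream has to be inflated (per the algorithm octet in that packet) before the signed message is visible; later GnuPG 2.x releases also added `--unwrap`, which makes `--decrypt` emit exactly this inner message instead of the bare file contents. Second, the signature binds Alice to the text only: nothing in the signed message names the original recipient, so Bob learns that Alice signed these words, not that she sent them to you, and anyone who can decrypt could have forwarded them.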


