Retrieving signature from message that was encrypted and signed in one step

Atom Smasher atom at smasher.org
Tue Apr 19 02:10:18 CEST 2005


On Mon, 18 Apr 2005, Patrick Chkoreff wrote:

> I have a message that was encrypted and signed in one step.  When I 
> decrypt it, I can read the message and see that the signature is valid. 
> So far so good.
>
> I would now like to relay this message to a third party so he can verify 
> the signature too.  But as far as I know, GPG has no way to do this.
>
> Can GPG do this?  If not, why not?  Is this lack of ability actually a 
> feature?  I suppose it could be a feature, because this gives the sender 
> a way to prove to ME that he signed something, without giving me a way 
> to prove that to anyone else.
>
> Is that the reason why what I want to do is not possible with GPG?
===================

there's no reason it can't be done, but i don't know of any application 
that can do it.

for now, the only way to do it is to extract the session key from the 
message (--show-session-key) and send that along with the encrypted 
message to your 3rd party. they can use "--override-session-key" to 
decrypt the message and verify the signature.

in most cases the session key should be encrypted (to your 3rd party), 
because anyone who gets a hold of the session key can read the message.


-- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"The Final Act of the Uruguay Round, marking the conclusion of
 	 the most ambitious trade negotiation of our century, will
 	 give birth - in Morocco - to the World Trade Organization,
 	 the third pillar of the New World Order, along with the
 	 United Nations and the International Monetary Fund."
 		-- Part of full-page advertisement
 		by the government of Morocco in
 		The New York Times (April 1994)
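
The relay procedure described in the reply above, as an added shell example that is not part of the original post. The function names, file arguments and recipient are placeholders chosen for illustration; only `--show-session-key`, `--override-session-key` and standard gpg encrypt/decrypt options are used.

```shell
#!/bin/sh
# Added example: relay an encrypted+signed message so a third party can
# verify the signature. All function and file names are placeholders.

# Extract "algo:hex" from gpg's "session key:" line (read on stdin).
# The "." matches the quote character, which differs between gpg versions.
parse_session_key() {
    sed -n 's/^gpg: session key: .\([0-9][0-9]*:[0-9A-Fa-f][0-9A-Fa-f]*\).$/\1/p' | head -n 1
}

# Accept only "<digits>:<hex>" before handing a value to gpg.
valid_session_key() {
    algo=${1%%:*}; hex=${1#*:}
    case $algo in ''|*[!0-9]*) return 1 ;; esac
    case $hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "$algo:$hex" = "$1" ]
}

# Original recipient: decrypt, discard the plaintext, keep the session key.
# $1 = encrypted+signed message
show_session_key() {
    LC_ALL=C gpg --show-session-key --decrypt "$1" 2>&1 >/dev/null | parse_session_key
}

# Original recipient: encrypt the session key to the third party, since
# anyone holding it can read the message.
# $1 = message, $2 = third party's key, $3 = output file
wrap_session_key() {
    key=$(show_session_key "$1")
    valid_session_key "$key" || return 1
    printf '%s\n' "$key" | gpg --armor --encrypt --recipient "$2" --output "$3"
}

# Third party: unwrap the key, then decrypt the relayed message with it.
# gpg reports the signature check on stderr. The key is passed as an
# argument here, so it is visible in the process list while gpg runs.
# $1 = message, $2 = wrapped key file
verify_relayed() {
    key=$(gpg --decrypt "$2" 2>/dev/null)
    valid_session_key "$key" || return 1
    gpg --override-session-key "$key" --decrypt "$1"
}
```

The third party needs the sender's public key in their keyring for the signature check to succeed.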




