Retrieving signature from message that was encrypted and signed in one step

Atom Smasher atom at
Tue Apr 19 02:10:18 CEST 2005

On Mon, 18 Apr 2005, Patrick Chkoreff wrote:

> I have a message that was encrypted and signed in one step.  When I 
> decrypt it, I can read the message and see that the signature is valid. 
> So far so good.
> I would now like to relay this message to a third party so he can verify 
> the signature too.  But as far as I know, GPG has no way to do this.
> Can GPG do this?  If not, why not?  Is this lack of ability actually a 
> feature?  I suppose it could be a feature, because this gives the sender 
> a way to prove to ME that he signed something, without giving me a way 
> to prove that to anyone else.
> Is that the reason why what I want to do is not possible with GPG?

there's no reason it can't be done, but i don't know of any application 
that can do it.

for now, the only way to do it is to extract the session key from the 
message (--show-session-key) and send that along with the encrypted 
message to your 3rd party. they can use "--override-session-key" to 
decrypt the message and verify the signature.

in most cases the session key should be encrypted (to your 3rd party), 
because anyone who gets a hold of the session key can read the message.


  PGP key -
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

 	"The Final Act of the Uruguay Round, marking the conclusion of
 	 the most ambitious trade negotiation of our century, will
 	 give birth - in Morocco - to the World Trade Organization,
 	 the third pillar of the New World Order, along with the
 	 United Nations and the International Monetary Fund."
 		-- Part of full-page advertisement
 		by the government of Morocco in
 		The New York Times (April 1994)

More information about the Gnupg-users mailing list