pgp and gpg

Charly Avital shavital at mac.com
Wed Jul 6 19:21:04 CEST 2005


Hiamal wrote the following on 7/6/05 9:00 AM:
> I'm a little bit confused about two different messages, one from gnupg
> 1.4.1 (Debian sid) and one from PGPfreeware 6.5.3 (Win) for the same
> e-mail.
> 
> gnupg> gpg: BAD signature from "....."
> 
> pgp> *** Status:   Good Signature from Invalid Key
> 
> 
> It doesn't look the same to me, but does it mean the same?

It is not the same and it does not mean the same. For the same e-mail,
gnupg indicates that the signature is bad, e.g. it does not verify (the
reason is not specified), whereas PGP 6.5.3 indicates that the signature
is good (it verifies correctly) but the key used to verify that
signature is invalid *in your keyring* because you have not validated
that key, either by signing it (even a local non-exportable signature)
and/or you have not set a trust value to it.

This kind of conflicting result (one BAD signature, one good
signature) can and does happen; the causes can be many and different,
like the encryption software that was used to sign the incoming e-mail,
and how the verifying software "reads" the signed message. The e-mail
client very often plays an important part in this kind of problem.

I have no experience with Debian sid or with Windows (I am a Mac user),
but I have seen this kind of conflict when verifying the same email with
two different e-mail clients using different encryption
software: e.g. Thunderbird + GnuPG will indicate a BAD signature,
whereas Mail.app with GnuPG or with PGP will indicate a good signature.

If you can post to the list how the e-mail was signed (MUA and
encryption software) and your own MUA (is it Evolution 2.2.2?), you
might get better answers.

Charly
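The distinction Charly draws above (a signature that fails to verify, versus a signature that verifies but whose key has not been validated in the local keyring) is exactly the one a script driving gpg has to keep apart. The following is an added example, not code from this thread or from GnuPG itself: it classifies the machine-readable status lines that `gpg --status-fd 1 --verify` prints (the `GOODSIG`, `BADSIG`, `ERRSIG`, `NO_PUBKEY` and `TRUST_*` keywords are GnuPG's documented status keywords; the sample output, key id, user id and timestamp below are constructed placeholders).

```python
"""Separate "did the signature verify?" from "is the signing key valid in my
keyring?" using GnuPG's status-fd output (added example, not GnuPG code)."""
from dataclasses import dataclass
from typing import Iterable, Optional

STATUS_PREFIX = "[GNUPG:] "

# Status keywords from GnuPG's doc/DETAILS. GOODSIG/BADSIG answer the
# cryptographic question; TRUST_* answer the keyring-validity question.
KEY_VALID = {"TRUST_FULLY", "TRUST_ULTIMATE"}
KEY_NOT_VALIDATED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}


@dataclass
class Verdict:
    signature_ok: Optional[bool] = None  # None: could not be checked at all
    key_valid: Optional[bool] = None     # None: not reported (e.g. after BADSIG)
    key_id: str = ""
    user_id: str = ""

    def summary(self) -> str:
        if self.signature_ok is None:
            return "could not verify (no public key or error)"
        if not self.signature_ok:
            return "BAD signature"                       # gnupg's message in the thread
        if self.key_valid:
            return "good signature from valid key"
        return "good signature from invalid (not validated) key"  # PGP's message


def parse_status(lines: Iterable[str]) -> Verdict:
    """Fold gpg output into a Verdict; non-status (human-readable) lines are ignored."""
    v = Verdict()
    for raw in lines:
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split(maxsplit=2)
        keyword = fields[0]
        if keyword in {"GOODSIG", "EXPKEYSIG", "REVKEYSIG"}:
            v.signature_ok = True
            v.key_id = fields[1]
            v.user_id = fields[2] if len(fields) > 2 else ""
            if keyword != "GOODSIG":
                v.key_valid = False  # an expired or revoked key is never valid
        elif keyword == "BADSIG":
            v.signature_ok = False
            v.key_id = fields[1]
            v.user_id = fields[2] if len(fields) > 2 else ""
        elif keyword in {"ERRSIG", "NO_PUBKEY"}:
            v.signature_ok = None
        elif keyword in KEY_VALID and v.key_valid is None:
            v.key_valid = True
        elif keyword in KEY_NOT_VALIDATED and v.key_valid is None:
            v.key_valid = False
    return v


# Constructed sample output in the shape of `gpg --status-fd 1 --verify`;
# the key id, user id and timestamps are placeholders, not real values.
SAMPLE_BAD = [
    "gpg: Signature made Wed Jul  6 09:00:00 2005 CEST using DSA key ID 89ABCDEF",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Sender <sender@example.org>",
    'gpg: BAD signature from "Example Sender <sender@example.org>"',
]
SAMPLE_GOOD_UNVALIDATED = [
    "gpg: Signature made Wed Jul  6 09:00:00 2005 CEST using DSA key ID 89ABCDEF",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>",
    'gpg: Good signature from "Example Sender <sender@example.org>"',
    "[GNUPG:] TRUST_UNDEFINED",
    "gpg: WARNING: This key is not certified with a trusted signature!",
]
SAMPLE_GOOD_VALID = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>",
    "[GNUPG:] TRUST_FULLY",
]
SAMPLE_NO_KEY = [
    "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1120633200 9",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
]

if __name__ == "__main__":
    for name, sample in [("bad", SAMPLE_BAD), ("unvalidated", SAMPLE_GOOD_UNVALIDATED),
                         ("valid", SAMPLE_GOOD_VALID), ("no key", SAMPLE_NO_KEY)]:
        print(f"{name:12s} -> {parse_status(sample).summary()}")
```

Only the third case means "the message is from who it claims to be"; the second case is the state PGP reports as "Good Signature from Invalid Key", and it is cleared by certifying the key locally or assigning it ownertrust, as Charly describes, not by anything the sender can do.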

More information about the Gnupg-users mailing list