Signing in RFC3156 PGP/MIME format

Deron Meranda deron.meranda at
Wed Jun 11 21:46:51 CEST 2008

I cannot seem to figure out how to use gpg2 to create
signatures in RFC3156 PGP/MIME format, rather than
the inline OpenPGP format.

I'm prepared to do all the necessary MIME encapsulation
and canonicalization of the first part of the multiple/signed
component, but then want to use gpg to produce the
signature which would go into the second part, the

First, some clarification would be helpful for those who
know: the RFC3156 seems to indicate that the signature's
armor-header should be "BEGIN PGP MESSAGE",
but then the newer RFC 4880 appears to update this
so that "BEGIN PGP SIGNATURE" is to be used instead.
Is this a correct interpretation, and/or does it matter?

If there is no direct support or option I haven't found
to produce RFC3156 output, what I think might work would
be to create the first MIME component (complete with the
Content-Type and Content-Transfer-Encoding headers)
and put it into a file, and then sign that using:

  gpg2 --rfc4880 --armor --sign testdoc.part

Omitting the -t (text) option, because I've already done
the canonical line ending conversion, if needed (it
could even contain binary attachments, etc., but I
would handle all that).

Then I get the *.asc file, which at the end contains a
"BEGIN PGP SIGNATURE" armor-encoded signature
block.  Is that the same thing I would then need to put
into the application/pgp-signature MIME part?  And is
there a way to get just that signature block out of gpg
without it also including the whole message inlined above

Deron Meranda
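
An added example, not part of the original post: RFC 3156 has the signature generated detached from the signed data, which gpg's `--detach-sign --armor` does, so the sketch below signs the canonicalized first part and wraps both in a multipart/signed entity. The function names, the pluggable `sign` callable and the generated boundary are assumptions of this example; the default signer assumes a `gpg2` binary with a usable default secret key.

```python
import re
import secrets
import subprocess

CRLF = b"\r\n"

def canonicalize(data: bytes) -> bytes:
    """Rewrite every line ending (CRLF, CR or LF) as CRLF."""
    return re.sub(rb"\r\n|\r|\n", CRLF, data)

def gpg_detached_signature(data: bytes, gpg: str = "gpg2") -> bytes:
    """Sign with the default secret key; output is only the armored signature."""
    # --detach-sign leaves the signed data out of the output, so nothing
    # has to be cut away; SHA256 must match micalg=pgp-sha256 below.
    cmd = [gpg, "--armor", "--detach-sign", "--digest-algo", "SHA256"]
    return subprocess.run(cmd, input=data, stdout=subprocess.PIPE, check=True).stdout

def build_multipart_signed(part: bytes, sign=gpg_detached_signature, boundary=None) -> bytes:
    """part = first MIME part, headers included; returns the multipart/signed entity."""
    signed = canonicalize(part)
    boundary = boundary or "sig-" + secrets.token_hex(12)
    delim = b"--" + boundary.encode()
    if delim in signed:
        raise ValueError("boundary occurs in the signed part; choose another")
    signature = canonicalize(sign(signed)).rstrip(CRLF)
    return CRLF.join([
        b"Content-Type: multipart/signed; micalg=pgp-sha256;",
        b' protocol="application/pgp-signature"; boundary="' + boundary.encode() + b'"',
        b"",
        delim,
        signed,          # exactly the bytes handed to the signer, untouched
        delim,           # the CRLF before this line belongs to the delimiter
        b"Content-Type: application/pgp-signature",
        b"",
        signature,
        delim + b"--",
        b"",
    ])

def signed_bytes_of(message: bytes, boundary: str) -> bytes:
    """Recover what a verifier hashes: the bytes between the first two delimiters."""
    body = message.split(CRLF + b"--" + boundary.encode())[1]
    return body[len(CRLF):]
```

Saving the output of `signed_bytes_of` and the signature part to two files lets `gpg2 --verify signature.asc part.bin` confirm that the bytes in the message are the bytes that were signed.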
