Manual verification of PGP-Mime signatures

Brian Mearns bmearns at ieee.org
Fri Jun 26 15:36:50 CEST 2009


I'd like to manually verify attached application/pgp-signature signatures
in email. I have access to the raw (undecoded) email, and I read
through RFC 3156, but I'm still getting BAD signatures. I've tried
verifying a couple of different signatures from various lists, and the
example given in the RFC, but they all fail. I'm not sure what I'm
doing wrong. For instance, the RFC example message is (between the two
lines):
----------------------------------
From: Michael Elkins <elkins at aero.org>
To: Michael Elkins <elkins at aero.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5;
protocol="application/pgp-signature"

--bar
& Content-Type: text/plain; charset=iso-8859-1
& Content-Transfer-Encoding: quoted-printable
&
& =A1Hola!
&
& Did you know that talking to yourself is a sign of senility?
&
& It's generally a good idea to encode lines that begin with
& From=20because some mail transport agents will insert a greater-
& than (>) sign, thus invalidating the signature.
&
& Also, in some cases it might be desirable to encode any   =20
& trailing whitespace that occurs on lines in order to ensure  =20
& that the message signature is not invalidated when passing =20
& a gateway that modifies such whitespace (like BITNET). =20
&
& me

--bar

Content-Type: application/pgp-signature

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
HOxEa44b+EI=
=ndaj
-----END PGP MESSAGE-----

--bar--
----------------------------------

The RFC says the leading '&' "indicate the portion of the data over
which the signature was calculated.", so I'm not sure if he meant them
to be included in the signature or not, but I've tried it with and
without them, and with and without the space that follows them. I've
confirmed that the line endings are CR+LF.

Does somebody know how to do this? If you do, it would be really
helpful if you could explain it, and maybe show a GPG Clearsigned
equivalent. For instance, this is how I've been interpreting it (and
it doesn't work):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

=A1Hola!

Did you know that talking to yourself is a sign of senility?

It's generally a good idea to encode lines that begin with
From=20because some mail transport agents will insert a greater-
than (>) sign, thus invalidating the signature.

Also, in some cases it might be desirable to encode any   =20
trailing whitespace that occurs on lines in order to ensure  =20
that the message signature is not invalidated when passing =20
a gateway that modifies such whitespace (like BITNET). =20

me

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
HOxEa44b+EI=
=ndaj
-----END PGP SIGNATURE-----

So any help would be great.

Thanks
-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
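
An added example, not part of the original post: RFC 3156 computes the signature over the first body part including its MIME headers, in transfer-encoded form with canonical CRLF line endings, and RFC 2046 assigns the CRLF immediately before a boundary line to the delimiter rather than to the part. The sketch below uses a constructed message with a placeholder signature and a hypothetical helper name, `split_signed`, to extract exactly those bytes so they can be checked as a detached signature.

```python
import re
from email import message_from_bytes

def split_signed(raw: bytes):
    """Return (signed_bytes, armored_signature) from a raw multipart/signed message."""
    boundary = message_from_bytes(raw).get_boundary()
    if boundary is None:
        raise ValueError("no boundary parameter in Content-Type")
    # RFC 3156: line endings are converted to canonical CRLF before verifying.
    data = re.sub(rb"\r?\n", b"\r\n", raw)
    # RFC 2046: the CRLF in front of "--boundary" belongs to the delimiter.
    delim = re.compile(rb"\r\n--" + re.escape(boundary.encode("ascii"))
                       + rb"(--)?[ \t]*(?=\r\n|\Z)")
    marks = list(delim.finditer(data))
    if len(marks) != 3 or marks[2].group(1) is None:
        raise ValueError("expected exactly two body parts and a closing delimiter")
    # First part: its MIME headers plus the still-encoded body, byte for byte.
    signed = data[marks[0].end() + 2:marks[1].start()]
    # Second part: drop the part headers, keep the ASCII armor.
    sig_part = data[marks[1].end() + 2:marks[2].start()]
    armor = sig_part.partition(b"\r\n\r\n")[2]
    return signed, armor

# Constructed sample; the signature block is a placeholder and will not verify.
SAMPLE = (
    b"Mime-Version: 1.0\n"
    b"Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5;\n"
    b" protocol=\"application/pgp-signature\"\n\n"
    b"--bar\n"
    b"Content-Type: text/plain; charset=iso-8859-1\n"
    b"Content-Transfer-Encoding: quoted-printable\n\n"
    b"=A1Hola!\n\n"
    b"me\n\n"
    b"--bar\n"
    b"Content-Type: application/pgp-signature\n\n"
    b"-----BEGIN PGP SIGNATURE-----\n\n"
    b"(constructed placeholder, not a real signature)\n"
    b"-----END PGP SIGNATURE-----\n\n"
    b"--bar--\n"
)

if __name__ == "__main__":
    signed, armor = split_signed(SAMPLE)
    with open("signed.bin", "wb") as f:
        f.write(signed)
    with open("sig.asc", "wb") as f:
        f.write(armor)
    print("next: gpg --verify sig.asc signed.bin")
```

The extracted data ends with a single CRLF after the last text line; the blank line in front of the closing boundary contributes only that one CRLF, and nothing from the boundary line itself is included.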


