Sign a multipart/alternative mail

Ingo Klöcker kloecker at
Wed Oct 26 22:03:12 CEST 2011

On Wednesday 26 October 2011, Pascal Nitsche wrote:
> Hello folks,
> I'm trying to sign a mail of the mime type "multipart/alternative"
> using pgp in PHP.
> The generation of the signature and the correct boundaries works just
> fine, but I can't bring it to generate a valid signature.
> I think I'm missing something important here.
> First of all I encode the text and html portions of the mail as
> quoted-printable and replace every new line character with <CR><LF>
> as to be found in the RFCs (which seem not to state anything about
> multipart).
> Now I generate the signature of the complete mime part and put it
> into its own mime part.
> So now the mail looks like this (text, html and signature were
> replaced by placeholders for readablility and not all of the mail
> headers are
> shown since only the Content-Type should matter here):
>     |Content-Type: multipart/signed; micalg=pgp-sha1;
>     |protocol="application/pgp-signature";
>     |boundary="=_1b5364229a82b654fad7cf2aa969f02e"
>     MIME-Version: 1.0
>     This is a message in Mime Format.  If you see this, your mail
> reader does not support this format.
>     --=_1b5364229a82b654fad7cf2aa969f02e
>     Content-Type: multipart/alternative;
>       boundary="=_53ba9ef8c471e6c8d72f215feaad8033"
>     Content-Transfer-Encoding: 7bit
>     &--=_53ba9ef8c471e6c8d72f215feaad8033
>     &--=_53ba9ef8c471e6c8d72f215feaad8033--
>     --=_1b5364229a82b654fad7cf2aa969f02e
>     Content-Type: application/pgp-signature; name="signature.asc"
> The lines starting with the &-sign were used to generate the
> signature.
> As stated I think I missed something or did not understand something
> correctly so please light it up for me ;)
> Thanks for your help in advance.

If I read your example correctly then you are missing point (5) on page 
4 of RFC 3156:
   (5)   As described in [2], the digital signature MUST be calculated
         over both the data to be signed and its set of content headers.
As far as I can see you calculated the signature only over the data but 
not over the content headers of the multipart/alternative part.  A 
correct example (compare to the example message on page 4 f. of the RFC) 
would look as follows:

    Content-Type: multipart/signed; micalg=pgp-sha1; 
    MIME-Version: 1.0

    This is a message in Mime Format.  If you see this, your mail reader 
does not support this format.

    &Content-Type: multipart/alternative;
    &  boundary="=_53ba9ef8c471e6c8d72f215feaad8033"
    &Content-Transfer-Encoding: 7bit
    &Content-Type: text/plain; charset=UTF-8
    &Content-Transfer-Encoding: quoted-printable
    &Content-Type: text/html; charset=UTF-8
    &Content-Transfer-Encoding: quoted-printable

    Content-Type: application/pgp-signature; name="signature.asc"
    Content-Disposition: attachment; filename="signature.asc"
    Content-Description: OpenPGP digital signature

    Version: GnuPG v1.4.11 (GNU/Linux)

    -----END PGP SIGNATURE-----


You also do not mention whether you remove trailing whitespace. If you 
quoted-printable encode trailing spaces as =20 then you do not need to 
remove it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20111026/9a6d1f76/attachment-0001.pgp>

More information about the Gnupg-users mailing list