Is the signature encrypted

Peter Lebbing peter at digitalbrains.com
Mon Nov 5 13:54:32 CET 2012


Hello,

> I would like to know if when I send an encrypted and signed message the
> signature is also encrypted or not ?

You can find out yourself whether GnuPG encrypts the signature. I did the following:

$ echo Hoi|gpg2 -o bla.gpg -r de500b3e -se
$ gpg2 --list-packets --list-only bla.gpg
:pubkey enc packet: version 3, algo 1, keyid 26F7563E73A33BEE
        data: [2048 bits]
:encrypted data packet:
        length: 368

As it turns out, the signature is inside the "encrypted data packet" (since it's
not outside it). So the answer is: yes, GnuPG does encrypt the signature. To
check there is indeed a signature:

$ gpg2 --list-packets bla.gpg
:pubkey enc packet: version 3, algo 1, keyid 26F7563E73A33BEE
        data: [2048 bits]
:encrypted data packet:
        length: 368
        mdc_method: 2
gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
      "Peter Lebbing <peter at digitalbrains.com>"
:compressed packet: algo=2
:onepass_sig packet: keyid 969E018FDE6CDCA1
        version 3, sigclass 0x00, digest 2, pubkey 1, last=1
:literal data packet:
        mode b (62), created 1352119549, name="",
        raw data: 4 bytes
:signature packet: algo 1, keyid 969E018FDE6CDCA1
        version 4, created 1352119549, md5len 0, sigclass 0x00
        digest algo 2, begin of digest b0 37
        hashed subpkt 2 len 4 (sig created 2012-11-05)
        subpkt 16 len 8 (issuer key ID 969E018FDE6CDCA1)
        data: [2046 bits]

This time I decrypted the packet (I omitted --list-only and it asked for my
smartcard PIN). Unfortunately (IMHO), --list-packets doesn't show hierarchy, so
it's not very apparent that the signature is inside the encrypted data packet,
but this time we do see a signature, so it's obviously there.

An interesting followup question is: does the OpenPGP standard dictate that it
be done this way, or is it left up to the implementer? I think somebody else
will know this without checking (I do not).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
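
An added example, not part of the original message and not GnuPG code: a minimal Python walker for OpenPGP packet headers (RFC 4880, section 4.2) that lists only the outermost packets, which is all anyone without the decryption key can read. The function names and sample bytes are constructed here; the sample mimics the shape of bla.gpg above (a pubkey enc packet followed by a 368-byte encrypted data packet) with filler bodies.

```python
# Added example: walks only the outermost OpenPGP packets (RFC 4880, sec. 4.2).
def _new_length(buf, pos):
    """Decode one new-format length header -> (length, next_pos, is_partial)."""
    if pos >= len(buf):
        raise ValueError("truncated length header")
    first = buf[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True        # partial body chunk

def top_level_packets(buf):
    """Return [(tag, body_length)] without descending into any packet body."""
    out, pos = [], 0
    while pos < len(buf):
        ctb = buf[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        if ctb & 0x40:                               # new-format header
            tag, total, partial = ctb & 0x3F, 0, True
            while partial:                           # follow partial chunks
                length, pos, partial = _new_length(buf, pos)
                total, pos = total + length, pos + length
        else:                                        # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            nbytes = 0 if ltype == 3 else 1 << ltype
            total = int.from_bytes(buf[pos:pos + nbytes], "big")
            if ltype == 3:                           # indeterminate length
                total = len(buf) - pos
            pos += nbytes + total
        if pos > len(buf):
            raise ValueError("truncated packet body")
        out.append((tag, total))
    return out

def signature_visible(buf):
    """True if a signature (2) or one-pass signature (4) packet is outermost."""
    return any(tag in (2, 4) for tag, _ in top_level_packets(buf))

def constructed_sample():
    """Constructed stand-in shaped like bla.gpg; packet bodies are filler."""
    pkesk = bytes([0x85, 0x01, 0x0C]) + b"\x00" * 268   # old format, tag 1
    seipd = bytes([0xD2, 0xC0, 0xB0]) + b"\xAA" * 368   # new format, tag 18
    return pkesk + seipd

if __name__ == "__main__":
    print(top_level_packets(constructed_sample()), signature_visible(constructed_sample()))
```

On the constructed sample the walker reports tags 1 and 18 only, matching the --list-only output in the message: no signature or onepass_sig packet is reachable without decrypting.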


