message digest for signed emails

Adam Gold awg1 at gmx.com
Tue Sep 10 20:23:03 CEST 2013 

> -----Original Message-----
> From: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net]
> Sent: 10 September 2013 15:59
> To: Adam Gold
> Cc: gnupg-users at gnupg.org
> Subject: Re: message digest for signed emails
> 
> gpg is not a mail user agent.  what are you using to send mail?  how is it
> connected to gpg?  Your original message claims:
> 
> X-Mailer: Microsoft Outlook 15.0
> 

This message was sent using Outlook however my gpg mail is setup in debian wheezy.  I was using the thunderbird equivalent but I've switched to mutt with gpg/MIME support as I want to use a console based app.

> > One additional point: if I use --clearsign for a non-email related
> > document, this will employ the SHA512 digest.  Why the discrepancy?
> > What do I need to do to change it on my email?
> 
> You need to provide more details about your mail user agent and how it
> interacts with GnuPG -- it sounds like the behavior is being introduced there.
> 
> 	--dkg

To enable gpg support in mutt I copied /usr/share/doc/mutt/examples/gpg.rc to ~/.mutt and then added 'source ~/.mutt/gpg.rc' to the mutt config file.  I also added to the config a number of lines as per here: http://pastebin.com/t17HcrCS

If I send a mail to myself in mutt I get the following in the received message:

=======================
[-- PGP output follows (current time: Tue 10 Sep 2013 18:59:09 BST) --]
gpg: Signature made Tue 10 Sep 2013 18:58:08 BST using RSA key ID 00583A4C
gpg: Good signature from "Adam Gold"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: [     ]
[-- End of PGP output --]
[-- The following data is signed --]
test
[-- End of signed data --]
=========================

This doesn't show what the hash is so I saved the attached signature.asc file and ran 'gpg -v' against the actual email saved in my email directory.  The following was returned:

===============================
gpg: Signature made Tue 10 Sep 2013 18:58:08 BST using RSA key ID 
gpg: using PGP trust model
gpg: BAD signature from "Adam Gold"
gpg: textmode signature, digest algorithm SHA1
===============================

I guess the bad signature is because the signature.asc file is not meant to be detached from the email and then checked against the email.  However, as you'll see, the digest is still SHA1.  Perhaps this is unreliable too but I can't see another way when viewing a signed message in mutt to ascertain the digest.

FYI: it mentions here that mutt support SHA2: https://wiki.ubuntu.com/SecurityTeam/GPGMigration

I really appreciate you taking the time to look at this.  If there is any specific information I have omitted, please let me know.  Alternatively if you don't mind, I can send you directly a signed email from my mutt account (I don't want to reveal it publicly) and you could see what digest is being used.

More information about the Gnupg-users mailing list