message digest for signed emails

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 10 20:35:53 CEST 2013


On 09/10/2013 02:23 PM, Adam Gold wrote:

> To enable gpg support in mutt I copied /usr/share/doc/mutt/examples/gpg.rc to ~/.mutt and then added 'source ~/.mutt/gpg.rc' to the mutt config file.  I also added to the config a number of lines as per here: http://pastebin.com/t17HcrCS
> 
> If I send a mail to myself in mutt I get the following in the received message:
> 
> =======================
> [-- PGP output follows (current time: Tue 10 Sep 2013 18:59:09 BST) --]
> gpg: Signature made Tue 10 Sep 2013 18:58:08 BST using RSA key ID 00583A4C
> gpg: Good signature from "Adam Gold"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: [     ]
> [-- End of PGP output --]
> [-- The following data is signed --]
> test
> [-- End of signed data --]
> =========================
> 
> This doesn't show what the hash is so I saved the attached signature.asc file and ran 'gpg -v' against the actual email saved in my email directory.  The following was returned:
> 
> ===============================
> gpg: Signature made Tue 10 Sep 2013 18:58:08 BST using RSA key ID 
> gpg: using PGP trust model
> gpg: BAD signature from "Adam Gold"
> gpg: textmode signature, digest algorithm SHA1
> ===============================
> 
> I guess the bad signature is because the signature.asc file is not meant to be detached from the email and then checked against the email.  However, as you'll see, the digest is still SHA1.  Perhaps this is unreliable too but I can't see another way when viewing a signed message in mutt to ascertain the digest.
> 
> FYI: it mentions here that mutt supports SHA2: https://wiki.ubuntu.com/SecurityTeam/GPGMigration
> 
> I really appreciate you taking the time to look at this.  If there is any specific information I have omitted, please let me know.  Alternatively if you don't mind, I can send you directly a signed email from my mutt account (I don't want to reveal it publicly) and you could see what digest is being used.

sorry, i don't know much about mutt or how it integrates with gpg.
maybe someone else on the list can help you with that, or you could ask
on a mailing list that's dedicated to mutt?

	--dkg
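
Added example, not part of the original thread: the digest algorithm is a field inside the OpenPGP signature packet (RFC 4880), so it can be read from a saved signature.asc without verifying the signature against any message. The function names are hypothetical and the sample input is constructed (only the leading octets of a v4 signature packet, not a real signature).

```python
import base64

# Hash algorithm IDs, RFC 4880 section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x00: "binary", 0x01: "textmode"}

def dearmor(text):
    """Decode the base64 body of an ASCII-armored OpenPGP block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if "" not in lines:
        raise ValueError("no blank line after armor headers")
    body = [ln for ln in lines[lines.index("") + 1:]
            if ln and not ln.startswith(("=", "-----"))]  # skip CRC and END lines
    return base64.b64decode("".join(body))

def signature_digest(data):
    """Return (signature mode, digest name) for a leading signature packet."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                       # new-format packet header
        tag = first & 0x3F
        n = data[1]
        hdr = 2 if n < 192 else 3 if n < 224 else 6 if n == 255 else 2
    else:                                  # old-format packet header
        tag = (first >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != 2:
        raise ValueError("first packet is not a signature (tag %d)" % tag)
    body = data[hdr:]
    if body[0] in (2, 3):                  # v3: version, 5, type, time, keyid, pk, hash
        sig_type, hash_id = body[2], body[16]
    elif body[0] == 4:                     # v4: version, type, pk, hash
        sig_type, hash_id = body[1], body[3]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return (SIG_TYPES.get(sig_type, hex(sig_type)),
            HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id))

def constructed_sample(hash_id):
    """CONSTRUCTED input: armor around only the first octets of a v4 packet."""
    pkt = bytes([0x89, 0x00, 0x06, 4, 0x01, 1, hash_id, 0, 0])
    return ("-----BEGIN PGP SIGNATURE-----\n\n" +
            base64.b64encode(pkt).decode() + "\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for hid in (2, 8):
        print(signature_digest(dearmor(constructed_sample(hid))))
```

For a real message, pass the text of the saved signature.asc to dearmor() and the result to signature_digest().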
