checking signature of pgp mime

Ingo Klöcker kloecker at kde.org
Fri Apr 4 00:28:34 CEST 2014


On Thursday 03 April 2014 15:06:57 Tim Prepscius wrote:
> Greetings,
> 
> So as I said before, I'm working on a pgp based web mail app:
> https://github.com/timprepscius/mv
> 
> I am having problems validating the signature of a small percentage of
> test cases.  However GPG with apple-mail says the signatures
> check out, soo... I'm obviously doing something incorrectly.

KMail also says that the signature matches.

Looking at the two pastebins, it seems that you are trying to convert 
OpenPGP/MIME-signed messages to RFC 4880-style cleartext signed messages 
in order to verify the signatures. This transformation is not always 
possible. In this particular case the signed data contains trailing 
whitespace. If the sender (resp. his mail client) had followed 
RFC 3156 then this trailing whitespace wouldn't be there. But it's 
there. And that's what's causing the trouble because the signature of a 
cleartext signed message is computed with trailing whitespace removed. 
That's why the signature does not match.

You have to verify the signature the way one verifies signed data with 
a detached signature.


Regards,
Ingo
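
The mismatch described in the reply above, as an added example that is not part of the original message or of either project's code. It compares the bytes a verifier hashes for a detached signature with the bytes hashed after the same MIME part has been pushed through the cleartext framework. The sample MIME parts and all function names are constructed for illustration, and the signature trailer that OpenPGP also hashes is left out because it is identical in both cases.

```python
import hashlib
import re

# Constructed sample: a signed MIME part whose third line ends in a space.
SAMPLE_PART = (
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Hello, \r\n"
    b"this is a test.\r\n"
)
# The same part as a sender without trailing whitespace would have produced it.
CLEAN_PART = SAMPLE_PART.replace(b"Hello, \r\n", b"Hello,\r\n")


def detached_input(part: bytes) -> bytes:
    """Bytes hashed for a detached signature: CRLF line ends, nothing stripped."""
    return re.sub(rb"\r?\n", b"\r\n", part)


def cleartext_input(part: bytes) -> bytes:
    """Bytes hashed for a cleartext signature (RFC 4880, 7.1): trailing spaces
    and tabs are removed from every line, line ends are CRLF. Dash-escaping and
    the final line ending are assumed to be handled by the converter."""
    lines = re.split(rb"\r?\n", part)
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)


def trailing_ws_lines(part: bytes) -> list:
    """1-based numbers of the lines that end in a space or tab."""
    lines = re.split(rb"\r?\n", part)
    return [n for n, line in enumerate(lines, 1) if line != line.rstrip(b" \t")]


def survives_cleartext(part: bytes) -> bool:
    """True if both verification paths hash exactly the same bytes."""
    a = hashlib.sha256(detached_input(part)).digest()
    b = hashlib.sha256(cleartext_input(part)).digest()
    return a == b


if __name__ == "__main__":
    for name, part in (("sample", SAMPLE_PART), ("clean", CLEAN_PART)):
        print(name, "trailing whitespace on lines", trailing_ws_lines(part),
              "-> same hash input:", survives_cleartext(part))
```

A part for which `survives_cleartext` returns False can only be verified as data plus detached signature, which is the approach the reply recommends for all PGP/MIME messages.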