[fa-ml at ariis.it: Re: How to verify a signed mail (silly question maybe, sorry ; )]

Ingo Klöcker kloecker at kde.org
Thu Jul 3 20:11:34 CEST 2014


On Thursday 03 July 2014 08:49:12 Linux DEBIAN wrote:
> Hello,
> 
>   thanks for your reply.
> 
> Maybe I do something wrong and following the instructions, still
> receiving 'bad signature'.

I'm not surprised. It seems that Francesco Ariis has left out a crucial 
step (or you have removed it when you quoted his message). RFC 3156 
reads

=====

Upon receipt of a signed message, an application MUST:

   (1)   Convert line endings to the canonical <CR><LF> sequence before
         the signature can be verified.  This is necessary since the
         local MTA may have converted to a local end of line convention.

   (2)   Pass both the signed data and its associated content headers
         along with the OpenPGP signature to the signature verification
         service.

=====

> It's my mail and my signature (for testing purposes) so I'm sure
> signature is ok, btw.
> 
> Does it matter if in the beginning of the part is:
> 
> Content-Type: Text/Plain;
> charset="utf-8"
> Content-Transfer-Encoding: quoted-printable

No.


> and the whole copied part ends with:
> 
> =3D

It shouldn't matter.


> Also, when I copy the text, when using Kate (text editor for KDE,
> Linux), I always use utf-8 for opening/saving documents.
> Shall I change to another charset ?
> There is no choice for exactly 'ascii', just e.g. western european ISO
> 8859-1 and many others.

The charset should be irrelevant because quoted-printable encoded text 
does not contain any non-ASCII characters.

Concerning (1) in the excerpt of RFC 3156 quoted above, you have to tell 
Kate to switch the line endings to Windows line endings (Tools->End of 
Line->Windows/DOS) before saving the text to a file. Or run unix2dos on 
the saved text to convert the line endings on the command line.


If you do all of this correctly, then you might be lucky that the 
signature verification succeeds. You might not be so lucky when the next 
signed message arrives.

IMHO trying to verify an OpenPGP/MIME-signed message by hand is at most 
a nice exercise, but it's certainly nothing one should do regularly.


Regards,
Ingo
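
The two RFC 3156 steps quoted in the message above, as an added example that is not part of the original post or of GnuPG: the first body part is cut out together with its content headers, its line endings are converted to <CR><LF>, and the result is handed to `gpg --verify` with the detached signature. The names `split_signed`, `verify_with_gpg` and `SAMPLE` are this example's own, and it assumes a message with exactly two body parts whose boundary string occurs nowhere else.

```python
import os, re, subprocess, tempfile

# Constructed sample with Unix line endings, as a local MTA might store it.
SAMPLE = (b'From: sender@example.org\n'
          b'Content-Type: multipart/signed; micalg=pgp-sha1;\n'
          b' protocol="application/pgp-signature"; boundary="b1"\n'
          b'\n'
          b'--b1\n'
          b'Content-Type: Text/Plain;\n'
          b'  charset="utf-8"\n'
          b'Content-Transfer-Encoding: quoted-printable\n'
          b'\n'
          b'caf=C3=A9\n'
          b'\n'
          b'--b1\n'
          b'Content-Type: application/pgp-signature\n'
          b'\n'
          b'-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n'
          b'-----END PGP SIGNATURE-----\n'
          b'--b1--\n')

def split_signed(raw: bytes):
    """Return (signed_data, armored_signature) from a raw multipart/signed mail."""
    text = raw.replace(b"\r\n", b"\n")         # work on LF internally
    head, _, body = text.partition(b"\n\n")
    head = re.sub(rb"\n[ \t]+", b" ", head)    # unfold continuation lines
    m = re.search(rb'(?im)^content-type:\s*multipart/signed\b.*?boundary="?([^";\s]+)', head)
    if not m:
        raise ValueError("not a multipart/signed message")
    # The line break before a delimiter belongs to the delimiter (RFC 2046,
    # section 5.1), so splitting on "\n--boundary" leaves it out of the part.
    parts = (b"\n" + body).split(b"\n--" + m.group(1))
    if len(parts) < 4 or not parts[3].startswith(b"--"):
        raise ValueError("expected exactly two body parts")
    first = parts[1].split(b"\n", 1)[1]        # drop the rest of the delimiter line
    second = parts[2].split(b"\n", 1)[1]
    signed = first.replace(b"\n", b"\r\n")     # step (1): canonical <CR><LF>
    return signed, second.partition(b"\n\n")[2]  # step (2): part headers stay in `signed`

def verify_with_gpg(raw: bytes) -> bool:
    """Write both pieces to temporary files and run `gpg --verify sig data`."""
    signed, sig = split_signed(raw)
    with tempfile.TemporaryDirectory() as d:
        data_path, sig_path = os.path.join(d, "signed.txt"), os.path.join(d, "signature.asc")
        for path, blob in ((data_path, signed), (sig_path, sig)):
            with open(path, "wb") as f:
                f.write(blob)
        return subprocess.run(["gpg", "--verify", sig_path, data_path]).returncode == 0
```

Read the message in binary mode (`open(path, "rb")`) before calling `split_signed`, so that no editor or text-mode layer rewrites the bytes first.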


More information about the Gnupg-users mailing list