MIME or inline signature ?

Damien Goutte-Gattat dgouttegattat at incenp.org
Mon Feb 16 00:01:04 CET 2015

> > What's wrong with what I am doing?

You provide GnuPG with only the *signature*. You need to also give it 
the *signed data* (the message) so that it can perform the verification.

If you want to do that manually (something you don’t usually do with 
PGP/MIME signatures, since it’s quite cumbersome): In addition to what 
you have already done (saving the signature itself in “signature.asc”), 
you must also extract the MIME part that was signed.

In the message source, look for a line like the following:

   Content-Type: multipart/signed; boundary="XXXXXX"

and note the “XXXXXX” boundary string. The signed data will start after 
the first line starting with “--XXXXXX” and will end with a blank line 
followed by another line starting with “--XXXXXX”. That’s what you need 
to extract and save to a file (say, “message.txt”).

Do not include the boundary lines themselves, nor the last blank line 
before the closing boundary line. For example:

   Everything from this line
   up to this one is the signed message to verify.


Then you can ask GnuPG to verify the message:

   gpg --verify signature.asc message.txt

(You understand now why nobody does that manually, and leaves that to 
Enigmail or any other PGP/MIME-enabled mail client.)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150216/54b715ca/attachment.sig>

More information about the Gnupg-users mailing list