Decrypting PGP/MIME on the command line

Doug Barton dougb at
Mon Mar 2 00:52:42 CET 2015

On 3/1/15 3:34 PM, Daniel Kahn Gillmor wrote:
> On Sun 2015-03-01 20:01:05 +0100, Werner Koch wrote:
>> On Sun,  1 Mar 2015 15:32, rpuls at said:
>>> is there a command line utility that takes a PGP/MIME encrypted message
>>> (a plain RFC 2822 text file) and outputs an unencrypted copy? The
>> Not really.  MIME is a structured format and as such it may result in a
>> bunch of encrypted, non-nencrypted, signed, unsigned,
>> message/alternative sub-documents.  Thus it is not easy to write a
>> general purpose command line tool.
> python's email module is quite good for programmatically handling mime
> parts if you want to manipulate an e-mail (though it may not be so good
> for reconstructing it in some sort of bytewise exact fashion).
>> You may start with gpgparsemail which is not installed bald build as
>> part of gnupg in the tools directory.  It returns an annotated format
>> which might be easier for further processing steps than plain MIME.
>> If you only want to decrypt a standard MIME encrypted mail, it is easy.
>> Simply pipe the entire mail through gpg and you will get the decrypted
>> MIME container.
> You should also note that any decryption like this is likely to remove
> any OpenPGP signature as well, for those MUAs that do the
> encryption+signing step all in one OpenPGP piece (i believe that the
> gpgtools plugin places the OpenPGP signature inside a
> multipart/signed MIME message, which is then itself encrypted, rather
> than placing encryption and signatures all in the OpenPGP part
> directly).
> A tool that transforms an OpenPGP encrypted+signed MIME message into an
> OpenPGP-signed MIME message while retaining the original signature would
> be a really nice tool to have.

The signature is an attachment on a PGP/MIME message of course, so you'd 
have to preserve the two files separately.

My (Al)pine PGP filters are shell scripts that (amongst other things) 
will verify and decrypt PGP/MIME messages. You could easily adapt that 
code to output the canonical version of the message to a file, along 
with the corresponding signature.

hope this helps,


More information about the Gnupg-users mailing list