What happened to this signature?

Moritz Klammler moritz at klammler.eu
Mon Sep 12 17:06:23 CEST 2016

>> Today, I've posted a signed message (OpenPGP MIME) to a public
>> mailing list I'm subscribed to.  When it was delivered back to me,
>> the signature was broken.  I investigated the case and found out that
>> some silly MTA had un-escaped a minus-character in the message body
>> (quoted-printable) and added a blank line at the top.  This is
>> annoying but is adequately explained by stupidity so it didn't alarm
>> me.  Similar things have happened to me many times in the past.  What
>> *did* alarm me is that a further investigation reveled that the
>> signature itself was changed, too.
> A possible explanation which does not involve any conspiracies would
> be that Gnus, for whatever reason, signs the copy of the message that
> is stored in the sent folder (which, I assume, is where you've got the
> "original, good, signature" from) separately from the copy of the
> message that it sends.

Thank you, I think you are right.  The "bad" signature happens to be a
valid signature of the (this time really) good message, too.  Isn't it
nice to learn new things about your MUA every day?  Quite embarrassing
though, that I didn't realize this behavior earlier.

I would still be interested to understand the meaning of the "begin of
digest" packet in a signature.  Apparently, it is not the two leftmost
bytes of the signed hash.  But what else is it then?


Public Key:   http://openpgp.klammler.eu
Fingerprint:  2732 DA32 C8D0 EEEC A081  BE9D CF6C 5166 F393 A9C0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20160912/2aff06e0/attachment.sig>

More information about the Gnupg-users mailing list