about how the MUA mutt signs mails

On Thu, Jun 01, 2017 at 08:48:34AM +0200, Matthias Apitz wrote:
>When I send signed mails to me with the MUA mutt (just for test) the
>received mail is verified fine in mutt, i.e. it says in mutt:
>    [-- Begin signature information --]
>    Good signature from: Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
>            created: Wed May 31 21:40:19 2017
>    [-- End signature information --]
>    [-- The following data is signed --]
>    hello
>    [-- End of signed data --]
>but when I save the signature part into a file 'signature.asc' and the
>ASCII content of the mail as a file 'data' from the menu in mutt:
>q:Exit  s:Save  |:Pipe  p:Print  ?:Help
>  I     1 <no description>                                          [text/plain, 7bit, utf-8, 0.1K]
>  I     2 signature.asc                                            [applica/pgp-signat, 7bit, 0.8K]
>and run:
>$ gpg2 --verify signature.asc data
>gpg: Signature made Wed May 31 21:40:19 2017 CEST
>gpg:                using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
>gpg: BAD signature from "Matthias Apitz (GnuPG CCID) <guru at unixarea.de>" [ultimate]
>it says 'BAD signature'.
>Why does the file 'data' have a BAD signature? The file 'data' after saving from
>mutt from the above menu just contains:
>$ cat data
>$ od -c data
>0000000    h   e   l   l   o  \n  \n
>I dug into this, trussing the mutt-gpg2 process chain, and it turned out that
>the net data which mutt verifies is:
>$ od -c data.asc
>0000000    C   o   n   t   e   n   t   -   T   y   p   e   :       t   e
>0000020    x   t   /   p   l   a   i   n   ;       c   h   a   r   s   e
>0000040    t   =   u   t   f   -   8  \r  \n   C   o   n   t   e   n   t
>0000060    -   D   i   s   p   o   s   i   t   i   o   n   :       i   n
>0000100    l   i   n   e  \r  \n  \r  \n   h   e   l   l   o  \r  \n  \r
>0000120   \n
>i.e. it also contains some mail header lines about the content and charset and esp.
>\r\n line terminators as well. If I modify the file to this, it is fine:
>$ gpg2 --verify signature.asc data.asc
>gpg: Signature made Wed May 31 21:40:19 2017 CEST
>gpg:                using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
>gpg: Good signature from "Matthias Apitz (GnuPG CCID) <guru at unixarea.de>" [ultimate]
>Is this correct how mutt signs such mail bodies?

This is "PGP-MIME" format, as refined in
<https://tools.ietf.org/html/rfc3156>. Section 5 of that clearly states:

   The multipart/signed body MUST consist of exactly two parts.  The
   first part contains the signed data in MIME canonical format,
   including a set of appropriate content headers describing the data.

   The second body MUST contain the OpenPGP digital signature.  It MUST
   be labeled with a content type of "application/pgp-signature".

So, the MUA must convert the message body to MIME format (with the right
line endings, with any Base64 or Quoted Printable encoding applied) and
add the Content-Type header BEFORE signing the message. Similarly, the
MUA must verify the signature BEFORE parsing the body's header for how
to decode the message for display/saving.

To reiterate, when you save the message body, mutt strips the header
and decodes the file (imagine if this was a binary attachment in Base64
encoding; you DO want mutt to reconstruct it back into binary form).

For more information, please reread.
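As an added illustration (not code from this thread, from mutt, or from GnuPG), the following Python rebuilds the octets that the signature in a PGP/MIME message actually covers and reproduces the `od -c data.asc` dump above byte for byte; the quoted-printable branch for non-7-bit text and the `gpg2 --verify` wrapper are assumptions about the general case beyond the "hello" message.

```python
import os
import quopri
import shutil
import subprocess
import tempfile

CRLF = b"\r\n"


def canonical_signed_part(body: str, charset: str = "utf-8") -> bytes:
    """First part of a multipart/signed message in MIME canonical form.

    These are the octets the MUA hashes and signs (RFC 3156 section 5):
    the part's own content headers, an empty line, then the body with
    every line terminated by CRLF. Text that is not 7-bit clean is
    quoted-printable encoded first so the signed part stays 7-bit safe
    (assumption: mutt's exact choice of encoding is not stated above).
    """
    raw = body.encode(charset)
    headers = [f"Content-Type: text/plain; charset={charset}".encode("ascii")]
    if any(b > 0x7F for b in raw):
        raw = quopri.encodestring(raw)
        headers.append(b"Content-Transfer-Encoding: quoted-printable")
    headers.append(b"Content-Disposition: inline")
    # Normalise any mixture of LF / CRLF endings to CRLF. Trailing
    # terminators are kept, which is why "hello\n\n" yields "hello\r\n\r\n".
    lines = raw.replace(CRLF, b"\n").split(b"\n")
    return CRLF.join(headers) + CRLF + CRLF + CRLF.join(lines)


def mutt_saved_copy(body: str, charset: str = "utf-8") -> bytes:
    """What 's:Save' writes: headers stripped, transfer encoding decoded,
    native LF endings. This is NOT what the detached signature covers."""
    return body.encode(charset)


def verify_detached(signature_asc: bytes, signed_data: bytes) -> bool:
    """Run 'gpg2 --verify signature.asc data.asc' on the given octets.
    True only when gpg reports a good signature (exit status 0)."""
    gpg = shutil.which("gpg2") or shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("no gpg2/gpg binary found")
    with tempfile.TemporaryDirectory() as tmp:
        sig_path = os.path.join(tmp, "signature.asc")
        data_path = os.path.join(tmp, "data.asc")
        with open(sig_path, "wb") as f:
            f.write(signature_asc)
        with open(data_path, "wb") as f:
            f.write(signed_data)
        res = subprocess.run([gpg, "--batch", "--verify", sig_path, data_path],
                             capture_output=True)
        return res.returncode == 0
```

Feeding `mutt_saved_copy(...)` to `verify_detached` reproduces the BAD result from the thread, while `canonical_signed_part(...)` is the input that verifies.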
