Re: PGP sigs fail verification

Top Page
Attachments:
Message as email
+ (text/plain)
+ signature.asc (application/pgp-signature)
Delete this message
Author: Miroslav Rovis
Date:  
To: mutt-users
Subject: Re: PGP sigs fail verification
On 160919-15:58+0100, Darac Marjal wrote:
> On Mon, Sep 19, 2016 at 04:11:05PM +0200, Miroslav Rovis wrote:
> >I would kindly ask the readers, since this is really not just about my
> >PGP-sig, to accept the above more generally named subject:
> >"Re: PGP sigs fail verification"
> >for this thread, pls.
> >


(First, just for the sake of truthfulness, I forgot to CC that msg to
Derek, but did later forward it to him; my provider being very lousy and
sometimes deliberately dishonest, if it hasn't arrived, not my fault.)
> >I'm CC'ing this to both Derek D. Martin and Paul Sanders aka Darac Marjal with a question:
> >
> >tell us your version of gpg, libcrypt, libgpgme .
> >Ken Moffat's gpg is 2.1 (found in his mail in this thread).
>
> I'm using:
>     gpg         1.4.20-6
>     gpg2         2.1.11-7
>     libgcrypt    1.7.3-1
>     libgpgme11    1.6.0-3

>
> from Debian. I have mutt set to use gpgme, though, so I'm not actually
> sure whether that will use gpg2 or not yet. Ah, yes, it depends on
> "gnupg (> 2) | gnuph (> 2.0.4)", so I guess it is using gpg2 code.
>
>

Thanks!

So the below is wrong hypothesis.
> >
> >If yours is 1.4 it could be incompatibility btwn 1.4 and 2.x since it
> >will show that mine gpg 1.4 has no issues with both of yours sigs, and I
> >can't verify Ken's gpg 2.1 sig.

It's about something else, there may be no incompatibility btwn 1.4 and
2.x

I tried to download, all from:
http://marc.info/?l=mutt-users&m=147324473407815&w=2

the "[Download message RAW]"
which downloads as:
dNZQNRnu.asc

Renamed it:
$ mv -iv dNZQNRnu.asc dNZQNRnu_DarakMarjal160907-raw.asc

Then I downloaded
the "["signature.asc" (application/pgp-signature)]"
which downloads as:
QkYBXROR.asc

Renamed it:
$ mv -iv QkYBXROR.asc dNZQNRnu_DarakMarjal160907-raw_QkYBXROR.sig

But, no luck:
$ gpg --verify  dNZQNRnu_DarakMarjal160907-raw_QkYBXROR.sig \
    dNZQNRnu_DarakMarjal160907-raw.asc 
gpg: Signature made Wed 07 Sep 2016 12:21:36 CEST using RSA key ID
48C912E7
gpg: BAD signature from "Paul Saunders <darac@???>"
$


If no followups, I may do better to withdraw and study docs/faq/guides
which are there a plenty at:
https://gnupg.org/

as I'm not competent enough to follow, at least as yet.

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr