Re: PGP sigs fail verification

Top Page
Attachments:
Message as email
+ (text/plain)
+ signature.asc (application/pgp-signature)
Delete this message
Author: Miroslav Rovis
Date:  
To: mutt-users
Subject: Re: PGP sigs fail verification
On 160919-16:15-0700, Ian Zimmerman wrote:
> On 2016-09-19 22:25, Miroslav Rovis wrote:
>
> > $ gpg --verify  dNZQNRnu_DarakMarjal160907-raw_QkYBXROR.sig \
> >     dNZQNRnu_DarakMarjal160907-raw.asc 
> > gpg: Signature made Wed 07 Sep 2016 12:21:36 CEST using RSA key ID
> > 48C912E7
> > gpg: BAD signature from "Paul Saunders <darac@???>"
> > $

>
> You're a victim of the same misunderstanding as I was, when I tried to
> investigate the problem this way :-P

Late evening in Ian's country, the U.S. probably, sleep not coming to me
here in Southern-Southeastern Europe in this quite of night.

> You need to read RFC 3156, which specifies how the signature is computed
> on PGP/MIME mails.

Will be doing it right next!

> It is _not_ on the data you see when you dump the
> text into a Unix file (even when you take into account the encoding such
> as quoted-printable).
>
> Here are at least 3 differences: (there may be more)
>
> 1. Line endings: all transformed into CRLF before signing
>
> 2. Trailing whitespace: all stripped before signing
>
> 3. MIME part headers (ie. the stuff after the MIME boundary line and
>    before the first empty line after that): included in signed data

>

I'll be revisiting 3., after I read the RFC 3156, the rest I understand.

> So, if we want to pursue this line of verifying from the command line,
> first we need a piece of code or script that will take an email and spit
> out the data _as used for the signature computation_. I think it ought
> to exist out there. That is my next step.
>

That'd be so great if you lay your eyes on it and present it to Mutt
Users attention over here!

> As I reported in other subthread, I took one "BAD" email from my system
> (directly from the maildir, not exporting with mutt) and compared it to
> the archived copy from MARC. They were identical. At least this way I
> eliminated the possibility of mangling by intermediate MTAs.
>

I'll, after my RFC homework, try and follow your steps in the above
paragraph.

> For my part I now think this is a flea.
>

I like chasing fleas! I have had a couple of true shots recently and
devs were able to kill'em, and once I even figured out a trivial patch!

I'll be doing what I can. Can't promise much, I'm usually making my
progresses at turtle speed even when I apply my best, which I will do
here!

> --
> Please *no* private Cc: on mailing lists and newsgroups
> Why does the arrow on Hillary signs point to the right?


Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr