On 2 Aug 2025, at 14:06, Andrew Gallagher <andr...@andrewg.com> wrote:
>
> On 2 Aug 2025, at 12:06, JL <devm23k73ju29...@dolce-energy.com> wrote:
>>
>> that's too bad, since in fact the "format" is enforced before signing, while
>> they could have chosen the opposite : enforcing all binary file to be
>> presented into binary format in the mime message, and signing verification
>> should only be performed once restored to original format....
>
> I think you have misread the spec because that’s already what it requires.
> Signing is performed before encoding to 7-bit safe format, and verification
> after decoding. The only time normalisation is performed before signing is
> with 0x01 text document signatures, when line endings are converted to wire
> format. This is increasingly a historical curiosity though, and is
> unnecessary if you are using base64.

OK, my turn to reply to myself. Sorry, *I* misread *your* message. :-( The above comment doesn’t apply to your scenario.

Yes, base64 is used because it is relatively immune to mangling by MTAs in transit (although not perfectly so). And while you can transmit an entire signed message as a base64 blob, it’s more common to sign over the mime structure, which may have subparts, and so 7-bit safe encoding can happen before the signing step. It was specified this way so that naive clients could still process the signed-over data and display it without having to understand the details of openpgp.

Sorry for the confusion.

A

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
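
The ordering described in the message above, as an added example (not code from the thread or from GnuPG): a MIME structure with subparts is base64-encoded first, the encoded bytes with CRLF line endings are what gets hashed, and a client with no OpenPGP support can still decode the attachment. SHA-256 stands in for the hash a signature is made over, and the sample data and all function names are constructed for illustration.

```python
import base64
import hashlib
from email import message_from_bytes, policy
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

WIRE = policy.compat32.clone(linesep="\r\n")   # CRLF "wire format" line endings
ATTACHMENT = bytes(range(256)) * 2             # constructed binary sample
BODY = "Report attached.\nSecond line.\n"      # constructed text sample


def build_part(wrap=76):
    """MIME structure with subparts; the binary one is base64-encoded up front."""
    b64 = base64.b64encode(ATTACHMENT).decode("ascii")
    att = MIMEBase("application", "octet-stream")
    att.set_payload("\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap)) + "\n")
    att["Content-Transfer-Encoding"] = "base64"
    part = MIMEMultipart("mixed", boundary="constructed-boundary")
    part.attach(MIMEText(BODY, "plain", "us-ascii"))
    part.attach(att)
    return part


def signed_over_bytes(part):
    """What the signer hashes: the already-encoded part, serialized with CRLF."""
    return part.as_bytes(policy=WIRE)


def digest(data):
    """SHA-256 as a stand-in for the hash an OpenPGP signature is made over."""
    return hashlib.sha256(data).hexdigest()


def naive_client_attachment(raw):
    """Decode the attachment with plain MIME parsing, no OpenPGP involved."""
    return message_from_bytes(raw).get_payload()[1].get_payload(decode=True)


def canonicalize(raw):
    """Restore CRLF line endings before hashing on the verifying side."""
    return raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


if __name__ == "__main__":
    signed = signed_over_bytes(build_part())
    lf_only = signed.replace(b"\r\n", b"\n")   # simulated line-ending mangling
    print("attachment recovered:", naive_client_attachment(signed) == ATTACHMENT)
    print("LF copy matches as-is:", digest(lf_only) == digest(signed))
    print("matches after canonicalize:", digest(canonicalize(lf_only)) == digest(signed))
```

Because the hash covers the encoded form, re-wrapping the base64 lines (`build_part(wrap=64)`) leaves the decoded attachment identical but changes the digest.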