-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+ Nadav Har'El <[EMAIL PROTECTED]> [29/09/03 21:45]:
> On Sun, Sep 28, 2003, Moshe Kaminsky wrote about "verifying mail signatures from the 
> command line":
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> 
> Strange, it appears that the mail you sent was *not* signed using a separate
> attachment, but rather in a non-MIME way, so a simple "gpg --verify" should
> be used to verify it. 

Yes, that's because I've set the mutt variable `pgp_create_traditional' 
to yes. The effect is that if the mail contains only text, it is signed 
using this simple method. However, if the e-mail contains non-text 
attachments, it is signed with an attached signature.

> In fact this is what I had to run ("|gpg --verify")
> to verify your message in mutt because mutt doesn't understand this format
> (or at least my setup, which I copied from the standard mutt documentation:
>       /usr/share/doc/mutt-1.4.1/gpg.rc
> )

Strange, I use the same file (but from a newer version) and it does 
understand this format. Maybe it's the version differences (I'm using 
1.5.4).
> 
> By the way, you might want to send your public key (gpg --send-keys C28C05E3)
> to some key server, otherwise nobody will have a copy of your public key.

I think I did it. I went to http://www.keyserver.net/ and filled it in 
there. If that's not it, I just don't know what a key server is.
Anyway, right now I'm more into the business of verifying my own 
signature. I'm sending myself e-mails from one machine to another, and 
would like to verify that it's really me who is doing it (using procmail 
- that's why I need the whole stuff).

> It would be even better if you got other people to sign your key, and join
> the "web of trust".

How do I go about it?
> 
> > My mail client (mutt) signs mail messages with several parts by putting 
> > the pgp signature as a separate attachment. The mail client itself has 
> > no problem verifying the signature of such an email. However, when I try 
> > to verify the signature from the command line, I get only "BAD 
> > signature..." replies. I guess the reason is that I don't know what is 
> > the precise text that gets signed, but I tried all reasonable 
> > combinations of attachments, and it fails with all of them. How can I 
> > verify the signature of such an email from the command line?
> 
> Sorry, I don't know. (why did I reply, then? :( Sorry for not being more
> helpful)

Thanks. Anyway, I was looking at the source of mutt, and now I know 
what's going on. The funny answer is this:
An e-mail signed in this manner (which is the only acceptable one, 
according to the mutt people) always has two parts: The first is the 
original e-mail (all its parts become sub-parts), and the second is the 
signature. The text being verified is the whole first part (including 
the header), with all "\n" not following a "\r" replaced by "\r\n".
Since there must be some convention here, the whole thing should 
probably be explained in plain English somewhere, but who knows where...

This whole thing means I'll need some extra program to verify such 
e-mails, but I guess no one knows where I can find it. I guess I'll just 
have to use perl's MIME::Tools.

Thanks anyway,
Moshe

> 
> -- 
> Nadav Har'El                        |       Monday, Sep 29 2003, 3 Tishri 5764
> [EMAIL PROTECTED]             |-----------------------------------------
> Phone: +972-53-790466, ICQ 13349191 |If you lost your left arm, your right arm
> http://nadav.harel.org.il           |would be left.
> 
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
> 

- -- 
  Moshe Kaminsky <[EMAIL PROTECTED]>
  Home: 08-9456841
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/eJCRkBjmVsKMBeMRApEAAKDj/AdXJbGzlNPEWeHY2aKtQOLXIACgvqJr
+zB0kbYDisbMWtLrfZWcY6U=
=6Wvf
-----END PGP SIGNATURE-----
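
The procedure described in the message above, as an added example that is not part of the original mail and is not mutt's code: it takes the raw bytes of a multipart/signed mail, converts every bare LF to CRLF, cuts out the first part (headers included) and the armored signature, and hands both to `gpg --verify`. The function names and the sample message are constructed for illustration, and the signature part is assumed to be unencoded (7bit).

```python
import re
import subprocess
import tempfile

# Constructed sample (LF line endings, placeholder signature body), not a real mail.
SAMPLE = b"""From: a@example.org
Content-Type: multipart/signed; micalg=pgp-sha1;
\tprotocol="application/pgp-signature"; boundary="outer"

--outer
Content-Type: multipart/mixed; boundary="outer-inner"

--outer-inner
Content-Type: text/plain

hello
--outer-inner--

--outer
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
--outer--
"""

def split_signed(raw: bytes):
    """Return (signed_bytes, armored_signature) for a raw multipart/signed mail."""
    raw = re.sub(rb"(?<!\r)\n", b"\r\n", raw)            # every bare LF -> CRLF
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="?([^";\r\n]+)', head, re.I)
    if b"multipart/signed" not in head.lower() or not m:
        raise ValueError("not a multipart/signed message")
    # The CRLF before "--boundary" belongs to the delimiter, not to the signed data.
    delim = re.compile(rb"\r\n--" + re.escape(m.group(1)) + rb"(?:--)?[ \t]*(?=\r\n|\Z)")
    pieces = delim.split(b"\r\n" + body)
    if len(pieces) < 3:
        raise ValueError("expected a signed part and a signature part")
    signed, sig_part = pieces[1][2:], pieces[2][2:]      # drop CRLF ending each delimiter line
    return signed, sig_part.partition(b"\r\n\r\n")[2] + b"\r\n"   # signature minus its headers

def gpg_verify(raw: bytes) -> bool:
    signed, sig = split_signed(raw)
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("sig", sig), ("data", signed)):
            with open(f"{d}/{name}", "wb") as f:
                f.write(data)
        return subprocess.run(["gpg", "--verify", f"{d}/sig", f"{d}/data"]).returncode == 0
```

The format is specified in RFC 3156 (PGP/MIME). Feed `gpg_verify` an untouched copy of the mail read in binary mode, since any re-encoding of the first part by a mail library changes the signed bytes.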
