On Tue, Mar 19, 2002 at 08:44:55AM +0100, [EMAIL PROTECTED] wrote: > This is a copy of terminal after entering message which was and encrypted, but > NOT SIGNED: [unimportant bits snipped from message to shorten it] > ------------------------------------------------------------------------ > Date: Mon, 18 Mar 2002 20:44:40 +0100 > From: Michal Kochanowicz <[EMAIL PROTECTED]> > To: Michal Kochanowicz <[EMAIL PROTECTED]> > > [-- PGP output follows (current time: wto 19 mar 2002 08:38:02 CET) --] > gpg: encrypted with 2048-bit ELG-E key, ID BF4EB9F4, created 2001-05-24 > "Michal Kochanowicz <[EMAIL PROTECTED]>" > [-- End of PGP output --] > > [-- The following data is PGP/MIME encrypted --] > > test > > [-- End of PGP/MIME encrypted data --] > > - PF- 653/663: Michal Kochanowicz PGP lokalnie (e) > -- (all) > PGP signature could NOT be verified. > ------------------------------------------------------------------------ > Please tell me what am I missinterpreting. Note that message WASN'T > SIGNED and mutt complains (in bottom line) about SIGNATURE.
Maybe I'm being stupid here, but it appears that mutt and GPG are behaving correctly. How can it verify the signature on the message if it wasn't signed? Please feel free to ignore the following if it's all obvious stuff that you know already.... There are two things that you can do to a message before you send it - sign and encrypt. They are independent - you can sign but not encrypt, encrypt but not sign, do both or neither. Encrypting is where the message is scrambled using the recipient's public key. Only the recipient will be able to descramble the message, as to do so requires their personal private key. Signing is where you add a short amount of data (signature) to the message, generated from the message and your private key. Anyone who receives the message will be able to verify the signature against your public key, to prove that the message came from you (and has not been spoofed or altered in transit). Therefore, the two processes use different keys - Encrypting uses the recipient's public key, whereas signing uses your own private key. At the receiving end, decryption also uses two different keys - decrypting requires the receiver's private key, whereas signature verification requires the sender's public key. The fact that you can decrypt a message from a particular sender does not prove that they sent it - only that whoever sent it used your public key to encrypt it; in theory, anyone could have sent it, provided they can get hold of your public key (which is likely, since it's 'public', and most people publish their public keys all over the 'net). If a message is only encrypted (and not signed), there is no signature to verify, which is why you get "PGP signature could NOT be verified." HTH... -- David Smith Work Email: [EMAIL PROTECTED] STMicroelectronics Home Email: [EMAIL PROTECTED] Bristol, England
