Re[2]: Signature Verification in GnuPG seems to be useless

2003-07-22 Thread Rafi Avital
Allie,

Thanks for your help so far.  I believe you and I are talking about
the same thing and I may not know it yet.  Rather than waste your
time, I'll post a few questions on the mysteries of signature
verification on the GnuPG list and after I get my education I'll get
back to asking you, hopefully, a more intelligent question.

I understand you're talking about verifying encrypted and signed
messages.  I am attempting to verify the signature of the
sender/signer/encrypter on the encrypted message *before* I decrypt
it.  That's what Eudora lets me do (with the added plugin which is not
part of the Eudora distribution).  As for a TB! plugin, as far as I
can tell, it *is* part of the TB! version I'm using (1.62r) and I
didn't have to install anything extra.  Am I wrong?

Yes, I do use GPG Shell.  The message in question looks like this when
I get it:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.3rc1 (Darwin)
Comment: GnuPG for Privacy

hQIOAzk8sx+lJ8NdEAf/ei+1RbWEEprxWDyDJWvwyeE2VZ5gsBGxbQAPPBhE40jf
DkgI/deNPpLPFSKbFFk84o4peQ5IfWfggh6qGTyH/NIWH+I1Hc5r+kwkAu+MPQy1

mDcUcytLXoohx4ylteVPnCyPLfhSZ4LzZ7HWrksK8dKB4wvPkWuRt6fascn85oT6
=7Q+y
-----END PGP MESSAGE-----

Obviously I shortened it to display it here.  There is no additional
signature file or block or anything of the sort.  When I invoke GPG Shell, I
first copy the message to the clipboard, and use the GPG-Tray menu
Clipboard Decrypt/Verify which gets me the following response in a
DOS window (Key IDs, email addresses and names masked):

You need a passphrase to unlock the secret key for
user: Rafi Avital (insightful comment) [EMAIL PROTECTED]
2048-bit ELG-E key, ID , created 2003-03-08 (main key ID )

After entering my passphrase, the response is:

gpg: encrypted with ELG-E key, ID 
gpg: encrypted with 2048-bit ELG-E key, ID , created 2011-05-06
  Rafi Avital (insightful comment) [EMAIL PROTECTED]
gpg: Signature made 07/19/03 22:23:32 Eastern Standard Time using DSA key ID C91B085E
gpg: Good signature from Daffy Duck (no comment) [EMAIL PROTECTED]

Press any key to continue . . .

That's the part I'm looking for, Good signature from...  After that,
pressing any key will decrypt the contents of the clipboard and show
me the decrypted message in a separate window graciously provided by
GPG Shell.

Note that it has asked me for the passphrase before showing me the
signature, which leads me to suspect that GPG Shell goes through the
same process of listing the packet (i.e. looking in the encrypted
content for the packet, therefore requiring the passphrase), then
comparing it to the matching public key in my keyring.

As I said, I'll go try to get smarter on the GnuPG list, if you have
any insights and believe we won't bore everyone else here, by all
means feel free to share them, or email me privately at
[EMAIL PROTECTED] (a secondary account for me).

Thanks and best regards



Current version is 1.62r | Using TBUDL information:
http://www.silverstones.com/thebat/TBUDLInfo.html


Re[2]: Signature Verification in GnuPG seems to be useless

2003-07-21 Thread Rafi Avital
Allie,

Thanks for the reply, quite informative (and my compliments on the
document in the link you gave me at landscreek.net, it helped me a
lot).

On Monday, July 21, 2003, 9:15:57 AM, you wrote:

AM Was it an in-line encryption/signature or was it PGP/MIME?

I probably didn't make this clear, and I'm probably not using the
right terminology:  What I'm trying to do is verify the signature on a
message that was created by someone else, which was Encrypted AND
signed by the author.  I have his public key.

Eudora, in this situation, lets me verify that the signature is valid,
i.e. that I have a key in my keyring, with the fingerprint of the key
that the author used to encrypt and sign.  I was looking for the same
functionality in TB.  It seems that all TB does is issue a gpg
--verify which produces the error I mentioned.  From your description
and everything else I've read, it looks like that is only good for
checking a signature in a .sig file, a detached signature, not
embedded in the encrypted message.  Sorry for the confusion.

AM You can export message text and then, through a batch script, have
AM external programs process the text.

If TB lets me actually launch an external program or batch file, to
which I can pass parameters like the To: From: and contents of the
message, I should be able to roll my own and write a program that
performs this verification, until Ritlabs does it right.

Thanks again and best regards



Current version is 1.62r | Using TBUDL information:
http://www.silverstones.com/thebat/TBUDLInfo.html
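Both posts turn on the same point: in a signed-then-encrypted OpenPGP message the signature packet lives inside the encrypted container, so gpg can only report "Good signature from ..." once decryption is under way, which is why GPG Shell asks for the passphrase first and why a bare `gpg --verify` on the armored file has nothing to check. The script below is an added example, not code from this thread, from GPG Shell or from The Bat!. It parses GnuPG's machine-readable `--status-fd` lines (the documented ENC_TO, BEGIN_DECRYPTION, GOODSIG, VALIDSIG, BADSIG, NO_PUBKEY and DECRYPTION_OKAY keywords) from two constructed captures: one signed-and-encrypted message and one that was encrypted but never signed. It reports whether a good signature was found and whether it became visible only after decryption started. All key IDs, the fingerprint and the e-mail address are constructed placeholders; the optional `decrypt_and_verify` helper assumes `gpg` on PATH and an agent or pinentry that can supply the passphrase.

```python
"""Added example: judge a signed-and-encrypted OpenPGP message from GnuPG's
--status-fd output instead of scraping the human-readable text.

Only the optional subprocess helper needs gpg; the parser runs on captured
lines and works offline."""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "  # every --status-fd line starts with this


@dataclass
class VerifyResult:
    decrypted: bool = False             # DECRYPTION_OKAY seen
    good_sig: bool = False              # GOODSIG seen
    bad_sig: bool = False               # BADSIG seen
    missing_key: bool = False           # NO_PUBKEY: signer's key not in keyring
    signer_keyid: Optional[str] = None
    signer_uid: Optional[str] = None
    fingerprint: Optional[str] = None   # from VALIDSIG
    encrypted_to: List[str] = field(default_factory=list)  # ENC_TO key IDs
    sig_inside_encryption: Optional[bool] = None  # signature seen after BEGIN_DECRYPTION?


def parse_status(lines):
    """Walk status lines in order; non-status chatter is skipped."""
    result = VerifyResult()
    decryption_started = False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword == "ENC_TO":
            result.encrypted_to.append(fields[1])
        elif keyword == "BEGIN_DECRYPTION":
            decryption_started = True
        elif keyword == "DECRYPTION_OKAY":
            result.decrypted = True
        elif keyword == "GOODSIG":
            result.good_sig = True
            result.signer_keyid = fields[1]
            result.signer_uid = fields[2] if len(fields) > 2 else None
            result.sig_inside_encryption = decryption_started
        elif keyword == "VALIDSIG":
            result.fingerprint = fields[1]
        elif keyword == "BADSIG":
            result.bad_sig = True
            result.signer_keyid = fields[1]
            result.sig_inside_encryption = decryption_started
        elif keyword == "NO_PUBKEY":
            result.missing_key = True
            result.signer_keyid = fields[1]
    return result


def verdict(result):
    """One-line summary in the spirit of gpg's 'Good signature from ...'."""
    if result.good_sig:
        where = "inside the encrypted container" if result.sig_inside_encryption else "outside encryption"
        return f"GOOD signature from {result.signer_uid} (key {result.signer_keyid}), {where}"
    if result.bad_sig:
        return f"BAD signature claimed from key {result.signer_keyid}"
    if result.missing_key:
        return f"signed by key {result.signer_keyid} but no public key to check it"
    if result.decrypted:
        return "decrypted, but the message was not signed at all"
    return "nothing verified"


def decrypt_and_verify(message_path, plaintext_path, gpg="gpg"):
    """Optional helper (assumes gpg on PATH): plaintext to a file, status to stdout."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--output", plaintext_path,
         "--decrypt", message_path],
        capture_output=True, text=True, check=False)
    return parse_status(proc.stdout.splitlines())


# Constructed capture mirroring the post: passphrase first, then the signature
# becomes visible only once decryption is running. Key IDs, fingerprint and
# e-mail address are placeholders, not real keys.
SIGNED_AND_ENCRYPTED = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 16 0
[GNUPG:] NEED_PASSPHRASE ABCDEF0123456789 0123456789ABCDEF 16 0
[GNUPG:] GOOD_PASSPHRASE
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1058653412
[GNUPG:] SIG_ID AAAAAAAAAAAAAAAAAAAAAAAAAAA 2003-07-19 1058653412
[GNUPG:] GOODSIG 1122334455667788 Daffy Duck (no comment) <daffy@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2003-07-19 1058653412 0 3 0 17 2 00 1111222233334444555566667777888899990000
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
""".splitlines()

# Constructed capture of a message that was encrypted but never signed:
# decryption succeeds, yet there is no signature to report.
ENCRYPTED_ONLY = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 16 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1058653412
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
""".splitlines()

if __name__ == "__main__":
    print(verdict(parse_status(SIGNED_AND_ENCRYPTED)))
    print(verdict(parse_status(ENCRYPTED_ONLY)))
```

Run it as-is to see the two verdicts on the constructed captures, or point `decrypt_and_verify("message.asc", "plain.txt")` at a real file. The parser keys on `[GNUPG:]` lines because the "gpg: Good signature from" text is localized and free-form, while the status keywords are stable; a script launched from a mail client should also treat `good_sig` without a `fingerprint` or with `missing_key` set as unverified rather than trusting the presence of any signature line.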