Old 04-15-2012, 04:28 PM
Camaleón
 
Manually verifying PGP/MIME signature with GPG

On Wed, 11 Apr 2012 14:52:52 +0000, Camaleón wrote:

> On Tue, 10 Apr 2012 14:43:51 +0000, Camaleón wrote:
>
> (...)
>
>> Anyway, I get the posts through a nntp news server (Gmane), I don't
>> know - because I've not tried- if the header information provided would
>> be enough to be able to verify the signature manually.
>
> Mmm, I tried this yesterday and it seems to be working fine from
> Thunderbird + Enigmail with no additional tweaks: signatures (both
> "inline" and "detached") are verified correctly.
>
> If Enigmail can parse and verify the signed posts I see no reason why
> gpg cannot do the same.

(Disclaimer: newbies and soft-minded readers, please, stop reading here.
The following content can damage your mind. You've been advised)



As I thought, verifying PGP/MIME detached signatures can be also done from
command line with GPG. I have tried with some posts from this same mailing
list coming from users that use detached signatures and in every case it
worked fine:



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test.pgp test.eml
gpg: Signature made Tue Apr 10 08:41:59 2012 CEST using RSA key ID 82A46728
gpg: Good signature from "Mika Suomalainen"
gpg: aka "Mika Suomalainen <s.mika95@gmail.com>"
gpg: aka "Mika Suomalainen <mika.henrik.mainio@hotmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test2.pgp test2.eml
gpg: Signature made Tue Apr 10 11:00:44 2012 CEST using RSA key ID 06AAAAAA
gpg: Good signature from "Jon Dowland <jmtd@debian.org>"
gpg: aka "Jon Dowland <jon@alcopop.org>"
gpg: aka "Jon Dowland <jon.dowland@ncl.ac.uk>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E037 CB2A 1A00 61B9 4336 3C8B 0907 4096 06AA AAAA



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test3.pgp test3.eml
gpg: Signature made Mon Apr 9 21:46:11 2012 CEST using DSA key ID C13650B6
gpg: Good signature from "Bob Proulx <bob@proulx.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5B98 916C E867 EC0F D45C F608 D294 5C3B C136 50B6



sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test4.pgp test4.eml
gpg: Signature made Thu Apr 12 11:43:58 2012 CEST using RSA key ID DEA22DE9
gpg: Good signature from "Andrei Popescu <andreimpopescu@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4ACD 960A 2844 2952 EE06 466F 7356 B378 DEA2 2DE9


The recipe is very easy and the only needed ingredients are:

- Browsing to the mailing list archive
- Telnet to "news.gmane.org" server to get the message
- Use "gpg --verify"

And that's all.

If anyone is interested in the detailed steps, just ask.

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/jmesvc$3it$5@dough.gmane.org
 
Old 04-15-2012, 04:38 PM
Mika Suomalainen
 

15.04.2012 19:28, Camaleón wrote:
> On Wed, 11 Apr 2012 14:52:52 +0000, Camaleón wrote:
>
>> On Tue, 10 Apr 2012 14:43:51 +0000, Camaleón wrote:
>>
>> (...)
>>
>>> Anyway, I get the posts through a nntp news server (Gmane), I don't
>>> know - because I've not tried- if the header information provided would
>>> be enough to be able to verify the signature manually.
>>
>> Mmm, I tried this yesterday and it seems to be working fine from
>> Thunderbird + Enigmail with no additional tweaks: signatures (both
>> "inline" and "detached") are verified correctly.
>>
>> If Enigmail can parse and verify the signed posts I see no reason why
>> gpg cannot do the same.
>
> (Disclaimer: newbies and soft-minded readers, please, stop reading here.
> The following content can damage your mind. You've been advised)
>

Ignore people who say so. Your posts are usually helpful.
By the way, same people told me to use PGP/MIME and when I asked how to
do so they didn't say anything useful.

>
> As I thought, verifying PGP/MIME detached signatures can be also done from
> command line with GPG. I have tried with some posts from this same mailing
> list coming from users that use detached signatures and in every case it
> worked fine:
>
>
>
> sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test.pgp test.eml
> gpg: Signature made Tue Apr 10 08:41:59 2012 CEST using RSA key ID 82A46728
> gpg: Good signature from "Mika Suomalainen"
> gpg: aka "Mika Suomalainen <s.mika95@gmail.com>"
> gpg: aka "Mika Suomalainen <mika.henrik.mainio@hotmail.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728
>
>
>
> sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test2.pgp test2.eml
> gpg: Signature made Tue Apr 10 11:00:44 2012 CEST using RSA key ID 06AAAAAA
> gpg: Good signature from "Jon Dowland <jmtd@debian.org>"
> gpg: aka "Jon Dowland <jon@alcopop.org>"
> gpg: aka "Jon Dowland <jon.dowland@ncl.ac.uk>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: E037 CB2A 1A00 61B9 4336 3C8B 0907 4096 06AA AAAA
>
>
>
> sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test3.pgp test3.eml
> gpg: Signature made Mon Apr 9 21:46:11 2012 CEST using DSA key ID C13650B6
> gpg: Good signature from "Bob Proulx <bob@proulx.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 5B98 916C E867 EC0F D45C F608 D294 5C3B C136 50B6
>
>
>
> sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test4.pgp test4.eml
> gpg: Signature made Thu Apr 12 11:43:58 2012 CEST using RSA key ID DEA22DE9
> gpg: Good signature from "Andrei Popescu <andreimpopescu@gmail.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 4ACD 960A 2844 2952 EE06 466F 7356 B378 DEA2 2DE9
>
>
> The recipe is very easy and the only needed ingredients are:
>
> - Browsing to the mailing list archive
> - Telnet to "news.gmane.org" server to get the message
> - Use "gpg --verify"
>
> And that's all.
>
> If anyone is interested in the detailed steps, just ask.
>
> Greetings,
>

Thank you for testing this. I will keep this in mind whenever I have a
need for this.

--
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728
 
Old 04-15-2012, 04:54 PM
Camaleón
 

On Sun, 15 Apr 2012 19:38:46 +0300, Mika Suomalainen wrote:

> 15.04.2012 19:28, Camaleón wrote:

(...)

>> As I thought, verifying PGP/MIME detached signatures can be also done
>> from command line with GPG. I have tried with some posts from this same
>> mailing list coming from users that use detached signatures and in
>> every case it worked fine:

(...)

>> The recipe is very easy and the only needed ingredients are:
>>
>> - Browsing to the mailing list archive
>> - Telnet to "news.gmane.org" server to get the message
>> - Use "gpg --verify"
>>
>> And that's all.
>>
>> If anyone is interested in the detailed steps, just ask.
>>
>>
> Thank you for testing this. I will keep this in mind whenever I have a
> need for this.

Now we know it is possible to verify PGP/MIME detached signatures from
Debian mailing lists without needing to be subscribed to them ;-)

Greetings,

--
Camaleón


--
Archive: http://lists.debian.org/jmeufc$3it$8@dough.gmane.org
 
Old 04-21-2012, 03:24 AM
Chris Bannister
 

On Sun, Apr 15, 2012 at 04:28:28PM +0000, Camaleón wrote:
> (Disclaimer: newbies and soft-minded readers, please, stop reading here.
> The following content can damage your mind. You've been advised)

Ha! I believe that is a "dig" at some constructive criticism.

Ummm, let's see, .... No FUD in there, safe to proceed.

> As I thought, verifying PGP/MIME detached signatures can be also done from
> command line with GPG. I have tried with some posts from this same mailing
> list coming from users that use detached signatures and in every case it
> worked fine:
>
>
>
> sm01@stt008:~/Desktop$ LANG=C gpg --keyserver-options auto-key-retrieve --keyserver pool.sks-keyservers.net --verify test.pgp test.eml
> gpg: Signature made Tue Apr 10 08:41:59 2012 CEST using RSA key ID 82A46728
> gpg: Good signature from "Mika Suomalainen"
> gpg: aka "Mika Suomalainen <s.mika95@gmail.com>"
> gpg: aka "Mika Suomalainen <mika.henrik.mainio@hotmail.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728

(....)

> The recipe is very easy and the only needed ingredients are:
>
> - Browsing to the mailing list archive
> - Telnet to "news.gmane.org" server to get the message
> - Use "gpg --verify"


--
"Religion is excellent stuff for keeping common people quiet."
-- Napoleon Bonaparte


--
Archive: http://lists.debian.org/20120421032435.GT3659@tal
 
Old 04-22-2012, 01:22 PM
Andrei POPESCU
 

On Sun, 15 Apr 12, 16:28:28, Camaleón wrote:
>
> As I thought, verifying PGP/MIME detached signatures can be also done from
> command line with GPG. I have tried with some posts from this same mailing
> list coming from users that use detached signatures and in every case it
> worked fine:
...
> The recipe is very easy and the only needed ingredients are:
>
> - Browsing to the mailing list archive
> - Telnet to "news.gmane.org" server to get the message
> - Use "gpg --verify"
>
> And that's all.
>
> If anyone is interested in the detailed steps, just ask.

Can you reproduce this with local copies from a mail agent (ideally
mutt)? My quick experiments failed. Just curious, nothing critical.

Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 04-22-2012, 01:47 PM
Henrique de Moraes Holschuh
 

On Sun, 22 Apr 2012, Andrei POPESCU wrote:
> On Sun, 15 Apr 12, 16:28:28, Camaleón wrote:
> > As I thought, verifying PGP/MIME detached signatures can be also done from
> > command line with GPG. I have tried with some posts from this same mailing
> > list coming from users that use detached signatures and in every case it
> > worked fine:
> ...
> > The recipe is very easy and the only needed ingredients are:
> >
> > - Browsing to the mailing list archive
> > - Telnet to "news.gmane.org" server to get the message
> > - Use "gpg --verify"
> >
> > And that's all.
> >
> > If anyone is interested in the detailed steps, just ask.
>
> Can you reproduce this with local copies from a mail agent (ideally
> mutt)? My quick experiments failed. Just curious, nothing critical.

mutt will remove the signature on "decode-copy" (mutt lingo for
"export"), as it should.

If you save the message to mbox format, gpg 1.4.10 in Lenny will not be
able to verify it (maybe a newer version will). gpg2 in Lenny (2.0.14)
does verify the signature, but it won't work with gpg2 --verify.

You have to:

1. save to mbox format in mutt (e.g. to /tmp/1.mbox)

2. run gpg2 /tmp/1.mbox. When it asks for the file with the detached
signature, you give it /tmp/1.mbox again.

There is probably a better way to do this.

That said, mutt handles PGP/MIME properly, it annotates which portions
of the message have been signed, which portions have NOT been signed,
and the full gpg output, plus mutt's idea of what that gpg output means
(good sig, bad sig, unverified sig, etc) for each portion.

Well at least when you have only one section that is protected by a
PGP/MIME signature, and several sections which are not. I didn't check
the RFC, nor tried to have a message with several sections, each one
signed independently.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
Archive: http://lists.debian.org/20120422134741.GA10965@khazad-dum.debian.net
 
Old 04-22-2012, 01:51 PM
Camaleón
 

On Sun, 22 Apr 2012 16:22:14 +0300, Andrei POPESCU wrote:

> On Sun, 15 Apr 12, 16:28:28, Camaleón wrote:
>>
>> As I thought, verifying PGP/MIME detached signatures can be also done
>> from command line with GPG. I have tried with some posts from this same
>> mailing list coming from users that use detached signatures and in
>> every case it worked fine:
> ...
>> The recipe is very easy and the only needed ingredients are:
>>
>> - Browsing to the mailing list archive
>> - Telnet to "news.gmane.org" server to get the message
>> - Use "gpg --verify"
>>
>> And that's all.
>>
>> If anyone is interested in the detailed steps, just ask.
>
> Can you reproduce this with local copies from a mail agent (ideally
> mutt)? My quick experiments failed. Just curious, nothing critical.
^^^^^^^^^^^^^^^^ :-)

I can't test it because I'm not subscribed to Debian mailing lists and
thus I don't get copies of the messages. But just two quick notes on your
question:

1/ Mutt can verify PGP/GPG signatures (inline and detached) automatically
or on user demand so why not use Mutt instead of having to deal with the
raw message? Mutt itself does the hard job of injecting "gpg" with the
correct format of the message, separating the signature from the signed
content.

2/ A common error when you have to manually verify the signature comes
from the extra lines you leave between the content of the message body
and the signature, which make the verification process fail. Removing
the extra lines solves the problem and the signature can be properly
checked.

Greetings,

--
Camaleón


--
Archive: http://lists.debian.org/jn12ch$ha3$9@dough.gmane.org
 
Old 04-22-2012, 02:36 PM
Andrei POPESCU
 

On Sun, 22 Apr 12, 10:47:41, Henrique de Moraes Holschuh wrote:
> On Sun, 22 Apr 2012, Andrei POPESCU wrote:
> >
> > Can you reproduce this with local copies from a mail agent (ideally
> > mutt)? My quick experiments failed. Just curious, nothing critical.

As I said, just curious

> mutt will remove the signature on "decode-copy" (mutt lingo for
> "export"), as it should.
>
> If you save the message to mbox format, gpg 1.4.10 in Lenny will not be
> able to verify it (maybe a newer version will). gpg2 in Lenny (2.0.14)
> does verify the signature, but it won't work with gpg2 --verify.

I tried saving the individual parts ('v' and then 's' ), but that didn't
work. Not curious enough to try your mbox method, mutt's automatic
verification works fine

Thanks,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 04-22-2012, 07:52 PM
Jon Dowland
 

On Sun, Apr 22, 2012 at 04:22:14PM +0300, Andrei POPESCU wrote:
> Can you reproduce this with local copies from a mail agent (ideally
> mutt)? My quick experiments failed. Just curious, nothing critical.

You need to get ahold of the signed part without mutt decoding it. I
achieved it by piping the raw message to cat in mutt ("|cat > ~/tmp/foo")
and manually editing the result to cut out the other bits. I needed the
particular MIME part for the message, plus the MIME headers above it,
and possibly a trailing newline (use trial and error for that bit). You
can safely decode/save the signature attachment, it's just the message
itself (which is signed post-encoding, that is, in the "wire" format
for the mail) which you need to cut out.


--
Archive: http://lists.debian.org/20120422195232.GB11237@debian
 
Old 04-23-2012, 12:13 AM
Bob Proulx
 

Andrei POPESCU wrote:
> I tried saving the individual parts ('v' and then 's' ), but that didn't
> work. Not curious enough to try your mbox method, mutt's automatic
> verification works fine

That won't work because the saved part is the *body* of the part and
not the raw encoded bits of that part. It is the raw encoded part
that is signed, not the decoded body.

See my earlier response in this thread where I showed how this can be
done manually.

http://lists.debian.org/debian-user/2012/04/msg00766.html

Basically you need the raw part which includes the Content-Type,
Content-Transfer-Encoding and Content-Disposition headers too. The
signature includes those headers. If the file you saved does not have
those headers in them then you do not have the file that was signed
and the signature cannot be verified.

Bob
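
Added example, not part of the thread and not any poster's code: the point made by Jon Dowland and Bob Proulx above (the signature covers the raw first MIME part with its headers, not the decoded body) as a small Python script. It follows RFC 3156 for CRLF line endings and for the newline in front of the boundary; `split_signed`, `verify`, the temporary file names and the sample message are assumptions made for illustration.

```python
import email
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed sample: LF line endings, placeholder signature (gpg rejects it).
SAMPLE = b"""From: alice@example.org
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hello list

--b1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----

--b1--
"""

def split_signed(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed bytes, signature bytes) of a raw multipart/signed message."""
    msg = email.message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or not boundary:
        raise ValueError("not a multipart/signed message")
    # RFC 3156: the signed data uses CRLF line endings, whatever the mailbox stores.
    data = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    # The CRLF in front of "--boundary" belongs to the delimiter, so splitting on
    # both keeps that one newline (and only that one) out of the signed data.
    chunks = data.split(b"\r\n--" + boundary.encode("ascii"))
    if len(chunks) < 4:
        raise ValueError("expected two parts and a closing delimiter")
    # First part stays raw, MIME headers included: this is what was signed.
    signed = chunks[1].partition(b"\r\n")[2]
    # Second part only carries the signature, so decoding it is safe.
    sig_part = email.message_from_bytes(chunks[2].partition(b"\r\n")[2])
    return signed, sig_part.get_payload(decode=True)

def verify(raw: bytes) -> int:
    """Run `gpg --verify SIG DATA` on the two pieces; exit status 0 means good."""
    signed, signature = split_signed(raw)
    with tempfile.TemporaryDirectory() as tmp:
        data_file, sig_file = Path(tmp, "part.raw"), Path(tmp, "part.asc")
        data_file.write_bytes(signed)
        sig_file.write_bytes(signature + b"\n")
        cmd = ["gpg", "--verify", str(sig_file), str(data_file)]
        return subprocess.run(cmd).returncode

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a raw saved message
        sys.exit(verify(Path(sys.argv[1]).read_bytes()))
    print(split_signed(SAMPLE)[0])
```

An exit status of 0 only says the signature matches the key; the "not certified with a trusted signature" warning shown in the outputs earlier in the thread still applies until the fingerprint has been checked some other way.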
 
