Manually verifying PGP/MIME signature with GPG
Hi,

I am now asking this question for the third time, but now in separate
thread.

As this list seems to be against GPG INLINE signatures, I have promised
to move to S/MIME (with devices which support it) when someone on this
list tells me how do I manually verify PGP/MIME signature in case email
client cannot be used to do it.

Example case would be verifying message from mailing list archives. I
will also move to PGP/MIME if anyone on this list admits my point that
it's easier to verify GPG INLINE manually than PGP/MIME.

I have

1. Used 45 minutes to try to solve how to do it by myself.
2. I have Googled for this without finding anything useful.
3. I have asked at official GNUPG support channel and got only answer
   that it's "tricky".

I am using PGP INLINE mainly, because of two reasons, which are

1. GPG INLINE is easier to verify manually. It's only copy-pasting the
   whole message to gpg. I have sent three messages to this list asking
   how does this happen with PGP/INLINE, but people are just ignoring
   the question and telling me that I should use it.
2. K9 Mail, which I use on my phone when I sometimes need to email from
   it, doesn't support PGP/MIME. There is bug report about it at
   https://code.google.com/p/k9mail/issues/detail?id=13&colspec=ID%20Product%20Type%20Status%20Priority%20Milestone%20Owner%20Summary .

--
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728

On Mon, 09 Apr 2012 18:04:13 +0300, Mika Suomalainen wrote:
> I am now asking this question for the third time, but now in separate
> thread.

For the "third" time? Then is that I missed it. You did the right move by
opening a new thread :-)

> As this list seems to be against GPG INLINE signatures,

Uh? First notice I have :-?

I recognize it's annoying to delete the extra text when replying to PGP/
GPG inline messages but I can live with that.

> I have promised to move to S/MIME (with devices which support it) when
> someone on this list tells me how do I manually verify PGP/MIME
> signature in case email client cannot be used to do it.

You don't have to move on S/MIME if you don't want.

> Example case would be verifying message from mailing list archives. I
> will also move to PGP/MIME if anyone on this list admits my point that
> it's easier to verify GPG INLINE manually than PGP/MIME.

(...)

Dude, use whatever you like most, if someone complains that's up to them
(unless there's some hidden rule/policy for this I'm not aware of) ;-)

Anyway, openssl's smime should be able to verify the signature. As per
the man page:

***
The smime command handles S/MIME mail. It can encrypt, decrypt, sign and
verify S/MIME messages.
***

There are some usage samples at the bottom of the page.

Greetings,

--
Camaleón

On 09.04.2012 18:44, Camaleón wrote:
> On Mon, 09 Apr 2012 18:04:13 +0300, Mika Suomalainen wrote:
>
>> I am now asking this question for the third time, but now in separate
>> thread.
>
> For the "third" time? Then is that I missed it. You did the right move by
> opening a new thread :-)
>
>> As this list seems to be against GPG INLINE signatures,
>
> Uh? First notice I have :-?

The other questions and PGP/INLINE hate are in some of those three (or
more) of those different "[OT] Posting styles" threads.

> I recognize it's annoying to delete the extra text when replying to PGP/
> GPG inline messages but I can live with that.
>
>> I have promised to move to S/MIME (with devices which support it) when
>> someone on this list tells me how do I manually verify PGP/MIME
>> signature in case email client cannot be used to do it.
>
> You don't have to move on S/MIME if you don't want.

Oh, sorry. I am confusing with S/MIME and PGP/MIME myself too. They are
two different things, or at least I think so. The one which I am asking
about is PGP/MIME (those signature.asc files, which you might have seen).

>> Example case would be verifying message from mailing list archives. I
>> will also move to PGP/MIME if anyone on this list admits my point that
>> it's easier to verify GPG INLINE manually than PGP/MIME.
>
> (...)
>
> Dude, use whatever you like most, if someone complains that's up to them
> (unless there's some hidden rule/policy for this I'm not aware of) ;-)

I am getting the picture that there is some kind of hidden policy, which
should be put to list code of conduct or elsewhere.

> Anyway, openssl's smime should be able to verify the signature. As per
> the man page:
>
> ***
> The smime command handles S/MIME mail. It can encrypt, decrypt, sign and
> verify S/MIME messages.
> ***
>
> There are some usage samples at the bottom of the page.
>
> Greetings,
>

I think that I will start using PGP/MIME now that someone has said that
it's annoying to remove GPG signatures from messages and that they can
live with it. It's nicer way than telling to filter all emails from one
sender / threading / telling what should be done in their opinions and
then ignoring all problems in that way.

I hope that someone can still answer this question.

PS. Sorry again for typoing PGP/MIME as S/MIME.

--
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728

On 04/09/2012 12:11 PM, Mika Suomalainen wrote:
> On 09.04.2012 18:44, Camaleón wrote:
>> On Mon, 09 Apr 2012 18:04:13 +0300, Mika Suomalainen wrote:
[...]
>> I recognize it's annoying to delete the extra text when replying to PGP/
>> GPG inline messages but I can live with that.
>>
>>> I have promised to move to S/MIME (with devices which support it) when
>>> someone on this list tells me how do I manually verify PGP/MIME
>>> signature in case email client cannot be used to do it.
>>
>> You don't have to move on S/MIME if you don't want.
>
> Oh, sorry. I am confusing with S/MIME and PGP/MIME myself too. They are
> two different things, or at least I think so. The one which I am asking
> about is PGP/MIME (those signature.asc files, which you might have seen).
>
>>> Example case would be verifying message from mailing list archives. I
>>> will also move to PGP/MIME if anyone on this list admits my point that
>>> it's easier to verify GPG INLINE manually than PGP/MIME.
>>

The only real difference between inline PGP and PGP/MIME is that in
PGP/MIME the signature is detached and added to the email as an
attachment, which as you mention the signature.asc. To verify PGP/MIME
vs inline is the same if you were using the GPG or PGP command to verify
a clearsigned file or not. With PGP/MIME you'd have to save the original
email which would in a multi-part MIME email be an attachment itself,
just the first one, and the signature attachment and run them through
the CLI tool to verify the signature.

Also as most mail clients these days support PGP/MIME standard either
natively or via additional plugin there should be little need to do so
manually unless this is just an exercise to better understand how it is
handled.

[...]
>
> I think that I will start using PGP/MIME now that someone has said that
> it's annoying to remove GPG signatures from messages and that they can
> live with it. It's nicer way than telling to filter all emails from one
> sender / threading / telling what should be done in their opinions and
> then ignoring all problems in that way.
>
> I hope that someone can still answer this question.
>
> PS. Sorry again for typoing PGP/MIME as S/MIME.
>

PGP/MIME just makes it easier for those that don't bother with the
signatures to ignore the attachment with the signature and not have to
deal with cutting it out in replies. The other issue I've seen with
inline vs PGP/MIME is that if the signature is not stripped out by
someone replying and including the signature in the quote it will
sometimes confuse the MUA. In most cases PGP/MIME won't have this issue
as the signature is a separate attachment and unless efforts are made to
include attachments in replies won't be included and even if it does it
still doesn't confuse the MUA.

On Mon, 09 Apr 2012 19:11:04 +0300, Mika Suomalainen wrote:
> On 09.04.2012 18:44, Camaleón wrote:

>>> As this list seems to be against GPG INLINE signatures,
>>
>> Uh? First notice I have :-?
>
> The other questions and PGP/INLINE hate are in some of those three (or
> more) of those different "[OT] Posting styles" threads.

Ah... okay.

>> I recognize it's annoying to delete the extra text when replying to
>> PGP/ GPG inline messages but I can live with that.
>>
>>> I have promised to move to S/MIME (with devices which support it) when
>>> someone on this list tells me how do I manually verify PGP/MIME
>>> signature in case email client cannot be used to do it.
>>
>> You don't have to move on S/MIME if you don't want.
>
> Oh, sorry. I am confusing with S/MIME and PGP/MIME myself too. They are
> two different things, or at least I think so. The one which I am asking
> about is PGP/MIME (those signature.asc files, which you might have
> seen).

Mmm... I see. Yes, they seem to be different implementations:

http://pthree.org/2011/09/17/pgpmime-versus-smime/

>> Dude, use whatever you like most, if someone complains that's up to
>> them (unless there's some hidden rule/policy for this I'm not aware of)
>> ;-)
>
> I am getting the picture that there is some kind of hidden policy, which
> should be put to list code of conduct or elsewhere.

A hidden policy (should there be any) is by definition "not applicable" so
don't worry about it and use what GPG/PGP inline/attached file you
estimate better for you.

>> Anyway, openssl's smime should be able to verify the signature. As per
>> the man page:
>>
>> ***
>> The smime command handles S/MIME mail. It can encrypt, decrypt, sign
>> and verify S/MIME messages.
>> ***
>>
>> There are some usage samples at the bottom of the page.
>>
>>
> I think that I will start using PGP/MIME now that someone has said that
> it's annoying to remove GPG signatures from messages and that they can
> live with it.

Well, that was my *personal* opinion, you don't have to do what every
person says, follow your own way :-)

> It's nicer way than telling to filter all emails from one
> sender / threading / telling what should be done in their opinions and
> then ignoring all problems in that way.

Well, discarding posts just because of inline PGP/GPG signatures is a bit
radical. As I said, it's annoying but nothing more.

> I hope that someone can still answer this question.
>
> PS. Sorry again for typoing PGP/MIME as S/MIME.

You said PGP/MIME, I got S/MIME O:-)

Look at "man gpg", there must be also an option here for verifying the
signature.

Greetings,

--
Camaleón

On 09.04.2012 19:48, Jeremy T. Bouse wrote:
> On 04/09/2012 12:11 PM, Mika Suomalainen wrote:
>> On 09.04.2012 18:44, Camaleón wrote:
>>> On Mon, 09 Apr 2012 18:04:13 +0300, Mika Suomalainen wrote:

<...>

> PGP/MIME just makes it easier for those that don't bother with the
> signatures to ignore the attachment with the signature and not have to
> deal with cutting it out in replies. The other issue I've seen with
> inline vs PGP/MIME is that if the signature is not stripped out by
> someone replying and including the signature in the quote it will
> sometimes confuse the MUA. In most cases PGP/MIME won't have this issue
> as the signature is a separate attachment and unless efforts are made to
> include attachments in replies won't be included and even if it does it
> still doesn't confuse the MUA.
>
>

So if I was verifying my signature in that my latest message manually, I
would need two files, which would be message and signature.asc and the
verifying command would be "gpg --verify message signature.asc" (or were
they swapped)?

If we think that I am verifying the signature in my latest message,
http://lists.debian.org/debian-user/2012/04/msg00748.html , how would I
get the message part of it? Or is just copy-pasting and saving it
enough? (Or is it impossible? :)).

--
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728

On 09.04.2012 19:54, Camaleón wrote:
<...>

>> PS. Sorry again for typoing PGP/MIME as S/MIME.
>
> You said PGP/MIME, I got S/MIME O:-)
>
> Look at "man gpg", there must be also an option here for verifying the
> signature.
>
> Greetings,
>

I wrote

> I have promised to move to S/MIME (with devices which support it) when
> someone on this list tells me how do I manually verify PGP/MIME
> signature in case email client cannot be used to do it.

, so I misspelled it once too.

--
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728

Mika Suomalainen wrote:
> Jeremy T. Bouse wrote:
> > Mika Suomalainen wrote:
> > > Camaleón wrote:
> > > > Mika Suomalainen wrote:

> > > I am now asking this question for the third time, but now in separate
> > > thread.

That is the way to do it. I had not seen any of your previous
questions. If I kill a long rambling thread it will sweep in any
unrelated questions that were posted in that thread. Therefore if you
want people to read and make sense of your question you should post it
as a separate message in as clear of a problem statement as possible.

> > > As this list seems to be against GPG INLINE signatures, I have

PGP inline signatures are just annoying. They aren't fatal. They are
simply the very old way. Because they were annoying an improved way
was developed. Generally we think that using PGP/MIME is a superior
and more friendly way to go. I use PGP/MIME and think you should too.

> > > I am using PGP INLINE mainly, because of two reasons, which are
> > > 1. GPG INLINE is easier to verify manually. It's only
> > > copy-pasting the whole message to gpg.

If you are manually verifying messages I think that is too labor
intensive to do normally through the course of daily reading email.
There are hundreds of messages to this mailing list every day. Trying
to verify them manually would be too hard. Your mail user agent needs
to do this for you or it just won't happen when it needs to happen.
Therefore instead of worrying about doing it manually I would worry
about using and configuring your agent to do it for you.

Also when cutting and pasting you probably will not have the actual
contents of many messages. If the message is encoded with us-ascii it
might work fine. But if encoded in UTF-8 (or even 8859-1) due to
non-ascii characters then the message in the cut-n-paste will almost
certainly be different from the one encoded and will fail to verify.
So that isn't a good general purpose solution.

> > PGP/MIME just makes it easier for those that don't bother with the
> > signatures to ignore the attachment with the signature and not have to
> > deal with cutting it out in replies. The other issue I've seen with
> > inline vs PGP/MIME is that if the signature is not stripped out by
> > someone replying and including the signature in the quote it will
> > sometimes confuse the MUA. In most cases PGP/MIME won't have this issue
> > as the signature is a separate attachment and unless efforts are made to
> > include attachments in replies won't be included and even if it does it
> > still doesn't confuse the MUA.

Agreed to all.

> So if I was verifying my signature in that my latest message manually, I
> would need two files, which would be message and signature.asc

Yes, mostly. This is fully described in RFC 2015.

    http://www.ietf.org/rfc/rfc2015.txt

To manually verify your signature on a message you would need the
contents of the message body in one file. That must include the
encoding verbatim and it must include the content header.

    Content-Type: text/plain; charset=us-ascii
    Content-Disposition: inline
    Content-Transfer-Encoding: quoted-printable

    This is a test message. Including Camale=F3n's name to force
    quoted-printable encoding to illustrate that it also must be part of
    the signed message.

That would be in one file. Note the character encoding and the
message header. This data must be a verbatim copy of the signed part
of the file. In the other file would be the detached signature.

> and the verifying command would be "gpg --verify message
> signature.asc" (or were they swapped)?

Here is an example where I tried the above:

    $ gpg --verify message.gpg.signature.asc message.txt
    gpg: Signature made Sun 08 Apr 2012 05:40:55 PM MDT using DSA key ID C13650B6
    gpg: Good signature from "Bob Proulx <bob@proulx.com>"

> If we think that I am verifying the signature in my latest message,
> http://lists.debian.org/debian-user/2012/04/msg00748.html , how would I
> get the message part of it? Or is just copy-pasting and saving it
> enough? (Or is it impossible? :)).

You need the original message. Being able to see how the message is
displayed is not enough due to character encoding changing the
underlying data. This is why cutting and pasting isn't a good thing
even in the inline case.

HTH,
Bob

On 09.04.2012 22:46, Bob Proulx wrote:
<...>

> You need the original message. Being able to see how the message is
> displayed is not enough due to character encoding changing the
> underlying data. This is why cutting and pasting isn't a good thing
> even in the inline case.
>
> HTH,
> Bob

So it's not possible to verify message from mailing list archives and I
shouldn't do it even with INLINE. You have just removed one of my
reasons to not use PGP/MIME :).

Thank you to everyone who helped. I think that this issue is now solved.

--
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728

On 09/04/12 17:48, Jeremy T. Bouse wrote:
> To verify PGP/MIME
> vs inline is the same if you were using the GPG or PGP command to verify
> a clearsigned file or not. With PGP/MIME you'd have to save the original
> email which would in a multi-part MIME email be an attachment itself,
> just the first one, and the signature attachment and run them through
> the CLI tool to verify the signature.

Alas, this doesn't actually work[1]. As Bob expands later, you need to get
the message body in its encoded format (e.g. quoted-printable), complete
with the MIME headers describing the encoding[2]. This is difficult to
export from most mailers, and impossible (so far as I know) from the web
archives.

(note that my mail client may re-wrap lines from the examples below)

[1]:

    bryant$ cat msg
    On 03/04/12 17:06, Mika Suomalainen wrote:
    > Yes we did, but you are forgetting GPG clearsigning vs GPG S/MIME and
    > was there something else... ☺

    I missed that part of the discussion (but that has reminded me to
    re-setup my mailer to sign ☺)

    bryant$ cat msg.asc
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.11 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

    iQIcBAEBCAAGBQJPfCpsAAoJEAkHQJYGqqqqUIIP/jr/WeTTTr0Ig8EtAKvFiTFu
    vRH20HOf0OhqXs7eBeJ0QZdXPONPHCFokB75khuBOgEP6Ed1SnY2XPMZUXBL97R4
    Li2l8oVHGF4omVkbNYZ1nItbz95fhLCqxIu/9TouPYsH0fNI4WTrjWFQH2c+zD4k
    iLeumt03He+l/3j24RxKKQ2qZt1qx2558kKMQCB2WmCRmjUc79uYTl09n4XVZvhc
    yOklofhCMlQXsaCPwpfed5zZZBvpRtpLNsgL4nWKbsmFDdVhmf/CLB1PlSn0H3lV
    xr8IwPsn1MC7Ums+nEzuabGzy2JMRrZaRrEVERFwtkW7xftEqy4N63Ua+g9AzQuH
    T4XYmYFq0vZXliF/zRkoStEmfUZke7OonxUEGhjz3MdeIaMoxlw2V+Zi9NF5U9A7
    pdX/CRhPfG2q5VYsyGyCeBtF5PLiIAs6bEUHKf0IJy0MXk01cIUL69Yfm6XqoJ8j
    R8sK0eL7JphwX3cjgJ8L2cyIBW8Z1YqSc1d93kjiwDZeewNw6dueuXNkvvsVhhis
    uJU2iapDo8Q4FiHcop+uqpEOuCT0DeUS6wgPlsD3fMp1a2LMzrWMkAU6Wo0zAWDM
    Gk9TlVzJjT4jrTffkLM4rxoYYvhUUdUsOKrHukRsxB7E++NXpqUkqV0pi0486lYc
    7NADA1QrTNgixFBBONCa
    =Zjte
    -----END PGP SIGNATURE-----
    bryant$ gpg --verify msg.asc
    gpg: Signature made Wed 04 Apr 2012 12:03:08 PM BST using RSA key ID 06AAAAAA
    gpg: BAD signature from "Jon Dowland <jmtd@debian.org>"

[2]:

    bryant$ cat raw
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable

    On 03/04/12 17:06, Mika Suomalainen wrote:
    > Yes we did, but you are forgetting GPG clearsigning vs GPG S/MIME and
    > was there something else... =E2=98=BA

    I missed that part of the discussion (but that has reminded me to
    re-setup my mailer to sign =E2=98=BA)

    bryant$ gpg --verify raw.asc
    gpg: Signature made Wed 04 Apr 2012 12:03:08 PM BST using RSA key ID 06AAAAAA
    gpg: Good signature from "Jon Dowland <jmtd@debian.org>"
    Primary key fingerprint: E037 CB2A 1A00 61B9 4336 3C8B 0907 4096 06AA AAAA

--
Jon Dowland
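
Added example, not part of the thread and not any poster's code: the manual procedure Bob Proulx and Jon Dowland describe (take the signed part byte for byte from the raw message, MIME headers and transfer encoding included, then run `gpg --verify signature data`), written in Python. The sample message, its boundary `b0undary`, the placeholder armor and all function names are constructed for illustration; the signature part is assumed to be plain 7bit ASCII armor.

```python
import re
import subprocess
import sys
import tempfile
from email import message_from_bytes
from pathlib import Path

# Constructed sample: LF line endings, placeholder armor that is NOT a real signature.
SAMPLE = b"""\
From: alice@example.org
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="b0undary"

This is an OpenPGP/MIME signed message.
--b0undary
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Including Camale=F3n's name to force quoted-printable.

--b0undary
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

PLACEHOLDERnotARealSignature
-----END PGP SIGNATURE-----

--b0undary--
"""

def split_pgp_mime(raw: bytes):
    """Return (signed_bytes, armored_signature) from a raw multipart/signed message."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)       # the signature covers the CRLF form
    msg = message_from_bytes(raw)               # parsed for its headers only
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or not boundary:
        raise ValueError("not a multipart/signed message")
    body = raw.partition(b"\r\n\r\n")[2]
    # A delimiter line is CRLF + "--" + boundary (+ "--" on the closing one);
    # that leading CRLF belongs to the delimiter, not to the part before it.
    b = re.escape(boundary.encode())
    delim = re.compile(rb"\r\n--" + b + rb"(?:--)?[ \t]*(?=\r\n|$)")
    pieces = delim.split(b"\r\n" + body)
    if len(pieces) < 4:
        raise ValueError("expected a signed part and a signature part")
    signed = pieces[1][2:]                      # drop the CRLF ending the delimiter line
    armor = re.search(rb"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----",
                      pieces[2], re.S)
    if not armor:
        raise ValueError("no armored signature in the second part")
    return signed, armor.group(0) + b"\r\n"

def displayed_text(raw: bytes) -> bytes:
    """What a mail client or web archive shows: decoded body, MIME headers gone."""
    return message_from_bytes(raw).get_payload(0).get_payload(decode=True)

def gpg_verify(raw: bytes) -> int:
    """Write both pieces to temporary files and run `gpg --verify sig data`."""
    signed, sig = split_pgp_mime(raw)
    with tempfile.TemporaryDirectory() as tmp:
        data, asc = Path(tmp, "signed-part"), Path(tmp, "signature.asc")
        data.write_bytes(signed)
        asc.write_bytes(sig)
        return subprocess.run(["gpg", "--verify", str(asc), str(data)]).returncode

if __name__ == "__main__":
    # The argument must be the unmodified raw message as the mail server stored it.
    sys.exit(gpg_verify(Path(sys.argv[1]).read_bytes()))
```

`displayed_text` returns the decoded body without its MIME headers, which is why a copy taken from a client window or web archive gives a BAD signature. Running the script on a saved raw message calls gpg, which needs the signer's public key in its keyring.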