I'm trying to test whether someone with a copy of my public gpg key can verify a signed email that they receive from me. I'm using two computers for this. On the first, I have my key generated and mutt installed. I compose an email in mutt and sign it with the correct key. I also export an ascii-armoured copy of the public key and upload it to a website.
On the second computer: I download a copy of the public key. Import with `gpg --import pub.key`, the correct name and email address appear in the keychain. Log onto webmail service and download the message as a .eml and the signature as .asc. When put into `gpg --verify signature.asc message.eml` I get the following message:
```
gpg: Signature made Tue 01 Dec 2015 14:00:17 GMT using RSA key ID 4C45311
gpg: BAD signature from "My Name <[email protected]>"
```
So I try downloading the message and signature using mutt on the first computer and `scp`ing them to the second. I get the same message from `gpg --verify`. However, when I open the message inside mutt it says good signature.
Does anyone know why there's a difference between downloading the .eml and .asc file and verifying directly with gpg and viewing the signed message in mutt? I want other people who have a copy of my public key but might not necessarily have gpg built into their email client to be able to verify my messages.
Thanks.