
I'm trying to test whether someone with a copy of my public gpg key can verify a signed email that they receive from me. I'm using two computers for this. On the first, I have my key generated and mutt installed. I compose an email in mutt and sign it with the correct key. I also export an ascii-armoured copy of the public key and upload it to a website.

On the second computer: I download a copy of the public key and import it with gpg --import pub.key; the correct name and email address appear in the keychain. I log onto the webmail service and download the message as a .eml and the signature as .asc. When I put them into gpg --verify signature.asc message.eml I get the following message:

gpg: Signature made Tue 01 Dec 2015 14:00:17 GMT using RSA key ID 4C45311
gpg: BAD signature from "My Name <[email protected]>"

So I try downloading the message and signature using mutt on the first computer and scping them to the second. I get the same message from gpg --verify. However, when I open the message inside mutt it says good signature.

Does anyone know why there's a difference between downloading the .eml and .asc file and verifying directly with gpg and viewing the signed message in mutt? I want other people who have a copy of my public key but might not necessarily have gpg built into their email client to be able to verify my messages.

Thanks.

1 Answer

If you cannot verify a signature without a mail client, but it works fine within the mail client, some unhappy combination of encoding and/or encapsulation will be in use.

A likely combination might be plain text signatures (so not PGP/MIME) together with quoted-printable encoding in a MIME mail. While your mail client will transform the message back to the original message, the quoted-printable encoded mail will not verify (as it indeed is a different one).

There's probably no canonical solution for your issue, but either send very simple plain text mails not requiring any special encoding (thus limiting yourself to the 7 bit ASCII character set and making sure your mail client does not use some special encoding anyway), or simply attach the signed message to the mail (use clear signed messages to put signature and message in a single file). The latter will likely break integration for those using a mail client with integration for OpenPGP though.

Anyway, I'd guess assuming whoever is using OpenPGP will have an OpenPGP capable mail client should be rather safe.
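To see the mismatch the answer describes, here is an added Python example (not from the question or the answer) that parses a constructed quoted-printable .eml, compares the raw on-disk body with the decoded body a mail client shows, and extracts the decoded bytes you would actually hand to gpg --verify. The addresses and message text are made up.

```python
import email
from email import policy

# Constructed sample .eml: an inline-signed (non-PGP/MIME) message whose body the
# sending client re-encoded as quoted-printable because it contains a non-ASCII
# character and a line longer than 76 columns. Not a real message.
RAW_EML = b"""From: My Name <me@example.invalid>
To: you@example.invalid
Subject: signed test
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello, here is a signed line with a non-ASCII char: caf=C3=A9.
A long line that the encoder wrapped with a soft line break =
because it exceeded the 76 column limit.
"""

# The text the sender's client handed to gpg before encoding (constructed).
ORIGINAL_TEXT = (
    "Hello, here is a signed line with a non-ASCII char: caf\u00e9.\n"
    "A long line that the encoder wrapped with a soft line break "
    "because it exceeded the 76 column limit.\n"
)


def raw_body(eml: bytes) -> bytes:
    """Body exactly as it sits in the .eml: still quoted-printable encoded."""
    return eml.split(b"\n\n", 1)[1]


def decoded_body(eml: bytes) -> str:
    """Body after the transfer encoding is undone, i.e. what the mail client shows."""
    msg = email.message_from_bytes(eml, policy=policy.default)
    return msg.get_content()


def extract_for_verify(eml: bytes) -> bytes:
    """Decoded body as UTF-8 bytes; write this to a file and verify it, not the .eml."""
    return decoded_body(eml).encode("utf-8")


def bodies_match(eml: bytes, signed_text: str) -> tuple:
    """Return (raw_matches, decoded_matches) against the text that was signed.

    The raw body differs (=C3=A9, soft line break), so gpg reports BAD signature;
    the decoded body is byte-identical to what was signed, so the client says good.
    """
    return raw_body(eml).decode("utf-8") == signed_text, decoded_body(eml) == signed_text
```

Save the output of extract_for_verify() to a file and run gpg --verify signature.asc on that file instead of the .eml; for PGP/MIME-signed mail the signed part additionally uses CRLF line endings, so convert before verifying.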
