(1) BAD signature and (2) auto SHA1
Charly Avital
shavital@netbox.com
Sat Aug 2 16:56:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 4:21 AM -0500 8/2/03, DIG wrote:
>Hi, GnuPG people!
>
>I can easily verify the signature for almost all messages that I
>receive (I use mutt 1.2.5.1i + gnupg 1.2.1). But there are a few
>messages that I cannot verify automatically. So, I would like to ask
>you two questions.
>
>1. First group of messages returns "BAD signature". What is the best
>way to find out whose fault it is (as in the famous Russian question)?
>Is it my fault, or is it the fault of my correspondent?
"Bad signature" means that the hash value of the message that was sent
to you, and that was used by the sender to create the digital signature
which he encrypted using his secret key, does not verify when the
recipient (you in this case) uses the sender's public key to check that
hash value. It means that the message you have received has been altered.
Whose fault is it? It depends on what caused the check of the hash
value to fail, and there may be many causes:
- a word wrap problem. PGP, for instance, wraps messages at a certain
wrap value, meaning how many columns. If both the e-mail client and PGP
use the same value (the same number of columns), the message's format
will be altered. Likewise, if the e-mail client is set to wrap at a
lesser value than PGP's, carriage returns will be added, and the
message will be considered as altered.
So this is the sender's "fault".
- text that contains "special characters", like accented letters,
etc. ("high ASCII") may cause the signature verification to fail,
unless the recipient's e-mail client's character set is utf-8. So, this
could be the recipient's "fault". But it could also be the sender's
"fault", if his email client's character set is not utf-8. This issue
can be very confusing.
- there can be other reasons; you should check the documentation,
especially considering that I'm not an expert, far from it. What I know
about GPG and PGP is totally empirical.
The issue of whether you, the recipient, have signed or not signed the
sender's public key in your public keyring does not affect the
signature being found BAD or GOOD. This will affect the value of trust
you, as owner of the keyring, have assigned to that public key. A
signature can verify GOOD, but the key's trust value will be "not
valid", or "of unknown validity", if the recipient-owner of the keyring
has not assigned a trust value to that key by first signing it with his
own secret key, and then defining how he considers the sender of the
signed message (the owner of the secret-and-public keys) to be a
trusted user.
See the "Web of Trust"
>2. Second group of messages contains messages like this:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Beginning of the message...
>
> End of message.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: some comment
>
> iD8DBQE/IB9XVbJM14DSCi0RAlD6AKDlGy5pR0CkGW+7urdQ8RdLfVDNPACfQ7jf
> 6YC96a+V6MbxlwJpThv1m3w=
> =HEsh
> -----END PGP SIGNATURE-----
>
>So, my question is: how can I verify the messages like this one
>automatically? Are there some rules or something that I can put into
>my ~/.procmailrc or my ~/.muttrc?
The above example is a typical on-line clear-signed message. It
displays, in the same text, the PGP headers and footers, the kind of
hash that was used, the version of the encrypting system that was used,
the comment, and the ASCII representation of the signature itself.
Automatic verifying, or any other automatic function, is generally a
feature of the email client (the MUA) in conjunction with the
encryption system "plug-in". I have no idea how Mutt works; I can't
answer that question.
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (Darwin)
iD8DBQE/K9Fu8SG5rMkbCF4RAhO/AKC6zwtZkplmmd91HWEhjHOIv8JaLgCgpTGU
ivJ4Z0L2/fW1AkwX7UuJC7A=
=gtuG
-----END PGP SIGNATURE-----
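The word-wrap cause of "BAD signature" discussed above, and the clear-signed layout DIG quotes, as an added example that is not part of this thread: the script below parses a constructed clearsigned message, undoes the "- " dash-escaping that clearsigning puts in front of lines starting with a dash, canonicalises the text the way RFC 4880 section 7 prescribes (trailing spaces and tabs dropped, CRLF line ends), and shows that trailing whitespace leaves the SHA1 digest unchanged while an MUA hard-wrapping a long line does not. The signature block in the sample is a placeholder, and the digest here covers only the signed text, not the signature packet's own hashed fields that gpg additionally includes, so this illustrates why the hash check fails rather than re-implementing `gpg --verify`.

```python
import hashlib

# Constructed clearsigned message (the signature block is a placeholder, not
# real data); only the canonicalisation of the signed text is demonstrated.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "Beginning of the message, a long enough line that a client might wrap it.\n"
    "- - a bullet: the signer dash-escaped this line, which began as '- a'\n"
    "End of message.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "PLACEHOLDER-SIGNATURE-DATA\n"
    "-----END PGP SIGNATURE-----\n"
)

def split_clearsigned(msg):
    """Return (hash algorithms, signed text lines), undoing '- ' dash-escaping."""
    lines = msg.splitlines()
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned message")
    algos, i = [], 1
    while lines[i]:                      # armor headers end at a blank line
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            algos = [a.strip() for a in value.split(",")]
        i += 1
    body = []
    for line in lines[i + 1:]:           # signed text runs up to the signature
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return algos, body

def canonical_digest(body, algo="sha1"):
    """Digest of the text as signer and verifier canonicalise it (RFC 4880 s.7):
    trailing spaces/tabs dropped, CRLF line ends, none after the last line."""
    canon = "\r\n".join(line.rstrip(" \t") for line in body)
    return hashlib.new(algo, canon.encode("utf-8")).hexdigest()

def rewrap(body, width):
    """Mimic an MUA that hard-wraps long lines at `width` columns in transit."""
    out = []
    for line in body:
        while len(line) > width:
            cut = line.rfind(" ", 0, width)
            cut = width if cut <= 0 else cut
            out.append(line[:cut])
            line = line[cut:].lstrip(" ")
        out.append(line)
    return out
```

Running `canonical_digest` on the parsed body, on the body with whitespace appended to each line, and on `rewrap(body, 40)` gives the same value for the first two and a different one for the third, which is exactly the alteration the verifier reports as BAD.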