On 2016-09-17 23:21, Ian Zimmerman wrote:

> Can anyone else verify Miro's signature?  I'm getting "BAD signature"
> both in mutt, and when I extract the signed part and try to verify it
> with gpg from the command line.
> 
> mutt 1.5.24, gpg 2.0.28, libgcrypt 1.7.3.

I switched to gpgme-1.5.5 (up until now I used the classic gpg spawning
interface).  Sadly, same results.

One thing I learned is that it makes no sense to just dump the signed
MIME part into a file and run gpg --verify; the signature is generated
over a highly massaged version of the data, as defined by RFC 3156.  For
one thing, line endings are supposed to be CRLF, and no trailing
whitespace.  Also, the MIME part headers _are_ covered by the sig
(although in the failing cases I see, there are no headers so it
shouldn't make a difference).

me (of mutt fame) is one of the authors of RFC 3156, and seems to lurk
here.  Care to comment?

-- 
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?