On 160919-16:15-0700, Ian Zimmerman wrote: > On 2016-09-19 22:25, Miroslav Rovis wrote: > > > $ gpg --verify dNZQNRnu_DarakMarjal160907-raw_QkYBXROR.sig \ > > dNZQNRnu_DarakMarjal160907-raw.asc > > gpg: Signature made Wed 07 Sep 2016 12:21:36 CEST using RSA key ID > > 48C912E7 > > gpg: BAD signature from "Paul Saunders " > > $ > > You're a victim of the same misunderstanding as I was, when I tried to > investigate the problem this way :-P Late evening in Ian's country, the U.S. probably, sleep not coming to me here in Southern-Southeastern Europe in this quite of night. > You need to read RFC 3156, which specifies how the signature is computed > on PGP/MIME mails. Will be doing it right next! > It is _not_ on the data you see when you dump the > text into a Unix file (even when you take into account the encoding such > as quoted-printable). > > Here are at least 3 differences: (there may be more) > > 1. Line endings: all transformed into CRLF before signing > > 2. Trailing whitespace: all stripped before signing > > 3. MIME part headers (ie. the stuff after the MIME boundary line and > before the first empty line after that): included in signed data > I'll be revisiting 3., after I read the RFC 3156, the rest I understand. > So, if we want to pursue this line of verifying from the command line, > first we need a piece of code or script that will take an email and spit > out the data _as used for the signature computation_. I think it ought > to exist out there. That is my next step. > That'd be so great if you lay your eyes on it and present it to Mutt Users attention over here! > As I reported in other subthread, I took one "BAD" email from my system > (directly from the maildir, not exporting with mutt) and compared it to > the archived copy from MARC. They were identical. At least this way I > eliminated the possibility of mangling by intermediate MTAs. > I'll, after my RFC homework, try and follow your steps in the above paragraph. > For my part I now think this is a flea. > I like chasing fleas! I have had a couple of true shots recently and devs were able to kill'em, and once I even figured out a trivial patch! I'll be doing what I can. Can't promise much, I'm usually making my progresses at turtle speed even when I apply my best, which I will do here! > -- > Please *no* private Cc: on mailing lists and newsgroups > Why does the arrow on Hillary signs point to the right? Regards! -- Miroslav Rovis Zagreb, Croatia http://www.CroatiaFidelis.hr