<p>GPGTools: Discussion: GPGMail does not properly sign messages (feed updated 2016-02-24T12:29:06Z)</p>
<hr>
<p>Comment 1, posted 2015-03-16T11:43:33Z:</p>
<div><p>Hi lunokhod,</p>
<p>The cause of this problem could be that this is a malformed
mail. To take a closer look, we'd need the mail as an .eml file.
Please attach both the sent mail and the received email as .eml
files to this discussion.</p>
<p>To do that</p>
<ul>
<li>open a new finder window</li>
<li>drag the mail in question to the finder</li>
<li>attach the resulting .eml file to this discussion</li>
</ul>
<p>All the best,<br>
steve</p></div>
<p>Posted by Steve</p>
<hr>
<p>Comment 2, posted 2015-03-18T13:13:30Z:</p>
<div><p>Attached is the signed eml message. I edited out the
destination, but that is it. I don't think that I need to send you
the message that was received as the outgoing message is clearly
the problem...</p></div>
<p>Posted by lunokhod</p>
<hr>
<p>Comment 3, posted 2015-03-26T15:44:13Z:</p>
<div><p>Lunokhod, this email is standard PGP/MIME.</p>
<p>You can easily verify such emails using GPGMail (or Thunderbird
+ Enigmail). GPGMail uses the standardized form for sending PGP
signed/encrypted emails. While there are many advantages to this
approach, there is the disadvantage that it's not very compatible
with webmail clients.</p>
<p>Could you find out what OS and email client is being used on the
recipient's end?</p>
<p>All the best,<br>
steve</p></div>
<p>Posted by Steve</p>
<hr>
<p>Comment 4, posted 2015-03-26T16:49:18Z:</p>
<div><p>Steve,</p>
<p>Thanks for the response. You seem to have verified my initial
question:</p>
<p>If you take the raw text of a message signed by GPGMail, you
cannot verify this message at the unix command line using standard
GPG tools. Nor can you even verify it if you copy it into a text editor
and use GPG Services.</p>
<p>This is a major flaw that will stop people from using GPGMail.</p>
<p>Why does GPGMail refuse to add the standard line "BEGIN PGP
SIGNED MESSAGE" at the beginning of the message? This would make it
possible to verify the signature in any way the user likes.</p></div>
<p>Posted by lunokhod</p>
<hr>
<p>Comment 5, posted 2015-03-26T17:27:29Z:</p>
<div><p>Here is a copy of the message, as received by the recipient
(with their email address masked). I invite you to attempt to
verify the signature of this message, using any means at your
disposal. Even though you don't have the recipient's private key,
you should be able to at least tell whether your software detects the
signature or not.</p></div>
<p>Posted by lunokhod</p>
<hr>
<p>Comment 6, posted 2015-03-26T18:41:31Z:</p>
<div><p>Hi Lunokhod,</p>
<p>here goes the story of PGP/MIME vs. PGP/Inline:</p>
<p>GPGMail defaults to the only standard there is for sending
OpenPGP mails, which is PGP/MIME. The format you are referring to
is called PGP/Inline and is an undocumented, non-standard format
which leads to several problems, which is why we default to
PGP/MIME.</p>
<p>Nevertheless you can switch GPGMail to use OpenPGP/Inline. While
this is not encouraged, we've added that option.<br>
Find out how to do that <a href="http://support.gpgtools.org/kb/faq-gpgmail/gpgmail-2-hidden-settings#enable-pgp-inline-for-support-of-legacy-mail-clients-important-for-windows-compatability-">
here</a>.</p>
<p>There's no difference in security level, yet you have to be
aware that while PGP/MIME also encrypts all attachments,
OpenPGP/Inline does not!</p>
<p>Also, you're limited to text only. Any formatting will be
ignored.</p>
<p>If you want to read more about the deficits of PGP/Inline you
may want to read this note by Daniel Kahn Gillmor called <a href="https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/">Inline
PGP signatures considered harmful</a>. This is the <a href="https://www.gnupg.org/faq/gnupg-faq.html#use_pgpmime">GnuPG FAQ
entry</a> covering this question.</p>
<p>So in fact the standard "BEGIN PGP SIGNED MESSAGE" isn't a
standard, but what GPGMail does is the actual standard. Also I do
not understand where you see a problem in this. If you don't trust
GPGMail to verify your messages correctly you probably should not
use it in the first place. And then again, you can just set up your
email account in Thunderbird + Enigmail to check if the
verification results do match.</p>
<p>Or you can switch to PGP/Inline with GPGMail, which I would not
recommend.</p>
<p>Hope this explains what's going on here,<br>
steve</p></div>
<p>Posted by Steve</p>
<hr>
<p>Comment 7, posted 2015-03-27T10:32:11Z:</p>
<div><pre>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
</pre>
<p>This is an example of a signed message using GPG services.
Please note that the message starts with "BEGIN SIGNED PGP
MESSAGE", whereas an equivalent signed message from GPGMail would
exclude the "BEGIN SIGNED PGP MESSAGE".</p>
<p>This gives rise to the following problems:</p>
<ol>
<li>
<p>It is impossible to copy the raw text signed by GPGMail into a
text file and verify the signature using GPG services or gpg at the
command line.</p>
</li>
<li>
<p>Signed messages from GPG Services and GPGMail are different and
incompatible.</p>
</li>
<li>
<p>My contacts who use GPG, who are primarily unix geeks, can not
verify my signatures, making GPG useless to me.</p>
</li>
</ol>
<p>This will be my last comment on the subject.</p>
<pre>-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJVFTFWAAoJECEwxJzLvm6prNcIAKPLJawGyRlq0cfS4cXIIABR
v6zT/0ITnd2lYFErv4W6cG8r7w7xLOXNHl9mAXDep3D/g2lpuNuMH9KuBoAmyQYA
bZZ+eD7PEvJgrxkhVIqI6quL5EIZTq5gkFgNhnOoDXXGOSN9W1NIfi7vVd1irKaI
9BALJFC86OU97BaXVvh3fJxpHjSf7oevf0dj0YsXHCLiC7+GtZPXia2TnlNvF8y+
86NaBDf6hmTzj1zg0/DOM3krrAyKIsSOMzV7184pj+BM5bOeLtvsG1CRKqtk3Ka/
ssNC9VFS4BWhWWBjt6H4RZVUdGFsGm5N13EnWQKtxoBHeZFrsh3p9k8/TBXSImQ=
=FgX2
-----END PGP SIGNATURE-----</pre></div>
<p>Posted by lunokhod</p>
<hr>
<p>Comment 8, posted 2015-03-27T10:40:29Z:</p>
<div><p>Last comment:</p>
<p>Google's "end-to-end" can not verify GPGMail signatures.
End-to-end can verify a signed message created by GPG Services,
which is copied into the end-to-end window. If this is the fault of
end-to-end, I will open an issue with them at GitHub.</p></div>
<p>Posted by lunokhod</p>
<hr>
<p>Comment 9, posted 2015-03-27T12:37:11Z:</p>
<div><p>hi again,</p>
<p>The fact that Google's End-to-End is able to verify output from
GPGServices is because GPGServices produces PGP/Inline ciphertext
while GPGMail produces PGP/MIME ciphertext. The reasons for that
are explained in comment #6 in this very discussion.</p>
<p>You can ask for PGP/MIME support for Google's End-to-End.</p>
<p>As for your questions:</p>
<ol>
<li>
<p>Correct. PGP/MIME messages cannot be easily verified that way.
(see comment #6)</p>
</li>
<li>
<p>Different: yes. GPGServices uses PGP/Inline while GPGMail
defaults to PGP/MIME. Incompatible: hmm, GPGMail understands both
PGP/MIME and PGP/Inline. Just send some GPGServices ciphertext in
an email to yourself and open it with GPGMail.</p>
</li>
<li>
<p>Well, that totally depends on the mail clients your contacts are
using. E.g. gpg4win on Windows understands PGP/MIME while K-9 Mail
on Android has an open ticket for PGP/MIME support.</p>
</li>
</ol>
<p>As also stated in comment #6, if you want you are free to
default GPGMail to PGP/Inline with the known shortcomings. Reasons
why we don't recommend that are given above as well.</p></div>
<p>Posted by Steve</p>
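Steve's point that a PGP/MIME message "cannot be easily verified that way" comes down to which bytes were actually signed. As an added example (not GPGTools code), the Python below tells PGP/MIME from PGP/Inline and pulls the RFC 3156 signed part and detached signature out of a constructed multipart/signed message; the message and its signature armor are placeholders, so nothing here actually verifies.

```python
"""Extract what gpg needs to verify a PGP/MIME (RFC 3156) signed mail.
Added example, not GPGTools code; SAMPLE is constructed and its signature
armor is a placeholder, so it will not actually verify."""
import email
from email import policy

# Constructed sample in the layout a PGP/MIME client such as GPGMail emits.
SAMPLE = (
    b"From: sender@example.com\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; boundary="b1";\r\n'
    b' protocol="application/pgp-signature"; micalg=pgp-sha512\r\n'
    b"\r\n--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\nHello, this body is what was actually signed.\r\n"
    b"\r\n--b1\r\n"
    b'Content-Type: application/pgp-signature; name="signature.asc"\r\n'
    b"\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\n"
    b"UExBQ0VIT0xERVI=\r\n=AAAA\r\n"            # placeholder, not a real signature
    b"-----END PGP SIGNATURE-----\r\n"
    b"\r\n--b1--\r\n"
)


def classify(raw: bytes) -> str:
    """Return 'pgp-mime', 'pgp-inline' or 'none' for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        return "pgp-mime"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "-----BEGIN PGP SIGNED MESSAGE-----" in body.get_content():
        return "pgp-inline"
    return "none"


def extract_signed_parts(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed_data, detached_signature) for gpg --verify.

    RFC 3156 s.5: the signed data is the whole first body part, MIME headers
    included, in CRLF form; pasting the displayed text drops both."""
    if classify(raw) != "pgp-mime":
        raise ValueError("not a PGP/MIME signed message")
    msg = email.message_from_bytes(raw, policy=policy.default)
    signed_part, sig_part = msg.get_payload()
    if sig_part.get_content_type() != "application/pgp-signature":
        raise ValueError("second part is not the detached signature")
    # policy.SMTP serialises with CRLF, matching the canonical form that was hashed.
    return signed_part.as_bytes(policy=policy.SMTP), sig_part.get_content()
```

Writing the two returned byte strings to `signed.txt` and `sig.asc` gives exactly the inputs for `gpg --verify sig.asc signed.txt`, the command-line check the thread says cannot be done from pasted text.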