GPGMail does not properly sign messages

lunokhod's Avatar


05 Mar, 2015 05:48 PM

GPGMail 2.5b5, build 891b

I have used all aspects of the latest GPGTools beta, and it appears to be working as expected, with one exception.

When sending a signed message, the signature is not "gpg compatible". Though it can be read by GPGMail, it can not be interpreted by non-GPGMail clients, nor by the GPG services (when pasted into a text editor). As one example, here is a message that I sent from my GPGMail client that I later received on a Gmail account. You can verify that if you copy the raw text, that you can not verify this signature using GPG services. The problem appears to be that there is no "BEGIN PGP SIGNED MESSAGE" statement at the beginning of the message. This is a major problem, as I can no longer send signed messages, as I don't know if the recipient is using GPGMail, or another service (like Google's end-to-end). Here is the raw text.

--Apple-Mail=_990AD954-8805-44F6-9A5A-72098A06230B Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;

Here is an example of sending a signed message via GPGMail. As is seen, =
the signature of the the raw text that is sent can not be verified by =
non-GPGMail clients as it is missing the initial text "-----BEGIN PGP =
SIGNED MESSAGE=E2=80=94=E2=80=94=E2=80=9C

I am using GPGMail 2.5b5 and GPGServices 1.10b5

--Apple-Mail=_990AD954-8805-44F6-9A5A-72098A06230B Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=signature.asc Content-Type: application/pgp-signature;
name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE----- Comment: GPGTools -



  1. Support Staff 1 Posted by Steve on 16 Mar, 2015 11:43 AM

    Steve's Avatar

    Hi lunokhod,

    the cause of this problem could be, that this is a malformed mail. To take a closer look, we'd need the mail as .eml file. Please attach both the sent mail and the received email as .eml file to this discussion.

    To do that

    • open a new finder window
    • drag the mail in question to the finder
    • attach the resulting .eml file to this discussion

    All the best,

  2. 2 Posted by lunokhod on 18 Mar, 2015 01:13 PM

    lunokhod's Avatar

    Attached is the signed eml message. I edited out the destination, but that is it. I don't think that I need to send you the message that was received as the outgoing message is clearly the problem...

  3. Support Staff 3 Posted by Steve on 26 Mar, 2015 03:44 PM

    Steve's Avatar

    Lunokhod, this email is standard PGP/MIME.

    You can easily verify such emails using GPGMail (or Thunderbird + Enigmail). GPGMail uses the standardized form for sending PGP signed/encrypted emails. While there are many advantages to this approach, there is the disadvantage, that it's not very compatible with webmail clients.

    Could you find out what OS and email client is being used on the recipients end?

    All the best,

  4. 4 Posted by lunokhod on 26 Mar, 2015 04:49 PM

    lunokhod's Avatar


    Thanks for the response. You seem to have verified my initial question:

    If you take the raw text of a messaged signed by GPGMail, you can not verify this message at the unix command line using standard GPG tools. Nor can you even verify it if copy it into a text editor and use GPG services.

    This is major flaw that will stop people from using GPGMail.

    Why does GPGMail refuse to add the standard line "BEGIN PGP SIGNED MESSAGE" at the beginning of the message? This would make it possible to verify the signature in any way the user likes.

  5. 5 Posted by lunokhod on 26 Mar, 2015 05:27 PM

    lunokhod's Avatar

    Here is a copy of the message, as received by the recipient (with their email address masked). I invite you to attempt to verify the signature of this message, using any means at your disposal. Even though you don't have the recipient's private key, you should be able to at least tell your software detects the signature or not.

  6. Support Staff 6 Posted by Steve on 26 Mar, 2015 06:41 PM

    Steve's Avatar

    HI Lunokhod,

    here goes the story of PGP/MIME vs. PGP/Inline:

    GPGMail defaults to the only standard there is for sending OpenPGP Mails, which is PGP/MIME. The format you are referring to, is called PGP/Inline and is an undocumented non-standard format, which leads to several problems, which is why we default to PGP/MIME.

    Nevertheless you can switch GPGMail to use OpenPGP/Inline. While this is not encouraged, we've added that option.
    Find out how to do that here.

    There's no difference in security level, yet you have to be aware, that while PGP/MIME also encrypts all attachments, OpenPGP/Inline does not!

    Also, you're limited to text only. Any formatting will be ignored.

    If you want to read more about the deficites of Inline/PGP you may want to read this note of Daniel Kahn Gillmore called Inline PGP signatures considered harmful. This is the GnuPG FAQ entry covering this question.

    So in fact the standard "BEGIN PGP SIGNED MESSAGE" isn't a standard, but what GPGMail does is the actual standard. Also I do not understand where you see a problem in this. If you don't trust GPGMail to verify your messages correctly you probably should not use it in the first place. And then again, you can just setup your email account in Thunderbird + Enigmail to check if the verification results do match.

    Or you can switch to PGP/Inline with GPGMail which I would not recoommend.

    Hope this explains what's going on here,

  7. 7 Posted by lunokhod on 27 Mar, 2015 10:32 AM

    lunokhod's Avatar

    -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

    This is an example of a signed message using GPG services. Please note that the message starts with "BEGIN SIGNED PGP MESSAGE", whereas an equivalent signed message from GPGMail would exclude the "BEGIN SIGNED PGP MESSAGE".

    This gives rise to the following problems:

    1. It is impossible to copy the raw text signed by GPGMail into a text file and verify the signature using GPG services or gpg at the command line.

    2. Signed messages from GPG Services and GPGMail are different and incompatible.

    3. My contacts who use GPG, who are primarily unix geeks, can not verify my signatures, making GPG useless to me.

    This will be my last comment on the subject.
    -----BEGIN PGP SIGNATURE----- Comment: GPGTools -

    =FgX2 -----END PGP SIGNATURE-----

  8. 8 Posted by lunokhod on 27 Mar, 2015 10:40 AM

    lunokhod's Avatar

    Last comment:

    Google's "end-to-end" can not verify GPGMail signatures. End-to-end can verify a signed message created by GPG Services, which is copied into the end-to-end window. If this is the fault of end-to-end, I will open an issue with them at Github.

  9. Support Staff 9 Posted by Steve on 27 Mar, 2015 12:37 PM

    Steve's Avatar

    hi again,

    the fact that Googles End-to-End is able to verify output from GPGServices is, because GPGServices produces PGP/Inline cyphertext while GPGMail produces PGP/MIME cyphertext. The reasons for that are explained in comment #6 in this very discussion.

    You can ask for PGP/MIME support for Googles End-to-End.

    As for your questions:

    1. Correct. PGP/MIME messages cannot be easily verified that way. (see comment #6)

    2. Different: yes. GPGServices uses PGP/Inline while GPGMail defaults to PGP/MIME. Incompatible: hmm, GPGMail understands both PGP/MIME and PGP/Inline. Just send some GPGServices cyphertext in an email to yourself and open it with GPGMail.

    3. Well that totally depends on the mail clients your contacts are using. E.g. gpg4win on Windows understands PGP/MIME while K9 mail on android has an open ticket for PGP/MIME support.

    As also states in comment #6, if you want you are free to default GPGMail to PGP/Inline with the known shortcomings. Reasons why we don't recommend that are giving above as well.

  10. Steve closed this discussion on 03 Jun, 2015 01:37 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac