|Erin Mulder on Thu, 4 Sep 2003 09:45:15 -0400|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What if you also run |gpg -o temp.txt, then cat temp.txt and compare.
(temp.txt should only get the message not the signature, so if the signature's in there too, then it's a spoof.)

Jeff Abrahamson wrote:
| I received an encrypted and signed email which I decrypt and verify by
| piping through gpg (no options). The output looked like below (the
| part indented by two spaces).
|
| In mutt, I type "|gpg<return>"
|
| Now, I don't suspect Erin was trying to spoof me, and she had enclosed
| a semi-random string that I had encrypted to her. So this one case
| doesn't bother me.
|
| But, in general, how can I distinguish between the end of the
| encrypted message and the beginning of the "gpg: Signature ..." stuff?
| Couldn't someone just include such a (forged) signature block at the
| end of their message, then encrypt the whole thing without signing,
| and so convince me that the message was signed by someone else?
|
|   You need a passphrase to unlock the secret key for
|   user: "Jeff Abrahamson <email@example.com>"
|   2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 (main key ID 0D1DAE4B)
|
|   gpg: encrypted with 2048-bit ELG-E key, ID ADD31B0A, created 2003-08-28
|   "Erin Mulder <firstname.lastname@example.org>"
|   gpg: encrypted with 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02
|   "Jeff Abrahamson <email@example.com>"
|   Hi Jeff,
|
|   It was great meeting you all. Thanks for signing my key.
|
|   Cheers,
|   Erin
|
|   Jeff Abrahamson wrote:
|   > Hi, Erin.
|   >
|   > Could you please respond to this message, signed and encrypted, so
|   > that I know you are who you say you are?
|   >
|   > Here's a semi-random string to include in your response:
|   >
|   > 153758709bcbdfc23f745c0b4656939632cfb6df
|   >
|   > Thanks.
|   >
|   gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
|   gpg: Good signature from "Erin Mulder <firstname.lastname@example.org>"
|   gpg: WARNING: This key is not certified with a trusted signature!
|   gpg: There is no indication that the signature belongs to the owner.
|   Primary key fingerprint: 8609 5F8C E335 F93F 40CC 14B8 10FA 4C88 A54D A2DF
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/V0GGEPpMiKVNot8RAjz6AKCYcnD/raL6J+ovny2dkPuwRaI5vQCcDPKC
kEBNJ3OGZ8EqIV6sxIxAubs=
=9YVl
-----END PGP SIGNATURE-----
_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
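
An added example, not part of the original thread: one way to answer the question above is to take the signature verdict only from gpg's machine-readable status channel, kept on its own descriptor away from the decrypted text (for instance `gpg --status-fd 3 -o temp.txt -d msg.asc 3>status.txt`, where `msg.asc` and `status.txt` are hypothetical file names). The status lines and message bodies below are constructed samples; the fingerprint is the one quoted in the thread and the timestamps are made up.

```python
import re

PREFIX = "[GNUPG:] "
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
# Heuristic only: body text that imitates gpg's human-readable or status output.
LOOKALIKE = re.compile(r"^\s*(gpg: (Good signature|Signature made)|\[GNUPG:\] )", re.M)

def parse_status(status_text):
    """Split --status-fd output into (keyword, args) pairs."""
    events = []
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                events.append((fields[0], fields[1:]))
    return events

def assess(status_text, plaintext, expected_fpr):
    """Judge the signature from the status channel alone, never from the body."""
    events = parse_status(status_text)
    keywords = {k for k, _ in events}
    valid_fprs = {a[0] for k, a in events if k == "VALIDSIG" and a}
    return {
        "decrypted": "DECRYPTION_OKAY" in keywords,
        "signed_by_expected": expected_fpr in valid_fprs and not (keywords & FAILED),
        "lookalike_in_body": bool(LOOKALIKE.search(plaintext)),
    }

ERIN_FPR = "86095F8CE335F93F40CC14B810FA4C88A54DA2DF"  # fingerprint quoted in the thread

# Constructed: status output for a message that is encrypted and really signed.
SIGNED_STATUS = (
    "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] GOODSIG 10FA4C88A54DA2DF Erin Mulder <firstname.lastname@example.org>\n"
    f"[GNUPG:] VALIDSIG {ERIN_FPR} 2003-09-04 1062648932 0 3 0 17 2 00 {ERIN_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED\n[GNUPG:] END_DECRYPTION\n"
)
# Constructed: encrypted but unsigned message whose body ends in pasted gpg text.
UNSIGNED_STATUS = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n"
FORGED_BODY = (
    "Hi Jeff,\n\nCheers,\nErin\n\n"
    "gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF\n"
    'gpg: Good signature from "Erin Mulder <firstname.lastname@example.org>"\n'
)

if __name__ == "__main__":
    print(assess(SIGNED_STATUS, "Hi Jeff,\n\nCheers,\nErin\n", ERIN_FPR))
    print(assess(UNSIGNED_STATUS, FORGED_BODY, ERIN_FPR))
```

The `lookalike_in_body` flag is only a hint, since a reply that quotes real gpg output (as this thread does) will also trip it; the decision rests on `signed_by_expected`.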