Cannot Verify PGP/Mime Manually

Hello. By way of background, I’m familiar with cryptography in general but very new to GnuPG and even some parts of PGP.

I have an employee that has sent a digitally signed message. The message arrived in PGP/MIME format. Based on the RFCs I should be able to verify the signature from the command line but the signature check is failing.

The steps I followed were, first, I got a copy of the raw email data with all the mime headers. I copied everything from in between the boundaries of the first part of the PGP/MIME section into a text file, maintaining and following guidelines related to removing trailing whitespace. But gpg always says the signature is bad. I did a conference call with my employee and it’s possible that Outlook is doing some reformatting I can’t see after computing the signature.

Questions:

  1. Is it known if Outlook applies some kind of standardized formatting that is not reflected in the raw text? Is there some transformation that must be done to get back to the form Outlook used to sign it?

  2. Is there any way to debug exactly what message is being sent to GPGOL for signing?

  3. Are there any other steps or tricks for verification of PGP/MIME signatures that I might be missing?

Hi,

Sorry for the late reply. The easiest way to verify the signature of an email is to use Kleopatra, which is part of Gpg4win. In the last version I added the possibility to open MIME files and then to view the email as well as which parts are signed and encrypted and by whom. This is a GUI tool, but the MIME parsing and PGP decryption and verification is based on a library I maintain (PIM / Mime Tree Parser on GitLab), and it shouldn’t be difficult to create a CLI tool based on it (unfortunately I have no time to work on this personally).

Is it known if Outlook applies some kind of standardized formatting that is not reflected in the raw text? Is there some transformation that must be done to get back to the form Outlook used to sign it?

Outlook does quite a few nasty things with the email, but it shouldn’t touch the content of the MIME parts themselves; it mostly touches the headers of the parts. In my test, I could verify emails sent by my test Outlook account.

Is there any way to debug exactly what message is being sent to GPGOL for signing?

Unfortunately I don’t have deep knowledge on the current version of GPGOL to answer this question.

Are there any other steps or tricks for verification of PGP/MIME signatures that I might be missing?

I’m working on the new generation of GPGOL, and I ended up multiple times having to debug invalid signatures, which were often caused by wrong line endings (\r\n vs \n) or some encoding issue where I had to first decode the message before I could verify it. Parsing MIME files manually can be quite a pain.

Hi @sethnielson,

a test you could try is to have your employee send you a signed and encrypted message with the same contents as one that is only signed.

Maybe RFC 3156: MIME Security with OpenPGP gives you more of an idea how the decoding should work.

Sometimes the mail transfer agent also modifies parts of an email, like removing a trailing space or changing a line break in a Content-Type header.

Regards,
Bernhard
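An added example, not code from this thread or from any of the projects named in it (Kleopatra, GPGOL, the Mime Tree Parser): the extraction the original post describes, done with Python's standard library so the steps can be checked one at a time. It splits a multipart/signed message at the MIME boundary on the raw bytes instead of re-serializing through the email library, because RFC 2046 treats the CRLF before a boundary line as part of the delimiter and a re-serialized part would not be byte-for-byte what was transmitted. It then normalizes line endings to CRLF as RFC 3156 requires, strips trailing whitespace as the first post describes doing, and counts CRLF versus bare LF line endings, which is the mismatch the second reply points to. The message bytes and the signature block are constructed for the example (the signature is a placeholder, so these particular files will not verify); the same two files produced from a real message are what `gpg --verify signature.asc signed_part.txt` expects.

```python
"""Extract and canonicalize the signed part of a PGP/MIME (RFC 3156) message.

Example code written for this thread; it is not part of GnuPG, Gpg4win or GPGOL.
"""
import email
import re
from email import policy

# Constructed sample message (not a real capture). The signature is a placeholder,
# the trailing spaces after "Hello Bob," are deliberate to show the stripping step.
SAMPLE_RAW = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    b"\tprotocol=\"application/pgp-signature\"; boundary=\"abc123\"\r\n"
    b"\r\n"
    b"--abc123\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Hello Bob,   \r\n"
    b"this line was signed.\r\n"
    b"--abc123\r\n"
    b"Content-Type: application/pgp-signature; name=\"signature.asc\"\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"\r\n"
    b"PLACEHOLDER-SIGNATURE-DATA\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--abc123--\r\n"
)


def split_signed_message(raw: bytes):
    """Return (signed_part, signature_part) as raw bytes from a multipart/signed message.

    Only the top-level headers go through the email parser (to read the boundary and
    protocol parameters); the body is split on the raw bytes so nothing is re-encoded.
    """
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    if (msg.get_param("protocol") or "").lower() != "application/pgp-signature":
        raise ValueError("multipart/signed but not PGP/MIME")
    boundary = msg.get_boundary()
    if not boundary:
        raise ValueError("missing boundary parameter")
    delim = re.escape(b"--" + boundary.encode("ascii"))
    # RFC 2046 5.1.1: the line break preceding a delimiter line belongs to the delimiter,
    # so it is consumed here and never becomes part of the signed data. A bare LF is
    # accepted too, since saved copies of a message often have the CR stripped.
    pieces = re.split(rb"\r?\n" + delim + rb"(?:--)?[ \t]*(?:\r?\n|$)", raw)
    if len(pieces) < 4:
        raise ValueError("expected two body parts inside multipart/signed")
    return pieces[1], pieces[2]


def canonicalize(part: bytes, strip_trailing_ws: bool = True) -> bytes:
    """Rewrite the signed part with CRLF line endings (RFC 3156 section 5).

    Trailing spaces and tabs are removed by default, matching the procedure in the
    first post; pass strip_trailing_ws=False to keep the bytes exactly as transmitted.
    """
    lines = [line.rstrip(b"\r") for line in part.split(b"\n")]
    if strip_trailing_ws:
        lines = [line.rstrip(b" \t") for line in lines]
    return b"\r\n".join(lines)


def signature_armor(signature_part: bytes) -> bytes:
    """Drop the MIME headers of the application/pgp-signature part, keep the ASCII armor."""
    blank = re.search(rb"\r?\n\r?\n", signature_part)
    if not blank:
        raise ValueError("signature part has no header/body separator")
    return signature_part[blank.end():]


def line_ending_report(data: bytes) -> dict:
    """Count CRLF versus bare LF line endings; a mix usually explains a bad signature."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf, "bare_lf": data.count(b"\n") - crlf}


if __name__ == "__main__":
    signed, sig_part = split_signed_message(SAMPLE_RAW)
    with open("signed_part.txt", "wb") as out:
        out.write(canonicalize(signed))
    with open("signature.asc", "wb") as out:
        out.write(signature_armor(sig_part) + b"\r\n")
    print("line endings in input:", line_ending_report(SAMPLE_RAW))
    print("now run: gpg --verify signature.asc signed_part.txt")
```

If gpg still reports a bad signature on a real message, two variations are worth trying before suspecting the client: RFC 3156 section 5 notes that the OpenPGP convention is for signed data to end with a CRLF while the CRLF before the boundary belongs to the delimiter, so appending one CRLF to `signed_part.txt` is a reasonable second attempt; and running `canonicalize` with `strip_trailing_ws=False`, since a binary-mode signature covers the bytes exactly as the sender produced them.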