keyring

keyring.debian.org

Why do we require inline-signing? What does it really mean?

We have replied to far too many mails stating that RT mangles MIME-attached signatures, please inline-sign instead. We know this baffles many people. A short explanation follows.

A message signature consists of two parts: The message proper and the signature. They must travel in some way together to be able to be verified; the older PGP style (which we now call inline-signed), still from the BBS and NNTP era, creates a single message body consisting of the clearly delimited text and its signature. It is visually identifiable, although your mail client will not (usually?) recognize and validate it. Its format is:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please replace my old key, 0xkeyid_old:

[output of gpg --fingerprint 0xkeyid_old]

with the new key, 0xkeyid_new:

[output of gpg --fingerprint 0xkeyid_new]

as I am moving to a larger, stronger key. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJTHOTlAAoJEP8WL8XPP7rR748P/iXW+lG2cwdfiu7B3bXuHcw0
syf1YDEy+pp8+z97+b/V68w/pk7Ei+6IOmn9AlqzZjeOTdPIP/Y5c2NbWL6eBjhx
QCUAnrEBjOE2fy2gmMePWt59HraV8cLGA71//QxvRX2+mLjH+jshEhFOB6hTsVCm
ZU9H0oGEv6pT3z+c5LY42nsOhbiGUXRl3e/I5if54ljIOwwgTMvakWxL19SSOrCR
Sjq55uPEE92NNoi2iS8VgAmpc33B2AbS81zpPJb3UUxQxZ9feeZFwFOeolebXx0+
hOBdxDgdTG7pFgDxIjgy82bIIWjzxcNwoPIJG90WSdI/wkX7OMph9f6e6AIqXOyn
s9hZ7j2mTIvS6kkdz2ttHQSAyemlpTavPvMX5RxFzVBDf5Ttq89jwFpqjfOfUy3z
jGLF7Y+BymPjCr277gIa1JRgBUXa0W3Ahdp21h1Q0poYgM7M93DX7yV/YOfXIcvT
r8Mprt5aJOXa04ypoGN0HwVve2aXB/d8IK3M/DuWStmrSqTJ73NQQzanR3CnbcHn
sbxzGGoBkBXHrMcRIJxQtytn20bQRoTslTHlcH/JPh6eqSQpgpwoWgDae77Dm3ye
mV+b3YAtwcm3I4wD+VVBw4JWd3IzQTkZwHireTABvSrpff631jD746L9Ct1h4tuR
/5qsAyl6p3/oeeSO4Dcc
=0Kb3
-----END PGP SIGNATURE-----
    

On the other hand, modern mail clients (i.e. anything written in the last 20+ years) will make available the MIME-attachment signature. The MIME (Multipurpose Internet Mail Extensions) standard specifies that a mail is composed of zero or more data parts, often with different MIME-types. A MIME-attached message has one main message part, and (as a different object) an application/pgp-signature object. This object is applied to the whole main message body.

For general use, MIME-attached signatures are considered better. They are automatically detected and checked by many mail clients, are immune to different charset issues, and you can trust them to cover the message as a whole. However, RT's logic modifies the messages you send to it (i.e. prefixes it with the ticket details), so, the signature is naturally voided.

If you use the Mutt mail client, you can ask it to inline-sign your mail by first asking it to PGP Sign it (from the "send message" screen, press 'p' then 's'), and then specify you want to inline-sign it ('p' then 'i'). Alternatively, try ^D (CTRL-Shift-D) to change how the signature is attached. If neither of this works, then see the next paragraph.

For mail clients that do not integrate with a PGP implementation, you can do the following: create your email in a text file filename and sign it with gpg --default-key $oldkey --clearsign filename. Then include the generated filename.asc. Make sure to verbatim-include it instead of copy-pasting it, as mail clients will often word-wrap your message, which will invalidate the signature.