Why do we require inline-signing? What does it really mean?

We have replied to far too many mails stating that RT mangles MIME-attached signatures, please inline-sign instead. We know this baffles many people. A short explanation follows.

A message signature consists of two parts: The message proper and the signature. They must travel in some way together to be able to be verified; the older PGP style (which we now call inline-signed), still from the BBS and NNTP era, creates a single message body consisting of the clearly delimited text and its signature. It is visually identifiable, although your mail client will not (usually?) recognize and validate it. Its format is:

Hash: SHA256

Please replace my old key, 0xkeyid_old:

[output of gpg --fingerprint 0xkeyid_old]

with the new key, 0xkeyid_new:

[output of gpg --fingerprint 0xkeyid_new]

as I am moving to a larger, stronger key. 
Version: GnuPG v1.4.12 (GNU/Linux)


On the other hand, modern mail clients (i.e. anything written in the last 20+ years) will make available the MIME-attachment signature. The MIME (Multipurpose Internet Mail Extensions) standard specifies that a mail is composed of zero or more data parts, often with different MIME-types. A MIME-attached message has one main message part, and (as a different object) an application/pgp-signature object. This object is applied to the whole main message body.

For general use, MIME-attached signatures are considered better. They are automatically detected and checked by many mail clients, are immune to different charset issues, and you can trust them to cover the message as a whole. However, RT's logic modifies the messages you send to it (i.e. prefixes it with the ticket details), so, the signature is naturally voided.

If you use the Mutt mail client, you can ask it to inline-sign your mail by first asking it to PGP Sign it (from the "send message" screen, press 'p' then 's'), and then specify you want to inline-sign it ('p' then 'i'). Alternatively, try ^D (CTRL-Shift-D) to change how the signature is attached. If neither of this works, then see the next paragraph.

For mail clients that do not integrate with a PGP implementation, you can do the following: create your email in a text file filename and sign it with gpg --default-key $oldkey --clearsign filename. Then include the generated filename.asc. Make sure to verbatim-include it instead of copy-pasting it, as mail clients will often word-wrap your message, which will invalidate the signature.