# [SOLVED] verifying a gpg-signed e-mail

## potuz

I set up mutt to sign my outgoing e-mail with my pgp key. A friend told me that from his e-mail client (Thunderbird) he gets a message saying that the signature is bad. 

Within my own client I can see in the headers

```
[-- Begin signature information --]
Good signature from: xxxx xxxx  <xxxxxx@gmail.com>
created: Sun 14 Dec 2014 01:09:22 PM BRST
[-- End signature information --]

[-- The following data is signed --]
xxxx
xxxx
[-- End of signed data --]
```

However, if I save the text file of the message and the attached signature.asc file I get

```
$ gpg --verify /tmp/signature.asc /tmp/message.txt
gpg: Signature made Sun 14 Dec 2014 12:39:33 PM BRST using RSA key ID xxxxxx
gpg: BAD signature from "xxxxxxx xxxxx <xxxxxxx@gmail.com>" [ultimate]
```

Also, if I try to verify the signature directly in the file stored by mutt, I get the same message saying it is a BAD signature.

What's going on?

----------

## potuz

Well, it turns out that Thunderbird has a bug that makes all signatures appear as bad: http://sourceforge.net/p/enigmail/bugs/4/

I guess my local copy appears as badly signed when checked on the terminal because of the names and timestamp of the files.

----------

## szatox

And what happens when you keep the signature inside the file with the message rather than saving it as a detached one?

Does it report invalid signature as well?

----------

## potuz

 *szatox wrote:*   

> And what happens when you keep the signature inside the file with the message rather than saving it as a detached one?
> 
> Does it report invalid signature as well?

 

In the local folder where mutt stores all e-mails there is a single file for each e-mail, but it contains the s/mime multipart of the messages. They are cleartext; say this file is called mail.txt. Then on a message sent by a friend I'd get

```
$ gpg --verify mail.txt
gpg: Signature made Sun 14 Dec 2014 02:55:40 PM BRST using RSA key ID Fxxxxxx
gpg: Good signature from "xxxxx xxxxxx <xxxxx@gmail.com>" [full]
```

On an e-mail in my sent box I would get

```
$ gpg --verify mail.txt
gpg: no signed data
gpg: can't hash datafile: No data
```

but I think this is because of the detached signature sent by gpgme in mutt instead of an inline signature, so mutt, when reading that file, extracts the detached signature and the cleartext message and then verifies the text file with the detached signature against the public key. This is not done by the gpg --verify command above.

----------
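Added for reference, not part of any post in this thread: RFC 3156 defines the data covered by a PGP/MIME detached signature as the first MIME part including its own MIME headers, with CRLF line endings, which is not the same as the body text a mail client saves to disk. This Python sketch pulls those exact bytes and the armored signature out of a raw message file; the function name `split_pgp_mime` and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes

# Constructed sample message; the signature body is a placeholder, not a real signature.
SAMPLE = (
    b"From: sender@example.org\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\n"
    b' protocol="application/pgp-signature"; boundary="b0und"\n'
    b"\n"
    b"--b0und\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"hello\n"
    b"\n"
    b"--b0und\n"
    b'Content-Type: application/pgp-signature; name="signature.asc"\n'
    b"\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"PLACEHOLDER\n"
    b"-----END PGP SIGNATURE-----\n"
    b"\n"
    b"--b0und--\n"
)

def split_pgp_mime(raw: bytes):
    """Return (signed_bytes, armored_signature) for a multipart/signed message."""
    msg = message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or boundary is None:
        raise ValueError("not a multipart/signed message")
    # Work on LF-normalised bytes; a leading LF lets the first delimiter match too.
    body = b"\n" + raw.replace(b"\r\n", b"\n")
    # The line break before a delimiter line belongs to the delimiter, not the part.
    delim = rb"\n--" + re.escape(boundary.encode("ascii")) + rb"(?:--)?[ \t]*(?:\n|$)"
    pieces = re.split(delim, body)
    if len(pieces) < 3:
        raise ValueError("expected a signed part and a signature part")
    # Signed data: the first part with its own MIME headers, in canonical CRLF form.
    signed = pieces[1].replace(b"\n", b"\r\n")
    armor = re.search(rb"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----\n?",
                      pieces[2], re.S)
    if armor is None:
        raise ValueError("no armored signature in second part")
    return signed, armor.group(0)
```

Writing the two returned values to files, for example signed.bin and signature.asc, and running gpg --verify signature.asc signed.bin checks the signature over the bytes RFC 3156 defines as signed.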

