seancolyer / gmail-crypt

An OpenPGP browser (currently Chrome) extension that integrates tightly with Gmail and does encryption/decryption via Javascript.

Not signing messages correctly #35

Closed RedheadTarn closed 10 years ago

RedheadTarn commented 11 years ago

I am using two different gmail addresses for testing. When using the extension the following occurs:

When encrypting message only, everything works fine on both ends

When encrypting and signing, message appears to encrypt only, with no signature. Message will decrypt fine but only the original message text is present, no signature block.

When signing only, I get the following signature inserted: -----BEGIN PGP SIGNATURE----- Version: OpenPGP.js v.1.20130420 Comment: http://openpgpjs.org


However this is not my public key... my public key for the address is:

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.20 (MingW32)


At this point I only have one private and public key for the sending address with my other testing address as the only friend public key. The key inserted when signing is not either of the public keys stored by the extension. This happens in both the Pop-out composer, separate window composer and the old style composer.

I am also wondering why when using the extension to sign a message the block starts with: "-----BEGIN PGP SIGNATURE----- " and all public gpg keys I have seen start the block with: "-----BEGIN PGP PUBLIC KEY BLOCK-----"

edit: I have also noticed that when decrypting any message a second time (rereading past test messages that I successfully sent and decrypted) the message will decrypt but I receive the message: "Mymail-Crypt For Gmail was unable to verify this message" above the message text.

seancolyer commented 11 years ago

I think there are a couple of things here and I'll try to address them; let me know if I'm misunderstanding.

It seems that part of the confusion stems from exactly how OpenPGP signatures work, so at the risk of being too technical I'll quickly go over that and then explain why that is important:

Let's assume we have a SENDER and RECEIVER who both have PUBLIC and PRIVATE keys. Let's also assume that we have a function I'll call RSA. RSA is a "public-key cryptographic" function that can take keys and messages as input and outputs a single value based on those inputs.

The sender does this to encrypt and sign:

RSA(sender private key, message hash) == encrypted message signature
RSA(receiver public key, message) == encrypted message

Then the sender sends that to the receiver who does:

RSA(sender public key, encrypted message signature) == message hash
RSA(receiver private key, encrypted message) == message

This way, the receiver can decrypt the message and verify that it was

So when you click the "Sign" button, what you're sending is the "encrypted message signature" which the recipient can use your public key to decrypt but is dependent on the message being sent. That is why it uses the "BEGIN PGP SIGNATURE" text because it isn't the same thing as sending the public key, but it is related to and dependent on the public key to verify.

Does that help?

seancolyer commented 10 years ago

Signature support has been significantly improved in the new version of Mymail-crypt. I'm closing this, please open a new issue if you are still experiencing signing problems.