General Computing
pgp openpgp email-signature smime
Updated Thu, 23 Jun 2022 03:15:51 GMT

How do I combine both "PGP signature" and "S/MIME signature" in one email?


Two is always better than one! Is that possible? If yes, any idea what application and configuration should I use?




Solution

A signature is an element that validates some data, so there is nothing to prevent having two signatures for the same data. But there are some limitations.

PGP comes in two flavours: PGP/MIME and Inline PGP. Inline PGP means a simple text mail containing the PGP message and ignores attachments, which are neither signed nor encrypted and need to be handled separately. This is different from PGP/MIME that handles the whole mail including attachments.

PGP/MIME cannot be combined with S/MIME, while it's technically possible to encrypt and sign an Inline PGP message with S/MIME.

Combining these two systems for encrypting one mail is redundant, not to mention that you need your contact's certificate and public key in order to do so.

Adding an Inline PGP signature as well as an S/MIME signature means that your contact has the possibility to choose which signature to verify. Many email clients support S/MIME without the need of additional plugins.

For more information, see the post "Is it possible and does it make sense to sign an E-mail with PGP and S/MIME?".

I quote an excellent answer by rowing-ghoul:

To make a long story short: Yes, that will work and it will make sense, too.

I'll try to explain this:

PGP stores the signature inside the email body.

The body of a PGP-signed mail usually begins with -----BEGIN PGP SIGNED MESSAGE-----, followed by the hash algorithm and the message clear text, followed by -----BEGIN PGP SIGNATURE-----, followed by the ASCII-armored signature, followed by -----END PGP SIGNATURE-----.

S/MIME, instead, defines the Content-Type: multipart/signed header in your email and stores the signature in a (PKCS#7) attachment. The header tells S/MIME compatible clients how to verify the signature (the parameters boundary, protocol and micalg are relevant here). If the client sees itself capable of verifying the signature, it will do this by reading and comparing the attachment.

Thus, PGP as well as S/MIME will leave the message text untouched. If you sign with PGP first, all the PGP stuff (e.g. -----BEGIN PGP SIGNATURE-----) will be part of the S/MIME signature. If you sign with S/MIME first, both signatures will be independent. However, either order will work!

See also the article PGP/INLINE.
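
As an added illustration (not part of the original answer or the quoted post), the following Python code parses a constructed message that was signed with inline PGP first and then wrapped in an S/MIME multipart/signed envelope, and reports both layers. It inspects structure only and verifies neither signature; the sample message, the placeholder signature bodies and the function name `signature_layers` are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample: inline PGP applied first, then S/MIME multipart/signed.
# Both signature bodies are placeholders, not real signatures.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Bob.
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER
-----END PGP SIGNATURE-----

--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

PLACEHOLDER
--b1--
"""

# Group 1: armor headers (e.g. "Hash: SHA256"); group 2: the signed cleartext.
PGP_RE = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n((?:[^\r\n]+\r?\n)*)\r?\n(.*?)"
                    r"\r?\n-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----", re.S)

def signature_layers(raw):
    """Report the signature layers in a raw message and how they nest."""
    msg = message_from_string(raw)
    out = {"smime": None, "pgp_inline": None, "pgp_covered_by_smime": False}
    signed = msg
    if msg.get_content_type() == "multipart/signed" and msg.is_multipart():
        signed = msg.get_payload(0)  # first part is the content the signature covers
        proto = msg.get_param("protocol")
        if proto == "application/pkcs7-signature":
            out["smime"] = {"protocol": proto, "micalg": msg.get_param("micalg")}
    for part in signed.walk():
        m = part.get_content_type() == "text/plain" and PGP_RE.search(part.get_payload())
        if m:
            hdrs = dict(l.split(": ", 1) for l in m.group(1).splitlines() if ": " in l)
            out["pgp_inline"] = {"hash": hdrs.get("Hash"), "cleartext": m.group(2)}
            # PGP block sits inside the S/MIME-signed part, so S/MIME covers it too.
            out["pgp_covered_by_smime"] = out["smime"] is not None
    return out
```

For the sample, the PGP armor lines are found inside the first part of the multipart/signed container, which is the case the quoted post describes where "all the PGP stuff" becomes part of the S/MIME signature.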






