First signature of this email is not valid

It's strange you're banned... Maybe our anti-spam... Fixed.

Yes, some time, the sign failed. WE got a big mail with a lot of explanations... We will see.

I went over and read what they said about Rich Text.  Please enlighten me because the only options I see for the WebMail services are the following:

Gmail:
Choice of default (assume plain text) and UTF-8

Hotmail:
I can't find any choices so the default is probably plain text.

Yahoo:
plain text or color & graphics.  I assume putting it in the color & graphics mode allows you to embed graphics and thus it becomes HTML format.  Since plain text is safer, that is what I use.

AOL / Netscape:
I can't see any choice, but since I didn't want to set it to not view or compose all email messages in separate windows, I abandoned it.  At the time I wanted to use the Tools -> FireGPG for every message check because I was uncertain whether the GMail buttons were causing the problems. I will check it again in a few days now that I have it set not to open Window for every message read or composed to see if that makes a difference.  I am intentionally using the web mail services in the way most people use them - with the defaults.  Those are the defaults, and I didn't want to contend with a right click screwing up the results.

I do need to say that I have done EXHAUSTIVE tests with the first three Webmail services and one POP mail account using Thunderbird (it is the only MUA I use that has support for INLINE).  The signing results have been dismally poor at best.  You can all download the results of the test by pointing the browser to:

http://www.securemecca.com/FireGPG.zip

This file is HIDDEN.  In other words almost everything at those web pages are hidden, so don't go the host itself and expect to maneuver around and find the file.  I haven't got around to building the web site yet.

I was ready to say that it must be a browser thing, but if it is, then why are ALL of my tests of encryption okay?  I must admit that I am signing with a SHA-512 digest, and the encryption may be using only SHA1, but lots of other people are having problems signing using SHA1.  Even worse, there are times that the verify fails or succeeds with FireGPG, and it does the converse (succeeds or fails, respectively) when I copy the mail message into a file and verify it from the command line (gpg --verify).  That does NOT instill confidence.  I am working from Fedora Linux, so the RTF (I assume you mean Rich Text Format - now if you mean UTF-8 that may mean something else) is almost meaningless.  You can't count on sending your messages to your POP or IMAP mail friends and have them do anything with them. There should be no difference between CR+LF versus just LF either since in making a check sum, gpg skips both of those characters.  Look at my tests in detail and maybe you can deduce something from it.  I am still searching for a pattern, and you have ALL of the short sign test email messages (I edited off the headers saved out by Thunderbird) to look at to make up your own mind.  I took the liberty of converting all LF -> CR+LF for the Windows users.  EMail sends with CR+LF anyway, not with LF.

I am NOT going to change my digest algorithm choices.  Further, All I know is that signing is OUT for FireGPG for now.  I can't even verify over 75% of my messages.  Even worse is what happens when I select the text and paste it into a file.  That becomes baffling when what verified in FireGPG doesn't verify from the command line, or what didn't verify in FireGPG does verify on the Command Line.

Asking for RTF is out of the question.  There is no native RTF (do you mean UTF-8?) support on Linux.  I don't want fancy messages verified.  Plain text is fine.  More to the point, since ALL of my encryption tests passed with flying colors, it makes the incosistent results of the sign tests even more baffiling.  I will do a few more tests with my AOL/Netscape webmail account (private UID addition to my keys) in the next few days and make it available at the same web site as AOL_FireGPG_SignTest.zip.

I really the FireGPG authors do need to make it plainly apparent that you should use INLINE signing at least, and preferably INLINE encryption (although web mail does handle OpenPGP/MIME encryption okay - the OpenPGP/MIME signing ends up with results that are all over the wall.  By that I mean one email service makes attached files, others embed things, etcetera. That makes OpenPGP/MIME impossible to use.  I figured it would.  Something needs to be said to users that they are primarily using INLINE (which I have no problem with even if I am using Evolution or Mac's mail app since I can save them out to a file and verify manually if I need to).

Be back in a few days ...

I do some test with bigs lines : that not a problem. I suspect now the \n and \r\n... I will do some test, we will make a INLINE who works !

No - in most of case (simples texts) it's works, from firegpg to firegpg. Next we have to be compatible

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry to keep posting, but I continue to test this out and see what works and what doesn't.  I've concluded that, on my platform at least (Ubuntu Linux, Firefox 3), verifying a non-encrypted message using FireGPG almost never works, whether in GMail, another webmail client, or even a plain text file being viewed through Firefox 3.  Verification fails regardless of plain-text or wysiwig editing and even if the webmail client does not strip whitespace.  I haven't been able to figure out why.

Even the simplest possible test case, signing a .txt file, saving it in a text editor, opening it in Firefox, and verifying using FireGPG, does not verify, whereas the same text file verifies correctly from the command line or from within the text editor (gedit).  Whitespace is displaying correctly in Firefox.  Strangely, if I copy the same text, whether from my plain .txt file or from Gmail, from Firefox into gedit, gedit correctly verifies the exact same text that FireGPG has failed to verify, and I can save the same text and verify it from the command line using GPG.

Inexplicably, this message that I'm posting now does verify correctly.  I'm not sure why this text box is treated differently from a plain text file or an HTML file.  Could it be a problem with how Firefox 3 handles white space when rendering web pages?  Do others have this same problem in Firefox 3?

Joe Hill (0D3CE986)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://getfiregpg.org

iD8DBQFIWDBhZOor8Q086YYRAkysAJ9EALfJUbuoHbBzOMkOWN+i6wFcBQCdE7u5
3yNp3UHEf3nk9Tepl7Z7X9Q=
=NTYA
-----END PGP SIGNATURE-----

To follow up, the message I just posted above correctly verified when it was in the text box before being submitted, but now that it's being displayed as HTML, it no longer verifies.  The white space (double spaces between sentences, etc.) is displaying correctly.  If I copy and paste it into gedit, it verifies correctly.  And if I copy and paste it into FireGPG's "Text Editor" window, it also verifies.

Bottom line: as far as I can tell, when using my version of Firefox 3/Ubuntu, verifying signed, unencrypted text from a web page using FireGPG simply doesn't work.  (The problem isn't the hyperlinks, since I have the same problem when I load a plain text file.  And verifying/decrypting encrypted messages does work.)