Verifying Hushmail's digital signature

This article is intended for a technical audience. For assistance with verifying a digital signature, please contact our Customer Care team.

When your client submits an electronically signed secure web form, you will receive an email in your Hushmail account. This email contains an extra digital signature which can be used to confirm the authenticity of the completed signed form, its attachments, and its record of activity (audit trail).

To verify Hushmail's digital signature, follow the steps below.

1. Download a copy of your completed signed form

Completed signed forms are stored as emails in your Hushmail account. If you no longer have the email for the completed signed form you would like to verify, you can retrieve a copy of it from your Forms folder.

To download the form, configure your Hushmail account in a third-party email application that will allow you to export an unmodified original copy of an email message to a .eml file. At the time of writing, the latest versions of Mac Mail and Thunderbird both support this.

Save the unmodified original message to a file named message.eml, and save all attachments and signature images to the same folder.

2. Find the digital signature header

You can find the digital signature and related information in the X-hush-form-signature header in your .eml file. The header has 3 parameters: version, content, and signature.

X-hush-form-signature: version=1; content=eyJ0aW1lc3RhbXAiOjE1NzMxNjAzNTMsImh0bWwiOiJmOGMyYTU4ZTZiNmUwY2Y5NzU1NzVhNDA3ODBlZGE2YThiZjA5Y2I2ZGJmY2Y2Y2E3NmViZjAyOGQxNTBjZTIyIiwiYXR0YWNobWVudHMiOnsiZmlsZTEuZG9jIjoiMzYyMzkzYTMxZWRkNjQ4MzJjNDM3YTgzMjgwYWQ2M2E0OGVjMGE3YmYyMzMyYjNlNGI5ODVjZWZkNjM1MTU2NCIsInNpZ25hdHVyZS0xLnBuZyI6IjlmNGViOWIxYjJlM2U2ZDA4Y2ViMzQ1YjFhYjU3OGNmOTAzMDZmZTliOTVhMWYwNzczZWI0ODIwYjIzNzZhN2QifX0=; signature=LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogSHVzaCAzLjAKQ2hhcnNldDogVVRGOApOb3RlOiBUaGlzIHNpZ25hdHVyZSBjYW4gYmUgdmVyaWZpZWQgYXQgaHR0cHM6Ly93d3cuaHVzaHRvb2xzLmNvbS92ZXJpZnkKCndzQmNCQUVCQWdBR0JRSmR4SVdoQUFvSkVLa0kxM1BaSnlueVN1QUlBSXhJa2pYaURaSGFoSzVVMEtqOEhVWEt4cXlkCmVkNkIvNnMzcU45R2Z1cS8ybm53WEFlaW1YSWJjWHB0YXZlQm5TYkhyNmRVd3NoLzNOMTNEeUwrSE1wdVBlSmo4SlE2ClVISzEzV0oweXY5ODd5WEpLL0N4R09YVlZORjRPeEJ2SjltcFdJREM0eXd3UnJnaHdxKzVSY2lMaC9DMERkZ1djTE9WCmY4MlZaTklBNnBGNUpyb09Yd3drM2xBT0h6S3g2NEJFSkhaUjZNaEtXVTNhTERZaWZ4MmtZR1RBTngvZEF6dVRXbHBEClRLQ2lXWjVwbXJB dUt5N1dCcXNUWEN2aHhCRGpodzNEMWJXY01BL2F2VmNDc0pkV3BvQXd6SXVZQzlWa0pIL1hhNlJTCllLaVhCRUFUVlVkL0FwZE8xWHdIOUt5V3VkbWVoczdWUGVNZVdTSmNoQU09Cj1ybElCCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

3. Save the version and content parameters to a file

The version and content parameters together are digitally signed by a signature contained in the signature parameter. Save these two parameters to a file named version-and-content.txt.

version-and-content.txt

version=1; content=eyJ0aW1lc3RhbXAiOjE1NzMxNjAzNTMsImh0bWwiOiJmOGMyYTU4ZTZiNmUwY2Y5NzU1NzVhNDA3ODBlZGE2YThiZjA5Y2I2ZGJmY2Y2Y2E3NmViZjAyOGQxNTBjZTIyIiwiYXR0YWNobWVudHMiOnsiZmlsZTEuZG9jIjoiMzYyMzkzYTMxZWRkNjQ4MzJjNDM3YTgzMjgwYWQ2M2E0OGVjMGE3YmYyMzMyYjNlNGI5ODVjZWZkNjM1MTU2NCIsInNpZ25hdHVyZS0xLnBuZyI6IjlmNGViOWIxYjJlM2U2ZDA4Y2ViMzQ1YjFhYjU3OGNmOTAzMDZmZTliOTVhMWYwNzczZWI0ODIwYjIzNzZhN2QifX0=

4. Save the decoded signature parameter to a file

The signature parameter's value is Base64 encoded. Save the decoded value to a file named signature.asc.

signature.asc

-----BEGIN PGP SIGNATURE----- Version: Hush 3.0 Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify  wsBcBAEBAgAGBQJdxIWhAAoJEKkI13PZJynySuAIAIxIkjXiDZHahK5U0Kj8HUXKxqyd ed6B/6s3qN9Gfuq/2nnwXAeimXIbcXptaveBnSbHr6dUwsh/3N13DyL+HMpuPeJj8JQ6 UHK13WJ0yv987yXJK/CxGOXVVNF4OxBvJ9mpWIDC4ywwRrghwq+5RciLh/C0DdgWcLOV f82VZNIA6pF5JroOXwwk3lAOHzKx64BEJHZR6MhKWU3aLDYifx2kYGTANx/dAzuTWlpD TKCiWZ5pmrAuKy7WBqsTXCvhxBDjhw3D1bWcMA/avVcCsJdWpoAwzIuYC9VkJH/Xa6RS YKiXBEATVUd/ApdO1XwH9KyWudmehs7VPeMeWSJchAM= =rlIB -----END PGP SIGNATURE----- 

5. Import Hushmail's public key to gpg

To import Hushmail's public key to gpg, follow these steps.

First, save Hushmail's public key to a file named hushmail.asc:

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: Hush 3.0  mQELBF1RwYEBCACcSfEuWhdc6j30FdbmbsRxRZ/h/4qX7vRexIs769n0yL6memd1BQBu JVyGykuVLyuZp5ae5lLT3Svkxp02UX22R1htjIy5o5WQBDJqg4ug/m9sxlcuubGeaGFa WWqfzMSdKcTMBJicBTbFQc/84z7bjiyhNrxrBJzEECSaVLglJEABpcOgqAHXbTvUGn4I Ic6FWam3c02JfEhKUJazAsbZW4ZoF/WUGUtLCLpYgh9e7R9N2dv8X5Lym4bNCwzwO0/c YHiIkGvRitSEqxg8iebJm7lg3bZNcvimijW0Z5cPmcpUTqbjiE/NlQKhzt7Vc4O+gJBF Lw3Ra7IeKkJSacCrAAQLtEkic2VjdXJlZm9ybXMtMjAxOTA4MTJAY29ycC5odXNoLmNv bSIgPHNlY3VyZWZvcm1zLTIwMTkwODEyQGNvcnAuaHVzaC5jb20+iQEqBBABAgAUBhUI CQoDAgYLCQgHCgQFAl1RwYIACgkQqQjXc9knKfIPsQf+IGdwErZ/NaY1Ow68ro19jb95 iPbN4TS7tkqfygI6G7DEFOKT4fBre1alzXTuO4QKvxNQuBfBhZxXojFY3mblEzh1qa9V 5MLfb1mpNoYLGtW76bN/mO9AEYMo9Lev2oCW8YR3UxyqRoDOtdDbwGxVO19JMYBdqmID jmDHIozU9w90SmgfG449vNaa0hjWyi84XpgmHdjqaAXPXBmz6H+bO3trzBCEuiWTj/Oq WZXB9+91YZqFlSxb5wJnX+5HSExK1C8cAylrmW75+KSBJdu+jmlmQi94LUPJQCNGSjJW pKbjjQzZp5LHvsz1Dx/w6nKecAXlmE0sk2Es2okb3lfzX4hGBBARAgAGBQJdUcGCAAoJ EHoC+ecnTLYpN6oAn0OHJe1OZbWg327FDHkIUBQyWTHYAJ9RPGVo9OL6Oc53AoTr4SSN 2jTzMIkBOgQfAQIAIQIHARcMgBGKYGVvwmNLnNqipzx6AvnnJ0y2KQUCXVHBggANAhsC CRCpCNdz2Scp8iK5B/93ynHWDHW6EgauGXfhy3u/luA9gAi5phMq1+aHF263MB3m7pyb EICfn+T8qBvnC9GpGoD77ARICGogKSR/K9KUS0STKV11VTxEiF4iMWasFy1UwEB+C5CG qJ7XEKiMvAFs7cTozDhnxfCQqkUSCYlN5Ip5oAqKnwz5CWR8CzyvYzQWacLRF7OcwmGy y8eRmCbDO+VveN8O7vEbvOYxAdg92bOGC7fuFNky9P1t7uEzEShsmyxZjxseRAmdJCuh vl6gYDUCFOTRXQ+QsuT1o+LcOG6wJobuMaJTUhiPuj9EDf3ESqhdVRrS/ED9upS2WTiK Jl89260nmX+MhKSEekX9uQELBF1RwYIBCACQwj9n9VypG46tIh99sKeXAAyMNMF53whh CyU8N9124muFrggUNUDUYkMAa/3ruMzTYUgYy1g3mnT5EHg3vu7M5dNJFmbJc11SdAeh Wf2D/vqb/A+5upaV3EPwhiAKMDcsh/f6yd3Rdmt3LxDXpYnxxycVtpEwfeF+hlStZg9x 84YwRHF36bcQj8RmRdUQ5i9LyhaDEQ3FTtE/XC+QpHXU+wnbbIgXPS0BBN6fkBwAEE5C RUOG836Ec6UeDTgFHC1MAHe4RdAHynFG4viSizhiSFnFASP4Nv24Vx99alC2gaGb5k3d tc+wuDYDEzOIqrPPDbiXfj4/z1/Fywv/iMaPAAQLiQEfBBgBAgAGBQJdUcGCAA0CGwwJ EKkI13PZJynyz+kH/26N8ZFTnccXjK0d3XYIIuZPAMGnoX8q4yOR73YOj03Jo3vtsI13 qPxPfDKiWHqnlSDxjG+Gwq+GYSLUfN1/npu6ZilKFW3XAQ7K8rFFvXwI/NXv+cjLld3G 
q9ktwSnAVD+DILztIPZ07MLMWEEYqMiXXYi27+QoXRifmiH8yoOY5liCEGGGGzjJVlVB wypU/MJh95bh0AM6SjInwMxBGTGyz5AV7vzoGmEfD6cZyUi9L42lP2vndrdCVzQQgSVG 6izqGowRVQX+Gylr25YVqR1ySEwS+tWIej7KeXkoznpdjhgbdK8wISzEx9F1U7UJG/Is gv2PWgIowINqsZtQ93E= =lvBp -----END PGP PUBLIC KEY BLOCK----- 

Next, confirm the public key's fingerprint matches B19F EA4A EA0F B198 3B5D 684A A908 D773 D927 29F2:

% gpg --with-fingerprint hushmail.asc
pub  2048R/D92729F2 2019-08-12 "secureforms-20190812@corp.hush.com" <secureforms-20190812@corp.hush.com>
      Key fingerprint = B19F EA4A EA0F B198 3B5D  684A A908 D773 D927 29F2
sub  2048R/119172F5 2019-08-12

Finally, import the public key to gpg:

% gpg --import hushmail.asc
gpg: key D92729F2: public key ""secureforms-20190812@corp.hush.com" <secureforms-20190812@corp.hush.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

6. Verify the digital signature

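Use gpg to verify that signature.asc contains a valid digital signature on version-and-content.txt that was made by Hushmail's key. The output should report a good signature, and the primary key fingerprint should match the one confirmed in step 5. gpg also prints a warning that the key is not certified with a trusted signature; this is expected for a key that was imported without being certified in your keyring.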

% gpg --verify signature.asc version-and-content.txt
Note: This signature can be verified at https://www.hushtools.com/verify
gpg: unknown armor header:
gpg: Signature made Thu 07 Nov 2019 08:59:13 PM UTC using RSA key ID D92729F2
gpg: Good signature from ""secureforms-20190812@corp.hush.com" <secureforms-20190812@corp.hush.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B19F EA4A EA0F B198 3B5D  684A A908 D773 D927 29F2

Troubleshooting

Having trouble verifying the signature? Ensure there are no trailing whitespace characters in your version-and-content.txt file.

7. Decode the content parameter from version-and-content.txt

The content parameter, when Base64-decoded, contains a JSON object with a timestamp, and SHA-256 hashes of the email message's HTML body and attachments.

{
  "timestamp": 1573160353,
  "html": "f8c2a58e6b6e0cf975575a40780eda6a8bf09cb6dbfcf6ca76ebf028d150ce22",
  "attachments": {
    "file1.doc": "362393a31edd64832c437a83280ad63a48ec0a7bf2332b3e4b985cefd6351564",
    "signature-1.png": "9f4eb9b1b2e3e6d08ceb345b1ab578cf90306fe9b95a1f0773eb4820b2376a7d"
  }
}

8. Confirm the attachment hashes

Confirm that each attachment's SHA-256 hash matches the value extracted from the content parameter.

% shasum -a 256 file1.doc
362393a31edd64832c437a83280ad63a48ec0a7bf2332b3e4b985cefd6351564  file1.doc
% shasum -a 256 signature-1.png
9f4eb9b1b2e3e6d08ceb345b1ab578cf90306fe9b95a1f0773eb4820b2376a7d  signature-1.png

9. Confirm the HTML message's hash

To confirm the HTML message hash, extract and decode the text/html part from your message.eml file into a file named html-message.html. Confirm that this file's SHA-256 hash matches the value extracted from the content parameter.

% shasum -a 256 html-message.html
f8c2a58e6b6e0cf975575a40780eda6a8bf09cb6dbfcf6ca76ebf028d150ce22  html-message.html

Troubleshooting

If you're having difficulty extracting and decoding the text/html part, the following Python code might help:

% python3
>>> import email
>>> # Read and write bytes so the decoded HTML is hashed exactly as it was signed
>>> msg = email.message_from_binary_file(open("message.eml", "rb"))
>>> html = msg.get_payload()[0].get_payload()[0].get_payload()[1].get_payload(None, True)
>>> file = open("html-message.html", "wb")
>>> file.write(html)
>>> file.close()
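
The header parsing and hash checks from steps 2 to 4 and 7 to 9 can be scripted. The Python below is an added example, not Hushmail's code: the function names and the sample message are constructed for illustration, and it assumes the signed text is exactly "version=...; content=..." with no trailing newline.

```python
import base64, hashlib, json
from email import message_from_bytes

HEADER = "X-hush-form-signature"

def split_header(eml_bytes):
    """Return (signed_text, signature_armor, manifest) from raw .eml bytes."""
    value = message_from_bytes(eml_bytes)[HEADER]
    if value is None:
        raise ValueError(HEADER + " header not found")
    params = {}
    for part in value.split(";"):
        name, _, data = part.partition("=")
        # Long headers are folded in the .eml; drop the folding whitespace.
        params[name.strip()] = "".join(data.split())
    # Assumption: the signed bytes are exactly this string, no trailing newline.
    signed_text = "version={}; content={}".format(params["version"], params["content"])
    armor = base64.b64decode(params["signature"]).decode("utf-8")
    manifest = json.loads(base64.b64decode(params["content"]))
    return signed_text, armor, manifest

def check_files(manifest, html_bytes, attachments):
    """attachments maps filename -> bytes saved from the email."""
    sha = lambda b: hashlib.sha256(b).hexdigest()
    report = {"html": sha(html_bytes) == manifest["html"]}
    for name, expected in manifest["attachments"].items():
        data = attachments.get(name)
        report[name] = data is not None and sha(data) == expected
    # Files the manifest does not list are not covered by the signature.
    unsigned = sorted(set(attachments) - set(manifest["attachments"]))
    return report, unsigned

def sample_eml():
    # Constructed sample, not a real Hushmail message; signature is a placeholder.
    html, doc = b"<p>Consent form</p>", b"intake notes"
    b64 = lambda b: base64.b64encode(b).decode()
    content = b64(json.dumps({"timestamp": 1700000000,
        "html": hashlib.sha256(html).hexdigest(),
        "attachments": {"file1.doc": hashlib.sha256(doc).hexdigest()}}).encode())
    value = "version=1; content={}\r\n {};\r\n signature={}".format(
        content[:40], content[40:], b64(b"PLACEHOLDER ARMOR\n"))
    eml = "Subject: form\r\n{}: {}\r\n\r\nbody\r\n".format(HEADER, value)
    return eml.encode(), html, doc

if __name__ == "__main__":
    eml, html, doc = sample_eml()
    signed_text, armor, manifest = split_header(eml)
    # Real use: save both per steps 3 and 4, run gpg --verify, then trust this.
    print(check_files(manifest, html, {"file1.doc": doc, "extra.pdf": b"x"}))
```

This does not replace step 6: the hash comparison only means something once gpg reports a good signature from the key whose fingerprint was confirmed in step 5.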

Summary

To confirm that a completed electronically signed document was produced by Hushmail:

  • A valid SHA-256 hash must be present in the digital signature header for the HTML body and each attachment
  • A valid digital signature from Hushmail must be present in the digital signature header