Two is always better than one! Is that possible? If yes, any idea what application and configuration should I use?
2 Answers
A signature is an element that validates some data, so there is nothing to prevent having two signatures for the same data. But there are some limitations.
PGP comes in two flavours: PGP/MIME and Inline PGP. Inline PGP means a simple text mail containing the PGP message and ignores attachments, which are neither signed nor encrypted and need to be handled separately. This is different from PGP/MIME, which handles the whole mail including attachments.
PGP/MIME cannot be combined with S/MIME, while it's technically possible to encrypt and sign an Inline PGP message with S/MIME.
Combining these two systems for encrypting one mail is redundant, not to mention that you need your contact's certificate and public key in order to do so.
Adding an Inline PGP signature as well as an S/MIME signature means that your contact has the possibility to choose which signature to verify. Many email clients support S/MIME without the need for additional plugins.
For more information, see the post "Is it possible and does it make sense to sign an E-mail with PGP and S/MIME?".
I quote an excellent answer by rowing-ghoul:
To make a long story short: Yes, that will work and it will make sense, too.
I'll try to explain this:
PGP stores the signature inside the email body.
The body of a PGP-signed mail usually begins with -----BEGIN PGP SIGNED MESSAGE-----, followed by the hash algorithm and the message clear text, followed by -----BEGIN PGP SIGNATURE-----, followed by the ASCII-armored signature, followed by -----END PGP SIGNATURE-----.
S/MIME instead defines the Content-Type: multipart/signed header in your email and stores the signature in a (PKCS#7) attachment. The header tells S/MIME compatible clients how to verify the signature (the parameters boundary, protocol and micalg are relevant here). If the client sees itself capable of verifying the signature, it will do this by reading and comparing the attachment.
Thus, PGP as well as S/MIME will leave the message text untouched. If you sign with PGP first, all the PGP stuff (e.g. -----BEGIN PGP SIGNATURE-----) will be part of the S/MIME signature. If you sign with S/MIME first, both signatures will be independent. However, either order will work!
See also the article PGP/INLINE.
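As an added example (not from the question, the answers, or any mail client's code), the following Python builds the nested structure rowing-ghoul describes in the PGP-first order: an inline-signed body wrapped in an S/MIME multipart/signed container, with constructed placeholder armor and PKCS#7 bytes standing in for real signatures. The helpers show what each verifier covers: the S/MIME digest spans the whole inner part, PGP armor included, while the PGP verifier reads only the clear text inside it.

```python
import hashlib
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed placeholder in the shape of an inline (cleartext) PGP signed body;
# the armor payload is not a real signature.
PGP_SIGNED_BODY = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "Hello, this is the message text.\n"
    "-----BEGIN PGP SIGNATURE-----\n\niQEzBAEB...placeholder-armor...\n"
    "-----END PGP SIGNATURE-----\n"
)

def build_doubly_signed(pgp_body: str, pkcs7_blob: bytes) -> bytes:
    """Wrap an inline-PGP-signed text body in an S/MIME multipart/signed
    container; pkcs7_blob stands in for the detached PKCS#7 signature."""
    inner = MIMEText(pgp_body, "plain", "us-ascii")   # 7bit, armor stays readable
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                          micalg="sha-256")           # boundary is generated
    outer.attach(inner)
    sig = MIMEApplication(pkcs7_blob, "pkcs7-signature", name="smime.p7s")
    sig.add_header("Content-Disposition", "attachment", filename="smime.p7s")
    outer.attach(sig)
    return outer.as_bytes()

def smime_signed_part(raw: bytes) -> bytes:
    """The bytes an S/MIME verifier hashes: the first body part of the
    multipart/signed container, its own MIME headers included."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    first_part, _pkcs7 = msg.get_payload()
    return first_part.as_bytes()

def smime_digest(raw: bytes) -> str:
    """SHA-256 over the signed part after CRLF canonicalisation (RFC 1847)."""
    canonical = smime_signed_part(raw).replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return hashlib.sha256(canonical).hexdigest()

def inline_pgp_cleartext(signed_part: bytes) -> str:
    """The clear text an inline-PGP verifier checks: the text between the blank
    line after the Hash: header and the BEGIN PGP SIGNATURE line."""
    text = message_from_bytes(signed_part).get_payload(decode=True).decode()
    start = text.index("\n\n", text.index("-----BEGIN PGP SIGNED MESSAGE-----")) + 2
    return text[start:text.index("-----BEGIN PGP SIGNATURE-----")]
```

Any change inside the PGP armor or clear text alters the S/MIME digest, which is exactly the "PGP stuff becomes part of the S/MIME signature" effect described above.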
I don't think that it is possible to sign an email with both S/MIME and PGP/MIME. Here's why:
One significant purpose of a signature is to prove that a message has not been modified.
However, if the email gets signed, the signature is included with the email. If you add another signature and include it in the email, this will change the contents, so checking with the first signature would lead to an alert that the message was tampered with after signing it – which would be absolutely true.
The only way to do this would be to define an official rule that multiple signatures have to be applied in a fixed order, and verified in the same order, only reversed. But that is in theory.
What is more, a second signature is unlikely to be more secure. If the signing process seems not secure enough, it's better to improve it than to add another one.
It might work to use PGP/Inline signatures in combination with S/MIME, but I wouldn't know of a client that can deal with such a combination properly. Besides that, PGP/Inline signatures are very limited, insecure and prone to abuse, and should therefore not be used.