I'm stumped - Digital Signature:invalid ??

OK, I am stumped

I helped a friend get an ID, it seems to be installed correctly. However…

Encrypted Messages TO me come through ok with a valid signature (no warnings)
Encrypted and Signed Messages TO me same result (no warnings)

Signed messages TO me result in a warning about invalid signature and this message in the details:

The message contents may have been altered.
Signed by xxx@xxxxxxxxx.com using RSA/SHA1 at 9:37:21 AM 11/27/2006.

They are using OE6 with the latest Service pack

Everything I send goes through without a problem, they have no issues. I can sign, encrypt, or both with perfect performance.

Any ideas on what could be causing their “signed only” emails to me to be causing an error?

Suggestions would be greatly appreciated!

Thanks much!


It could be that they have some sort of AV or something else that's adding/modifying the email on its way to you…


I did check for AV…

My question would then be why isn’t the AV interfering with the message if it’s encrypted or when it is signed AND encrypted. Why is it only the “signed only” messages that are getting messed with?

I can start from scratch and work through the mail path to see what I can find…

Will keep checking in with results.



One thing to check is that the sender is using exactly the same certificate to ‘Sign’ as they are to ‘Encrypt’.

This is under the security settings.


I am now getting this as well, except that I randomly get the signature invalid message. Sometimes I send emails and sign them and they are OK, but other times I check my Sent folder and it says signature invalid … I am using Internet Explorer 7 and Windows Live Desktop on Windows XP…

Any help would be great…

I have exactly the same problem.

I described it here: https://forums.comodo.com/digital_certificates_encryption_and_digital_signing/strange_case_digital_signature_wo_encryption_does_not_work-t21572.0.html

Really annoying :(

The only thing I can think of is that a signed, but not encrypted message is being modified somehow, either at the user or server level by some AV software. Usually by adding a tagline, “This message was scanned by {AV Program X}…” I think it likely that an AV program doesn’t interfere that way with an encrypted message because it can’t due to the encryption.
That latter bit is pure conjecture on my part, but seems logical because the reason for encrypting messages is to prevent them being scanned or modified by 3rd parties.
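Added example, not part of the thread: one way to test the "modified in transit" theory is to compare the signed body part of the sender's Sent copy with the copy that arrived, since a clear-signed message travels as `multipart/signed` and its signature covers the first part byte for byte. The function names and both sample messages are constructed for illustration, and the sketch assumes both copies are available as raw message source.

```python
import difflib
import hashlib
from email import message_from_bytes

def signed_part(raw: bytes) -> bytes:
    """Return the bytes a multipart/signed signature covers (the first body part)."""
    msg = message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or boundary is None:
        raise ValueError("not a clear-signed (multipart/signed) message")
    # Signatures are computed over CRLF line endings, so normalise first.
    data = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    pieces = data.split(b"\r\n--" + boundary.encode("ascii"))
    if len(pieces) < 3:
        raise ValueError("signed part or signature part missing")
    # pieces[1] is "<rest of boundary line>CRLF<signed part>"
    return pieces[1].split(b"\r\n", 1)[1]

def tamper_report(sent_raw: bytes, received_raw: bytes):
    """Return (changed, diff_lines) for the signed part of two copies of a message."""
    a, b = signed_part(sent_raw), signed_part(received_raw)
    # SHA-1 only because the warning in the thread reports RSA/SHA1.
    changed = hashlib.sha1(a).digest() != hashlib.sha1(b).digest()
    diff = list(difflib.unified_diff(
        a.decode("latin-1").splitlines(), b.decode("latin-1").splitlines(),
        "sent", "received", lineterm="", n=0))[2:]  # drop the ---/+++ header
    return changed, [line for line in diff if not line.startswith("@@")]

# Constructed sample: the sender's copy, with a placeholder instead of a real signature.
SENT = (
    b"From: sender@example.com\r\n"
    b"Content-Type: multipart/signed; protocol=\"application/x-pkcs7-signature\";\r\n"
    b" micalg=SHA1; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Lunch at noon?\r\n"
    b"--b1\r\n"
    b"Content-Type: application/x-pkcs7-signature\r\n"
    b"\r\n"
    b"(signature placeholder)\r\n"
    b"--b1--\r\n"
)
# Constructed sample: the same message after a scanner appended a tagline.
RECEIVED = SENT.replace(
    b"Lunch at noon?\r\n",
    b"Lunch at noon?\r\nThis message was scanned by AV Program X\r\n")

if __name__ == "__main__":
    print(tamper_report(SENT, RECEIVED))
```

Any line in the diff is content that was added or removed after signing, which is enough to make the recipient's client report that the message contents may have been altered.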