This article is intended for a technical audience. For assistance with verifying a digital signature, please contact our Customer Care team.
When your client submits an electronically signed secure web form, you will receive an email in your Hushmail account. This email contains an extra digital signature which can be used to confirm the authenticity of the completed signed form, its attachments, and its record of activity (audit trail).
To verify Hushmail's digital signature, follow the steps below.
1. Download a copy of your completed signed form
Completed signed forms are stored as emails in your Hushmail account. If you no longer have the email for the completed signed form you would like to verify, you can retrieve a copy of it from your Forms folder.
To download the form, configure your Hushmail account in a third-party email application that will allow you to export an unmodified original copy of an email message to a .eml file. At the time of writing, the latest versions of Mac Mail and Thunderbird both support this.
Save the unmodified original message to a file named message.eml, and save all attachments and signature images to the same folder.
2. Find the digital signature header
You can find the digital signature and related information in the X-hush-form-signature header in your .eml file. The header has 3 parameters: version, content, and signature.
X-hush-form-signature: version=1; content=eyJ0aW1lc3RhbXAiOjE1NzMxNjAzNTMsImh0bWwiOiJmOGMyYTU4ZTZiNmUwY2Y5NzU1NzVhNDA3ODBlZGE2YThiZjA5Y2I2ZGJmY2Y2Y2E3NmViZjAyOGQxNTBjZTIyIiwiYXR0YWNobWVudHMiOnsiZmlsZTEuZG9jIjoiMzYyMzkzYTMxZWRkNjQ4MzJjNDM3YTgzMjgwYWQ2M2E0OGVjMGE3YmYyMzMyYjNlNGI5ODVjZWZkNjM1MTU2NCIsInNpZ25hdHVyZS0xLnBuZyI6IjlmNGViOWIxYjJlM2U2ZDA4Y2ViMzQ1YjFhYjU3OGNmOTAzMDZmZTliOTVhMWYwNzczZWI0ODIwYjIzNzZhN2QifX0=; signature=…dUt5N1dCcXNUWEN2aHhCRGpodzNEMWJXY01BL2F2VmNDc0pkV3BvQXd6SXVZQzlWa0pIL1hhNlJTCllLaVhCRUFUVlVkL0FwZE8xWHdIOUt5V3VkbWVoczdWUGVNZVdTSmNoQU09Cj1ybElCCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=
3. Save the version and content parameters to a file
The version and content parameters together are digitally signed by a signature contained in the signature parameter. Save these two parameters to a file named version-and-content.txt.
version=1; content=eyJ0aW1lc3RhbXAiOjE1NzMxNjAzNTMsImh0bWwiOiJmOGMyYTU4ZTZiNmUwY2Y5NzU1NzVhNDA3ODBlZGE2YThiZjA5Y2I2ZGJmY2Y2Y2E3NmViZjAyOGQxNTBjZTIyIiwiYXR0YWNobWVudHMiOnsiZmlsZTEuZG9jIjoiMzYyMzkzYTMxZWRkNjQ4MzJjNDM3YTgzMjgwYWQ2M2E0OGVjMGE3YmYyMzMyYjNlNGI5ODVjZWZkNjM1MTU2NCIsInNpZ25hdHVyZS0xLnBuZyI6IjlmNGViOWIxYjJlM2U2ZDA4Y2ViMzQ1YjFhYjU3OGNmOTAzMDZmZTliOTVhMWYwNzczZWI0ODIwYjIzNzZhN2QifX0=
version-and-content.txt
4. Save the decoded signature parameter to a file
The signature parameter's value is Base64 encoded. Save the decoded value to a file named signature.asc.
signature.asc
5. Import Hushmail's public key to gpg
To import Hushmail's public key to gpg, follow these steps.
First, save Hushmail's public key to a file named hushmail.asc:
Next, confirm the public key's fingerprint matches B19F EA4A EA0F B198 3B5D 684A A908 D773 D927 29F2:
Finally, import the public key to gpg:
6. Verify the digital signature
Use gpg to verify that signature.asc contains a valid digital signature on version-and-content.txt, made with Hushmail's key.
Troubleshooting
Having trouble verifying the signature? Ensure there are no trailing whitespace characters in your version-and-content.txt file.
7. Decode the content parameter from version-and-content.txt
The content parameter, when Base64-decoded, contains a JSON object with a timestamp, and SHA-256 hashes of the email message's HTML body and attachments.
8. Confirm the attachment hashes
Confirm that each attachment's SHA-256 hash matches the value extracted from the content parameter.
9. Confirm the HTML message's hash
To confirm the HTML message hash, extract and decode the text/html part from your message.eml file into a file named html-message.html. Confirm that this file's SHA-256 hash matches the value extracted from the content parameter.
Troubleshooting
If you're having difficulty extracting and decoding the text/html part, the following python code might help:
Summary
To confirm that a completed electronically signed document was produced by Hushmail:
- A valid SHA-256 hash must be present in the digital signature header for the HTML body and each attachment
- A valid digital signature from Hushmail must be present in the digital signature header
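Steps 2 to 4 and 7 to 9 can be scripted. The Python below is an added example, not Hushmail's own code. It assumes the header is on one unfolded line, that the content JSON uses the keys timestamp, html and attachments (as the sample header above decodes to), and that each hash covers the part's transfer-decoded bytes; build_sample is a constructed message whose signature value is a placeholder.

```python
import base64, hashlib, json, pathlib
from email import message_from_bytes, policy

HEADER = "X-hush-form-signature"

def split_header(value):
    """Split the header into the signed text and the decoded detached signature."""
    signed_text, sep, sig_b64 = value.strip().partition("; signature=")
    if not sep or not signed_text.startswith("version=1; content="):
        raise ValueError("unexpected X-hush-form-signature layout")
    return signed_text, base64.b64decode(sig_b64)

def write_gpg_inputs(raw_eml, outdir="."):
    """Steps 3-4: write gpg's two input files byte-exact, with no trailing newline."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    signed_text, signature = split_header(msg[HEADER] or "")
    out = pathlib.Path(outdir)
    (out / "version-and-content.txt").write_bytes(signed_text.encode("ascii"))
    (out / "signature.asc").write_bytes(signature)

def check_hashes(raw_eml):
    """Steps 7-9: compare each part's SHA-256 with the signed content parameter."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    signed_text, _ = split_header(msg[HEADER] or "")
    manifest = json.loads(base64.b64decode(signed_text.split("content=", 1)[1]))
    results = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        name = part.get_filename()
        if name is not None:  # an attachment absent from the signed list fails
            results[name] = manifest["attachments"].get(name) == digest
        elif part.get_content_type() == "text/html":
            results["html"] = manifest["html"] == digest
    for name in ["html", *manifest["attachments"]]:
        results.setdefault(name, False)  # signed entry with no matching part
    return results

def build_sample(html=b"<p>constructed form</p>", doc=b"constructed attachment"):
    """Constructed test message; the signature value is a placeholder, not a PGP signature."""
    sha = lambda b: hashlib.sha256(b).hexdigest()
    b64 = lambda b: base64.b64encode(b).decode()
    content = {"timestamp": 0, "html": sha(html), "attachments": {"file1.doc": sha(doc)}}
    head = f"{HEADER}: version=1; content={b64(json.dumps(content).encode())}; signature={b64(b'placeholder')}\n"
    return (head + 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b"\n\n'
            "--b\nContent-Type: text/html\nContent-Transfer-Encoding: base64\n\n" + b64(html) +
            "\n--b\nContent-Type: application/msword\nContent-Transfer-Encoding: base64\n"
            'Content-Disposition: attachment; filename="file1.doc"\n\n' + b64(doc) + "\n--b--\n").encode()
```

After write_gpg_inputs, step 6 is `gpg --verify signature.asc version-and-content.txt`. The hash results are only meaningful once that signature check has passed, because the hashes are read from the signed content parameter.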