Re: S/MIME support in notmuch
On Wed, 21 Dec 2011 06:51:01 -0500, Darren McGuicken wrote:
> On Wed, 07 Dec 2011 21:58:03 -0500, Dan Bryant wrote:
> > I'd like to report some success on getting S/MIME signature
> > verification working using notmuch and the recently-released GMime
> > 2.6. I specifically tested with notmuch-0.10.2 and gmime-2.6.1.
> > [...]
> >
> > I don't have submittable patches for #2/#3 yet, but I wanted to share
> > what I found about the scope of what actually needs to be done, which
> > is fairly small. (The biggest blocker is probably that Debian & other
> > distros haven't packaged gmime-2.6.)
>
> Hi Dan, nice find! As another Fedora user I'd be happy to test out any
> patches you come up with.
>
> When you make those changes to the gpg_context are you breaking gpg
> signature validation? Or is the one a superset of the other?

The current assumption in notmuch is that all encrypted/signed messages in a mailbox will be using the same crypto algorithm. This is the first thing I want to fix: which crypto algorithm (and therefore, context object) to use should probably be detected by the MIME type of the message part.

Dan

___
notmuch mailing list
notmuch@notmuchmail.org
http://notmuchmail.org/mailman/listinfo/notmuch
S/MIME support in notmuch
I'd like to report some success on getting S/MIME signature verification working using notmuch and the recently-released GMime 2.6. I specifically tested with notmuch-0.10.2 and gmime-2.6.1.

The following changes were required:

1) notmuch: Apply patch from Redhat packaging to handle API changes from gmime-2.4 to gmime-2.6 (see "compile error of current git on F15" thread from 25 November on the list)

2) notmuch: Create an S/MIME context instead of the GPG context in notmuch-show.c. g_mime_gpg_context_new() becomes g_mime_pkcs7_context_new(), and similarly for g_mime_gpg_context_set_always_trust().

3) gmime: The pkcs7 context only works with signatures of "application/pkcs7-signature". Per RFC2311 section C, both "application/pkcs7-signature" and "application/x-pkcs7-signature" should be treated identically. I temporarily disabled this check in gmime/gmime-multipart-signed.c and then gmime accepted the signatures.

Next, I was always seeing signature verification errors with completely unhelpful error messages. These turned out to be because the 'gpg-agent' program was not running. Once I started the agent, I got prompts on trusting root certs and was then able to see known-valid certificates verified in the emacs UI.

NB: I started gpg-agent with the --allow-mark-trusted option so that it would graphically prompt me for which root certificates to trust. See http://lists.gnupg.org/pipermail/gnupg-users/2004-September/023247.html for more detail on some of the general setup choices for the GPG S/MIME stack.

The most useful command for debugging the underlying S/MIME configuration was "gpgsm --list-chain --with-validation".

I don't have submittable patches for #2/#3 yet, but I wanted to share what I found about the scope of what actually needs to be done, which is fairly small. (The biggest blocker is probably that Debian & other distros haven't packaged gmime-2.6.)

Dan
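The two messages above raise the same design point: the signature protocol should be picked per message part from its MIME type (step 2 and step 3 of Dan's list, and his reply about the "same crypto algorithm" assumption), and the two PKCS#7 media type spellings from RFC 2311 section C must be treated as one. The C example below is added here and is not notmuch or GMime code; it models that dispatch on the "protocol" parameter of a multipart/signed Content-Type header without linking GMime, and only names the GMime constructors from the thread in comments. The header strings in main() are constructed sample input, and the parser is a deliberately small hypothetical helper, not a full RFC 2045 parameter parser (no comments, no RFC 2231 continuations).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Which crypto context a multipart/signed part calls for. */
typedef enum {
    CRYPTO_NONE = 0,   /* not a signature protocol we recognise */
    CRYPTO_OPENPGP,    /* would map to g_mime_gpg_context_new() */
    CRYPTO_PKCS7       /* would map to g_mime_pkcs7_context_new() */
} crypto_kind;

/* Extract one parameter (e.g. "protocol") from a raw Content-Type value.
 * Accepts quoted and unquoted values; returns 0 if absent or too long. */
static int content_type_param(const char *header, const char *name,
                              char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = header;

    while ((p = strchr(p, ';')) != NULL) {
        p++;
        while (*p && isspace((unsigned char)*p))
            p++;
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
                if (end == NULL)
                    return 0;          /* unterminated quote */
            } else {
                end = v;
                while (*end && *end != ';' && !isspace((unsigned char)*end))
                    end++;
            }
            if ((size_t)(end - v) >= outlen)
                return 0;
            memcpy(out, v, (size_t)(end - v));
            out[end - v] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Map a signature protocol media type to a context kind. Media types are
 * case-insensitive, and RFC 2311 section C makes the x-pkcs7 spelling
 * equivalent to the registered one. */
crypto_kind crypto_kind_for_protocol(const char *protocol)
{
    if (strcasecmp(protocol, "application/pgp-signature") == 0)
        return CRYPTO_OPENPGP;
    if (strcasecmp(protocol, "application/pkcs7-signature") == 0 ||
        strcasecmp(protocol, "application/x-pkcs7-signature") == 0)
        return CRYPTO_PKCS7;
    return CRYPTO_NONE;
}

/* Decide per part: only multipart/signed with a known protocol gets a
 * verification context; everything else is shown unverified. */
crypto_kind crypto_kind_for_content_type(const char *header)
{
    char proto[128];

    if (strncasecmp(header, "multipart/signed", 16) != 0)
        return CRYPTO_NONE;
    if (!content_type_param(header, "protocol", proto, sizeof proto))
        return CRYPTO_NONE;
    return crypto_kind_for_protocol(proto);
}

int main(void)
{
    /* Constructed sample headers, not taken from real mail. */
    const char *samples[] = {
        "multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1",
        "multipart/signed; protocol=\"application/x-pkcs7-signature\"; micalg=sha1",
        "multipart/signed; micalg=pgp-sha1; protocol=\"application/pgp-signature\"",
        "multipart/signed; micalg=sha1",
        "text/plain; charset=utf-8",
    };
    static const char *names[] = { "none", "openpgp", "pkcs7" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s <- %s\n", names[crypto_kind_for_content_type(samples[i])],
               samples[i]);
    return 0;
}
```

The point of routing on the part rather than on a global setting is that one mailbox routinely holds both OpenPGP and S/MIME signed mail; a mismatched context produces exactly the unhelpful verification errors the thread describes, and an unknown protocol should fall through to "unverified" rather than to a hard failure.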