From: Alexander Adolf <alexander.adolf@condition-alpha.com>
To: David Bremner <david@tethera.net>, notmuch@notmuchmail.org
Subject: Re: Debugging Starting Point for S/MIME Signature Verification?
Date: Tue, 25 Jan 2022 18:16:21 +0100 [thread overview]
Message-ID: <099b081f63ccd9882e04bf1f20790bf4@condition-alpha.com> (raw)
In-Reply-To: <87y235aut1.fsf@tethera.net>
David Bremner <david@tethera.net> writes:
> [...]
> I guess you should start with "notmuch show --verify --format=json
> $msg | jq" on the command line. If the information is not there,
> nothing in the elisp will create it. You can use sexp output if you
> prefer, but it is easier to pretty-print the json.
Thanks for the pointer, David! Your hint seems bang on.
First of all, it spits an error on stderr:
---------------------------- Begin Quote -----------------------------
Failed to verify signed part: Cannot verify multipart/signed part:
signature content-type does not match protocol.
----------------------------- End Quote ------------------------------
The top-level multipart/signed has:
---------------------------- Begin Quote -----------------------------
Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature";
micalg=SHA1;
boundary="----=_NextPart_000_0978_01D7F747.BB1F7A60"
----------------------------- End Quote ------------------------------
And the signature part starts:
---------------------------- Begin Quote -----------------------------
------=_NextPart_000_0978_01D7F747.BB1F7A60
Content-Type: application/pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
----------------------------- End Quote ------------------------------
So it seems it's "x-pkcs7-signature" not matching "pkcs7-signature" that
prevents the signature check from happening.
"x-pkcs7-signature" is a legacy media type, and was deprecated with
RFC 2311 [1] back in March 1998 already.
A similar issue seems to have been discussed in Mozilla Bug 148232 [2]
back in 2002. Comment 7 on that bug [3] mentions RFC 2311, and it seems
the conclusion of the Mozilla devs at the time was to treat
"x-pkcs7-signature" as an alias for "pkcs7-signature" [4].
[1] https://datatracker.ietf.org/doc/html/rfc2311
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=148232
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=148232#c7
[4] https://bugzilla.mozilla.org/attachment.cgi?id=93002&action=diff
Of course it is a pain in parts I am too polite to mention right now,
that 20 years on email tools still generate the deprecated, proprietary
"x-" media type.
Nonetheless, I would still dare to make a case for adding a
corresponding alias treatment in notmuch. Not only for the sake of
catering for messages sent by dumb, current, proprietary email
implementations (read: interoperability), but also to enable signature
verification on those really old messages in people's archives.
Ready to be shot down in flames... ;-))
Cheers,
--alexander
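The check Alexander describes above (the multipart/signed "protocol" parameter compared against the Content-Type of the second body part, with the RFC 2311 legacy "x-" names folded onto their current equivalents) can be demonstrated on a constructed message using Python's standard library. This is an added example for the thread, not notmuch's own verification code; the alias table, the function names and the sample message (which reuses the header layout quoted in the mail, with a placeholder instead of a real CMS blob) are assumptions made here for illustration.

```python
import email
import email.utils
from email import policy

# Legacy media types that RFC 2311 (March 1998) listed as obsolete in favour
# of the un-prefixed application/pkcs7-* names. Which aliases to honour is an
# assumption of this example; only these two exact pairs are folded, so an
# unrelated mismatch (e.g. a PGP protocol over a PKCS#7 part) is still rejected.
LEGACY_ALIASES = {
    "application/x-pkcs7-signature": "application/pkcs7-signature",
    "application/x-pkcs7-mime": "application/pkcs7-mime",
}


def canonical_type(media_type: str) -> str:
    """Lower-case a media type and map a known legacy alias to its current name."""
    mt = media_type.strip().lower()
    return LEGACY_ALIASES.get(mt, mt)


def check_signed_part(raw: bytes, allow_legacy: bool = True) -> tuple[bool, str]:
    """Return (ok, detail) for the protocol/signature-part consistency check.

    With allow_legacy=False this mirrors a strict byte-for-byte comparison of
    the protocol parameter against the signature part's Content-Type, which
    fails on the mixed x-pkcs7/pkcs7 message from the thread. With
    allow_legacy=True both sides are canonicalised first.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return False, "not multipart/signed"

    protocol = msg.get_param("protocol")
    if protocol is None:
        return False, "multipart/signed without protocol parameter"
    if isinstance(protocol, tuple):  # RFC 2231 encoded parameter
        protocol = email.utils.collapse_rfc2231_value(protocol)

    parts = msg.get_payload()
    if len(parts) != 2:
        return False, f"expected 2 body parts, found {len(parts)}"

    sig_type = parts[1].get_content_type()
    if allow_legacy:
        match = canonical_type(protocol) == canonical_type(sig_type)
    else:
        match = protocol.lower() == sig_type.lower()

    if not match:
        return False, (f"signature content-type {sig_type} "
                       f"does not match protocol {protocol}")
    return True, sig_type


# Constructed sample: same header shape as the message quoted in the thread,
# but a throw-away body and a placeholder instead of a real smime.p7s blob.
SAMPLE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed multipart/signed sample
MIME-Version: 1.0
Content-Type: multipart/signed;
 protocol="application/x-pkcs7-signature";
 micalg=SHA1;
 boundary="----=_NextPart_000_0978_01D7F747.BB1F7A60"

This is a multi-part message in MIME format.

------=_NextPart_000_0978_01D7F747.BB1F7A60
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello, this body is what the detached signature covers.

------=_NextPart_000_0978_01D7F747.BB1F7A60
Content-Type: application/pkcs7-signature;
 name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="smime.p7s"

AAECAwQFBgc=

------=_NextPart_000_0978_01D7F747.BB1F7A60--
"""

# Same message, but with a protocol that is not a legacy alias of the part's type.
MISMATCHED = SAMPLE.replace(b'protocol="application/x-pkcs7-signature"',
                            b'protocol="application/pgp-signature"')


if __name__ == "__main__":
    print("strict :", check_signed_part(SAMPLE, allow_legacy=False))
    print("aliased:", check_signed_part(SAMPLE))
    print("pgp/p7s:", check_signed_part(MISMATCHED))
```

The strict run reproduces the "signature content-type does not match protocol" failure from the mail; the aliased run lets the message through to the actual signature verification, while the third case shows that canonicalising only the two documented legacy names does not turn the check into a blanket "accept anything" rule.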
Thread overview:
2022-01-24 17:31 Debugging Starting Point for S/MIME Signature Verification? Alexander Adolf
2022-01-24 17:48 ` David Bremner
2022-01-25 17:16 ` Alexander Adolf [this message]
2022-01-26 0:09 ` David Bremner
2022-02-11 13:26 ` David Bremner
2022-02-12 14:36 ` Alexander Adolf