From: Alexander Adolf
To: David Bremner, notmuch@notmuchmail.org
Subject: Re: Debugging Starting Point for S/MIME Signature Verification?
Date: Tue, 25 Jan 2022 18:16:21 +0100
Message-Id: <099b081f63ccd9882e04bf1f20790bf4@condition-alpha.com>
In-Reply-To: <87y235aut1.fsf@tethera.net>
References: <0dcc6a1405a990d078b626cb514e70e9@condition-alpha.com> <87y235aut1.fsf@tethera.net>
List-Id: "Use and development of the notmuch mail system."
David Bremner writes:

> [...]
> I guess you should start with "notmuch show --verify --format=json
> $msg | jq" on the command line. If the information is not there,
> nothing in the elisp will create it. You can use sexp output if you
> prefer, but it is easier to pretty-print the json.

Thanks for the pointer, David! Your hint seems bang on.

First of all, it spits an error on stderr:

---------------------------- Begin Quote -----------------------------
Failed to verify signed part: Cannot verify multipart/signed part: signature content-type does not match protocol.
----------------------------- End Quote ------------------------------

The top-level multipart/signed has:

---------------------------- Begin Quote -----------------------------
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0978_01D7F747.BB1F7A60"
----------------------------- End Quote ------------------------------

And the signature part starts:

---------------------------- Begin Quote -----------------------------
------=_NextPart_000_0978_01D7F747.BB1F7A60
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
----------------------------- End Quote ------------------------------

So it seems it's "x-pkcs7-signature" not matching "pkcs7-signature" that prevents the signature check from happening.

"x-pkcs7-signature" is a legacy media type, and was deprecated with RFC 2311 [1] back in March 1998 already. A similar issue seems to have been discussed in Mozilla Bug 148232 [2] back in 2002. Comment 7 on that bug [3] mentions RFC 2311, and it seems the conclusion of the Mozilla devs at the time was to treat "x-pkcs7-signature" as an alias for "pkcs7-signature" [4].

[1] https://datatracker.ietf.org/doc/html/rfc2311
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=148232
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=148232#c7
[4] https://bugzilla.mozilla.org/attachment.cgi?id=93002&action=diff

Of course it is a pain in parts I am too polite to mention right now, that 20 years on email tools still generate the deprecated, proprietary "x-" media type. Nonetheless, I would still dare to make a case for adding a corresponding alias treatment in notmuch. Not only for the sake of catering for messages sent by dumb, current, proprietary email implementations (read: interoperability), but also to enable signature verification on those really old messages in people's archives.

Ready to be shot down in flames...
;-))

Cheers,

--alexander
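The protocol-versus-signature-part comparison the error message describes, with the alias treatment the post argues for, as an added example that is not notmuch's own code (notmuch does this in C via GMime): a stand-alone Python check over a constructed message that reproduces the header combination quoted above. The alias table, the function names and the sample message (whose body and base64 blob are placeholders, not a real signature) are this example's assumptions.

```python
from email import message_from_string, policy

# Legacy "x-" S/MIME media types (deprecated by RFC 2311 in 1998) mapped to
# their canonical names. The alias table itself is this example's assumption.
SMIME_ALIASES = {
    "application/x-pkcs7-signature": "application/pkcs7-signature",
    "application/x-pkcs7-mime": "application/pkcs7-mime",
}

def canonical_media_type(media_type):
    """Lower-case a media type and map a legacy x- name to its RFC 2311 name."""
    mt = media_type.strip().lower()
    return SMIME_ALIASES.get(mt, mt)

def signed_part_protocol_matches(raw_message, alias_legacy=True):
    """Compare the multipart/signed 'protocol' parameter with the Content-Type
    of the second (signature) body part, the check the quoted error refers to.
    With alias_legacy=True both sides are canonicalised first, so a message
    labelled x-pkcs7-signature whose signature part says pkcs7-signature
    passes. Returns (ok, reason)."""
    msg = message_from_string(raw_message, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return False, "not multipart/signed"
    protocol, parts = msg.get_param("protocol"), msg.get_payload()
    if protocol is None or not isinstance(parts, list) or len(parts) != 2:
        return False, "malformed multipart/signed"
    sig_type = parts[1].get_content_type()
    norm = canonical_media_type if alias_legacy else str.lower
    if norm(protocol) != norm(sig_type):
        return False, "signature content-type does not match protocol"
    return True, "ok"

# Constructed sample reproducing the header combination from the report; the
# text body and the base64 blob are placeholders, not a real signed message.
SAMPLE = """\
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0978_01D7F747.BB1F7A60"

------=_NextPart_000_0978_01D7F747.BB1F7A60
Content-Type: text/plain

hello
------=_NextPart_000_0978_01D7F747.BB1F7A60
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
------=_NextPart_000_0978_01D7F747.BB1F7A60--
"""
```

With `alias_legacy=False` the sample fails exactly as reported; with the alias it passes the structural check, after which the actual CMS signature still has to be verified against the first body part.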