From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Notmuch Mail <notmuch@notmuchmail.org>
Subject: [PATCH 15/15] tests: disable CRL checks from gpgsm
Date: Tue, 28 Apr 2020 14:57:23 -0400 [thread overview]
Message-ID: <20200428185723.660184-16-dkg@fifthhorseman.net> (raw)
In-Reply-To: <20200428185723.660184-1-dkg@fifthhorseman.net>
GPGME has a strange failure mode when it is in offline mode, and/or
when certificates don't have any CRLs: in particular, it refuses to
accept the validity of any certificate other than a "root" cert.
This can be worked around by setting the `disable-crl-checks`
configuration variable for gpgsm.
I've reported this to the GPGME upstream at
https://dev.gnupg.org/T4883, but I have no idea how it will be
resolved. In the meantime, we'll just work around it.
Note that this fixes the test for verification of
id:smime-multipart-signed@protected-headers.example, because
multipart/signed messages are already handled correctly (one-part
PKCS#7 messages will get fixed later).
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
| 2 +-
test/test-lib.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index b7a83715..520cb71c 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -157,7 +157,7 @@ test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail.
for variant in multipart-signed onepart-signed; do
test_begin_subtest "verify signed PKCS#7 subject ($variant)"
- test_subtest_known_broken
+ [ "$variant" = multipart-signed ] || test_subtest_known_broken
output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example")
test_json_nodes <<<"$output" \
'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \
diff --git a/test/test-lib.sh b/test/test-lib.sh
index 6f47994e..2a7cbbb1 100644
--- a/test/test-lib.sh
+++ b/test/test-lib.sh
@@ -144,7 +144,7 @@ add_gpgsm_home ()
echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt"
gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt
echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt"
- echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm
+ printf '%s::1\n' include-certs disable-crl-checks | gpgconf --output /dev/null --change-options gpgsm
gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \
--disable-dirmngr --import $NOTMUCH_SRCDIR/test/smime/bob.p12 >>"$GNUPGHOME"/import.log 2>&1 3<<<''
test_debug "cat $GNUPGHOME/import.log"
--
2.26.2
next prev parent reply other threads:[~2020-04-28 19:00 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-28 18:57 Add tests for S/MIME PKCS#7 messages Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 01/15] tests: move add_gpgsm_home to test-lib.sh Daniel Kahn Gillmor
2020-04-30 21:29 ` David Bremner
2020-04-28 18:57 ` [PATCH 02/15] tests/smime: Always use --batch with gpgsm Daniel Kahn Gillmor
2020-04-30 19:33 ` [PATCH 03/15 v2] tests/smime: Include the Sample LAMPS Certificate Authority Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 03/15] " Daniel Kahn Gillmor
2020-04-29 1:43 ` David Bremner
2020-04-30 16:51 ` Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 04/15] tests/smime: consistently quote $GNUPGHOME Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 05/15] tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 06/15] tests/smime: avoid copying the key+cert.pem around Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 07/15] test: Allow tests to have both gpg and gpgsm active at once Daniel Kahn Gillmor
2020-04-29 20:02 ` Tomi Ollila
2020-04-30 16:53 ` Daniel Kahn Gillmor
2020-04-30 19:34 ` [PATCH 07/15 v2] " Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 08/15] tests/smime: include secret key material for Bob Daniel Kahn Gillmor
2020-04-29 20:05 ` Tomi Ollila
2020-04-30 16:56 ` Daniel Kahn Gillmor
2020-04-30 19:35 ` [PATCH 08/15 v2] " Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 09/15] tests: Add S/MIME messages to protected-headers corpus Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 10/15] tests/smime: Verify cryptographic message status Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 11/15] tests/smime: Test indexing cleartext of envelopedData Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 12/15] test-lib.sh: add test_valid_json Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 13/15] tests/smime: add tests for S/MIME SignedData Daniel Kahn Gillmor
2020-04-28 18:57 ` [PATCH 14/15] test/protected-headers: Add tests for S/MIME protected headers Daniel Kahn Gillmor
2020-04-28 18:57 ` Daniel Kahn Gillmor [this message]
2020-04-29 20:12 ` [PATCH 15/15] tests: disable CRL checks from gpgsm Tomi Ollila
2020-04-30 19:00 ` Daniel Kahn Gillmor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://notmuchmail.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200428185723.660184-16-dkg@fifthhorseman.net \
--to=dkg@fifthhorseman.net \
--cc=notmuch@notmuchmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).