From: Daniel Kahn Gillmor
To: Notmuch Mail
Subject: [PATCH 15/15] tests: disable CRL checks from gpgsm
Date: Tue, 28 Apr 2020 14:57:23 -0400
Message-Id: <20200428185723.660184-16-dkg@fifthhorseman.net>
In-Reply-To: <20200428185723.660184-1-dkg@fifthhorseman.net>
References: <20200428185723.660184-1-dkg@fifthhorseman.net>

GPGME has a strange failure mode when it is in offline mode, and/or when certificates don't have any CRLs: in particular, it refuses to accept the validity of any certificate other than a "root" cert.

This can be worked around by setting the `disable-crl-checks` configuration variable for gpgsm.

I've reported this to the GPGME upstream at https://dev.gnupg.org/T4883, but I have no idea how it will be resolved.

In the meantime, we'll just work around it.

Note that this fixes the test for verification of id:smime-multipart-signed@protected-headers.example, because multipart/signed messages are already handled correctly (one-part PKCS#7 messages will get fixed later).

Signed-off-by: Daniel Kahn Gillmor
---
 test/T356-protected-headers.sh | 2 +-
 test/test-lib.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh index b7a83715..520cb71c 100755 --- a/test/T356-protected-headers.sh +++ b/test/T356-protected-headers.sh @@ -157,7 +157,7 @@ test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail. for variant in multipart-signed onepart-signed; do test_begin_subtest "verify signed PKCS#7 subject ($variant)" - test_subtest_known_broken + [ "$variant" = multipart-signed ] || test_subtest_known_broken output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example") test_json_nodes <<<"$output" \ 'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \ 
diff --git a/test/test-lib.sh b/test/test-lib.sh index 6f47994e..2a7cbbb1 100644 --- a/test/test-lib.sh +++ b/test/test-lib.sh @@ -144,7 +144,7 @@ add_gpgsm_home () echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt" gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" - echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm + printf '%s::1\n' include-certs disable-crl-checks | gpgconf --output /dev/null --change-options gpgsm gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ --disable-dirmngr --import $NOTMUCH_SRCDIR/test/smime/bob.p12 >>"$GNUPGHOME"/import.log 2>&1 3<<<'' test_debug "cat $GNUPGHOME/import.log" -- 2.26.2
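
Review bot: In test/T356-protected-headers.sh, the new guard `[ "$variant" = multipart-signed ] || test_subtest_known_broken` carries no comment saying why onepart-signed stays marked broken, so the only record is the commit message ("one-part PKCS#7 messages will get fixed later"). A one-line comment above the guard stating that the one-part variant is still known broken would make it obvious that the whole conditional should be deleted when that fix lands. Naming the broken case directly (testing for onepart-signed rather than for "not multipart-signed") would also keep any variant added to the `for` list later from silently inheriting the known-broken marker.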
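
Review bot: In test/test-lib.sh, `disable-crl-checks` is written into the gpgsm configuration inside add_gpgsm_home, so it applies to every test that uses this GNUPGHOME, not only the protected-headers verification, and nothing next to the `printf ... | gpgconf` line records that it is a workaround. Please add a comment there pointing at https://dev.gnupg.org/T4883 so the option can be dropped once upstream resolves it, and so nobody reads the test setup as a recommended gpgsm configuration. Note also that the gpgconf output goes to /dev/null and its exit status is not checked in the visible lines, so if either option is rejected the only symptom will be verification failures further down.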