* S/MIME support in notmuch
From: Dan Bryant @ 2011-12-08 2:58 UTC
To: notmuch
I'd like to report some success on getting S/MIME signature verification
working using notmuch and the recently-released GMime 2.6. I specifically
tested with notmuch-0.10.2 and gmime-2.6.1.
The following changes were required:
1) notmuch: Apply patch from Redhat packaging to handle API changes from
gmime-2.4 to gmime-2.6 (see "compile error of current git on F15"
thread from 25 November on the list)
2) notmuch: Create an S/MIME context instead of the GPG context in
notmuch-show.c. g_mime_gpg_context_new() becomes
g_mime_pkcs7_context_new(), and similarly for
g_mime_gpg_context_set_always_trust().
3) gmime: The pkcs7 context only works with signatures of
"application/pkcs7-signature". Per RFC2311 section C, both
"application/pkcs7-signature" and "application/x-pkcs7-signature"
should be treated identically. I temporarily disabled this check in
gmime/gmime-multipart-signed.c and then gmime accepted the
signatures.
Next, I was always seeing signature verification errors with completely
unhelpful error messages. These turned out to be because the 'gpg-agent'
program was not running. Once I started the agent, I got prompts
on trusting root certs and was then able to see known-valid certificates
verified in the emacs UI.
NB: I started gpg-agent with the --allow-mark-trusted option so that it
would graphically prompt me for which root certificates to trust. See
http://lists.gnupg.org/pipermail/gnupg-users/2004-September/023247.html
for more detail on some of the general setup choices for the GPG
S/MIME stack. The most useful command for debugging the underlying
S/MIME configuration was "gpgsm --list-chain --with-validation".
I don't have submittable patches for #2/#3 yet, but I wanted to share
what I found about the scope of what actually needs to be done, which is
fairly small. (The biggest blocker is probably that Debian & other
distros haven't packaged gmime-2.6.)
Dan
* Re: S/MIME support in notmuch
From: Darren McGuicken @ 2011-12-21 11:51 UTC
To: Dan Bryant, notmuch
On Wed, 07 Dec 2011 21:58:03 -0500, Dan Bryant <dan.bryant@jhuapl.edu> wrote:
> I'd like to report some success on getting S/MIME signature
> verification working using notmuch and the recently-released GMime
> 2.6. I specifically tested with notmuch-0.10.2 and gmime-2.6.1.
[...]
> I don't have submittable patches for #2/#3 yet, but I wanted to share
> what I found about the scope of what actually needs to be done, which
> is fairly small. (The biggest blocker is probably that Debian & other
> distros haven't packaged gmime-2.6.)
Hi Dan, nice find! As another Fedora user I'd be happy to test out any
patches you come up with.
When you make those changes to the gpg_context are you breaking gpg
signature validation? Or is the one a superset of the other?
* Re: S/MIME support in notmuch
From: Dan Bryant @ 2011-12-23 16:40 UTC
To: Darren McGuicken, notmuch@notmuchmail.org
On Wed, 21 Dec 2011 06:51:01 -0500, Darren McGuicken <mailing-notmuch@fernseed.info> wrote:
> On Wed, 07 Dec 2011 21:58:03 -0500, Dan Bryant <dan.bryant@jhuapl.edu> wrote:
> > I'd like to report some success on getting S/MIME signature
> > verification working using notmuch and the recently-released GMime
> > 2.6. I specifically tested with notmuch-0.10.2 and gmime-2.6.1.
>
> [...]
>
> > I don't have submittable patches for #2/#3 yet, but I wanted to share
> > what I found about the scope of what actually needs to be done, which
> > is fairly small. (The biggest blocker is probably that Debian & other
> > distros haven't packaged gmime-2.6.)
>
> Hi Dan, nice find! As another Fedora user I'd be happy to test out any
> patches you come up with.
>
> When you make those changes to the gpg_context are you breaking gpg
> signature validation? Or is the one a superset of the other?
The current assumption in notmuch is that all encrypted/signed messages
in a mailbox will be using the same crypto algorithm. This is the first
thing I want to fix: which crypto algorithm (and therefore, context
object) to use should probably be detected by the MIME type of the
message part.
Dan
* Re: S/MIME support in notmuch
From: Daniel Kahn Gillmor @ 2011-12-27 14:23 UTC
To: notmuch@notmuchmail.org
On 12/23/2011 11:40 AM, Dan Bryant wrote:
> On Wed, 21 Dec 2011 06:51:01 -0500, Darren McGuicken <mailing-notmuch@fernseed.info> wrote:
>> When you make those changes to the gpg_context are you breaking gpg
>> signature validation? Or is the one a superset of the other?
>
> The current assumption in notmuch is that all encrypted/signed messages
> in a mailbox will be using the same crypto algorithm. This is the first
> thing I want to fix: which crypto algorithm (and therefore, context
> object) to use should probably be detected by the MIME type of the
> message part.
This was an issue I was hoping would get resolved in gmime 2.6, but
apparently it's still open:
https://bugzilla.gnome.org/show_bug.cgi?id=641848
So it does look like we're going to need to do the detection and
selection ourselves.
--dkg
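The per-part detection Dan proposes and dkg says notmuch will have to do itself, combined with the RFC 2311 equivalence of the two S/MIME signature types from Dan's first message, written out as an added example in C; this is not notmuch or GMime code, and the crypto_backend_t enum and the content_type_param helper are hypothetical stand-ins for notmuch's own plumbing.

```c
#include <ctype.h>
#include <string.h>
/* Which GMime context a signed part needs: g_mime_gpg_context_new (OpenPGP)
 * or g_mime_pkcs7_context_new (S/MIME); CRYPTO_NONE means unsupported. */
typedef enum { CRYPTO_NONE, CRYPTO_GPG, CRYPTO_PKCS7 } crypto_backend_t;
/* Case-insensitive compare of n chars (RFC 2045); n = strlen(b)+1 includes the NULs. */
static int ieqn(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
        if (!a[i]) break;
    }
    return 1;
}
#define ieq(a, b) ieqn((a), (b), strlen(b) + 1)
/* Hypothetical helper: copy Content-Type parameter `name` (quoted string or
 * bare token) into out; returns 1 if the parameter is present. */
static int content_type_param(const char *ctype, const char *name,
                              char *out, size_t outlen) {
    size_t nlen = strlen(name), n = 0;
    for (const char *p = strchr(ctype, ';'); p; p = strchr(p, ';')) {
        for (p++; *p == ' ' || *p == '\t'; p++) {}
        if (!ieqn(p, name, nlen) || p[nlen] != '=') continue;
        const char *v = p + nlen + 1;
        int quoted = (*v == '"'); v += quoted;
        while (*v && n + 1 < outlen &&
               (quoted ? *v != '"' : (*v != ';' && *v != ' ' && *v != '\t')))
            out[n++] = *v++;
        out[n] = '\0';
        return 1;
    }
    return 0;
}
/* RFC 2311 section C: pkcs7-signature and x-pkcs7-signature are equivalent. */
crypto_backend_t backend_for_protocol(const char *protocol) {
    if (ieq(protocol, "application/pgp-signature")) return CRYPTO_GPG;
    if (ieq(protocol, "application/pkcs7-signature") ||
        ieq(protocol, "application/x-pkcs7-signature")) return CRYPTO_PKCS7;
    return CRYPTO_NONE;
}
/* Select the context from the part's full Content-Type header value. */
crypto_backend_t backend_for_content_type(const char *ctype) {
    char proto[128]; size_t k = strlen("multipart/signed");
    if (!ieqn(ctype, "multipart/signed", k) ||
        (ctype[k] && ctype[k] != ';' && ctype[k] != ' ' && ctype[k] != '\t'))
        return CRYPTO_NONE;               /* not a multipart/signed part */
    if (!content_type_param(ctype, "protocol", proto, sizeof proto))
        return CRYPTO_NONE;               /* protocol parameter missing */
    return backend_for_protocol(proto);
}
```

The caller would construct the matching GMime context only after this selection, so a mailbox mixing OpenPGP and S/MIME messages no longer depends on one global context.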