Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

unofficial mirror of notmuch@notmuchmail.org
 help / color / mirror / code / Atom feed

* Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default
       [not found] <20140721223426.GA5250@siren>
@ 2014-07-21 23:16 ` David Bremner
  2014-07-22  1:03   ` Jameson Graef Rollins
  2017-07-16 12:45   ` David Bremner
  0 siblings, 2 replies; 7+ messages in thread
From: David Bremner @ 2014-07-21 23:16 UTC (permalink / raw)
  To: Vagrant Cascadian, 755544; +Cc: notmuch

Vagrant Cascadian <vagrant@debian.org> writes:

> Package: notmuch-emacs
> Version: 0.18.1-1
> Severity: important
>
> Thanks for notmuch-emacs, it's great!
>
> I did notice that it doesn't appear to check weather gpg/pgp signatures are
> valid by default.
>
> When I created a signed message to myself, made a copy of it, and then manually
> edited the text within without changing the signature...
>
> But notmuch-emacs doesn't distinguish between the valid signature
:
>
>   Subject: valid gpg sig
>   To: vagrant@localhost
>   Date: Mon, 21 Jul 2014 15:03:45 -0700
>   
>   [ multipart/signed ]
>   [ text/plain ]
>   this should be a VALID gpg signature.
>   [ signature.asc: application/pgp-signature ]
>
> And the edited text, with an invalid signature:
>
>   Subject: invalid gpg sig
>   To: vagrant@localhost
>   Date: Mon, 21 Jul 2014 15:03:45 -0700
>   
>   [ multipart/signed ]
>   [ text/plain ]
>   this should be an INVALID gpg signature.
>   [ signature.asc: application/pgp-signature ]

Hi Vagrant;

Thanks for the bug report.  It seems that most of the developers
have customized the emacs variable

notmuch-crypto-process-mime to t

For the moment I suggest that as a workaround, and we'll see about
fixing the UI bug upstream.

notmuch folks: it seems that in vagrant's message, and several others I
checked, it notmuch-crypto-process-mime==nil, then no signature button
is created at all.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default
  2014-07-21 23:16 ` Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default David Bremner
@ 2014-07-22  1:03   ` Jameson Graef Rollins
  2014-07-22  4:30     ` Daniel Kahn Gillmor
  2014-07-22  9:44     ` David Bremner
  2017-07-16 12:45   ` David Bremner
  1 sibling, 2 replies; 7+ messages in thread
From: Jameson Graef Rollins @ 2014-07-22  1:03 UTC (permalink / raw)
  To: David Bremner, Vagrant Cascadian, 755544; +Cc: notmuch

[-- Attachment #1: Type: text/plain, Size: 466 bytes --]

On Mon, Jul 21 2014, David Bremner <david@tethera.net> wrote:
> notmuch folks: it seems that in vagrant's message, and several others I
> checked, it notmuch-crypto-process-mime==nil, then no signature button
> is created at all.

Yes, this is true.  The signature button is pretty meaningless if we're
not processing the signature.

Maybe instead by default we could have a signature button that opens up
a notmuch-crypto-process-mime customization buffer?

jamie.

[-- Attachment #2: Type: application/pgp-signature, Size: 818 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default
  2014-07-22  1:03   ` Jameson Graef Rollins
@ 2014-07-22  4:30     ` Daniel Kahn Gillmor
  2014-07-22  4:39       ` Daniel Kahn Gillmor
  2014-07-22  9:44     ` David Bremner
  1 sibling, 1 reply; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2014-07-22  4:30 UTC (permalink / raw)
  To: Jameson Graef Rollins, David Bremner, Vagrant Cascadian, 755544; +Cc: notmuch

[-- Attachment #1: Type: text/plain, Size: 748 bytes --]

On 07/21/2014 09:03 PM, Jameson Graef Rollins wrote:
> On Mon, Jul 21 2014, David Bremner <david@tethera.net> wrote:
>> notmuch folks: it seems that in vagrant's message, and several others I
>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>> is created at all.
> 
> Yes, this is true.  The signature button is pretty meaningless if we're
> not processing the signature.
> 
> Maybe instead by default we could have a signature button that opens up
> a notmuch-crypto-process-mime customization buffer?

Or the button could just re-load the current view while processing the
signature, and send "you can customize notmuch-crypt-process-mime to do
this automatically in the future" to *Messages*.

	--dkg


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default
  2014-07-22  4:30     ` Daniel Kahn Gillmor
@ 2014-07-22  4:39       ` Daniel Kahn Gillmor
  0 siblings, 0 replies; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2014-07-22  4:39 UTC (permalink / raw)
  To: Jameson Graef Rollins, David Bremner, Vagrant Cascadian, 755544; +Cc: notmuch

[-- Attachment #1: Type: text/plain, Size: 999 bytes --]

On 07/22/2014 12:30 AM, Daniel Kahn Gillmor wrote:
> On 07/21/2014 09:03 PM, Jameson Graef Rollins wrote:
>> On Mon, Jul 21 2014, David Bremner <david@tethera.net> wrote:
>>> notmuch folks: it seems that in vagrant's message, and several others I
>>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>>> is created at all.
>>
>> Yes, this is true.  The signature button is pretty meaningless if we're
>> not processing the signature.
>>
>> Maybe instead by default we could have a signature button that opens up
>> a notmuch-crypto-process-mime customization buffer?
> 
> Or the button could just re-load the current view while processing the
> signature, and send "you can customize notmuch-crypt-process-mime to do
> this automatically in the future" to *Messages*.

Oh, and it seems like in the case where no verification or PGP/MIME
procesing was done, we need to make it a *lot* clearer to the user that
no signature verification was done.

	--dkg


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default
  2014-07-22  1:03   ` Jameson Graef Rollins
  2014-07-22  4:30     ` Daniel Kahn Gillmor
@ 2014-07-22  9:44     ` David Bremner
  2016-02-08 17:46       ` David Edmondson
  1 sibling, 1 reply; 7+ messages in thread
From: David Bremner @ 2014-07-22  9:44 UTC (permalink / raw)
  To: Jameson Graef Rollins, Vagrant Cascadian, 755544; +Cc: notmuch

Jameson Graef Rollins <jrollins@finestructure.net> writes:

> On Mon, Jul 21 2014, David Bremner <david@tethera.net> wrote:
>> notmuch folks: it seems that in vagrant's message, and several others I
>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>> is created at all.
>
> Yes, this is true.  The signature button is pretty meaningless if we're
> not processing the signature.
>
> Maybe instead by default we could have a signature button that opens up
> a notmuch-crypto-process-mime customization buffer?
>
> jamie.

looking at the source, there is supposed to be some button:

,----
| (defun notmuch-show-insert-part-multipart/signed (msg part content-type nth depth button)
|   (button-put button 'face 'notmuch-crypto-part-header)
|   ;; add signature status button if sigstatus provided
|   (if (plist-member part :sigstatus)
|       (let* ((from (notmuch-show-get-header :From msg))
| 	     (sigstatus (car (plist-get part :sigstatus))))
| 	(notmuch-crypto-insert-sigstatus-button sigstatus from))
|     ;; if we're not adding sigstatus, tell the user how they can get it
|     (button-put button 'help-echo "Set notmuch-crypto-process-mime to process cryptographic MIME parts."))
`----

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default
  2014-07-22  9:44     ` David Bremner
@ 2016-02-08 17:46       ` David Edmondson
  0 siblings, 0 replies; 7+ messages in thread
From: David Edmondson @ 2016-02-08 17:46 UTC (permalink / raw)
  To: David Bremner, Jameson Graef Rollins, Vagrant Cascadian, 755544; +Cc: notmuch

On Tue, Jul 22 2014, David Bremner wrote:
> Jameson Graef Rollins <jrollins@finestructure.net> writes:
>
>> On Mon, Jul 21 2014, David Bremner <david@tethera.net> wrote:
>>> notmuch folks: it seems that in vagrant's message, and several others I
>>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>>> is created at all.
>>
>> Yes, this is true.  The signature button is pretty meaningless if we're
>> not processing the signature.
>>
>> Maybe instead by default we could have a signature button that opens up
>> a notmuch-crypto-process-mime customization buffer?
>>
>> jamie.
>
> looking at the source, there is supposed to be some button:

There is a button for the part (the one that says "[multipart/signed]")
and the help text is associated with that. There is no button
specifically for the signature (because no processing of the signature
took place).

It wouldn't be complicated to add a button in the case where no checking
was done. Pressing the button could (as suggested) offer up
customisation of the variable (or just open the help).

I wonder if I could make the button be "[Danger Will Robinson!!!]" in
flashing red and yellow text...

> ,----
> | (defun notmuch-show-insert-part-multipart/signed (msg part content-type nth depth button)
> |   (button-put button 'face 'notmuch-crypto-part-header)
> |   ;; add signature status button if sigstatus provided
> |   (if (plist-member part :sigstatus)
> |       (let* ((from (notmuch-show-get-header :From msg))
> | 	     (sigstatus (car (plist-get part :sigstatus))))
> | 	(notmuch-crypto-insert-sigstatus-button sigstatus from))
> |     ;; if we're not adding sigstatus, tell the user how they can get it
> |     (button-put button 'help-echo "Set notmuch-crypto-process-mime to process cryptographic MIME parts."))
> `----

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default
  2014-07-21 23:16 ` Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default David Bremner
  2014-07-22  1:03   ` Jameson Graef Rollins
@ 2017-07-16 12:45   ` David Bremner
  1 sibling, 0 replies; 7+ messages in thread
From: David Bremner @ 2017-07-16 12:45 UTC (permalink / raw)
  To: Vagrant Cascadian, 755544; +Cc: notmuch

David Bremner <david@tethera.net> writes:

> Vagrant Cascadian <vagrant@debian.org> writes:
>
>> Package: notmuch-emacs
>> Version: 0.18.1-1
>> Severity: important
>>
>> Thanks for notmuch-emacs, it's great!

this bug is fixed in master / release 

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2017-07-16 12:45 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20140721223426.GA5250@siren>
2014-07-21 23:16 ` Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default David Bremner
2014-07-22  1:03   ` Jameson Graef Rollins
2014-07-22  4:30     ` Daniel Kahn Gillmor
2014-07-22  4:39       ` Daniel Kahn Gillmor
2014-07-22  9:44     ` David Bremner
2016-02-08 17:46       ` David Edmondson
2017-07-16 12:45   ` David Bremner

Code repositories for project(s) associated with this public inbox

	https://yhetil.org/notmuch.git/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).