Tomas Nordin [2020-03-21T15:37:36+01] wrote:

> This is probably a dumb question and not really an issue for Notmuch.

Excellent questions but partly difficult to answer.

> But it is when using notmuch (through emacs) I get this Gnome pop-up.
> See attached image. Some senders are attaching some sort of signature
> that I get to trust or cancel.

The sender's mail client has used gpgsm or similar program to digitally
sign the message content. The sender's key that made the message
signature has been certified by some certificate authority. And you are
asked if you trust this certificate authority to certify other's keys.

> What does people do in this case, I tend to cancel it. How should I
> relate to the question. How do I know if I could ultimately trust
> something as asked.

That is the difficult part. The right answer is probably that user
should carefully check the certificate authority's key fingerprint,
compare it to the fingerprint that the authority has published somewhere
else, study the certificate authority's reputation in certifying
people's keys, or something like that.

And almost nobody does that because it's too difficult.

I do this: I press "Yes" (to trust "ultimately") but then immediately go
edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
that certificate authority's key fingerprint. It marks that key
untrusted (because I really don't know). Then: "gpgconf --reload
gpg-agent".

-- 
/// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450