On Mon, Jul 09 2012, "Bryant, Daniel B." wrote:
> I was able to get signature verification working with your patchset
> (with a caveat) but not decryption.

Hi, Daniel. I guess I'm only partially happy to hear that! I
definitely do appreciate the feedback, though.

> The caveat is that GMime is still borked with handling signatures with
> content type application/x-pkcs7-signature
> (vs. application/pkcs7-signature, which works fine). This is upstream
> GNOME bug #674032 that was supposed to have been fixed in GMime 2.6.9,
> but that original fix is also broken.

Ah, I didn't notice that:

https://bugzilla.gnome.org/show_bug.cgi?id=674032

Encouragingly, it sounds like Jeffery is working on it.

> One possible workaround is to twiddle the content-type of the
> signature part (and the corresponding protocol in the multipart/signed
> part). I implemented this by looping over each message part in
> mime_node_open() and modifying as necessary using the following logic:
>
>
>     GMimeContentType *content_type = g_mime_object_get_content_type (part);
>
>     const char *subtype = g_mime_content_type_get_media_subtype (content_type);
>     const char *protocol = g_mime_content_type_get_parameter (content_type, "protocol");
>
>     if (!strcmp(subtype, "x-pkcs7-signature")) {
>         g_mime_content_type_set_media_subtype (content_type, "pkcs7-signature");
>     }
>
>     if (protocol && !strcmp(protocol, "application/x-pkcs7-signature")) {
>         g_mime_content_type_set_parameter (content_type, "protocol","application/pkcs7-signature");
>     }

We could do this, but I would certainly prefer that we fix gmime to
handle both types properly.

> All of my S/MIME encrypted mail consists of single part messages with
> content-type "application/x-pkcs7-mime". These conform to RFC3851,
> section 3.3/3.4. (sample messages are included in the RFC as
> well). This fails to be decrypted by notmuch because the mime node
> traversal code assumes that every encrypted message is
> multipart/encrypted, which appears to only be true for PGP/MIME.

Thanks for the great example of why we need tests! Would you (or
anyone) be willing to start putting together some tests that include
messages encrypted according to this RFC? I think adding some tests to
the test/crypto script would be a great place to start.

jamie.
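
The two cases discussed in this message, as an added example that is not part of the original e-mail and is not notmuch or GMime code: a Python standard-library sketch that folds the `x-` content types onto the registered ones and recognises single-part `application/x-pkcs7-mime` messages that a check for `multipart/encrypted` alone would miss. The function names, the label strings and both sample messages are constructed for illustration.

```python
from email import message_from_string

# Legacy "x-" spellings folded onto the registered S/MIME media types.
ALIASES = {
    "application/x-pkcs7-signature": "application/pkcs7-signature",
    "application/x-pkcs7-mime": "application/pkcs7-mime",
}

def canonical(media_type):
    media_type = (media_type or "").lower()
    return ALIASES.get(media_type, media_type)

def naive_is_encrypted(raw):
    # The assumption described in the thread: encrypted means multipart/encrypted.
    return message_from_string(raw).get_content_type() == "multipart/encrypted"

def classify(part):
    """Return a label (hypothetical names) for a crypto wrapper part, else None."""
    ctype = canonical(part.get_content_type())
    if ctype == "multipart/encrypted":
        return "multipart-encrypted"
    if ctype == "multipart/signed":
        proto = canonical(part.get_param("protocol"))
        return "smime-signed" if proto == "application/pkcs7-signature" else "signed-other"
    if ctype == "application/pkcs7-mime":
        # Single-part S/MIME: smime-type says enveloped-data, signed-data, ...
        return "smime-" + (part.get_param("smime-type") or "unspecified").lower()
    return None

def crypto_parts(raw):
    found = []
    for part in message_from_string(raw).walk():
        label = classify(part)
        if label:
            found.append((part.get_content_type(), label))
    return found

# Constructed sample messages; the base64 bodies are placeholders, not real CMS data.
ENVELOPED = (
    "MIME-Version: 1.0\n"
    "Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n"
)
SIGNED = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";\n'
    ' micalg=sha1; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nhello\n"
    "--b\nContent-Type: application/x-pkcs7-signature; name=smime.p7s\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b--\n"
)
```

Messages shaped like `ENVELOPED` and `SIGNED`, with real CMS payloads in place of the placeholders, are the kind of fixtures a crypto test would need to cover both content-type spellings.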