unofficial mirror of notmuch@notmuchmail.org
* [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
@ 2018-06-11 23:02 Jameson Graef Rollins
  0 siblings, 0 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-11 23:02 UTC (permalink / raw)
  To: notmuch

This just changes the show --decrypt flag to "stash" in the emacs UI,
so that session keys will be stashed in the database when viewing
encrypted messages that have not previously been decrypted.  As
always, this will only happen if the notmuch-crypto-process-mime
customization variable is set to "true".
---
 emacs/notmuch-lib.el   | 2 +-
 emacs/notmuch-query.el | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/emacs/notmuch-lib.el b/emacs/notmuch-lib.el
index a7e02710..94ddef52 100644
--- a/emacs/notmuch-lib.el
+++ b/emacs/notmuch-lib.el
@@ -593,7 +593,7 @@ the given type."
 		       (set-buffer-multibyte nil))
 		     (let ((args `("show" "--format=raw"
 				   ,(format "--part=%s" (plist-get part :id))
-				   ,@(when process-crypto '("--decrypt=true"))
+				   ,@(when process-crypto '("--decrypt=stash"))
 				   ,(notmuch-id-to-query (plist-get msg :id))))
 			   (coding-system-for-read
 			    (if binaryp 'no-conversion
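
Review bot: the replacement on the `--decrypt` line hard-codes "stash" for every raw part fetch where `process-crypto` is set, so a part can no longer be decrypted for display without also asking the CLI to store the session key in the database. Consider choosing between "--decrypt=true" and "--decrypt=stash" from a user option that defaults to the old value, so existing setups keep their current behaviour unless they opt in.
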
diff --git a/emacs/notmuch-query.el b/emacs/notmuch-query.el
index 563e4acf..8c38eb02 100644
--- a/emacs/notmuch-query.el
+++ b/emacs/notmuch-query.el
@@ -32,7 +32,7 @@ is a possibly empty forest of replies.
 "
   (let ((args '("show" "--format=sexp" "--format-version=4")))
     (if notmuch-show-process-crypto
-	(setq args (append args '("--decrypt=true"))))
+        (setq args (append args '("--decrypt=stash"))))
     (setq args (append args search-terms))
     (apply #'notmuch-call-notmuch-sexp args)))
 
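
Review bot: the changed line in the `notmuch-show-process-crypto` branch also switches its indentation from a tab to spaces, which adds whitespace noise to what is otherwise a one-word change; keep the file's existing indentation here. This is also the second place where the same "--decrypt=" literal is built (the other is the `--part` call in notmuch-lib.el), so a small shared helper returning the argument would keep the two call sites from drifting apart.
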
-- 
2.17.1


* Re: [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
  2018-06-11 23:09 [PATCH] emacs: use new show --decrypt=stash feature in emacs UI Jameson Graef Rollins
@ 2018-06-12  1:33 ` Jameson Graef Rollins
  2018-06-12 14:00 ` Daniel Kahn Gillmor
  1 sibling, 0 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-12  1:33 UTC (permalink / raw)
  To: notmuch

Jeez I don't know how I managed to send three copies of this to the list.
Apologies for the spam.  At least only one of them needs to be reviewed!

jamie.


* Re: [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
  2018-06-11 23:09 [PATCH] emacs: use new show --decrypt=stash feature in emacs UI Jameson Graef Rollins
  2018-06-12  1:33 ` Jameson Graef Rollins
@ 2018-06-12 14:00 ` Daniel Kahn Gillmor
  2018-06-12 22:58   ` Daniel Kahn Gillmor
  2018-06-18  0:31   ` [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys Jameson Graef Rollins
  1 sibling, 2 replies; 23+ messages in thread
From: Daniel Kahn Gillmor @ 2018-06-12 14:00 UTC (permalink / raw)
  To: Jameson Graef Rollins, notmuch

On Mon 2018-06-11 16:09:00 -0700, Jameson Graef Rollins wrote:
> This just changes the show --decrypt flag to "stash" in the emacs UI,
> so that session keys will be stashed in the database when viewing
> encrypted messages that have not previously been decrypted.  As
> always, this will only happen if the notmuch-crypto-process-mime
> customization variable is set to "true".


I'm not convinced that this is the right approach.  In particular,
sending "--decrypt=stash" requires that the notmuch database is opened
read/write, which isn't always desirable.

(it'd be nice to be able to use notmuch-emacs to browse a notmuch
archive without locking the notmuch db or even needing read/write access
to the database)

perhaps we need a third setting for notmuch-crypto-process-mime besides
nil and t instead?

    --dkg


* Re: [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
  2018-06-12 14:00 ` Daniel Kahn Gillmor
@ 2018-06-12 22:58   ` Daniel Kahn Gillmor
  2018-06-13  6:07     ` Jameson Graef Rollins
  2018-06-18  0:31   ` [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys Jameson Graef Rollins
  1 sibling, 1 reply; 23+ messages in thread
From: Daniel Kahn Gillmor @ 2018-06-12 22:58 UTC (permalink / raw)
  To: Jameson Graef Rollins, notmuch

On Tue 2018-06-12 10:00:18 -0400, Daniel Kahn Gillmor wrote:
> (it'd be nice to be able to use notmuch-emacs to browse a notmuch
> archive without locking the notmuch db or even needing read/write access
> to the database)

to be clear, it's not just about wanting to be able to avoid write
access during "notmuch show" -- there are other use cases i'd like us to
be able to support, including the ability to keep some messages'
cleartext indexed, while leaving some of them un-indexed (keeping their
contents secret from anyone who doesn't have the user's secret keys).

This proposed change removes that possibility, so i think it needs more
nuance.

     --dkg


* Re: [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
  2018-06-12 22:58   ` Daniel Kahn Gillmor
@ 2018-06-13  6:07     ` Jameson Graef Rollins
  2018-06-13 15:23       ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-13  6:07 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, notmuch

On Tue, Jun 12 2018, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> On Tue 2018-06-12 10:00:18 -0400, Daniel Kahn Gillmor wrote:
>> (it'd be nice to be able to use notmuch-emacs to browse a notmuch
>> archive without locking the notmuch db or even needing read/write access
>> to the database)
>
> to be clear, it's not just about wanting to be able to avoid write
> access during "notmuch show" -- there are other use cases i'd like us to
> be able to support, including the ability to keep some messages'
> cleartext indexed, while leaving some of them un-indexed (keeping their
> contents secret from anyone who doesn't have the user's secret keys).
>
> This proposed change removes that possibility, so i think it needs more
> nuance.

This patch works for all the use cases I personally care about, so I
would like a configuration that is this simple.

The use case you're arguing for, which I believe is the ability to
choose on a per-message basis whether you want to stash or not, would
have to not use the show stash functionality at all.

What if notmuch-crypto-process-mime just accepted the same values that
show --decrypt does, with the same meanings, e.g.:

┌─────────────────────────────────────┬───────┬──────┬──────┬───────┐
│                                     │ false │ auto │ true │ stash │
├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
│Show  cleartext  if  session  key is │       │ X    │ X    │ X     │
│already known                        │       │      │      │       │
├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
│Use secret keys to show cleartext    │       │      │ X    │ X     │
├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
│Stash any  newly  recovered  session │       │      │      │ X     │
│keys, reindexing message if found    │       │      │      │       │
└─────────────────────────────────────┴───────┴──────┴──────┴───────┘

notmuch-crypto-process-mime is really only relevant for show anyway, so
I think this makes sense.

Users who want to choose to stash on a per-message basis would then need
to set notmuch-crypto-process-mime=true, and then do reindex
--decrypt=true if they want to stash.

jamie.


* Re: [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
  2018-06-13  6:07     ` Jameson Graef Rollins
@ 2018-06-13 15:23       ` Daniel Kahn Gillmor
  2018-06-13 16:25         ` David Bremner
  0 siblings, 1 reply; 23+ messages in thread
From: Daniel Kahn Gillmor @ 2018-06-13 15:23 UTC (permalink / raw)
  To: Jameson Graef Rollins, notmuch

On Tue 2018-06-12 23:07:33 -0700, Jameson Graef Rollins wrote:
> What if notmuch-crypto-process-mime just accepted the same values that
> show --decrypt does, with the same meanings, e.g.:
>
> ┌─────────────────────────────────────┬───────┬──────┬──────┬───────┐
> │                                     │ false │ auto │ true │ stash │
> ├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
> │Show  cleartext  if  session  key is │       │ X    │ X    │ X     │
> │already known                        │       │      │      │       │
> ├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
> │Use secret keys to show cleartext    │       │      │ X    │ X     │
> ├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
> │Stash any  newly  recovered  session │       │      │      │ X     │
> │keys, reindexing message if found    │       │      │      │       │
> └─────────────────────────────────────┴───────┴──────┴──────┴───────┘
>
> notmuch-crypto-process-mime is really only relevant for show anyway, so
> I think this makes sense.

I agree, i think this makes sense.  so these text strings could be
mapped straight through.

in addition to the strings, for the sake of supporting more native
elisp-y style, if notmuch-crypto-process-mime is set to nil it should
probably map to "false", and if it is set to t, it should probably map
to "true".

wdyt?

        --dkg


* Re: [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
  2018-06-13 15:23       ` Daniel Kahn Gillmor
@ 2018-06-13 16:25         ` David Bremner
  2018-06-13 17:04           ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 23+ messages in thread
From: David Bremner @ 2018-06-13 16:25 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, Jameson Graef Rollins, notmuch

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> On Tue 2018-06-12 23:07:33 -0700, Jameson Graef Rollins wrote:
>> What if notmuch-crypto-process-mime just accepted the same values that
>> show --decrypt does, with the same meanings, e.g.:
>>
>> ┌─────────────────────────────────────┬───────┬──────┬──────┬───────┐
>> │                                     │ false │ auto │ true │ stash │
>> ├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
>> │Show  cleartext  if  session  key is │       │ X    │ X    │ X     │
>> │already known                        │       │      │      │       │
>> ├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
>> │Use secret keys to show cleartext    │       │      │ X    │ X     │
>> ├─────────────────────────────────────┼───────┼──────┼──────┼───────┤
>> │Stash any  newly  recovered  session │       │      │      │ X     │
>> │keys, reindexing message if found    │       │      │      │       │
>> └─────────────────────────────────────┴───────┴──────┴──────┴───────┘
>>
>> notmuch-crypto-process-mime is really only relevant for show anyway, so
>> I think this makes sense.
>
> I agree, i think this makes sense.  so these text strings could be
> mapped straight through.
>

What about using symbols and some kind of case? less efficient but
better error checking

d


* Re: [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
  2018-06-13 16:25         ` David Bremner
@ 2018-06-13 17:04           ` Daniel Kahn Gillmor
  2018-06-13 18:15             ` Jameson Graef Rollins
  0 siblings, 1 reply; 23+ messages in thread
From: Daniel Kahn Gillmor @ 2018-06-13 17:04 UTC (permalink / raw)
  To: David Bremner, Jameson Graef Rollins, notmuch

On Wed 2018-06-13 13:25:54 -0300, David Bremner wrote:
> What about using symbols and some kind of case? less efficient but
> better error checking

symbols would also make for a more brittle interaction between future
versions of the notmuch cli and notmuch-emacs, but i agree that the
error checking would probably be worth it (it's not hard to update the
list of symbols if a new option gets added to "show --decrypt").

also, it looks like notmuch-mua-reply reasons about
notmuch-show-process-crypto to create the --decrypt= arg for "notmuch
reply".  "notmuch reply" doesn't have --decrypt=stash (and i don't think
there's any sensible workflow that would warrant putting it there) so
some reasoning needs to be done there.  symbols would make that a more
sensible approach.

         --dkg
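
The mapping discussed in this subthread (policy symbols with error checking, nil and t accepted as shorthand, and no stash mode for "notmuch reply"), as an added example that is not notmuch code and was not written by anyone in the thread. All `example-` names are hypothetical, and the list of values accepted by "reply" is an assumption apart from the absence of stash.

```elisp
;;; Added example; not notmuch code.  Every `example-' name is hypothetical.

(defconst example-decrypt-policies '(false auto true stash)
  "Policy symbols, one per column of the --decrypt table quoted in this thread.")

(defconst example-decrypt-supported
  '(("show"  false auto true stash)
    ("reply" false auto true))
  "Policies each subcommand accepts.
The thread states only that \"reply\" has no stash mode; the rest of
its list is an assumption made for this example.")

(defun example-normalize-policy (value)
  "Return the policy symbol for VALUE.
nil and t are accepted for elisp-style configuration and map to
`false' and `true'.  Anything else must be a known policy symbol."
  (cond ((null value) 'false)
        ((eq value t) 'true)
        ((memq value example-decrypt-policies) value)
        (t (user-error "Unknown decrypt policy: %S" value))))

(defun example-decrypt-arg (subcommand value)
  "Return the \"--decrypt=...\" argument for SUBCOMMAND under policy VALUE.
`stash' falls back to `true' for a subcommand without a stash mode,
so only \"show\" is ever asked to write session keys."
  (let ((policy (example-normalize-policy value))
        (supported (cdr (assoc subcommand example-decrypt-supported))))
    (cond ((null supported)
           (error "No decrypt policies known for %S" subcommand))
          ((memq policy supported)
           (format "--decrypt=%s" policy))
          ((eq policy 'stash)
           "--decrypt=true")
          (t (error "%S does not support policy %S" subcommand policy)))))

(defun example-show-args (value search-terms)
  "Build the argument list for a \"show\" query under policy VALUE."
  (append '("show" "--format=sexp" "--format-version=4")
          (list (example-decrypt-arg "show" value))
          search-terms))
```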


* Re: [PATCH] emacs: use new show --decrypt=stash feature in emacs UI
  2018-06-13 17:04           ` Daniel Kahn Gillmor
@ 2018-06-13 18:15             ` Jameson Graef Rollins
  0 siblings, 0 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-13 18:15 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, David Bremner, notmuch

On Wed, Jun 13 2018, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> On Wed 2018-06-13 13:25:54 -0300, David Bremner wrote:
>> What about using symbols and some kind of case? less efficient but
>> better error checking
>
> symbols would also make for a more brittle interaction between future
> versions of the notmuch cli and notmuch-emacs, but i agree that the
> error checking would probably be worth it (it's not hard to update the
> list of symbols if a new option gets added to "show --decrypt").
>
> also, it looks like notmuch-mua-reply reasons about
> notmuch-show-process-crypto to create the --decrypt= arg for "notmuch
> reply".  "notmuch reply" doesn't have --decrypt=stash (and i don't think
> there's any sensible workflow that would warrant putting it there) so
> some reasoning needs to be done there.  symbols would make that a more
> sensible approach.

I'm not sure exactly what you mean by "symbols", but I'm working on
something that will turn notmuch-crypto-process-mime into a choice
custom with constant values.  A separate derived value will be used to
provide the correct bool to notmuch-show-process-crypto.

I'll provide another iteration that we can discuss.

jamie.


* [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-12 14:00 ` Daniel Kahn Gillmor
  2018-06-12 22:58   ` Daniel Kahn Gillmor
@ 2018-06-18  0:31   ` Jameson Graef Rollins
  2018-06-18 22:19     ` Daniel Kahn Gillmor
                       ` (2 more replies)
  1 sibling, 3 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-18  0:31 UTC (permalink / raw)
  To: notmuch

Introduce notmuch-crypto-store-session-keys customization variable to
control stashing of session keys.  If non-nil any session keys
recovered during decryption will be stored in the database.

This is just a switch to have --decrypt= use "stash" instead of
"true".
---
This seems like the simplest approach, to just add a new variable to
control session key stashing.  Much simpler than reworking the meaning
of notmuch-crypto-process-mime.

 emacs/notmuch-crypto.el | 10 ++++++++++
 emacs/notmuch-query.el  |  4 +++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/emacs/notmuch-crypto.el b/emacs/notmuch-crypto.el
index fc2b5301..e1943f53 100644
--- a/emacs/notmuch-crypto.el
+++ b/emacs/notmuch-crypto.el
@@ -43,6 +43,16 @@ mode."
   :package-version '(notmuch . "0.25")
   :group 'notmuch-crypto)
 
+(defcustom notmuch-crypto-store-session-keys nil
+  "Should session keys from decrypted messages be stored in database?
+
+If this variable is non-nil session keys recovered from decrypted
+messages will be stored in the database.  See notmuch-show(1) for
+more information."
+  :type 'boolean
+  :package-version '(notmuch . "0.28")
+  :group 'notmuch-crypto)
+
 (defface notmuch-crypto-part-header
   '((((class color)
       (background dark))
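
Review bot: the docstring of `notmuch-crypto-store-session-keys` says keys "will be stored in the database" but not when. Per the notmuch-query.el hunk the option is only consulted while building the "show" query, and storing a key implies a database write; state both in the docstring so a user knows the option affects message display only and changes how the database is accessed.
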
diff --git a/emacs/notmuch-query.el b/emacs/notmuch-query.el
index 563e4acf..3e6bc8b1 100644
--- a/emacs/notmuch-query.el
+++ b/emacs/notmuch-query.el
@@ -32,7 +32,9 @@ is a possibly empty forest of replies.
 "
   (let ((args '("show" "--format=sexp" "--format-version=4")))
     (if notmuch-show-process-crypto
-	(setq args (append args '("--decrypt=true"))))
+        (if notmuch-crypto-store-session-keys
+            (setq args (append args '("--decrypt=stash")))
+          (setq args (append args '("--decrypt=true")))))
     (setq args (append args search-terms))
     (apply #'notmuch-call-notmuch-sexp args)))
 
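
Review bot: the nested `if` under `notmuch-show-process-crypto` repeats the whole `(setq args (append args ...))` form in both branches when only the string differs. A single append with the choice inside reads more easily, e.g. `(setq args (append args (list (if notmuch-crypto-store-session-keys "--decrypt=stash" "--decrypt=true"))))`, and using `when` for the outer test makes it clear there is no else branch. The added lines are also indented with spaces where the removed line used a tab.
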
-- 
2.17.1


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-18  0:31   ` [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys Jameson Graef Rollins
@ 2018-06-18 22:19     ` Daniel Kahn Gillmor
  2018-06-18 22:49       ` Jameson Graef Rollins
  2018-06-19 15:18     ` Jameson Graef Rollins
  2018-06-19 15:20     ` Jameson Graef Rollins
  2 siblings, 1 reply; 23+ messages in thread
From: Daniel Kahn Gillmor @ 2018-06-18 22:19 UTC (permalink / raw)
  To: Jameson Graef Rollins, notmuch

thanks for working on this, Jamie!

On Sun 2018-06-17 17:31:38 -0700, Jameson Graef Rollins wrote:
> Introduce notmuch-crypto-store-session-keys customization variable to
> control stashing of session keys.  If non-nil any session keys
> recovered during decryption will be stored in the database.
>
> This is just a switch to have --decrypt= use "stash" instead of
> "true".
> ---
> This seems like the simplest approach, to just add a new variable to
> control session key stashing.  Much simpler than reworking the meaning
> of notmuch-crypto-process-mime.

This looks like it would work, but calling it
notmuch-crypto-store-session-keys is a bit confusing, because based on
the name it looks like it would apply to many places (e.g. during
message sending, should a session key be stored when the outbound
message is fcc'ed?), but based on the implementation it only matters
during "show".

Should its name be notmuch-show-store-session-keys instead?

also, i think the description of the variable setting should be clearer
about its scope, and about the implications of setting it to non-nil
(e.g. needing read/write access to the notmuch db to view all messages)

      --dkg


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-18 22:19     ` Daniel Kahn Gillmor
@ 2018-06-18 22:49       ` Jameson Graef Rollins
  2018-06-19  3:06         ` Daniel Kahn Gillmor
  2018-06-19 10:14         ` David Bremner
  0 siblings, 2 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-18 22:49 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, notmuch

On Mon, Jun 18 2018, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> This looks like it would work, but calling it
> notmuch-crypto-store-session-keys is a bit confusing, because based on
> the name it looks like it would apply to many places (e.g. during
> message sending, should a session key be stored when the outbound
> message is fcc'ed?), but based on the implementation it only matters
> during "show".
>
> Should its name be notmuch-show-store-session-keys instead?

I feel like it should be under the notmuch-crypto customization group,
not notmuch-show.  notmuch-crypto-show-store-session-keys ?

> also, i think the description of the variable setting should be clearer
> about its scope, and about the implications of setting it to non-nil
> (e.g. needing read/write access to the notmuch db to view all messages)

I will clarify the docs once we decide on variable name.

jamie.


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-18 22:49       ` Jameson Graef Rollins
@ 2018-06-19  3:06         ` Daniel Kahn Gillmor
  2018-06-19  3:26           ` Jameson Graef Rollins
  2018-06-19 10:14         ` David Bremner
  1 sibling, 1 reply; 23+ messages in thread
From: Daniel Kahn Gillmor @ 2018-06-19  3:06 UTC (permalink / raw)
  To: Jameson Graef Rollins, notmuch

On Mon 2018-06-18 15:49:45 -0700, Jameson Graef Rollins wrote:
> On Mon, Jun 18 2018, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>
>> Should its name be notmuch-show-store-session-keys instead?
>
> I feel like it should be under the notmuch-crypto customization group,
> not notmuch-show.  notmuch-crypto-show-store-session-keys ?

how about:

    notmuch-crypto-store-session-keys-on-show

?

        --dkg


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-19  3:06         ` Daniel Kahn Gillmor
@ 2018-06-19  3:26           ` Jameson Graef Rollins
  0 siblings, 0 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-19  3:26 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, notmuch

On Mon, Jun 18 2018, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> how about:
>
>     notmuch-crypto-store-session-keys-on-show

Works for me.


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-18 22:49       ` Jameson Graef Rollins
  2018-06-19  3:06         ` Daniel Kahn Gillmor
@ 2018-06-19 10:14         ` David Bremner
  2018-06-19 14:46           ` Jameson Graef Rollins
  1 sibling, 1 reply; 23+ messages in thread
From: David Bremner @ 2018-06-19 10:14 UTC (permalink / raw)
  To: Jameson Graef Rollins, Daniel Kahn Gillmor, notmuch

Jameson Graef Rollins <jrollins@finestructure.net> writes:

> On Mon, Jun 18 2018, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>> This looks like it would work, but calling it
>> notmuch-crypto-store-session-keys is a bit confusing, because based on
>> the name it looks like it would apply to many places (e.g. during
>> message sending, should a session key be stored when the outbound
>> message is fcc'ed?), but based on the implementation it only matters
>> during "show".
>>
>> Should its name be notmuch-show-store-session-keys instead?
>
> I feel like it should be under the notmuch-crypto customization group,
> not notmuch-show.  notmuch-crypto-show-store-session-keys ?
>

I'm fine with whatever you and dkg decide for a name, but note that the
customization group is independent from the name; you just choose
whatever group you want in the defcustom.

d


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-19 10:14         ` David Bremner
@ 2018-06-19 14:46           ` Jameson Graef Rollins
  0 siblings, 0 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-19 14:46 UTC (permalink / raw)
  To: David Bremner, Daniel Kahn Gillmor, notmuch

On Tue, Jun 19 2018, David Bremner <david@tethera.net> wrote:
> I'm fine with whatever you and dkg decide for a name, but note that the
> customization group is independent from the name; you just choose
> whatever group you want in the defcustom.

Oh, I didn't realize that.  I thought they were linked.  In that case
I'll go with:

notmuch-show-store-session-keys


* [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-18  0:31   ` [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys Jameson Graef Rollins
  2018-06-18 22:19     ` Daniel Kahn Gillmor
@ 2018-06-19 15:18     ` Jameson Graef Rollins
  2018-06-19 15:20     ` Jameson Graef Rollins
  2 siblings, 0 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-19 15:18 UTC (permalink / raw)
  To: notmuch

Introduce notmuch-crypto-store-session-keys customization variable to
control stashing of session keys.  If non-nil any session keys
recovered during decryption will be stored in the database.

This is just a switch to have --decrypt= use "stash" instead of
"true".
---
 emacs/notmuch-crypto.el | 15 +++++++++++++++
 emacs/notmuch-query.el  |  4 +++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/emacs/notmuch-crypto.el b/emacs/notmuch-crypto.el
index fc2b5301..26ce19b4 100644
--- a/emacs/notmuch-crypto.el
+++ b/emacs/notmuch-crypto.el
@@ -43,6 +43,21 @@ mode."
   :package-version '(notmuch . "0.25")
   :group 'notmuch-crypto)
 
+(defcustom notmuch-show-stash-session-keys nil
+  "Should session keys be stashed when decrypting messages for display?
+
+If this variable is non-nil session keys recovered while
+decrypting messages for display will be stored in the database.
+See description of --decrypt option in notmuch-show(1) for more
+information.
+
+NOTE: Stashing encryption session keys requires opening the
+notmuch database in read/write mode, which is not normally done
+when retrieving messages for display."
+  :type 'boolean
+  :package-version '(notmuch . "0.28")
+  :group 'notmuch-crypto)
+
 (defface notmuch-crypto-part-header
   '((((class color)
       (background dark))
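
Review bot: the docstring of `notmuch-show-stash-session-keys` does not mention that the option is ignored unless crypto processing is on; in the notmuch-query.el hunk it is only tested inside the `notmuch-show-process-crypto` branch. Add a sentence naming that dependency, so that setting this option alone is not mistaken for enabling decryption.
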
diff --git a/emacs/notmuch-query.el b/emacs/notmuch-query.el
index 563e4acf..e53c9489 100644
--- a/emacs/notmuch-query.el
+++ b/emacs/notmuch-query.el
@@ -32,7 +32,9 @@ is a possibly empty forest of replies.
 "
   (let ((args '("show" "--format=sexp" "--format-version=4")))
     (if notmuch-show-process-crypto
-	(setq args (append args '("--decrypt=true"))))
+        (if notmuch-show-stash-session-keys
+            (setq args (append args '("--decrypt=stash")))
+          (setq args (append args '("--decrypt=true")))))
     (setq args (append args search-terms))
     (apply #'notmuch-call-notmuch-sexp args)))
 
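
Review bot: the new option is consulted only in this query builder, and this patch does not touch notmuch-lib.el, where the first version of the change also switched the `--part` fetch to "--decrypt=stash". If leaving the part fetch at "--decrypt=true" is intended, say so in the commit message; otherwise the option should be honoured there too.
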
-- 
2.17.1


* [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-18  0:31   ` [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys Jameson Graef Rollins
  2018-06-18 22:19     ` Daniel Kahn Gillmor
  2018-06-19 15:18     ` Jameson Graef Rollins
@ 2018-06-19 15:20     ` Jameson Graef Rollins
  2018-06-19 16:42       ` Daniel Kahn Gillmor
  2018-06-19 17:50       ` Jameson Graef Rollins
  2 siblings, 2 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-19 15:20 UTC (permalink / raw)
  To: notmuch

Introduce notmuch-show-store-session-keys customization variable to
control stashing of session keys.  If non-nil any session keys
recovered during decryption will be stored in the database.

This is just a switch to have --decrypt= use "stash" instead of
"true".
---
Gah forgot to update the commit message.  Sorry.

 emacs/notmuch-crypto.el | 15 +++++++++++++++
 emacs/notmuch-query.el  |  4 +++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/emacs/notmuch-crypto.el b/emacs/notmuch-crypto.el
index fc2b5301..26ce19b4 100644
--- a/emacs/notmuch-crypto.el
+++ b/emacs/notmuch-crypto.el
@@ -43,6 +43,21 @@ mode."
   :package-version '(notmuch . "0.25")
   :group 'notmuch-crypto)
 
+(defcustom notmuch-show-stash-session-keys nil
+  "Should session keys be stashed when decrypting messages for display?
+
+If this variable is non-nil session keys recovered while
+decrypting messages for display will be stored in the database.
+See description of --decrypt option in notmuch-show(1) for more
+information.
+
+NOTE: Stashing encryption session keys requires opening the
+notmuch database in read/write mode, which is not normally done
+when retrieving messages for display."
+  :type 'boolean
+  :package-version '(notmuch . "0.28")
+  :group 'notmuch-crypto)
+
 (defface notmuch-crypto-part-header
   '((((class color)
       (background dark))
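
Review bot: the defcustom added here is named
`notmuch-show-stash-session-keys`, but the commit message above
introduces `notmuch-show-store-session-keys`; one of the two has to
change so the log matches the code. Since "stash" matches the
`--decrypt=stash` value, correcting the commit message looks like the
smaller fix.
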
diff --git a/emacs/notmuch-query.el b/emacs/notmuch-query.el
index 563e4acf..e53c9489 100644
--- a/emacs/notmuch-query.el
+++ b/emacs/notmuch-query.el
@@ -32,7 +32,9 @@ is a possibly empty forest of replies.
 "
   (let ((args '("show" "--format=sexp" "--format-version=4")))
     (if notmuch-show-process-crypto
-	(setq args (append args '("--decrypt=true"))))
+        (if notmuch-show-stash-session-keys
+            (setq args (append args '("--decrypt=stash")))
+          (setq args (append args '("--decrypt=true")))))
     (setq args (append args search-terms))
     (apply #'notmuch-call-notmuch-sexp args)))
 
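Review bot: `notmuch-show-stash-session-keys` is only consulted inside
the `(if notmuch-show-process-crypto` branch, so setting it has no
effect when crypto processing is off, and the new docstring in
notmuch-crypto.el does not say so. Suggest adding a sentence there that
the option applies only when messages are being decrypted for display.
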
-- 
2.17.1


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-19 15:20     ` Jameson Graef Rollins
@ 2018-06-19 16:42       ` Daniel Kahn Gillmor
  2018-06-19 20:18         ` Jameson Graef Rollins
  2018-06-19 17:50       ` Jameson Graef Rollins
  1 sibling, 1 reply; 23+ messages in thread
From: Daniel Kahn Gillmor @ 2018-06-19 16:42 UTC (permalink / raw)
  To: Jameson Graef Rollins, notmuch

This is looking good to me, thanks!

two more bits of nit-pickery below:

On Tue 2018-06-19 08:20:12 -0700, Jameson Graef Rollins wrote:
> +(defcustom notmuch-show-stash-session-keys nil
> +  "Should session keys be stashed when decrypting messages for display?
> +
> +If this variable is non-nil session keys recovered while
> +decrypting messages for display will be stored in the database.
> +See description of --decrypt option in notmuch-show(1) for more
> +information.

do we want to include a warning here about the security of the index?
setting this value to true not only stashes the session keys, but it
also indexes the cleartext.  at the moment we're not directing people to
the same kind of warnings ("Be aware that the index… DO NOT USE …
without considering the security of your index.") that are present
already in notmuch-reindex(1) and notmuch-new(1) and notmuch-insert(1).
Perhaps notmuch-show(1) needs the same boilerplate warning, and we could
replicate some short version of it here too?

> +NOTE: Stashing encryption session keys requires opening the
> +notmuch database in read/write mode, which is not normally done

i'd say "not otherwise done" instead of "not normally done", since we
don't want to claim that people who use this feature aren't "normal" :)

      --dkg


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-19 15:20     ` Jameson Graef Rollins
  2018-06-19 16:42       ` Daniel Kahn Gillmor
@ 2018-06-19 17:50       ` Jameson Graef Rollins
  1 sibling, 0 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-19 17:50 UTC (permalink / raw)
  To: notmuch

On Tue, Jun 19 2018, Jameson Graef Rollins <jrollins@finestructure.net> wrote:
> Introduce notmuch-show-store-session-keys customization variable to
> control stashing of session keys.  If non-nil any session keys
> recovered during decryption will be stored in the database.
>
> This is just a switch to have --decrypt= use "stash" instead of
> "true".
> ---
> Gah forgot to update the commit message.  Sorry.

Sorry, this is the one to use, since I messed up the commit message on
the first.  So sorry for all the screw ups.

jamie.


* Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys
  2018-06-19 16:42       ` Daniel Kahn Gillmor
@ 2018-06-19 20:18         ` Jameson Graef Rollins
  0 siblings, 0 replies; 23+ messages in thread
From: Jameson Graef Rollins @ 2018-06-19 20:18 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, notmuch

On Tue, Jun 19 2018, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> This is looking good to me, thanks!
>
> two more bits of nit-pickery below:
>
> On Tue 2018-06-19 08:20:12 -0700, Jameson Graef Rollins wrote:
>> +(defcustom notmuch-show-stash-session-keys nil
>> +  "Should session keys be stashed when decrypting messages for display?
>> +
>> +If this variable is non-nil session keys recovered while
>> +decrypting messages for display will be stored in the database.
>> +See description of --decrypt option in notmuch-show(1) for more
>> +information.
>
> do we want to include a warning here about the security of the index?
> setting this value to true not only stashes the session keys, but it
> also indexes the cleartext.  at the moment we're not directing people to
> the same kind of warnings ("Be aware that the index… DO NOT USE …
> without considering the security of your index.") that are present
> already in notmuch-reindex(1) and notmuch-new(1) and notmuch-insert(1).
> Perhaps notmuch-show(1) needs the same boilerplate warning, and we could
> replicate some short version of it here too?

I was wondering if it would make sense to have a separate man page for
describing all the intricacies of notmuch's crypto functionality,
i.e. notmuch-crypto(7).  There's going to be a lot of
redundancy/boilerplate in all the different man pages, and it seems like
it would be useful to put it all in one place and just reference it from
all the others.

This could also be a good place to describe how protected headers are
handled, and autocrypt once we finally get around to implementing it.

>> +NOTE: Stashing encryption session keys requires opening the
>> +notmuch database in read/write mode, which is not normally done
>
> i'd say "not otherwise done" instead of "not normally done", since we
> don't want to claim that people who use this feature aren't "normal" :)

But the claim wouldn't not be true!

I'll push another (five copies of a new) version.

jamie.
