unofficial mirror of notmuch@notmuchmail.org
* Emacs not finding keys to verify signatures
@ 2013-06-24 14:59 Daniel Patterson
  2013-06-28 11:18 ` David Bremner
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel Patterson @ 2013-06-24 14:59 UTC (permalink / raw)
  To: notmuch

[-- Attachment #1: Type: text/plain, Size: 697 bytes --]


Apologies if this is addressed somewhere in the docs - I haven't found
it!

I am testing out signing of messages. I set
(add-hook 'message-setup-hook 'mml-secure-message-sign-pgpmime)
As per the docs, and I can send a message and it gets signed. When I
view the message (which was Bcc'd to me) and hit $, I see this message:

[ Unknown key ID 0x2747EC48A98D4AF0 or unsupported algorithm ]

I click on it, and it requests _my_ public key from the key server, and
of course nothing changes - because I already had the key.

Any ideas? Is this because of some missing package or misconfigured
setting? I'm using the latest released version of notmuch (0.15.2),
emacs 24.2.1, and gpg 1.4.11.

Thanks!

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Emacs not finding keys to verify signatures
  2013-06-24 14:59 Emacs not finding keys to verify signatures Daniel Patterson
@ 2013-06-28 11:18 ` David Bremner
  2013-06-28 13:11   ` Daniel Patterson
  0 siblings, 1 reply; 8+ messages in thread
From: David Bremner @ 2013-06-28 11:18 UTC (permalink / raw)
  To: Daniel Patterson, notmuch

Daniel Patterson <dbp@dbpmail.net> writes:
>
> I click on it, and it requests _my_ public key from the key server, and
> of course nothing changes - because I already had the key.

So after you click, the key downloads, and the button does not change
colour?

> Any ideas? Is this because of some missing package or misconfigured
> setting? I'm using the latest released version of notmuch (0.15.2),
> emacs 24.2.1, and gpg 1.4.11.

Does using easypg from within emacs work for you? You can try with 
"M-x epa-list-keys"

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Emacs not finding keys to verify signatures
  2013-06-28 11:18 ` David Bremner
@ 2013-06-28 13:11   ` Daniel Patterson
  2013-06-28 15:05     ` David Bremner
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel Patterson @ 2013-06-28 13:11 UTC (permalink / raw)
  To: David Bremner, notmuch

[-- Attachment #1: Type: text/plain, Size: 1140 bytes --]


David Bremner <david@tethera.net> writes:
>> I click on it, and it requests _my_ public key from the key server, and
>> of course nothing changes - because I already had the key.
>
> So after you click, the key downloads, and the button does not change
> colour?

Yes. After it downloads, it still says "Unknown key KEYID or unsupported
algorithm". I would be confused by the unsupported algorithm - it is
just an RSA/RSA key, newly created. This has also happened for other
signed messages - it downloads the key, but still says it doesn't know
the key (and this persists across restarts of emacs).

>> Any ideas? Is this because of some missing package or misconfigured
>> setting? I'm using the latest released version of notmuch (0.15.2),
>> emacs 24.2.1, and gpg 1.4.11.
>
> Does using easypg from within emacs work for you? You can try with 
> "M-x epa-list-keys"

That works, and it shows the key there.

One thing I forgot to mention - I have notmuch running on a remote
server through ssh. I don't really imagine this would be an issue, but
maybe? (I also have the library installed locally, for emacs).

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Emacs not finding keys to verify signatures
  2013-06-28 13:11   ` Daniel Patterson
@ 2013-06-28 15:05     ` David Bremner
  2013-06-28 15:13       ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 8+ messages in thread
From: David Bremner @ 2013-06-28 15:05 UTC (permalink / raw)
  To: Daniel Patterson, notmuch

Daniel Patterson <dbp@dbpmail.net> writes:

> One thing I forgot to mention - I have notmuch running on a remote
> server through ssh. I don't really imagine this would be an issue, but
> maybe? (I also have the library installed locally, for emacs).

The verification of the message happens in the notmuch CLI, so on the
remote host. I guess the downloading is happening on the local host,
so that is quite possibly the problem.

d

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Emacs not finding keys to verify signatures
  2013-06-28 15:05     ` David Bremner
@ 2013-06-28 15:13       ` Daniel Kahn Gillmor
  2013-06-29 15:24         ` Daniel Patterson
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel Kahn Gillmor @ 2013-06-28 15:13 UTC (permalink / raw)
  To: David Bremner; +Cc: notmuch

[-- Attachment #1: Type: text/plain, Size: 1570 bytes --]

On 06/28/2013 11:05 AM, David Bremner wrote:
> Daniel Patterson <dbp@dbpmail.net> writes:
> 
>> One thing I forgot to mention - I have notmuch running on a remote
>> server through ssh. I don't really imagine this would be an issue, but
>> maybe? (I also have the library installed locally, for emacs).
> 
> The verification of the message happens in the notmuch CLI, so on the
> remote host. I guess the downloading is happening on the local host,
> so that is quite possibly the problem.

i'm quite sure this is the problem, that was a relevant bit of info to
include :)

Daniel: on your remote host, have you tried fetching the relevant keys
into your gpg keyring?  you don't need to create any secret key material
on the remote host, just fetch the keys as you normally would any other
user's public key material; then you'll want to mark your own key as
"ultimately" trusted on the remote host.

So, for example, on the remote host:

 gpg --keyserver ha.pool.sks-keyservers.net --recv 0x36EEAD9EA53D20B79C383EED2747EC48A98D4AF0

 gpg --edit-key 0x36EEAD9EA53D20B79C383EED2747EC48A98D4AF0 trust

you'll want to maintain this public keyring on that host to be able to
verify the messages, but you don't need to do anything else with it.

this makes me wonder if the actions that get triggered on those
"unverified" crypto buttons in the display interface need to be
customizable to send the commands to a remote gpg as well, instead of
assuming that they are local.

please report back with how that works for you!

	--dkg


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 1027 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Emacs not finding keys to verify signatures
  2013-06-28 15:13       ` Daniel Kahn Gillmor
@ 2013-06-29 15:24         ` Daniel Patterson
  2013-06-30 20:05           ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel Patterson @ 2013-06-29 15:24 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, David Bremner; +Cc: notmuch

[-- Attachment #1: Type: text/plain, Size: 1289 bytes --]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> Daniel: on your remote host, have you tried fetching the relevant keys
> into your gpg keyring?  you don't need to create any secret key material
> on the remote host, just fetch the keys as you normally would any other
> user's public key material; then you'll want to mark your own key as
> "ultimately" trusted on the remote host.

This works. Thanks a lot!

> you'll want to maintain this public keyring on that host to be able to
> verify the messages, but you don't need to do anything else with it.
>
> this makes me wonder if the actions that get triggered on those
> "unverified" crypto buttons in the display interface need to be
> customizable to send the commands to a remote gpg as well, instead of
> assuming that they are local.

Yeah, it would be good if there were a hook to be able to send to remote
gpg... because everything else works so smoothly with simple
wrappers. Even if it were just a matter of setting a custom gpg command
(like gpg-notmuch, which would be a shell script that would send the
calls to the remote gpg).

With notmuch, I can just override the command itself, because there is
no local meaning... but I obviously don't want to override gpg globally
- only in the context of adding public keys.

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Emacs not finding keys to verify signatures
  2013-06-29 15:24         ` Daniel Patterson
@ 2013-06-30 20:05           ` Daniel Kahn Gillmor
  2013-06-30 20:13             ` Daniel Patterson
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel Kahn Gillmor @ 2013-06-30 20:05 UTC (permalink / raw)
  To: Daniel Patterson; +Cc: notmuch

[-- Attachment #1: Type: text/plain, Size: 763 bytes --]

On 06/29/2013 11:24 AM, Daniel Patterson wrote:

> This works. Thanks a lot!

great!

> Yeah, it would be good if there were a hook to be able to send to remote
> gpg... because everything else works so smoothly with simple
> wrappers. Even if it were just a matter of setting a custom gpg command
> (like gpg-notmuch, which would be a shell script that would send the
> calls to the remote gpg).

i think the command would be "notmuch gpg", not "gpg-notmuch" -- in your
configuration, how does emacs know to invoke notmuch on the remote
server instead of locally?  is it possible that we could make this
change something that happens in exactly one place in the emacs
configuration, and have the wrapper scripts figure out the rest?

	--dkg


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 1027 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Emacs not finding keys to verify signatures
  2013-06-30 20:05           ` Daniel Kahn Gillmor
@ 2013-06-30 20:13             ` Daniel Patterson
  0 siblings, 0 replies; 8+ messages in thread
From: Daniel Patterson @ 2013-06-30 20:13 UTC (permalink / raw)
  To: Daniel Kahn Gillmor; +Cc: notmuch

[-- Attachment #1: Type: text/plain, Size: 1362 bytes --]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> i think the command would be "notmuch gpg", not "gpg-notmuch" -- in your
> configuration, how does emacs know to invoke notmuch on the remote
> server instead of locally?

notmuch on my local machine is a shell script that executes notmuch on
my server via ssh, as per http://notmuchmail.org/remoteusage/. The
reason why this works is that there is no meaning for it to ever execute
locally - there is no notmuch database locally. So from the perspective
of emacs, it might as well be running on the same computer as notmuch
is. Having notmuch-emacs execute shell commands is really nice for this
- because they can easily be replaced with versions that run commands on
other hosts. 

> is it possible that we could make this change something that happens
> in exactly one place in the emacs configuration, and have the wrapper
> scripts figure out the rest?

I think so - signing/encrypting is done via message-mode, so it could be
configured separately (as this should probably always happen locally,
and certainly shouldn't be forced to happen in the same place as the
email store). So if there were a setting like:

(setq notmuch-gpg-command "/path/to/gpg-or-wrapper")

That was what notmuch-emacs used to fetch keys (and anything else it
needed to do), I think it would work.

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2013-06-30 20:14 UTC | newest]
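
The wrapper idea discussed in this thread, as an added example that is not part of the original messages or of notmuch: a local gpg stand-in that forwards only public-key fetches to the host where notmuch verifies signatures. The host name mail.example.org, the variables NOTMUCH_GPG_HOST and NOTMUCH_GPG_DRYRUN, the function names, and the assumption that the caller runs it as "gpg [--keyserver HOST] --recv-keys KEYID" are all hypothetical.

```shell
#!/bin/sh
# Hypothetical gpg wrapper (constructed example): forward public-key
# fetches to the notmuch host; refuse the rest so signing stays local.
REMOTE_HOST="${NOTMUCH_GPG_HOST:-mail.example.org}"  # assumed host name

# Hex key ID or fingerprint, optional 0x prefix, 8 to 40 digits.
valid_keyid() {
    id=${1#0x}
    case "$id" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#id}" -ge 8 ] && [ "${#id}" -le 40 ]
}

# Keyserver names limited to characters that are inert in a shell.
valid_keyserver() {
    case "$1" in ''|-*|*[!A-Za-z0-9.:/_-]*) return 1 ;; esac
}

# Print the command line to run remotely, or return non-zero.
# ssh joins its arguments into one string for the remote shell, so
# only validated tokens may be appended here.
build_remote_cmd() {
    cmd="gpg --batch" recv=0 nkeys=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --recv|--recv-keys) recv=1; cmd="$cmd --recv-keys" ;;
            --keyserver)
                shift
                valid_keyserver "${1:-}" || return 1
                cmd="$cmd --keyserver $1" ;;
            -*) return 1 ;;                      # any other option
            *)  valid_keyid "$1" || return 1
                nkeys=$((nkeys + 1)); cmd="$cmd $1" ;;
        esac
        shift
    done
    [ "$recv" -eq 1 ] && [ "$nkeys" -ge 1 ] || return 1
    printf '%s\n' "$cmd"
}

# When installed as a script, finish the file with: gpg_notmuch "$@"
gpg_notmuch() {
    remote=$(build_remote_cmd "$@") || {
        echo "gpg-notmuch: refusing to forward: $*" >&2; return 2; }
    if [ -n "${NOTMUCH_GPG_DRYRUN:-}" ]; then
        printf 'ssh %s %s\n' "$REMOTE_HOST" "$remote"   # show, do not run
    else
        ssh "$REMOTE_HOST" "$remote"
    fi
}
```
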
