encrypting replies to encrypted mail

encrypting replies to encrypted mail

[Jameson Graef Rollins]

[-- Attachment #1: Type: text/plain, Size: 1454 bytes --]

Hi, folks.  I've been worried for a while about the fact that my notmuch
mua (notmuch-emacs) does not automatically encrypt replies to encrypted
messages.  Recently my fears came true when I accidentally sent in the
clear a reply to an encrypted message that include a full quote of the
original encrypted text.  This is obviously not ok, to the extent that I
would like to now consider this a UI bug in notmuch-emacs.

The question is how do we solve this problem.  The tricky bit is that
notmuch-emacs uses message-mode to compose and send messages, and mml to
handle signing and encrypting, but uses the binary "reply" command to
generate reply bodies.  message-mode therefore does not know if the
original message was encrypted or not.

One proposal would be to add a switch to the reply command that would
insert the mml "signencrypt" header [0] to the top of reply bodies if
the message being replied to was encrypted.  Something like
"--mml-encrypt" or something like that.  It's a fix targeted to a
particular work flow/setup, but it might cover enough use cases to make
it still be worthwhile.

What do people think?  Any other ideas for solving this issue?  I note
that there are other emacs tricks for dealing with encrypting messages
[1], but none that I have found would solve this particular situation.

jamie.

[0] https://www.gnu.org/software/emacs/manual/html_node/mh-e/Sending-PGP.html
[1] http://www.emacswiki.org/emacs/DefaultEncrypt

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

Re: encrypting replies to encrypted mail

[Nicolás Reynolds]

[-- Attachment #1: Type: text/plain, Size: 648 bytes --]

Jameson Graef Rollins <jrollins@finestructure.net> writes:

> Hi, folks.  I've been worried for a while about the fact that my notmuch
> mua (notmuch-emacs) does not automatically encrypt replies to encrypted
> messages.  Recently my fears came true when I accidentally sent in the
> clear a reply to an encrypted message that include a full quote of the
> original encrypted text.  This is obviously not ok, to the extent that I
> would like to now consider this a UI bug in notmuch-emacs.

i solved this by using jl-encrypt.el that asks me if i want to encrypt
an email if the identities i'm writing to are on my keyring :)

-- 
:{

[-- Attachment #2: Type: application/pgp-signature, Size: 489 bytes --]

Re: encrypting replies to encrypted mail

[Jameson Graef Rollins]

[-- Attachment #1: Type: text/plain, Size: 994 bytes --]

On Sun, Jan 12 2014, Nicolás Reynolds <fauno@kiwwwi.com.ar> wrote:
> Jameson Graef Rollins <jrollins@finestructure.net> writes:
>
>> Hi, folks.  I've been worried for a while about the fact that my notmuch
>> mua (notmuch-emacs) does not automatically encrypt replies to encrypted
>> messages.  Recently my fears came true when I accidentally sent in the
>> clear a reply to an encrypted message that include a full quote of the
>> original encrypted text.  This is obviously not ok, to the extent that I
>> would like to now consider this a UI bug in notmuch-emacs.
>
> i solved this by using jl-encrypt.el that asks me if i want to encrypt
> an email if the identities i'm writing to are on my keyring :)

This is certainly a reasonable approach, and is in fact what is outlined
in the "Default Encrypt" link I provided.  However, I still feel it
would be good to automatically encrypt replies to encrypted messages by
default, without needing to prompt the user.

jamie.

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

Re: encrypting replies to encrypted mail

[Jani Nikula]

On Sun, 12 Jan 2014, Jameson Graef Rollins <jrollins@finestructure.net> wrote:
> The question is how do we solve this problem.  The tricky bit is that
> notmuch-emacs uses message-mode to compose and send messages, and mml to
> handle signing and encrypting, but uses the binary "reply" command to
> generate reply bodies.  message-mode therefore does not know if the
> original message was encrypted or not.

The notmuch reply command structured output formats contain the original
message, with all the information needed to determine whether the
message was signed and/or encrypted. Someone(tm) just needs to write the
code to check that in emacs (probably fits in the quoting loop), and
insert the appropriate mml tag (or whatever it's called) to tell message
mode to encrypt.

BR,
Jani.

[PATCH] emacs: sign/encrypt replies to signed/encrypted messages

[Jani Nikula]

This is a simple approach to improving security when replying to
signed or encrypted messages. If the message being replied to was
signed, add mml tag to sign the reply. If the message being replied to
was encrypted, add mml tag to sign and encrypt the reply.

This may need configuration; I for one might want to encrypt replies
to encrypted messages, but not always sign replies to signed messages.

This still includes a slight bug: if any mml tags are added, they are
included in the region containing the quoted parts. Killing the region
will kill the mml tags too.
---
 emacs/notmuch-mua.el | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index ba3ef275ec5e..9fb84b57b030 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -115,6 +115,15 @@ list."
 	    (push header message-hidden-headers)))
 	notmuch-mua-hidden-headers))
 
+(defun notmuch-mua-reply-crypto (parts)
+  (loop for part in parts
+	if (notmuch-match-content-type (plist-get part :content-type) "multipart/signed")
+	  do (mml-secure-message-sign)
+	else if (notmuch-match-content-type (plist-get part :content-type) "multipart/encrypted")
+	  do (mml-secure-message-sign-encrypt)
+	else if (notmuch-match-content-type (plist-get part :content-type) "multipart/*")
+	  do (notmuch-mua-reply-crypto (plist-get part :content))))
+
 (defun notmuch-mua-get-quotable-parts (parts)
   (loop for part in parts
 	if (notmuch-match-content-type (plist-get part :content-type) "multipart/alternative")
@@ -224,7 +233,10 @@ list."
 	(set-mark (point))
 	(goto-char start)
 	;; Quote the original message according to the user's configured style.
-	(message-cite-original))))
+	(message-cite-original)))
+
+    ;; Sign and/or encrypt replies to signed and/or encrypted messages.
+    (notmuch-mua-reply-crypto (plist-get original :body)))
 
   ;; Push mark right before signature, if any.
   (message-goto-signature)
-- 
1.9.1

Re: [PATCH] emacs: sign/encrypt replies to signed/encrypted messages

[Jameson Graef Rollins]

[-- Attachment #1: Type: text/plain, Size: 2373 bytes --]

On Sat, Apr 05 2014, Jani Nikula <jani@nikula.org> wrote:
> This is a simple approach to improving security when replying to
> signed or encrypted messages. If the message being replied to was
> signed, add mml tag to sign the reply. If the message being replied to
> was encrypted, add mml tag to sign and encrypt the reply.

Jani, thank you so much for this patch!  This is really great, and I
very much appreciate your work on it.

I've tested it and so far it does exactly as advertised: replys to
encrypted messages automatically get the correct mml tags to encrypt the
reply.  I sign all messages by default, and it doesn't seem to interact
adversely with that configuration afaict.

> This may need configuration; I for one might want to encrypt replies
> to encrypted messages, but not always sign replies to signed messages.
>
> This still includes a slight bug: if any mml tags are added, they are
> included in the region containing the quoted parts. Killing the region
> will kill the mml tags too.

Both of these issues seem pretty minor to me.  It certainly gets my vote
to push without these additional features (especially considering the
security benefits).

I just have one comment below:

> diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> index ba3ef275ec5e..9fb84b57b030 100644
> --- a/emacs/notmuch-mua.el
> +++ b/emacs/notmuch-mua.el
> @@ -224,7 +233,10 @@ list."
>  	(set-mark (point))
>  	(goto-char start)
>  	;; Quote the original message according to the user's configured style.
> -	(message-cite-original))))
> +	(message-cite-original)))
> +
> +    ;; Sign and/or encrypt replies to signed and/or encrypted messages.
> +    (notmuch-mua-reply-crypto (plist-get original :body)))

Maybe we should check to see if crypto processing is activated before
adding this additional crypto handling.  I would have guessed we might
want something like this instead:

    (when notmuch-show-process-crypto
      (notmuch-mua-reply-crypto (plist-get original :body))))

However, for some reason I can't get this to work.  It looks like
notmuch-show-process-crypto keeps evaluating to false in this context,
regardless of whether crypto processing has been engaged.  I'm unclear
why.  Anyone know see how notmuch-show-process-crypto would evaluate to
false here, even when it evaluates to true earlier in the same
notmuch-mua-reply call?

jamie.

[-- Attachment #2: Type: application/pgp-signature, Size: 818 bytes --]

[PATCH] emacs: process crypto for reply only when specified

[Jameson Graef Rollins]

This is a tweak to patch "emacs: sign/encrypt replies to
signed/encrypted messages" to only add mml crypto flags for replys
when crypto processing has been activated.

---

Thanks to mjw1009 for implementation suggestions.

Jani, you might consider squashing this with your original for a v2.
Pushing them separately seems fine to me as well.

jamie.

---
 emacs/notmuch-mua.el | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 9fb84b5..bf6253f 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -160,9 +160,10 @@ list."
 
 (defun notmuch-mua-reply (query-string &optional sender reply-all)
   (let ((args '("reply" "--format=sexp" "--format-version=1"))
+	(process-crypto notmuch-show-process-crypto)
 	reply
 	original)
-    (when notmuch-show-process-crypto
+    (when process-crypto
       (setq args (append args '("--decrypt"))))
 
     (if reply-all
@@ -236,7 +237,8 @@ list."
 	(message-cite-original)))
 
     ;; Sign and/or encrypt replies to signed and/or encrypted messages.
-    (notmuch-mua-reply-crypto (plist-get original :body)))
+    (when process-crypto
+      (notmuch-mua-reply-crypto (plist-get original :body))))
 
   ;; Push mark right before signature, if any.
   (message-goto-signature)
-- 
1.9.1

Re: [PATCH] emacs: process crypto for reply only when specified

[David Bremner]

Jameson Graef Rollins <jrollins@finestructure.net> writes:

> This is a tweak to patch "emacs: sign/encrypt replies to
> signed/encrypted messages" to only add mml crypto flags for replys
> when crypto processing has been activated.
>

The (merged) patch seems straightforward and seems to work. I'll
probably push it tomorrow if nobody complains.

d

Re: [PATCH] emacs: process crypto for reply only when specified

[Tomi Ollila]

On Sun, Apr 13 2014, David Bremner <david@tethera.net> wrote:

> Jameson Graef Rollins <jrollins@finestructure.net> writes:
>
>> This is a tweak to patch "emacs: sign/encrypt replies to
>> signed/encrypted messages" to only add mml crypto flags for replys
>> when crypto processing has been activated.
>>
>
> The (merged) patch seems straightforward and seems to work. I'll
> probably push it tomorrow if nobody complains.

Code looks OK. +1. I'm interested to see whether replies to signed emails
work on this system where sign/(de|en)cryption just doesn't work (out of
the box) :D

> d

Tomi

Re: [PATCH] emacs: process crypto for reply only when specified

[David Bremner]

Tomi Ollila <tomi.ollila@iki.fi> writes:

>
> Code looks OK. +1. I'm interested to see whether replies to signed emails
> work on this system where sign/(de|en)cryption just doesn't work (out of
> the box) :D
>

It's a good point. I need to insert my smartcard to sign things, which
I'm sometimes too lazy to do. In my case, maybe I should stop being so
lazy; I suspect my particular case is a but unusual.

Perhaps people with no ability to sign are less likely to have
"notmuch-crypto-process-mime" set?  Or we can add another configuration
variable initialized from notmuch-crypto-process-mime, but allowing
people to shut this off.

Re: [PATCH] emacs: process crypto for reply only when specified

[Tomi Ollila]

On Sun, Apr 13 2014, David Bremner wrote:

> Tomi Ollila <tomi.ollila@iki.fi> writes:
>
>>
>> Code looks OK. +1. I'm interested to see whether replies to signed emails
>> work on this system where sign/(de|en)cryption just doesn't work (out of
>> the box) :D
>>
>
> It's a good point. I need to insert my smartcard to sign things, which
> I'm sometimes too lazy to do. In my case, maybe I should stop being so
> lazy; I suspect my particular case is a but unusual.

Below is what happened to me when I failed to remove the 
"<#secure method=pgpmime mode=sign>" part from the beginning of the message
It is very easy to detect and there is nothing much one can use if they
have configured notmuch-crypto-process-mime to be t (like I seem to have ;)

--8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<--
notmuch-crypto-process-mime is a variable defined in `one-notmuch.el'.
Its value is t
Original value was nil
--8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<--

Emacs stopped responding my keypresses after C-c C-c; C-g brought control
back to me -- and then I tried again...

ps output

19028 ?     SLs  0:00 /usr/bin/gpg --no-tty --status-fd 1 --yes --command-f
19029 ?     SL   0:00 gpg-agent --server
19030 ?     RL   0:50 /usr/bin/pinentry-curses
19034 ?     SLs  0:00 /usr/bin/gpg --no-tty --status-fd 1 --yes --command-f
19035 ?     SL   0:00 gpg-agent --server
19036 ?     RL   0:04 /usr/bin/pinentry-curses
19037 pts/6 R+   0:00 ps x

The 'pinentry-curses' and this emacs doesn't play along well (I've seen
this happening before when I tried to encrypt some messages). I had
to pkill gpg and pinentry-curses to get rid of the above processes.

> Perhaps people with no ability to sign are less likely to have
> "notmuch-crypto-process-mime" set?  Or we can add another configuration
> variable initialized from notmuch-crypto-process-mime, but allowing
> people to shut this off.

Well, I set notmuch-crypto-process-mime to nil -- it still wants to
sign the message and runs gpg...

... my case may be unique enough no-one else has the same problem; anyway
ideas how to automatically kill the gpg process(es) when one aborts send
attempt? 

Tomi

Re: [PATCH] emacs: process crypto for reply only when specified

[David Bremner]

Tomi Ollila <tomi.ollila@iki.fi> writes:

>
> Well, I set notmuch-crypto-process-mime to nil -- it still wants to
> sign the message and runs gpg...
>

Was it nil when you replied, i.e. when the mml tags were created?

d

Re: [PATCH] emacs: process crypto for reply only when specified

[Jameson Graef Rollins]

[-- Attachment #1: Type: text/plain, Size: 1045 bytes --]

On Sun, Apr 13 2014, Tomi Ollila <tomi.ollila@iki.fi> wrote:
>> Perhaps people with no ability to sign are less likely to have
>> "notmuch-crypto-process-mime" set?  Or we can add another configuration
>> variable initialized from notmuch-crypto-process-mime, but allowing
>> people to shut this off.
>
> Well, I set notmuch-crypto-process-mime to nil -- it still wants to
> sign the message and runs gpg...

Was my followup patch applied?  My patch controls the insertion of the
mml tag depending on whether or not notmuch-crypto-process-mime is t or
not.  If notmuch-crypto-process-mime is nil the tag won't be added.
Presumably you either did not have that patch applied, or had manually
set it to t?

In any event, if the mml tag is present, it's no longer in notmuch's
hands; emacs's mail processing is handling things and calling gpg-agent
to sign/encrypt the message.

Can you clarify what exactly your situation was?

Presumably people who have not set up any crypto processing should not
have notmuch-crypto-process-mime set t.

jamie.

[-- Attachment #2: Type: application/pgp-signature, Size: 818 bytes --]

Re: [PATCH] emacs: process crypto for reply only when specified

[Tomi Ollila]

On Mon, Apr 14 2014, Jameson Graef Rollins <jrollins@finestructure.net> wrote:

> On Sun, Apr 13 2014, Tomi Ollila <tomi.ollila@iki.fi> wrote:
>>> Perhaps people with no ability to sign are less likely to have
>>> "notmuch-crypto-process-mime" set?  Or we can add another configuration
>>> variable initialized from notmuch-crypto-process-mime, but allowing
>>> people to shut this off.
>>
>> Well, I set notmuch-crypto-process-mime to nil -- it still wants to
>> sign the message and runs gpg...
>
> Was my followup patch applied?  My patch controls the insertion of the
> mml tag depending on whether or not notmuch-crypto-process-mime is t or
> not.  If notmuch-crypto-process-mime is nil the tag won't be added.
> Presumably you either did not have that patch applied, or had manually
> set it to t?

For those who don't follow IRC your patch was applied.
>
> In any event, if the mml tag is present, it's no longer in notmuch's
> hands; emacs's mail processing is handling things and calling gpg-agent
> to sign/encrypt the message.
>
> Can you clarify what exactly your situation was?

Exactly that -- the mml tag was present -- so case closed on that issue :D

I did some experiments changing the value of notmuch-crypto-process-mime
before pressing 'r' button: I had to quit from show mode to search mode and
choose the thread and then message to have the change to take effect.

I will keep my notmuch-crypto-process-mime set t (and I keep removing
the mml tags in this system -- and if I forget killing those processes),
as I want to see [ Good signature by key: 0x... ] -messages. Maybe
I^HSomebody, Someday provides a patch that provides separate value to
do just signature checking...


> Presumably people who have not set up any crypto processing should not
> have notmuch-crypto-process-mime set t.
>
> jamie.

Thanks,

Tomi

PS: pkill '(pinentry-curses|gpg)' ++ ;/ -- one step closer to implement that...

Re: [PATCH] emacs: process crypto for reply only when specified

[Tomi Ollila]

On Mon, Apr 14 2014, Tomi Ollila <tomi.ollila@iki.fi> wrote:

> On Mon, Apr 14 2014, Jameson Graef Rollins <jrollins@finestructure.net> wrote:
>
>>
>> In any event, if the mml tag is present, it's no longer in notmuch's
>> hands; emacs's mail processing is handling things and calling gpg-agent
>> to sign/encrypt the message.
>>
>> Can you clarify what exactly your situation was?
>
> Exactly that -- the mml tag was present -- so case closed on that issue :D
>
> I did some experiments changing the value of notmuch-crypto-process-mime
> before pressing 'r' button: I had to quit from show mode to search mode and
> choose the thread and then message to have the change to take effect.
>
> I will keep my notmuch-crypto-process-mime set t (and I keep removing
> the mml tags in this system -- and if I forget killing those processes),
> as I want to see [ Good signature by key: 0x... ] -messages. Maybe
> I^HSomebody, Someday provides a patch that provides separate value to
> do just signature checking...

As a current (temporary!;) solution I Added

(defun mml-pgpmime-sign-buffer (cont)
  (error "Signing messages disabled"))

to the end of ~/.emacs.d/notmuch-config.el on this one system only...

I am still vulnerable to DOS attack is someone sends me email encrypted
with my public key... Have to investigate and test this before too long...

Tomi


>
>
>> Presumably people who have not set up any crypto processing should not
>> have notmuch-crypto-process-mime set t.
>>
>> jamie.
>
> Thanks,
>
> Tomi
>
> PS: pkill '(pinentry-curses|gpg)' ++ ;/ -- one step closer to implement that...

Re: [PATCH] emacs: sign/encrypt replies to signed/encrypted messages

[David Bremner]

Jani Nikula <jani@nikula.org> writes:
> +(defun notmuch-mua-reply-crypto (parts)
> +  (loop for part in parts
> +	if (notmuch-match-content-type (plist-get part :content-type) "multipart/signed")
> +	  do (mml-secure-message-sign)

How do people feel about disabling/removing the previous two lines?

It's less obvious to me that you always want to sign in reply to a
signed message (probably you want to unconditionally always sign in that
case).  As written this causes some inconvenience  for users that have
notmuch-crypto-process-mime=t to verify inbound signatures, but don't
necessarily have the ability to sign outbound mail. 


> +	else if (notmuch-match-content-type (plist-get part :content-type) "multipart/encrypted")
> +	  do (mml-secure-message-sign-encrypt)
> +	else if (notmuch-match-content-type (plist-get part :content-type) "multipart/*")
> +	  do (notmuch-mua-reply-crypto (plist-get part :content))))
> +

Re: [PATCH] emacs: sign/encrypt replies to signed/encrypted messages

[Jani Nikula]

[-- Attachment #1: Type: text/plain, Size: 1115 bytes --]

On Apr 14, 2014 10:17 AM, "David Bremner" <david@tethera.net> wrote:
>
> Jani Nikula <jani@nikula.org> writes:
> > +(defun notmuch-mua-reply-crypto (parts)
> > +  (loop for part in parts
> > +     if (notmuch-match-content-type (plist-get part :content-type)
"multipart/signed")
> > +       do (mml-secure-message-sign)
>
> How do people feel about disabling/removing the previous two lines?
>

I'd be fine with that (see the commit message).

Jani.

> It's less obvious to me that you always want to sign in reply to a
> signed message (probably you want to unconditionally always sign in that
> case).  As written this causes some inconvenience  for users that have
> notmuch-crypto-process-mime=t to verify inbound signatures, but don't
> necessarily have the ability to sign outbound mail.
>
>
> > +     else if (notmuch-match-content-type (plist-get part
:content-type) "multipart/encrypted")
> > +       do (mml-secure-message-sign-encrypt)
> > +     else if (notmuch-match-content-type (plist-get part
:content-type) "multipart/*")
> > +       do (notmuch-mua-reply-crypto (plist-get part :content))))
> > +

[-- Attachment #2: Type: text/html, Size: 1548 bytes --]

Re: [PATCH] emacs: sign/encrypt replies to signed/encrypted messages

[Jameson Graef Rollins]

[-- Attachment #1: Type: text/plain, Size: 916 bytes --]

On Mon, Apr 14 2014, Jani Nikula <jani@nikula.org> wrote:
> On Apr 14, 2014 10:17 AM, "David Bremner" <david@tethera.net> wrote:
>>
>> Jani Nikula <jani@nikula.org> writes:
>> > +(defun notmuch-mua-reply-crypto (parts)
>> > +  (loop for part in parts
>> > +     if (notmuch-match-content-type (plist-get part :content-type)
> "multipart/signed")
>> > +       do (mml-secure-message-sign)
>>
>> How do people feel about disabling/removing the previous two lines?
>>
>
> I'd be fine with that (see the commit message).

I'd be fine with that as well.  I auto-sign all outgoing mail regardless
of the signature status of what I'm replying to, so that's fine.
Auto-encrypting replies to encrypted mail is actually a security issue,
whereas auto-signing is not, so as long as we have the auto-encrypting
always enabled that should ok.

David, did you want to handle the patch?  If not let me know and I'll do
it.

jamie.

[-- Attachment #2: Type: application/pgp-signature, Size: 818 bytes --]

Re: [PATCH] emacs: sign/encrypt replies to signed/encrypted messages

[David Bremner]

Jameson Graef Rollins <jrollins@finestructure.net> writes:
>
> I'd be fine with that as well.  I auto-sign all outgoing mail regardless
> of the signature status of what I'm replying to, so that's fine.
> Auto-encrypting replies to encrypted mail is actually a security issue,
> whereas auto-signing is not, so as long as we have the auto-encrypting
> always enabled that should ok.
>
> David, did you want to handle the patch?  If not let me know and I'll do
> it.
>
> jamie.

Go for it, I'm pretty busy for the next couple of days.

Thanks!

d

[PATCH] emacs: remove auto-signing of replies to signed messages

[Jameson Graef Rollins]

It was decided that auto-signing is potentially too troublesome for the
apparently common case of users who enable crypto processing for the
purpose of checking signature validity but who are not in a position to
sign out-going messages.  Users can still manually invoke signing as needed.

Encrypting replies to encrypted messages is more of a security issue
so we leave it in place.
---
 emacs/notmuch-mua.el | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index bf6253f..95e4a4d 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -116,10 +116,9 @@ list."
 	notmuch-mua-hidden-headers))
 
 (defun notmuch-mua-reply-crypto (parts)
+  "Add mml sign-encrypt flag if any part of original message is encrypted."
   (loop for part in parts
-	if (notmuch-match-content-type (plist-get part :content-type) "multipart/signed")
-	  do (mml-secure-message-sign)
-	else if (notmuch-match-content-type (plist-get part :content-type) "multipart/encrypted")
+	if (notmuch-match-content-type (plist-get part :content-type) "multipart/encrypted")
 	  do (mml-secure-message-sign-encrypt)
 	else if (notmuch-match-content-type (plist-get part :content-type) "multipart/*")
 	  do (notmuch-mua-reply-crypto (plist-get part :content))))
@@ -236,7 +235,7 @@ list."
 	;; Quote the original message according to the user's configured style.
 	(message-cite-original)))
 
-    ;; Sign and/or encrypt replies to signed and/or encrypted messages.
+    ;; Crypto processing based crypto content of the original message
     (when process-crypto
       (notmuch-mua-reply-crypto (plist-get original :body))))
 
-- 
1.9.1

Re: [PATCH] emacs: remove auto-signing of replies to signed messages

[Tomi Ollila]

On Mon, Apr 14 2014, Jameson Graef Rollins <jrollins@finestructure.net> wrote:

> It was decided that auto-signing is potentially too troublesome for the
> apparently common case of users who enable crypto processing for the
> purpose of checking signature validity but who are not in a position to
> sign out-going messages.  Users can still manually invoke signing as needed.
>
> Encrypting replies to encrypted messages is more of a security issue
> so we leave it in place.
> ---

LGTM. Works for me. +1

Tomi


>  emacs/notmuch-mua.el | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> index bf6253f..95e4a4d 100644
> --- a/emacs/notmuch-mua.el
> +++ b/emacs/notmuch-mua.el
> @@ -116,10 +116,9 @@ list."
>  	notmuch-mua-hidden-headers))
>  
>  (defun notmuch-mua-reply-crypto (parts)
> +  "Add mml sign-encrypt flag if any part of original message is encrypted."
>    (loop for part in parts
> -	if (notmuch-match-content-type (plist-get part :content-type) "multipart/signed")
> -	  do (mml-secure-message-sign)
> -	else if (notmuch-match-content-type (plist-get part :content-type) "multipart/encrypted")
> +	if (notmuch-match-content-type (plist-get part :content-type) "multipart/encrypted")
>  	  do (mml-secure-message-sign-encrypt)
>  	else if (notmuch-match-content-type (plist-get part :content-type) "multipart/*")
>  	  do (notmuch-mua-reply-crypto (plist-get part :content))))
> @@ -236,7 +235,7 @@ list."
>  	;; Quote the original message according to the user's configured style.
>  	(message-cite-original)))
>  
> -    ;; Sign and/or encrypt replies to signed and/or encrypted messages.
> +    ;; Crypto processing based crypto content of the original message
>      (when process-crypto
>        (notmuch-mua-reply-crypto (plist-get original :body))))
>  
> -- 
> 1.9.1
>
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch

Re: [PATCH] emacs: remove auto-signing of replies to signed messages

[David Bremner]

Jameson Graef Rollins <jrollins@finestructure.net> writes:

> It was decided that auto-signing is potentially too troublesome for the
> apparently common case of users who enable crypto processing for the
> purpose of checking signature validity but who are not in a position to
> sign out-going messages.  Users can still manually invoke signing as needed.

pushed

d

Re: [PATCH] emacs: remove auto-signing of replies to signed messages

[Jameson Graef Rollins]

[-- Attachment #1: Type: text/plain, Size: 505 bytes --]

On Tue, Apr 15 2014, David Bremner <david@tethera.net> wrote:
> Jameson Graef Rollins <jrollins@finestructure.net> writes:
>
>> It was decided that auto-signing is potentially too troublesome for the
>> apparently common case of users who enable crypto processing for the
>> purpose of checking signature validity but who are not in a position to
>> sign out-going messages.  Users can still manually invoke signing as needed.
>
> pushed

Awesome.  Thank you Jani and David for fixing this issue.

jamie.

[-- Attachment #2: Type: application/pgp-signature, Size: 818 bytes --]