Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

classic Classic list List threaded Threaded
7 messages Options
David Bremner-2 David Bremner-2
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

Vagrant Cascadian <[hidden email]> writes:

> Package: notmuch-emacs
> Version: 0.18.1-1
> Severity: important
>
> Thanks for notmuch-emacs, it's great!
>
> I did notice that it doesn't appear to check weather gpg/pgp signatures are
> valid by default.
>
> When I created a signed message to myself, made a copy of it, and then manually
> edited the text within without changing the signature...
>
> But notmuch-emacs doesn't distinguish between the valid signature
:

>
>   Subject: valid gpg sig
>   To: vagrant@localhost
>   Date: Mon, 21 Jul 2014 15:03:45 -0700
>  
>   [ multipart/signed ]
>   [ text/plain ]
>   this should be a VALID gpg signature.
>   [ signature.asc: application/pgp-signature ]
>
> And the edited text, with an invalid signature:
>
>   Subject: invalid gpg sig
>   To: vagrant@localhost
>   Date: Mon, 21 Jul 2014 15:03:45 -0700
>  
>   [ multipart/signed ]
>   [ text/plain ]
>   this should be an INVALID gpg signature.
>   [ signature.asc: application/pgp-signature ]

Hi Vagrant;

Thanks for the bug report.  It seems that most of the developers
have customized the emacs variable

notmuch-crypto-process-mime to t

For the moment I suggest that as a workaround, and we'll see about
fixing the UI bug upstream.

notmuch folks: it seems that in vagrant's message, and several others I
checked, it notmuch-crypto-process-mime==nil, then no signature button
is created at all.
_______________________________________________
notmuch mailing list
[hidden email]
http://notmuchmail.org/mailman/listinfo/notmuch
Jameson Graef Rollins Jameson Graef Rollins
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

On Mon, Jul 21 2014, David Bremner <[hidden email]> wrote:
> notmuch folks: it seems that in vagrant's message, and several others I
> checked, it notmuch-crypto-process-mime==nil, then no signature button
> is created at all.

Yes, this is true.  The signature button is pretty meaningless if we're
not processing the signature.

Maybe instead by default we could have a signature button that opens up
a notmuch-crypto-process-mime customization buffer?

jamie.

_______________________________________________
notmuch mailing list
[hidden email]
http://notmuchmail.org/mailman/listinfo/notmuch

attachment0 (834 bytes) Download Attachment
Daniel Kahn Gillmor Daniel Kahn Gillmor
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

On 07/21/2014 09:03 PM, Jameson Graef Rollins wrote:

> On Mon, Jul 21 2014, David Bremner <[hidden email]> wrote:
>> notmuch folks: it seems that in vagrant's message, and several others I
>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>> is created at all.
>
> Yes, this is true.  The signature button is pretty meaningless if we're
> not processing the signature.
>
> Maybe instead by default we could have a signature button that opens up
> a notmuch-crypto-process-mime customization buffer?
Or the button could just re-load the current view while processing the
signature, and send "you can customize notmuch-crypt-process-mime to do
this automatically in the future" to *Messages*.

        --dkg


_______________________________________________
notmuch mailing list
[hidden email]
http://notmuchmail.org/mailman/listinfo/notmuch

signature.asc (968 bytes) Download Attachment
Daniel Kahn Gillmor Daniel Kahn Gillmor
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

On 07/22/2014 12:30 AM, Daniel Kahn Gillmor wrote:

> On 07/21/2014 09:03 PM, Jameson Graef Rollins wrote:
>> On Mon, Jul 21 2014, David Bremner <[hidden email]> wrote:
>>> notmuch folks: it seems that in vagrant's message, and several others I
>>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>>> is created at all.
>>
>> Yes, this is true.  The signature button is pretty meaningless if we're
>> not processing the signature.
>>
>> Maybe instead by default we could have a signature button that opens up
>> a notmuch-crypto-process-mime customization buffer?
>
> Or the button could just re-load the current view while processing the
> signature, and send "you can customize notmuch-crypt-process-mime to do
> this automatically in the future" to *Messages*.
Oh, and it seems like in the case where no verification or PGP/MIME
procesing was done, we need to make it a *lot* clearer to the user that
no signature verification was done.

        --dkg


_______________________________________________
notmuch mailing list
[hidden email]
http://notmuchmail.org/mailman/listinfo/notmuch

signature.asc (968 bytes) Download Attachment
David Bremner-2 David Bremner-2
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

In reply to this post by Jameson Graef Rollins
Jameson Graef Rollins <[hidden email]> writes:

> On Mon, Jul 21 2014, David Bremner <[hidden email]> wrote:
>> notmuch folks: it seems that in vagrant's message, and several others I
>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>> is created at all.
>
> Yes, this is true.  The signature button is pretty meaningless if we're
> not processing the signature.
>
> Maybe instead by default we could have a signature button that opens up
> a notmuch-crypto-process-mime customization buffer?
>
> jamie.

looking at the source, there is supposed to be some button:

,----
| (defun notmuch-show-insert-part-multipart/signed (msg part content-type nth depth button)
|   (button-put button 'face 'notmuch-crypto-part-header)
|   ;; add signature status button if sigstatus provided
|   (if (plist-member part :sigstatus)
|       (let* ((from (notmuch-show-get-header :From msg))
|     (sigstatus (car (plist-get part :sigstatus))))
| (notmuch-crypto-insert-sigstatus-button sigstatus from))
|     ;; if we're not adding sigstatus, tell the user how they can get it
|     (button-put button 'help-echo "Set notmuch-crypto-process-mime to process cryptographic MIME parts."))
`----
_______________________________________________
notmuch mailing list
[hidden email]
http://notmuchmail.org/mailman/listinfo/notmuch
David Edmondson David Edmondson
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

On Tue, Jul 22 2014, David Bremner wrote:

> Jameson Graef Rollins <[hidden email]> writes:
>
>> On Mon, Jul 21 2014, David Bremner <[hidden email]> wrote:
>>> notmuch folks: it seems that in vagrant's message, and several others I
>>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>>> is created at all.
>>
>> Yes, this is true.  The signature button is pretty meaningless if we're
>> not processing the signature.
>>
>> Maybe instead by default we could have a signature button that opens up
>> a notmuch-crypto-process-mime customization buffer?
>>
>> jamie.
>
> looking at the source, there is supposed to be some button:

There is a button for the part (the one that says "[multipart/signed]")
and the help text is associated with that. There is no button
specifically for the signature (because no processing of the signature
took place).

It wouldn't be complicated to add a button in the case where no checking
was done. Pressing the button could (as suggested) offer up
customisation of the variable (or just open the help).

I wonder if I could make the button be "[Danger Will Robinson!!!]" in
flashing red and yellow text...

> ,----
> | (defun notmuch-show-insert-part-multipart/signed (msg part content-type nth depth button)
> |   (button-put button 'face 'notmuch-crypto-part-header)
> |   ;; add signature status button if sigstatus provided
> |   (if (plist-member part :sigstatus)
> |       (let* ((from (notmuch-show-get-header :From msg))
> |     (sigstatus (car (plist-get part :sigstatus))))
> | (notmuch-crypto-insert-sigstatus-button sigstatus from))
> |     ;; if we're not adding sigstatus, tell the user how they can get it
> |     (button-put button 'help-echo "Set notmuch-crypto-process-mime to process cryptographic MIME parts."))
> `----
_______________________________________________
notmuch mailing list
[hidden email]
https://notmuchmail.org/mailman/listinfo/notmuch
David Bremner-2 David Bremner-2
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

In reply to this post by David Bremner-2
David Bremner <[hidden email]> writes:

> Vagrant Cascadian <[hidden email]> writes:
>
>> Package: notmuch-emacs
>> Version: 0.18.1-1
>> Severity: important
>>
>> Thanks for notmuch-emacs, it's great!

this bug is fixed in master / release
_______________________________________________
notmuch mailing list
[hidden email]
https://notmuchmail.org/mailman/listinfo/notmuch
Loading...