Return-Path: X-Original-To: notmuch@notmuchmail.org Delivered-To: notmuch@notmuchmail.org Received: from localhost (localhost [127.0.0.1]) by olra.theworths.org (Postfix) with ESMTP id 6F740431FBF for ; Mon, 21 Jul 2014 16:16:55 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at olra.theworths.org X-Spam-Flag: NO X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=disabled Received: from olra.theworths.org ([127.0.0.1]) by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B2HpEF1NTCvU for ; Mon, 21 Jul 2014 16:16:50 -0700 (PDT) Received: from yantan.tethera.net (yantan.tethera.net [199.188.72.155]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by olra.theworths.org (Postfix) with ESMTPS id B40F1431FAE for ; Mon, 21 Jul 2014 16:16:50 -0700 (PDT) Received: from remotemail by yantan.tethera.net with local (Exim 4.80) (envelope-from ) id 1X9Mp0-0001hP-LT; Mon, 21 Jul 2014 20:16:42 -0300 Received: (nullmailer pid 12758 invoked by uid 1000); Mon, 21 Jul 2014 23:16:34 -0000 From: David Bremner To: Vagrant Cascadian , 755544@bugs.debian.org Subject: Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default In-Reply-To: <20140721223426.GA5250@siren> References: <20140721223426.GA5250@siren> User-Agent: Notmuch/0.18.1+45~gf47eeac (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu) Date: Mon, 21 Jul 2014 20:16:34 -0300 Message-ID: <87silucnfx.fsf@maritornes.cs.unb.ca> MIME-Version: 1.0 Content-Type: text/plain Cc: notmuch@notmuchmail.org X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Jul 2014 23:16:55 -0000 Vagrant Cascadian writes: > Package: notmuch-emacs > Version: 0.18.1-1 > Severity: important > > Thanks for notmuch-emacs, it's great! > > I did notice that it doesn't appear to check weather gpg/pgp signatures are > valid by default. > > When I created a signed message to myself, made a copy of it, and then manually > edited the text within without changing the signature... > > But notmuch-emacs doesn't distinguish between the valid signature : > > Subject: valid gpg sig > To: vagrant@localhost > Date: Mon, 21 Jul 2014 15:03:45 -0700 > > [ multipart/signed ] > [ text/plain ] > this should be a VALID gpg signature. > [ signature.asc: application/pgp-signature ] > > And the edited text, with an invalid signature: > > Subject: invalid gpg sig > To: vagrant@localhost > Date: Mon, 21 Jul 2014 15:03:45 -0700 > > [ multipart/signed ] > [ text/plain ] > this should be an INVALID gpg signature. > [ signature.asc: application/pgp-signature ] Hi Vagrant; Thanks for the bug report. It seems that most of the developers have customized the emacs variable notmuch-crypto-process-mime to t For the moment I suggest that as a workaround, and we'll see about fixing the UI bug upstream. notmuch folks: it seems that in vagrant's message, and several others I checked, it notmuch-crypto-process-mime==nil, then no signature button is created at all.