From: Dan Bryant
To: notmuch@notmuchmail.org
Subject: S/MIME support in notmuch
Date: Wed, 07 Dec 2011 21:58:03 -0500
Message-ID: <87iplrwz0k.fsf@bryandb1-ll1.dom1.jhuapl.edu>
User-Agent: Notmuch/0.10.2+71~gbcf0b01 (http://notmuchmail.org) Emacs/24.0.50.1 (x86_64-unknown-linux-gnu)

I'd like to report some success on getting S/MIME signature verification working using notmuch and the recently-released GMime 2.6. I specifically tested with notmuch-0.10.2 and gmime-2.6.1.
The following changes were required:

1) notmuch: Apply patch from Redhat packaging to handle API changes from gmime-2.4 to gmime-2.6 (see "compile error of current git on F15" thread from 25 November on the list)

2) notmuch: Create a S/MIME context instead of the GPG context in notmuch-show.c. g_mime_gpg_context_new() becomes g_mime_pkcs7_context_new(), and similarly for g_mime_gpg_context_set_always_trust().

3) gmime: The pkcs7 context only works with signatures of "application/pkcs7-signature". Per RFC2311 section C, both "application/pkcs7-signature" and "application/x-pkcs7-signature" should be treated identically. I temporarily disabled this check in gmime/gmime-multipart-signed.c and then gmime accepted the signatures.

Next, I was always seeing signature verification errors with completely unhelpful error messages. These turned out to be because the 'gpg-agent' program was not running. Once I started the agent, I got prompts on trusting root certs and was then able to see known-valid certificates verified in the emacs UI.

NB: I started gpg-agent with the --allow-mark-trusted option so that it would graphically prompt me for which root certificates to trust. See http://lists.gnupg.org/pipermail/gnupg-users/2004-September/023247.html for more detail on some of the general setup choices for the GPG S/MIME stack.

The most useful command for debugging the underlying S/MIME configuration was "gpgsm --list-chain --with-validation".

I don't have submittable patches for #2/#3 yet, but I wanted to share what I found about the scope of what actually needs to be done, which is fairly small. (The biggest blocker is probably that Debian & other distros haven't packaged gmime-2.6.)

Dan
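The media-type equivalence from item 3, written out as a standalone check. This is an added example, not code from notmuch or GMime; the helper names are hypothetical, and it only compares the multipart/signed protocol parameter against the signature part's Content-Type, accepting either the canonical or the x- form for both (it does not verify the signature itself).

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* The canonical S/MIME detached-signature media type and the legacy alias that
 * RFC 2311 section C says must be treated identically. Media types compare
 * case-insensitively (RFC 2045). */
bool is_pkcs7_signature_type(const char *type)
{
    return strcasecmp(type, "application/pkcs7-signature") == 0 ||
           strcasecmp(type, "application/x-pkcs7-signature") == 0;
}

/* Copy the value of parameter `name` (e.g. "protocol") from a Content-Type
 * header value into `out`, stripping optional double quotes. Returns false if
 * absent or too long. Hypothetical helper, not GMime's own parser. */
bool content_type_param(const char *header, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    for (const char *p = header; (p = strchr(p, ';')) != NULL; ) {
        for (p++; *p == ' ' || *p == '\t'; p++) ;
        if (strncasecmp(p, name, nlen) != 0 || p[nlen] != '=')
            continue;
        p += nlen + 1;
        bool quoted = (*p == '"');
        if (quoted) p++;
        size_t n = 0;
        while (*p && (quoted ? *p != '"' : (*p != ';' && *p != ' '))) {
            if (n + 1 >= outlen) return false;
            out[n++] = *p++;
        }
        out[n] = '\0';
        return n > 0;
    }
    return false;
}

/* True when the multipart/signed Content-Type names an S/MIME signature
 * protocol and the signature body part carries an equivalent type. */
bool smime_signature_types_match(const char *multipart_ct, const char *sig_part_ct)
{
    char proto[128], sigtype[128];
    if (!content_type_param(multipart_ct, "protocol", proto, sizeof proto))
        return false;
    size_t len = strcspn(sig_part_ct, "; ");     /* type ends at ';' or space */
    if (len >= sizeof sigtype) return false;
    memcpy(sigtype, sig_part_ct, len);
    sigtype[len] = '\0';
    return is_pkcs7_signature_type(proto) && is_pkcs7_signature_type(sigtype);
}
```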