Return-Path: <dan.bryant@jhuapl.edu>
X-Original-To: notmuch@notmuchmail.org
Delivered-To: notmuch@notmuchmail.org
Received: from localhost (localhost [127.0.0.1])
	by olra.theworths.org (Postfix) with ESMTP id 07B80431FD0
	for <notmuch@notmuchmail.org>; Wed, 7 Dec 2011 19:13:13 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5
	tests=[RCVD_IN_DNSWL_MED=-2.3] autolearn=disabled
Received: from olra.theworths.org ([127.0.0.1])
	by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id sczW1sFKG7HF for <notmuch@notmuchmail.org>;
	Wed, 7 Dec 2011 19:13:11 -0800 (PST)
X-Greylist: delayed 903 seconds by postgrey-1.32 at olra;
	Wed, 07 Dec 2011 19:13:10 PST
Received: from jhuapl.edu (piper.jhuapl.edu [128.244.251.37])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by olra.theworths.org (Postfix) with ESMTPS id D9DFD431FB6
	for <notmuch@notmuchmail.org>; Wed, 7 Dec 2011 19:13:10 -0800 (PST)
Received: from ([128.244.135.127])
	by piper.jhuapl.edu with ESMTP id 5Y8HCH1.125452514;
	Wed, 07 Dec 2011 21:58:03 -0500
From: Dan Bryant <dan.bryant@jhuapl.edu>
To: notmuch@notmuchmail.org
Subject: S/MIME support in notmuch
User-Agent: Notmuch/0.10.2+71~gbcf0b01 (http://notmuchmail.org)
	Emacs/24.0.50.1 (x86_64-unknown-linux-gnu)
Date: Wed, 07 Dec 2011 21:58:03 -0500
Message-ID: <87iplrwz0k.fsf@bryandb1-ll1.dom1.jhuapl.edu>
Content-Type: text/plain
X-Mailman-Approved-At: Tue, 20 Dec 2011 14:06:06 -0800
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.13
List-Id: "Use and development of the notmuch mail system."
	<notmuch.notmuchmail.org>
List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
	<mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
	<mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Dec 2011 03:13:13 -0000

I'd like to report some success on getting S/MIME signature verification
working using notmuch and the recently-released GMime 2.6. I specifically
tested with notmuch-0.10.2 and gmime-2.6.1.

The following changes were required:

1) notmuch: Apply patch from Redhat packaging to handle API changes from
   gmime-2.4 to gmime-2.6 (see "compile error of current git on F15"
   thread from 25 November on the list)

2) notmuch: Create an S/MIME context instead of the GPG context in
   notmuch-show.c. g_mime_gpg_context_new() becomes
   g_mime_pkcs7_context_new(), and similarly for
   g_mime_gpg_context_set_always_trust().

3) gmime: The pkcs7 context only works with signatures of
   "application/pkcs7-signature". Per RFC2311 section C, both
   "application/pkcs7-signature" and "application/x-pkcs7-signature"
   should be treated identically. I temporarily disabled this check in
   gmime/gmime-multipart-signed.c and then gmime accepted the

Next, I was always seeing signature verification errors with completely
unhelpful error messages. These turned out to be because the 'gpg-agent'
program was not running. Once I started the agent, I got prompts
on trusting root certs and was then able to see known-valid certificates
verified in the emacs UI.

NB: I started gpg-agent with the --allow-mark-trusted option so that it
would graphically prompt me for which root certificates to trust. See
http://lists.gnupg.org/pipermail/gnupg-users/2004-September/023247.html
for more detail on some of the general setup choices for the GPG
S/MIME stack. The most useful command for debugging the underlying
S/MIME configuration was "gpgsm --list-chain --with-validation".

I don't have submittable patches for #2/#3 yet, but I wanted to share
what I found about the scope of what actually needs to be done, which is
fairly small. (The biggest blocker is probably that Debian & other
distros haven't packaged gmime-2.6.)
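The content-type mismatch described in item 3 above, as an added example that is not part of the original post and is not GMime's or notmuch's own code: a small Python parser for a multipart/signed S/MIME message that applies the RFC 2311 section C rule (application/pkcs7-signature and application/x-pkcs7-signature are the same thing) and can be switched to the strict behaviour the post reports GMime having, so the rejection is visible. The message embedded below is constructed for the example, and its base64 body is a placeholder rather than real CMS data; cryptographic verification of the signature blob stays with gpgsm or GMime and is deliberately not attempted here.

```python
"""Locate the S/MIME signature part of a multipart/signed message.

Added example (not from the mailing-list post, notmuch or GMime).
Structural checks only; the CMS signature itself is not verified.
"""
import email
from email import policy
from typing import Optional

# RFC 2311 section C: both media types denote a detached PKCS#7 signature.
CANONICAL_SIGNATURE_TYPE = "application/pkcs7-signature"
PKCS7_SIGNATURE_TYPES = frozenset({
    "application/pkcs7-signature",
    "application/x-pkcs7-signature",
})

# Constructed sample message. The base64 payload is a placeholder, not real CMS data.
SAMPLE_MESSAGE = """\
From: sender@example.org
To: recipient@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
 micalg=sha-256; boundary="boundary42"

--boundary42
Content-Type: text/plain; charset=us-ascii

Hello, this is the signed body.
--boundary42
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

UExBQ0VIT0xERVI=
--boundary42--
"""


def normalize_signature_type(content_type: str, accept_x_variant: bool = True) -> Optional[str]:
    """Map a media type to the canonical signature type, or None if it is not one.

    accept_x_variant=False mirrors the strict check the post describes in
    gmime-multipart-signed.c, which only recognised application/pkcs7-signature.
    """
    ct = content_type.strip().lower()
    if ct == CANONICAL_SIGNATURE_TYPE:
        return CANONICAL_SIGNATURE_TYPE
    if accept_x_variant and ct in PKCS7_SIGNATURE_TYPES:
        return CANONICAL_SIGNATURE_TYPE
    return None


def find_smime_signature(raw: str, accept_x_variant: bool = True) -> Optional[dict]:
    """Return the signed text, signature bytes and micalg of a multipart/signed
    S/MIME message, or None if the structure does not match RFC 1847 / RFC 2311."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return None
    # The protocol parameter must itself name a PKCS#7 signature type.
    protocol = normalize_signature_type(msg.get_param("protocol", ""), accept_x_variant)
    if protocol is None:
        return None
    parts = msg.get_payload()
    # RFC 1847: exactly two body parts, the signed entity followed by the signature.
    if not isinstance(parts, list) or len(parts) != 2:
        return None
    signed_part, sig_part = parts
    # The signature part's own media type must agree with the declared protocol.
    if normalize_signature_type(sig_part.get_content_type(), accept_x_variant) != protocol:
        return None
    return {
        "protocol": protocol,
        "micalg": msg.get_param("micalg"),
        "signed_text": signed_part.get_content(),
        "signature_bytes": sig_part.get_payload(decode=True),
    }


if __name__ == "__main__":
    lenient = find_smime_signature(SAMPLE_MESSAGE)
    strict = find_smime_signature(SAMPLE_MESSAGE, accept_x_variant=False)
    print("lenient parse:", None if lenient is None else lenient["protocol"])
    print("strict parse: ", strict)
```

Run as a script, the lenient parse reports the canonical signature type while the strict parse returns None for the very same message, which is the failure the post worked around by disabling the check. Whatever sits downstream of this (gpgsm, GMime's pkcs7 context) should receive the normalized type, so that the x- variant and the plain variant take exactly the same verification path.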