Hi Daniel,

First of all, sorry for the delay – I had locked myself out from everything digital to study for my exams.

On Thu, Sep 5, 2013 at 5:03 PM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> I just tried to replicate this, and i do not see this misbehavior. I'm
> using notmuch 0.16-1 on a debian testing/unstable system.

I'm using notmuch 0.15.2 on Ubuntu 12.04. Maybe the bug got fixed somehow in the meantime? If you really can't reproduce the bug (see below) I will build the newest version from source (as well as send you the output of notmuch show --format=raw id:x...@example.com | devel/printmimestructure).

> A) how does it know that there was a signature if the message was
> encrypted? normal PGP/MIME messages contain a single OpenPGP chunk that
> contains signatures wrapped inside the encryption, so that an observer
> can't tell whether there is a signature or not (or who made the signature)

That's a good question. I suppose that although GnuPG successfully decrypts the message, notmuch somehow discards the decrypted content because the signature verification failed. As I said: GnuPG is perfectly able to decrypt the message if I do it manually.

> B) the date of the message is the unix epoch date (1970-01-01), and the
> date of the signature appears to be the unix epoch date as well. this
> seems suspicious and likely to be false. how are these messages being
> generated?

I'm sorry, that was just me being ultra paranoid. :)

> C) you appear to be using gnupg 2.0.17. the latest version of the
> 2.0.x line of gpg is 2.0.21. maybe you can upgrade your gpg
> installation and try again?
> D) you have the mingw32 version of gpg. Does this mean you're running
> notmuch on windows?

No, as far as I can see this was the sender's GPG version. I'm using GnuPG 1.4.11 on Ubuntu.

> E) i'd be curious to see what printmimestructure looks like on the
> message in question. if you've got a decent shell and the notmuch
> source code, you should be able to do:
>
> […]
>
> if you can clarify any of the above, i'd appreciate it.
>
> Also, if you can, you're welcome to send a signed/encrypted message
> using the same framework that generated the problematic message directly
> to me (my OpenPGP fingerprint is
> 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9), and i'd be happy to take a
> look at it.

Well, so far the problematic messages have always come from my contacts, i.e. I didn't generate them myself. But I just tried out the following in order to reproduce the bug: I created a fresh dummy key pair, sent a signed and encrypted email (via Emacs' mml-secure-message-sign-encrypt) in the dummy's name to my regular email address and checked whether I could open that email. Of course I could – because I had both, the recipient's private key (for decryption) and the sender's public key (for signature verification). Then I removed the dummy key pair from my key ring – and voilà: notmuch failed at decrypting the message (or at least told me there was a decryption error, as described in my previous mail).

Now, in order for you to test that behavior I'm going to send you a signed and encrypted message because that should exactly reproduce the bug, as long as you don't import my key (id EBACABE5 / http://simonhirscher.de/public_key.asc) for signature verification.

Best,
Simon
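
Added example, not part of the original message and not notmuch's code: a small parser for GnuPG's machine-readable status lines that keeps the decryption outcome and the signature outcome as separate fields, which is the distinction the reproduction above turns on. The status lines, key IDs and display policy are constructed assumptions for illustration.

```python
# Added example: separates "decrypted?" from "signature verified?" in GnuPG
# machine-readable status output. Sample lines and key IDs are constructed.

# Constructed status output: decryption works, signer's public key is absent.
SIGNER_KEY_MISSING = """\
[GNUPG:] ENC_TO 1111111111111111 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1378393380 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
[GNUPG:] END_DECRYPTION
"""

# Constructed status output: the recipient's private key is absent.
DECRYPT_KEY_MISSING = """\
[GNUPG:] ENC_TO 1111111111111111 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

def classify(status_text):
    """Return decryption and signature outcomes as two independent fields."""
    result = {"decryption": "none", "signature": "none", "missing_key": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore human-readable output mixed into the stream
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "DECRYPTION_OKAY":
            result["decryption"] = "ok"
        elif keyword == "DECRYPTION_FAILED":
            result["decryption"] = "failed"
        elif keyword == "GOODSIG":
            result["signature"] = "good"
        elif keyword == "BADSIG":
            result["signature"] = "bad"
        elif keyword == "ERRSIG" and result["signature"] == "none":
            result["signature"] = "unverified"  # signature could not be checked
        elif keyword == "NO_PUBKEY" and args:
            result["missing_key"] = args[0]
    return result

def display_policy(result):
    """Assumed policy: whether plaintext is shown depends on decryption only."""
    if result["decryption"] != "ok":
        return "decryption error"
    return "show plaintext (signature: %s)" % result["signature"]
```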