[PATCH 15/20] cli/reply: ensure encrypted Subject: line does not leak in the clear

Now that we can decrypt headers, we want to make sure that clients using "notmuch reply" to prepare a reply don't leak cleartext in their subject lines. In particular, the ["reply-headers"]["Subject"] should by default show the external Subject. --- test/T356-protected-headers.sh | 7 +++ 1

[PATCH 17/20] cli/reply: add --protected-subject boolean flag

This flag indicates the intent of the client to protect the subject line, which allows "notmuch reply" to safely emit the earlier message's encrypted subject without risking leaking it in the clear in the reply. Obviously, it should only be used by a client that *will* protect the subject line.

[PATCH 08/20] cli/show: emit headers after emitting body

This paves the way for emitting protected headers after verification and decryption, because it means that the headers will only be emitted after the body has been parsed. --- notmuch-show.c| 6 +++--- test/T170-sexp.sh | 8 2 files changed, 7 insertions(+), 7 deletions(-) diff

[PATCH 06/20] mime-node: track whole-message crypto state while walking the tree

Deliberately populate the message's cryptographic status while walking the MIME tree from the CLI. --- mime-node.c | 27 --- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/mime-node.c b/mime-node.c index cbff95d1..6ecd121d 100644 --- a/mime-node.c +++

[PATCH 07/20] cli/show: emit new whole-message crypto status output

This allows MUAs that don't want to think about per-mime-part cryptographic status to have a simple high-level overview of the message's cryptographic state. Sensibly structured encrypted and/or signed messages will work fine with this. The only requirement for the simplest encryption + signing

[PATCH 01/20] test: new test framework to compare json parts

From: Jameson Graef Rollins This makes it easier to write fairly compact, readable tests of json output, without needing to sanitize away parts that we don't care about. Signed-off-by: Daniel Kahn Gillmor --- test/json_check_nodes.py | 112

[PATCH 18/20] indexing: record protected subject when indexing cleartext

When indexing the cleartext of an encrypted message, record any protected subject in the database, which should make it findable and visible in search. --- lib/index.cc | 42 ++ lib/message.cc | 8 +++ lib/notmuch-private.h

[PATCH 14/20] test: show cryptographic envelope information for signed mails

Make sure that we emit the correct cryptographic envelope status for cleartext signed messages. --- test/T356-protected-headers.sh| 11 ++- .../signed-protected-header.eml | 29 +++ .../protected-headers/simple-signed-mail.eml | 28

[PATCH 19/20] test: protected headers should work when both encrypted and signed.

Up to this point, we've tested protected headers on messages that have either been encrypted or signed, but not both. This adds a couple tests of signed+encrypted messages, one where the subject line is masked (outside subject line is "encrypted message") and another where it is not (outside

[PATCH 04/20] util/crypto: _notmuch_message_crypto: tracks message-wide crypto state

E-mail encryption and signatures reported by notmuch are at the MIME part level. This makes sense in the dirty details, but for users we need to have a per-message conception of the cryptographic state of the e-mail. (see https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html for more

[PATCH 13/20] test: add test for missing external subject

Adding another test to ensure that we handle it gracefully when no external subject is present. --- test/T356-protected-headers.sh| 6 .../subjectless-protected-header.eml | 29 +++ 2 files changed, 35 insertions(+) create mode 100644

[PATCH 02/20] crypto: Avoid pretending to verify signatures on unsigned encrypted mail

Unsigned encrypted mail shows up with a weird empty signature list. If we successfully decrypted and there was no signature in it, we should just not show a sigstatus at all. The documentation for g_mime_decrypt_result_get_signatures says: a GMimeSignatureList or NULL if the stream was not

[PATCH 11/20] cli/show: emit payload subject instead of outside subject

Correctly fix the two outstanding tests so that the protected (hidden) subject is properly reported. --- notmuch-client.h | 2 +- notmuch-reply.c| 4 +++- notmuch-show.c | 11 +++ test/T356-protected-headers.sh | 3 --- 4 files changed, 11

[PATCH 10/20] cli/show: add tests for viewing protected headers

Here we add several variant e-mail messages, some of which have correctly-structured protected headers, and some of which do not. The goal of the tests is to ensure that the right protected subjects get reported. --- test/T356-protected-headers.sh| 69 +++

[PATCH 20/20] test: after reindexing, only legitimate protected subjects are searchable

This test scans for all the possible protected headers (including bogus/broken ones) that are present in the protected-headers corpus, trying to make sure that only the ones that are not broken or malformed show up in a search after re-indexing. --- test/T356-protected-headers.sh | 9 + 1

[PATCH 03/20] cli/show: pass the siglist directly to the sigstatus sprinter

This makes it easier to reuse format_part_sigstatus_sprinter() when we have other places that we want to display a signature status. --- notmuch-show.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/notmuch-show.c b/notmuch-show.c index 9871159d..f0be8060 100644 ---

[PATCH 05/20] cli: expose message-wide crypto status from mime-node

The mime node context (a per-message context) gains a cryptographic status object, and the mime_node_t object itself can return a view on that status to an interested party. The status is not yet populated, and for now we can keep that view read-only, so that it can only be populated/modified

[PATCH 09/20] util/crypto: add information about the payload part

When walking the MIME tree, if we discover that we are at the cryptographic payload, then we would like to record at least the Subject header. In the future, we might want to record many other headers as well, but for now we will stick with just the Subject. See

Protected headers in notmuch

Traditionally, encrypted and signed e-mail covers only the body of the message. New standards are emerging that are capable of protecting the headers as well. In particular, Enigmail and an upcoming version of K-9 mail both use the "Memory Hole" approach to encrypt the Subject: header when

Re: [PATCH] build: Allow user to specify ruby executable

Thomas Schneider writes: > This way, one can build for a different Ruby than $PATH/ruby > (e. g. different versions, or Ruby in other paths). > > Signed-off-by: Thomas Schneider pushed to master. d ___ notmuch

Re: [PATCH] build: Allow user to specify ruby executable

On Wed, May 09 2018, Thomas Schneider wrote: > This way, one can build for a different Ruby than $PATH/ruby > (e. g. different versions, or Ruby in other paths). LGTM. Tomi > > Signed-off-by: Thomas Schneider > --- > bindings/Makefile.local | 2 +- > configure

Re: emacs: Split wide window vertically for tree mode message pane

Tomi Ollila writes: > On Wed, May 09 2018, David Bremner wrote: > >> Prof Jayanth R Varma writes: >> >>> This patch modifies the function notmuch-tree-show-message-in in >>> notmuch-tree.el to split the window vertically while creating a >>> message pane

Re: emacs: Split wide window vertically for tree mode message pane

On Wed, May 09 2018, David Bremner wrote: > Prof Jayanth R Varma writes: > >> This patch modifies the function notmuch-tree-show-message-in in >> notmuch-tree.el to split the window vertically while creating a >> message pane in tree-mode if the window is wider than 160 (so

Re: cope with inline PGP encrypted messages

Daniel Kahn Gillmor writes: > Not sure how to best > represent that in nmbug -- but for now i've removed > notmuch::needs-review and added notmuch::wip. bremner, let me know if > you think i should have done something different. I also marked the other two patches in