Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[David Bremner]

David Bremner  writes:

> Vagrant Cascadian  writes:
>
>> Package: notmuch-emacs
>> Version: 0.18.1-1
>> Severity: important
>>
>> Thanks for notmuch-emacs, it's great!

this bug is fixed in master / release 
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[David Edmondson]

On Tue, Jul 22 2014, David Bremner wrote:
> Jameson Graef Rollins  writes:
>
>> On Mon, Jul 21 2014, David Bremner  wrote:
>>> notmuch folks: it seems that in vagrant's message, and several others I
>>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>>> is created at all.
>>
>> Yes, this is true.  The signature button is pretty meaningless if we're
>> not processing the signature.
>>
>> Maybe instead by default we could have a signature button that opens up
>> a notmuch-crypto-process-mime customization buffer?
>>
>> jamie.
>
> looking at the source, there is supposed to be some button:

There is a button for the part (the one that says "[multipart/signed]")
and the help text is associated with that. There is no button
specifically for the signature (because no processing of the signature
took place).

It wouldn't be complicated to add a button in the case where no checking
was done. Pressing the button could (as suggested) offer up
customisation of the variable (or just open the help).

I wonder if I could make the button be "[Danger Will Robinson!!!]" in
flashing red and yellow text...

> ,
> | (defun notmuch-show-insert-part-multipart/signed (msg part content-type nth 
> depth button)
> |   (button-put button 'face 'notmuch-crypto-part-header)
> |   ;; add signature status button if sigstatus provided
> |   (if (plist-member part :sigstatus)
> |   (let* ((from (notmuch-show-get-header :From msg))
> |  (sigstatus (car (plist-get part :sigstatus
> | (notmuch-crypto-insert-sigstatus-button sigstatus from))
> | ;; if we're not adding sigstatus, tell the user how they can get it
> | (button-put button 'help-echo "Set notmuch-crypto-process-mime to 
> process cryptographic MIME parts."))
> `
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch

Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[David Bremner]

Jameson Graef Rollins  writes:

> On Mon, Jul 21 2014, David Bremner  wrote:
>> notmuch folks: it seems that in vagrant's message, and several others I
>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>> is created at all.
>
> Yes, this is true.  The signature button is pretty meaningless if we're
> not processing the signature.
>
> Maybe instead by default we could have a signature button that opens up
> a notmuch-crypto-process-mime customization buffer?
>
> jamie.

looking at the source, there is supposed to be some button:

,
| (defun notmuch-show-insert-part-multipart/signed (msg part content-type nth 
depth button)
|   (button-put button 'face 'notmuch-crypto-part-header)
|   ;; add signature status button if sigstatus provided
|   (if (plist-member part :sigstatus)
|   (let* ((from (notmuch-show-get-header :From msg))
|(sigstatus (car (plist-get part :sigstatus
|   (notmuch-crypto-insert-sigstatus-button sigstatus from))
| ;; if we're not adding sigstatus, tell the user how they can get it
| (button-put button 'help-echo "Set notmuch-crypto-process-mime to process 
cryptographic MIME parts."))
`

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[David Bremner]

Jameson Graef Rollins  writes:

> On Mon, Jul 21 2014, David Bremner  wrote:
>> notmuch folks: it seems that in vagrant's message, and several others I
>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>> is created at all.
>
> Yes, this is true.  The signature button is pretty meaningless if we're
> not processing the signature.
>
> Maybe instead by default we could have a signature button that opens up
> a notmuch-crypto-process-mime customization buffer?
>
> jamie.

looking at the source, there is supposed to be some button:

,
| (defun notmuch-show-insert-part-multipart/signed (msg part content-type nth 
depth button)
|   (button-put button 'face 'notmuch-crypto-part-header)
|   ;; add signature status button if sigstatus provided
|   (if (plist-member part :sigstatus)
|   (let* ((from (notmuch-show-get-header :From msg))
|(sigstatus (car (plist-get part :sigstatus
|   (notmuch-crypto-insert-sigstatus-button sigstatus from))
| ;; if we're not adding sigstatus, tell the user how they can get it
| (button-put button 'help-echo "Set notmuch-crypto-process-mime to process 
cryptographic MIME parts."))
`
___
notmuch mailing list
notmuch@notmuchmail.org
http://notmuchmail.org/mailman/listinfo/notmuch

Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[Daniel Kahn Gillmor]

On 07/22/2014 12:30 AM, Daniel Kahn Gillmor wrote:
> On 07/21/2014 09:03 PM, Jameson Graef Rollins wrote:
>> On Mon, Jul 21 2014, David Bremner  wrote:
>>> notmuch folks: it seems that in vagrant's message, and several others I
>>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>>> is created at all.
>>
>> Yes, this is true.  The signature button is pretty meaningless if we're
>> not processing the signature.
>>
>> Maybe instead by default we could have a signature button that opens up
>> a notmuch-crypto-process-mime customization buffer?
> 
> Or the button could just re-load the current view while processing the
> signature, and send "you can customize notmuch-crypt-process-mime to do
> this automatically in the future" to *Messages*.

Oh, and it seems like in the case where no verification or PGP/MIME
procesing was done, we need to make it a *lot* clearer to the user that
no signature verification was done.

--dkg

-- next part --
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: 

Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[Daniel Kahn Gillmor]

On 07/21/2014 09:03 PM, Jameson Graef Rollins wrote:
> On Mon, Jul 21 2014, David Bremner  wrote:
>> notmuch folks: it seems that in vagrant's message, and several others I
>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>> is created at all.
> 
> Yes, this is true.  The signature button is pretty meaningless if we're
> not processing the signature.
> 
> Maybe instead by default we could have a signature button that opens up
> a notmuch-crypto-process-mime customization buffer?

Or the button could just re-load the current view while processing the
signature, and send "you can customize notmuch-crypt-process-mime to do
this automatically in the future" to *Messages*.

--dkg

-- next part --
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: 

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[Daniel Kahn Gillmor]

On 07/22/2014 12:30 AM, Daniel Kahn Gillmor wrote:
> On 07/21/2014 09:03 PM, Jameson Graef Rollins wrote:
>> On Mon, Jul 21 2014, David Bremner  wrote:
>>> notmuch folks: it seems that in vagrant's message, and several others I
>>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>>> is created at all.
>>
>> Yes, this is true.  The signature button is pretty meaningless if we're
>> not processing the signature.
>>
>> Maybe instead by default we could have a signature button that opens up
>> a notmuch-crypto-process-mime customization buffer?
> 
> Or the button could just re-load the current view while processing the
> signature, and send "you can customize notmuch-crypt-process-mime to do
> this automatically in the future" to *Messages*.

Oh, and it seems like in the case where no verification or PGP/MIME
procesing was done, we need to make it a *lot* clearer to the user that
no signature verification was done.

--dkg



signature.asc
Description: OpenPGP digital signature
___
notmuch mailing list
notmuch@notmuchmail.org
http://notmuchmail.org/mailman/listinfo/notmuch

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[Daniel Kahn Gillmor]

On 07/21/2014 09:03 PM, Jameson Graef Rollins wrote:
> On Mon, Jul 21 2014, David Bremner  wrote:
>> notmuch folks: it seems that in vagrant's message, and several others I
>> checked, it notmuch-crypto-process-mime==nil, then no signature button
>> is created at all.
> 
> Yes, this is true.  The signature button is pretty meaningless if we're
> not processing the signature.
> 
> Maybe instead by default we could have a signature button that opens up
> a notmuch-crypto-process-mime customization buffer?

Or the button could just re-load the current view while processing the
signature, and send "you can customize notmuch-crypt-process-mime to do
this automatically in the future" to *Messages*.

--dkg



signature.asc
Description: OpenPGP digital signature
___
notmuch mailing list
notmuch@notmuchmail.org
http://notmuchmail.org/mailman/listinfo/notmuch

Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[David Bremner]

Vagrant Cascadian  writes:

> Package: notmuch-emacs
> Version: 0.18.1-1
> Severity: important
>
> Thanks for notmuch-emacs, it's great!
>
> I did notice that it doesn't appear to check weather gpg/pgp signatures are
> valid by default.
>
> When I created a signed message to myself, made a copy of it, and then 
> manually
> edited the text within without changing the signature...
>
> But notmuch-emacs doesn't distinguish between the valid signature
:
>
>   Subject: valid gpg sig
>   To: vagrant at localhost
>   Date: Mon, 21 Jul 2014 15:03:45 -0700
>   
>   [ multipart/signed ]
>   [ text/plain ]
>   this should be a VALID gpg signature.
>   [ signature.asc: application/pgp-signature ]
>
> And the edited text, with an invalid signature:
>
>   Subject: invalid gpg sig
>   To: vagrant at localhost
>   Date: Mon, 21 Jul 2014 15:03:45 -0700
>   
>   [ multipart/signed ]
>   [ text/plain ]
>   this should be an INVALID gpg signature.
>   [ signature.asc: application/pgp-signature ]

Hi Vagrant;

Thanks for the bug report.  It seems that most of the developers
have customized the emacs variable

notmuch-crypto-process-mime to t

For the moment I suggest that as a workaround, and we'll see about
fixing the UI bug upstream.

notmuch folks: it seems that in vagrant's message, and several others I
checked, it notmuch-crypto-process-mime==nil, then no signature button
is created at all.

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[Jameson Graef Rollins]

On Mon, Jul 21 2014, David Bremner  wrote:
> notmuch folks: it seems that in vagrant's message, and several others I
> checked, it notmuch-crypto-process-mime==nil, then no signature button
> is created at all.

Yes, this is true.  The signature button is pretty meaningless if we're
not processing the signature.

Maybe instead by default we could have a signature button that opens up
a notmuch-crypto-process-mime customization buffer?

jamie.


pgpp50bMyggRM.pgp
Description: PGP signature
___
notmuch mailing list
notmuch@notmuchmail.org
http://notmuchmail.org/mailman/listinfo/notmuch

Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[Jameson Graef Rollins]

On Mon, Jul 21 2014, David Bremner  wrote:
> notmuch folks: it seems that in vagrant's message, and several others I
> checked, it notmuch-crypto-process-mime==nil, then no signature button
> is created at all.

Yes, this is true.  The signature button is pretty meaningless if we're
not processing the signature.

Maybe instead by default we could have a signature button that opens up
a notmuch-crypto-process-mime customization buffer?

jamie.
-- next part --
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: 

Re: Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default

[David Bremner]

Vagrant Cascadian  writes:

> Package: notmuch-emacs
> Version: 0.18.1-1
> Severity: important
>
> Thanks for notmuch-emacs, it's great!
>
> I did notice that it doesn't appear to check weather gpg/pgp signatures are
> valid by default.
>
> When I created a signed message to myself, made a copy of it, and then 
> manually
> edited the text within without changing the signature...
>
> But notmuch-emacs doesn't distinguish between the valid signature
:
>
>   Subject: valid gpg sig
>   To: vagrant@localhost
>   Date: Mon, 21 Jul 2014 15:03:45 -0700
>   
>   [ multipart/signed ]
>   [ text/plain ]
>   this should be a VALID gpg signature.
>   [ signature.asc: application/pgp-signature ]
>
> And the edited text, with an invalid signature:
>
>   Subject: invalid gpg sig
>   To: vagrant@localhost
>   Date: Mon, 21 Jul 2014 15:03:45 -0700
>   
>   [ multipart/signed ]
>   [ text/plain ]
>   this should be an INVALID gpg signature.
>   [ signature.asc: application/pgp-signature ]

Hi Vagrant;

Thanks for the bug report.  It seems that most of the developers
have customized the emacs variable

notmuch-crypto-process-mime to t

For the moment I suggest that as a workaround, and we'll see about
fixing the UI bug upstream.

notmuch folks: it seems that in vagrant's message, and several others I
checked, it notmuch-crypto-process-mime==nil, then no signature button
is created at all.
___
notmuch mailing list
notmuch@notmuchmail.org
http://notmuchmail.org/mailman/listinfo/notmuch