On Friday, August 1, 2003, at 06:10, you wrote:
> It would be nice if there were an option in TMDA to allow messages signed by
> an S/MIME digital signature to pass through without requiring
> challenge/response.
This is relatively easy to do with the pipe option and some Python
code like (code untested, unsafe and written from memory):
--------------
import os
import re
import subprocess
import sys
import tempfile
import email

# Read the message TMDA pipes to us on stdin. The legacy (compat32) policy,
# the default for this call, keeps headers as they arrived, which matters
# because the bytes we hand to gpg must match what the sender hashed.
msg = email.message_from_binary_file(sys.stdin.buffer)

verified = False
if msg.is_multipart() and msg.get_content_subtype() == "signed":
    parts = msg.get_payload()
    if len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature":
        # RFC 3156: the signed data is the first body part, headers included,
        # canonicalised to CRLF line endings; the second part is the detached
        # armoured signature. Re-serialising through the email package can
        # still differ from the wire bytes (e.g. refolded headers), which
        # shows up as a spurious BADSIG.
        signed = parts[0].as_bytes().replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
        sig = parts[1].get_payload(decode=True)
        with tempfile.TemporaryDirectory() as tmp:
            fn = os.path.join(tmp, "data")
            sn = os.path.join(tmp, "data.sig")
            with open(fn, "wb") as f:
                f.write(signed)
            with open(sn, "wb") as s:
                s.write(sig)
            # --status-fd 1 sends the machine-readable "[GNUPG:] ..." lines
            # to stdout; the human-readable chatter on stderr is dropped.
            proc = subprocess.run(
                ["gpg", "--batch", "--verify", "--status-fd", "1", sn, fn],
                stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
            output = proc.stdout.decode("utf-8", "replace")
        # Each regex only tests for the presence of at least one
        # good/bad/err/expired sig; a message can be signed by more than
        # one person, so these are per-keyword, not per-signature.
        goodsig = re.search(r"^\[GNUPG:\] GOODSIG ", output, re.M)
        badsig = re.search(r"^\[GNUPG:\] BADSIG ", output, re.M)
        errsig = re.search(r"^\[GNUPG:\] ERRSIG ", output, re.M)
        expsig = re.search(r"^\[GNUPG:\] (SIGEXPIRED|EXPSIG|EXPKEYSIG) ", output, re.M)
        # goodsig matches if a signature verified against a key in the
        # keyring (any key in the keyring, not just people you know).
        # badsig means the signature did not verify; errsig means gpg could
        # not even try (unknown key, unsupported algorithm). expsig means
        # the signature or key has expired. Pass only when nothing went
        # wrong on any signature. See DETAILS.gz in the gnupg distribution
        # for the full list; add a VALIDSIG fingerprint check to allow
        # specific sig/owner checks.
        verified = bool(goodsig) and not (badsig or errsig or expsig)

# TMDA's pipe source treats exit status 0 as a match (check the filter
# documentation for your version), so 0 lets the message through.
sys.exit(0 if verified else 1)
--------------
You can then use something like (I can't remember the syntax here and
my return statuses may be the wrong way around above):
pipe "/path/to/python /path/to/verify.py" ok
if your default is to confirm.
Note this only works for RFC-compliant MIME-encoded PGP messages. You
can do something similar for non-compliant messages with a different
gpg command line.
I've got a working version of this code on my machine at home, but I
can't get to it for a week or so (builders are in). I can post it to
the list later.
Marcus
--
Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
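The part of Marcus's script that decides whether gpg's status report vouches for the message is where the real checks belong, and the post only hints at them ("check combinations", "specific sig/owner checks"). The following is an added example, not Marcus's script and not TMDA code: it parses the `[GNUPG:]` status lines as laid out in GnuPG's DETAILS file and applies the combination rules a practitioner would want, namely every signature must be good, an optional allow list of key fingerprints (taken from VALIDSIG, so a subkey signature matches its primary key), and an optional requirement that gpg rated the key fully or ultimately trusted. The status reports and fingerprints below are constructed by hand for the demo, and the mapping to an exit status assumes TMDA's pipe filter treats exit 0 as a match; both are assumptions, not facts from the post.

```python
"""Decide whether a gpg --status-fd report vouches for a message."""
import re
from collections import Counter

# One status record per line: "[GNUPG:] KEYWORD arg arg ..." (GnuPG's
# doc/DETAILS documents every keyword and its fields).
STATUS_LINE = re.compile(r"^\[GNUPG:\] (?P<kw>[A-Z_]+)(?: (?P<args>.*))?$", re.M)

# Any of these on any signature means the message must not be waved through.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                   "NO_PUBKEY", "SIGEXPIRED", "KEYEXPIRED", "KEYREVOKED"}
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_status(output):
    """Return [(keyword, [args...]), ...] in the order gpg emitted them."""
    return [(m.group("kw"), (m.group("args") or "").split())
            for m in STATUS_LINE.finditer(output)]


def signature_verdict(output, allowed_fingerprints=None, require_trust=False):
    """Return (ok, reason) for one gpg status report.

    ok is True only when at least one GOODSIG is present, no signature is
    bad, unverifiable, expired or revoked, and (when asked for) one good
    signature comes from an allowed key / a fully trusted key.
    """
    counts = Counter()
    good = []  # one dict per VALIDSIG, in emission order
    for kw, args in parse_status(output):
        counts[kw] += 1
        if kw == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; args[9], when
            # present, is the primary key fingerprint. Accept either.
            primary = args[9] if len(args) > 9 else args[0]
            good.append({"fprs": {args[0], primary}, "primary": primary,
                         "trust": None})
        elif kw.startswith("TRUST_") and good:
            good[-1]["trust"] = kw  # TRUST_* follows the VALIDSIG it rates

    rejected = sorted(kw for kw in counts if kw in REJECT_KEYWORDS)
    if rejected:
        return False, "rejected: " + ", ".join(rejected)
    if counts["GOODSIG"] == 0:
        return False, "no good signature"
    for entry in good:
        if allowed_fingerprints is not None and not (entry["fprs"] & allowed_fingerprints):
            continue
        if require_trust and entry["trust"] not in ACCEPTED_TRUST:
            continue
        return True, "good signature from " + entry["primary"]
    if allowed_fingerprints is None and not require_trust:
        return True, "good signature"  # older gpg: GOODSIG without VALIDSIG
    return False, "good signature, but not from an allowed or trusted key"


def tmda_exit_status(output, allowed_fingerprints=None, require_trust=False):
    """Exit status for a TMDA pipe filter (assumption: exit 0 == match)."""
    ok, _ = signature_verdict(output, allowed_fingerprints, require_trust)
    return 0 if ok else 1


# Constructed sample reports (made-up keys; field layout per DETAILS).
ALICE_PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
ALICE_SUBKEY = "89ABCDEF89ABCDEF89ABCDEF89ABCDEF89ABCDEF"
BOB_PRIMARY = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
GOOD_ONE = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>
[GNUPG:] VALIDSIG {ALICE_SUBKEY} 2003-08-01 1059718800 0 4 0 1 8 00 {ALICE_PRIMARY}
[GNUPG:] TRUST_FULLY 0 pgp
"""
BAD_ONE = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Alice Example <alice@example.org>
"""
MIXED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1059718800 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
""" + GOOD_ONE
STRANGER = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1122334455667788 Bob <bob@example.net>
[GNUPG:] VALIDSIG {BOB_PRIMARY} 2003-08-01 1059718800 0 4 0 1 8 00 {BOB_PRIMARY}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for name, report in [("good", GOOD_ONE), ("bad", BAD_ONE),
                         ("mixed", MIXED), ("stranger", STRANGER)]:
        print(name, signature_verdict(report, {ALICE_PRIMARY}, require_trust=True))
```

Wired into the script above, `sys.exit(tmda_exit_status(output, allowed))` replaces the single GOODSIG test; the allow list is what turns "somebody with a key in my keyring signed this" into "a correspondent I chose signed this", which is the property a challenge/response bypass actually needs.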