If https://dev.gnupg.org/T3464 is unresolved in the version of gpgme we are testing against, then we should know about it, because it affects the behavior of notmuch. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- configure | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 2e01034b..2caa08c8 100755 --- a/configure +++ b/configure @@ -620,6 +620,78 @@ EOF if [ -n "$TEMP_GPG" -a -d "$TEMP_GPG" ]; then rm -rf "$TEMP_GPG" fi + + # see https://dev.gnupg.org/T3464 + # there are problems verifying signatures when decrypting with session keys with GPGME 1.13.0 and 1.13.1 + printf "Checking signature verification when decrypting using session keys... " + + cat > _verify_sig_with_session_key.c <<EOF +#include <stdio.h> +#include <gmime/gmime.h> + +int main () { + GError *error = NULL; + GMimeParser *parser = NULL; + GMimeMultipartEncrypted *body = NULL; + GMimeDecryptResult *result = NULL; + GMimeSignatureList *sig_list = NULL; + GMimeSignature *sig = NULL; + GMimeObject *output = NULL; + GMimeSignatureStatus status; + int len; + + g_mime_init (); + parser = g_mime_parser_new (); + g_mime_parser_init_with_stream (parser, g_mime_stream_file_open("$srcdir/test/corpora/crypto/encrypted-signed.eml", "r", &error)); + if (error) return !! fprintf (stderr, "failed to instantiate parser with test/corpora/pkcs7/smime-onepart-signed.eml\n"); + + body = GMIME_MULTIPART_ENCRYPTED(g_mime_message_get_mime_part (g_mime_parser_construct_message (parser, NULL))); + if (body == NULL) return !! fprintf (stderr, "did not find a multipart/encrypted message\n"); + + output = g_mime_multipart_encrypted_decrypt (body, GMIME_DECRYPT_NONE, "9:13607E4217515A70EC8DF9DBC16C5327B94577561D98AD1246FA8756659C7899", &result, &error); + if (error || output == NULL) return !! fprintf (stderr, "decrypt failed\n"); + + sig_list = g_mime_decrypt_result_get_signatures (result); + if (sig_list == NULL) return !! fprintf (stderr, "sig_list is NULL\n"); + + if (sig_list == NULL) return !! fprintf (stderr, "no GMimeSignatureList found\n"); + len = g_mime_signature_list_length (sig_list); + if (len != 1) return !! fprintf (stderr, "expected 1 signature, got %d\n", len); + sig = g_mime_signature_list_get_signature (sig_list, 0); + if (sig == NULL) return !! fprintf (stderr, "no GMimeSignature found at position 0\n"); + status = g_mime_signature_get_status (sig); + if (status & GMIME_SIGNATURE_STATUS_KEY_MISSING) return !! fprintf (stderr, "signature status contains KEY_MISSING (see https://dev.gnupg.org/T3464)\n"); + + return 0; +} +EOF + if ! TEMP_GPG=$(mktemp -d "${TMPDIR:-/tmp}/notmuch.XXXXXX"); then + printf 'No.\nCould not make tempdir for testing signature verification when decrypting with session keys.\n' + errors=$((errors + 1)) + elif ${CC} ${CFLAGS} ${gmime_cflags} _verify_sig_with_session_key.c ${gmime_ldflags} -o _verify_sig_with_session_key \ + && GNUPGHOME=${TEMP_GPG} gpg --batch --quiet --import < "$srcdir"/test/gnupg-secret-key.asc \ + && rm -f ${TEMP_GPG}/private-keys-v1.d/*.key + then + if GNUPGHOME=${TEMP_GPG} ./_verify_sig_with_session_key; then + gmime_verify_with_session_key=1 + printf "Yes.\n" + else + gmime_verify_with_session_key=0 + printf "No.\n" + cat <<EOF +*** Error: GMime fails to verify signatures when decrypting with a session key. + +This is most likely due to a buggy version of GPGME, which should be fixed in 1.13.2 or later. +See https://dev.gnupg.org/T3464 for more details. +EOF + fi + else + printf 'No.\nFailed to set up gpg for testing signature verification while decrypting with a session key.\n' + errors=$((errors + 1)) + fi + if [ -n "$TEMP_GPG" -a -d "$TEMP_GPG" ]; then + rm -rf "$TEMP_GPG" + fi else have_gmime=0 printf "No.\n" @@ -1144,7 +1216,8 @@ for flag in -Wmissing-declarations; do done printf "\n\t%s\n" "${WARN_CFLAGS}" -rm -f minimal minimal.c _time_t.c _libversion.c _libversion _libversion.sh _check_session_keys.c _check_session_keys _check_x509_validity.c _check_x509_validity +rm -f minimal minimal.c _time_t.c _libversion.c _libversion _libversion.sh _check_session_keys.c _check_session_keys _check_x509_validity.c _check_x509_validity \ + _verify_sig_with_session_key.c _verify_sig_with_session_key # construct the Makefile.config cat > Makefile.config <<EOF @@ -1438,6 +1511,9 @@ NOTMUCH_DEFAULT_XAPIAN_BACKEND=${default_xapian_backend} # Whether GMime can verify X.509 certificate validity NOTMUCH_GMIME_X509_CERT_VALIDITY=${gmime_x509_cert_validity} +# Whether GMime can verify signatures when decrypting with a session key: +NOTMUCH_GMIME_VERIFY_WITH_SESSION_KEY=${gmime_verify_with_session_key} + # do we have man pages? NOTMUCH_HAVE_MAN=$((have_sphinx)) -- 2.27.0 _______________________________________________ notmuch mailing list -- notmuch@notmuchmail.org To unsubscribe send an email to notmuch-leave@notmuchmail.org