RE: S/MIME support

Subject: RE: S/MIME support

Date: Mon, 9 Jul 2012 14:33:17 -0400

To: 'Jameson Graef Rollins', Notmuch Mail


From: Bryant, Daniel B.


I was able to get signature verification working with your patchset (with a caveat) but not decryption.

Signature Verification

The caveat is that GMime is still borked with handling signatures with content type application/x-pkcs7-signature (vs. application/pkcs7-signature, which works fine). This is upstream GNOME bug #674032 that was supposed to have been fixed in GMime 2.6.9, but that original fix is also broken.

One possible workaround is to twiddle the content-type of the signature part (and the corresponding protocol in the multipart/signed part). I implemented this by looping over each message part in mime_node_open() and modifying as necessary using the following logic:

    GMimeContentType *content_type = g_mime_object_get_content_type (part);

    const char *subtype = g_mime_content_type_get_media_subtype (content_type);
    const char *protocol = g_mime_content_type_get_parameter (content_type, "protocol");

    if (!strcmp(subtype, "x-pkcs7-signature")) {
        g_mime_content_type_set_media_subtype (content_type, "pkcs7-signature");

    if (protocol && !strcmp(protocol, "application/x-pkcs7-signature")) {
        g_mime_content_type_set_parameter (content_type, "protocol","application/pkcs7-signature");


All of my S/MIME encrypted mail consists of single part messages with content-type "application/x-pkcs7-mime". These conform to RFC3851, section 3.3/3.4. (sample messages are included in the RFC as well). This fails to be decrypted by notmuch because the mime node traversal code assumes that every encrypted message is multipart/encrypted, which appears to only be true for PGP/MIME.


-----Original Message-----
From: [] On Behalf Of Jameson Graef Rollins
Sent: Friday, June 29, 2012 2:38 PM
To: Notmuch Mail
Subject: S/MIME support

Hey, folks.  This patch adds S/MIME support to notmuch-show.  It's
pretty simple, now that the crypto rework [0] is complete.

I was going to wait to submit this patch until we had a test suite
(ehem, dkg!), but seeing as there has been some other interest
expressed in seeing this feature I'm going to go ahead and send it to
the list in the hopes that it might spur development of the needed


[0] id:""

notmuch mailing list