PGP/MIME signature verification

Subject: PGP/MIME signature verification

Date: Sat, 27 Nov 2010 14:35:03 -0500

To: notmuch

Cc:

From: Daniel Kahn Gillmor


hey folks--

the signature-verification branch on my git repo [0] contains functional
PGP/MIME signature verification if you supply the --verify argument to

 notmuch show --format=json

It relies on gpg being in the path, and on the user having the signer's
key in their gnupg keyring.

The patchset depends on the MIME reorganization produced initially by
dme (and rebased against 0.5 in my mp3-on-0.5 branch).

the emacs frontend doesn't yet know how to deal with the resultant data,
so the signature verification doesn't reach the user yet.

The JSON this change produces is similar (but not identical) to my
earlier proposal on this list.

In particular, the parent MIME part (content-type: multipart/signed) is
what gets the sigstatus object, which is itself a list of signature
objects, like this:

"sigstatus": [
 {
  "created": 1290557507,
  "fingerprint": "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9",
  "status": "good"
 },
 {
  "keyid": "DEADBEEFDECAFBAD",
  "status": "bad"
 }
]

(this example shows a mime part signed by two keys, the signature from
one checking out properly, and the signature from the other failing --
most multipart/signed MIME parts will only be signed by one party)

I'd appreciate any feedback people have on the change, and any
suggestions on how to integrate its results into the emacs interface.

Also, i'm curious what i can do to make these changes more acceptable
for the mainline.  should i rebase them against mainline master?  or
demonstrate a functional merge?  i'm new to how this community likes to
use git, so pointers to suggested approaches would be welcome.

I should also note that in the course of pursuing this, i found that
GMime's upstream author is very receptive to suggestions and feedback
about crypto.  If anyone else in the notmuch community wants to make
suggestions about what we might need for future extensions in this
direction, he's probably a good resource to help us get there.

Regards,

	--dkg

[0] git://lair.fifthhorseman.net/~dkg/notmuch

signature.asc (application/pgp-signature)

Thread: