Re: SMIME signature verification patches, v4

Date: Thu, 28 Jan 2016 01:56:05 -0500

To: David Bremner, notmuch@notmuchmail.org

From: Daniel Kahn Gillmor


On Sun 2016-01-24 11:21:14 -0500, David Bremner wrote:
> This is a simple rebase of
>
>      id:1450100337-31655-1-git-send-email-david@tethera.net
>
> The first 3 patches of that series are now in master.

FWIW, i'm now running with this patch series, and i can verify S/MIME
signatures with it.

When verifying a correct signature, though, the only thing i seem to get
in notmuch-emacs (or in the notmuch show --verify output) is the view of
some kind of fingerprint of the key, with no human-readable name or
e-mail address associated with it.

for example:

                  "sigstatus" : [
                     {
                        "created" : 1453962340,
                        "status" : "good",
                        "fingerprint" : "3E65C58C306C1C42CA5056903B4E6C3C7DF15AD8",
                        "expires" : 1485215999
                     }
                  ],

whereas the OpenPGP PGP/MIME cleartext signature shows:

                 "sigstatus" : [
                     {
                        "status" : "good",
                        "userid" : " Daniel Kahn Gillmor <dkg@fifthhorseman.net>",
                        "fingerprint" : "EDB2E74F56FCF2B67297B73524ECFF5AFF68370A",
                        "created" : 1453925746
                     }

This lack of userid may be a function of my own S/MIME setup (i'm not sure
whether i've got the keys and certs set up exactly right), or of a
failure in gmime's pkcs7 signature handling code.  But this is an
improvement over the unpatched notmuch anyway.

Note that none of this deals with S/MIME-enveloped (encrypted) e-mails
yet either.

My e-mail certificates and things are now set up within emacs (i'm using
EPG instead of openssl) -- i should be able to sign this mail,
and anyone else running this series should be able to verify it.

I've rebased my own crypto series (indexing cleartext) on top of this
series, and it also works fine (though there were a few commits that
were tricky to rebase).  I'd like it if this S/MIME patch series would
get upstreamed!

    --dkg
smime.p7s (application/pkcs7-signature)
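
An added example, not part of the original message and not notmuch code: a checker that walks decoded JSON, finds every `sigstatus` entry, and separates "good" signatures that carry a `userid` from those that expose only a fingerprint, as in the two outputs quoted above. The surrounding nesting of the sample, the label strings and the function names are assumptions made for illustration.

```python
import json

# Constructed input: a simplified tree shaped like JSON output, holding the two
# sigstatus entries quoted in the message above (the nesting is an assumption).
SAMPLE = json.loads("""
[
  {"id": "smime-signed", "body": [{"content-type": "multipart/signed",
    "sigstatus": [{"created": 1453962340, "status": "good",
      "fingerprint": "3E65C58C306C1C42CA5056903B4E6C3C7DF15AD8",
      "expires": 1485215999}]}]},
  {"id": "pgp-signed", "body": [{"content-type": "multipart/signed",
    "sigstatus": [{"status": "good",
      "userid": " Daniel Kahn Gillmor <dkg@fifthhorseman.net>",
      "fingerprint": "EDB2E74F56FCF2B67297B73524ECFF5AFF68370A",
      "created": 1453925746}]}]}
]
""")


def iter_sigstatus(node):
    """Yield every sigstatus entry found at any depth of the decoded JSON."""
    if isinstance(node, dict):
        for entry in node.get("sigstatus") or []:
            yield entry
        for key, value in node.items():
            if key != "sigstatus":
                yield from iter_sigstatus(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_sigstatus(value)


def classify(entry, now):
    """Label one entry by what a reader can actually conclude from it."""
    if entry.get("status") != "good":
        return "not-good"
    expires = entry.get("expires")
    if expires is not None and expires < now:
        return "good-expires-in-past"
    if not (entry.get("userid") or "").strip():
        # Valid signature, but nothing to compare against the From: header.
        return "good-no-identity"
    return "good-with-identity"


def report(tree, now):
    """Return (fingerprint, label) for each signature, in document order."""
    return [(e.get("fingerprint"), classify(e, now)) for e in iter_sigstatus(tree)]


if __name__ == "__main__":
    # now = the message's Date: header expressed as a Unix timestamp
    for fingerprint, label in report(SAMPLE, now=1453964165):
        print(fingerprint, label)
```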