Vagrant Cascadian <vagrant@debian.org> writes:

> Package: notmuch-emacs
> Version: 0.18.1-1
> Severity: important
>
> Thanks for notmuch-emacs, it's great!
>
> I did notice that it doesn't appear to check whether gpg/pgp signatures are
> valid by default.
>
> When I created a signed message to myself, made a copy of it, and then manually
> edited the text within without changing the signature...
>
> But notmuch-emacs doesn't distinguish between the valid signature:
>
> Subject: valid gpg sig
> To: vagrant@localhost
> Date: Mon, 21 Jul 2014 15:03:45 -0700
>
> [ multipart/signed ]
> [ text/plain ]
> this should be a VALID gpg signature.
> [ signature.asc: application/pgp-signature ]
>
> And the edited text, with an invalid signature:
>
> Subject: invalid gpg sig
> To: vagrant@localhost
> Date: Mon, 21 Jul 2014 15:03:45 -0700
>
> [ multipart/signed ]
> [ text/plain ]
> this should be an INVALID gpg signature.
> [ signature.asc: application/pgp-signature ]

Hi Vagrant;

Thanks for the bug report. It seems that most of the developers have
customized the emacs variable notmuch-crypto-process-mime to t.

For the moment I suggest that as a workaround, and we'll see about
fixing the UI bug upstream.

notmuch folks: it seems that in vagrant's message, and several others I
checked, if notmuch-crypto-process-mime==nil, then no signature button is
created at all.