Thanks David! I updated the Wiki accordingly. This issue can be closed from my point of view.
Best,
Rainer
David Bremner <david@tethera.net> writes:
> Rainer Gemulla <rgemulla@gmx.de> writes:
>
>> Hi all,
>>
>> when a message contains an text/plain part that is signed via inline pgp and shown in notmuch-show-mode, verification of that part's signature via epa-mail-verify or epa-verify-region fails.
>>
>> The reason is that the hooks in notmuch-show-insert-text/plain-hook modify the text (and thus the signature becomes invalid). Calling notmuch-show-pipe-part with "gpg --verify" works as expected and verifies the correctness of the signature.
>>
>> Not sure what to do about this, but I find the current behavior confusing. The notmuch emacstips documentation also (implicitly) states that verification of inline pgp can be done via the epa-* functions.
>>
>
> That documentation is wiki. That means both that you should take it with
> a grain of salt, and that we welcome updates to it
>
> https://notmuchmail.org/wikiwriteaccess/
>
>> One option may be to document this behavior. Another one to add a
>> function like notmuch-crypto-verify-part (which is what I currently
>> do).
>
> I suppose that you could also customize notmuch-show-insert-text/plain-hook
>
>> And/or one may be verify each inline pgp signature part by
>> default (when crypto processing is enabled) and add a "crypto button".
>
> As far as documentation in the wiki there is a FAQ about (non) support
> for inline PGP. I think dkg (in copy) was working on decryption of
> inline PGP, but explicitely not on verifying signatures. You can read a
> summary of his issues with inline PGP signatures at
>
> https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/