[notmuch] Handling encrypted email
micah at riseup.net
Mon Feb 15 09:55:29 PST 2010

It took me a while before I figured out how to read OpenPGP encrypted
email with the emacs interface to notmuch. I thought it would be useful
to list the steps that I go through to read encrypted email, both
for people who are wondering the same thing, but also hopefully to spur
a discussion about how to improve the process, as it is clearly
problematic and annoying.

At the moment, if you simply hit 'v' on a message that contains a
PGP/MIME encoded email part, the notmuch attachment viewer seems to do
the right thing and ask you about decrypting the message, but then it
puts the result in some mysterious place, or closes that window

However, there is a set of steps that let you work around this. It's a
pain to do, and I'm not skilled enough in elisp to know how to pull all
of that together into something that fixes the problem.

These are the steps I can go through to read encrypted email:

1. Determine if there is a PGP/MIME part, or if the message is in-line

PGP/MIME messages typically have no interesting body, although they
could, but they do have:

    Attachment: (null) (application/pgp-encrypted)
    Non-text part: application/octet-stream

If you look closer at the mime parts, you see that the above is
represented as follows:

    Content-Type: application/octet-stream; charset=UTF-8
    Content-Disposition: inline; filename=message.asc

in-line PGP messages have the encrypted chunk in the body of the message
itself, which can be seen when you view the message. It always starts
with this header:

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

and ends with this one:

    -----END PGP MESSAGE-----

(Obviously the Version line is going to be different, depending on the
implementation, but I believe it is always there with an ascii armored

2. If it is a PGP/MIME message, then you have to hit 'V' to view the
raw message, otherwise if it is in-line PGP you would skip this step
and go to 3.

3. Using emacs selection, select the region that is bounded by the
header and footer of the PGP ASCII armored blob, as described above.

4. M-x epa-decrypt-region (I think this only will work in emacs23)

5. You are asked, "Replace the original text? (y/n)", I think it is
not worth doing so, but see what you think.

6. Now the window is split in three: the original raw message from
notmuch; the result of the pgp verification of the data ("Good
signature from...") appears in a small window (this is good
information!); and then the decrypted text.

7. After reading the message, you have to kill a bunch of buffers, and
if you want to reply to the message, you have to do some annoying
return to the original message, after copying the text you wish to

So what is the desired behavior? I think that the emacs mode should
detect pgp messages, in-line or PGP/MIME and when they are viewed
(notmuch show) they should be decrypted and verified. The decrypted
text should just replace the encrypted text, and the signature
verification should also be represented in a useful way (it is very
important to know if a signed/encrypted message has a bad signature,
or doesn't verify!), and it should clean up nicely so you don't have
to kill a bunch of windows.

mutt deals with inline pgp by just looking in each message, as it is
displayed (with a display hook) for the following in the body:

    "^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE"'

For pgp/MIME, mutt enables you to set various pgp customizable commands
to make things work, however these pieces may be taken care of with

Hopefully someone can take this and run with it, improving the emacs UI
so that it is able to handle this automatically!
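
The detection step from the post (telling a PGP/MIME message from an in-line one), as an added Python example that is not part of the original post or of notmuch. The name classify_pgp and the sample messages are constructed for illustration; the example goes slightly beyond the post by undoing the Content-Transfer-Encoding before matching the armor header and by checking the RFC 3156 part layout.

```python
import re
from email import message_from_string

# Same anchor as the mutt display-hook pattern quoted in the post.
ARMOR_RE = re.compile(r"^-----BEGIN PGP (SIGNED )?MESSAGE-----", re.MULTILINE)

def classify_pgp(raw):
    """Return 'pgp-mime', 'inline-encrypted', 'inline-signed' or 'none'."""
    msg = message_from_string(raw)
    # PGP/MIME (RFC 3156): multipart/encrypted, a control part, then the
    # armored payload carried as application/octet-stream.
    if msg.get_content_type() == "multipart/encrypted" and msg.is_multipart():
        proto = (msg.get_param("protocol") or "").lower()
        types = [p.get_content_type() for p in msg.get_payload()]
        if proto == "application/pgp-encrypted" and types == [
                "application/pgp-encrypted", "application/octet-stream"]:
            return "pgp-mime"
    # In-line PGP: search the transfer-decoded body of every text part.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        found = ARMOR_RE.search(text)
        if found:
            return "inline-signed" if found.group(1) else "inline-encrypted"
    return "none"

# Constructed sample messages (placeholder body, no real ciphertext).
ARMOR = "-----BEGIN PGP MESSAGE-----\n\nplaceholder\n-----END PGP MESSAGE-----\n"
INLINE = "Content-Type: text/plain; charset=UTF-8\n\n" + ARMOR
PGP_MIME = (
    'Content-Type: multipart/encrypted; boundary="b1";\n'
    ' protocol="application/pgp-encrypted"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--b1\nContent-Type: application/octet-stream\n"
    "Content-Disposition: inline; filename=message.asc\n\n"
    + ARMOR + "--b1--\n")

if __name__ == "__main__":
    for name, raw in (("PGP/MIME", PGP_MIME), ("in-line", INLINE)):
        print(name, "->", classify_pgp(raw))
```

A caller would hand the "pgp-mime" and "inline-encrypted" cases to the decryption step and surface the signature verification result next to the decrypted text, as the post asks for.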