S/MIME support in notmuch

Dan Bryant dan.bryant at jhuapl.edu
Wed Dec 7 18:58:03 PST 2011


I'd like to report some success on getting S/MIME signature verification
working using notmuch and the recently-released GMime 2.6. I specifically
tested with notmuch-0.10.2 and gmime-2.6.1.

The following changes were required:

1) notmuch: Apply patch from Red Hat packaging to handle API changes from
    gmime-2.4 to gmime-2.6 (see "compile error of current git on F15"
    thread from 25 November on the list)

2) notmuch: Create an S/MIME context instead of the GPG context in
    notmuch-show.c. g_mime_gpg_context_new() becomes
    g_mime_pkcs7_context_new(), and similarly for 
    g_mime_gpg_context_set_always_trust().

3) gmime:   The pkcs7 context only works with signatures of
    "application/pkcs7-signature". Per RFC2311 section C, both
    "application/pkcs7-signature" and "application/x-pkcs7-signature"
    should be treated identically. I temporarily disabled this check in
    gmime/gmime-multipart-signed.c and then gmime accepted the
    signatures. 

Next, I was always seeing signature verification errors with completely
unhelpful error messages. These turned out to be because the 'gpg-agent'
program was not running. Once I started the agent, I got prompts 
on trusting root certs and was then able to see known-valid certificates
verified in the emacs UI.

NB: I started gpg-agent with the --allow-mark-trusted option so that it
would graphically prompt me for which root certificates to trust. See
http://lists.gnupg.org/pipermail/gnupg-users/2004-September/023247.html
for more detail on some of the general setup choices for the GPG
S/MIME stack. The most useful command for debugging the underlying
S/MIME configuration was "gpgsm --list-chain --with-validation". 

I don't have submittable patches for #2/#3 yet, but I wanted to share
what I found about the scope of what actually needs to be done, which is
fairly small. (The biggest blocker is probably that Debian & other
distros haven't packaged gmime-2.6.)


Dan
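
An added example, not part of the original post and not GMime or notmuch code: one way to keep the protocol check from item 3 in place while accepting both media types, instead of disabling it. The function names are hypothetical, and the Content-Type value is assumed to be already unfolded onto one line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive match of the n bytes at a against the C string b. */
static int ieq(const char *a, size_t n, const char *b) {
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Both spellings are accepted; the match is exact, so prefixes/suffixes fail. */
int is_pkcs7_signature_type(const char *t, size_t n) {
    return ieq(t, n, "application/pkcs7-signature") ||
           ieq(t, n, "application/x-pkcs7-signature");
}

/* 1 if ct is multipart/signed and its protocol parameter is PKCS#7, else 0. */
int signed_protocol_is_pkcs7(const char *ct) {
    size_t tlen = strcspn(ct, "; \t");
    if (!ieq(ct, tlen, "multipart/signed")) return 0;
    const char *p = strchr(ct + tlen, ';');
    while (p) {
        p++;                                          /* skip ';' */
        while (*p == ' ' || *p == '\t') p++;
        const char *name = p;
        while (*p && *p != '=' && *p != ';') p++;
        if (*p != '=') { if (!*p) break; continue; }  /* parameter with no value */
        size_t nlen = (size_t)(p - name);
        const char *val = ++p;
        if (*val == '"') {          /* quoted value; backslash escapes not handled */
            val = ++p;
            while (*p && *p != '"') p++;
            if (!*p) return 0;                        /* unterminated quote: reject */
        } else {
            while (*p && *p != ';' && *p != ' ' && *p != '\t') p++;
        }
        if (ieq(name, nlen, "protocol"))
            return is_pkcs7_signature_type(val, (size_t)(p - val));
        p = strchr(p, ';');         /* p sits on the closing quote or a delimiter */
    }
    return 0;
}

int main(void) {
    /* Constructed sample header value, not taken from a real message. */
    const char *ct = "multipart/signed; protocol=\"application/x-pkcs7-signature\"; micalg=sha1";
    printf("%d\n", signed_protocol_is_pkcs7(ct));
    return 0;
}
```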



