Bug#755544: notmuch-emacs: doesn't check gpg/pgp signatures by default
David Bremner
david at tethera.net
Mon Jul 21 16:16:34 PDT 2014
Vagrant Cascadian <vagrant at debian.org> writes:
> Package: notmuch-emacs
> Version: 0.18.1-1
> Severity: important
>
> Thanks for notmuch-emacs, it's great!
>
> I did notice that it doesn't appear to check weather gpg/pgp signatures are
> valid by default.
>
> When I created a signed message to myself, made a copy of it, and then manually
> edited the text within without changing the signature...
>
> But notmuch-emacs doesn't distinguish between the valid signature
:
>
> Subject: valid gpg sig
> To: vagrant at localhost
> Date: Mon, 21 Jul 2014 15:03:45 -0700
>
> [ multipart/signed ]
> [ text/plain ]
> this should be a VALID gpg signature.
> [ signature.asc: application/pgp-signature ]
>
> And the edited text, with an invalid signature:
>
> Subject: invalid gpg sig
> To: vagrant at localhost
> Date: Mon, 21 Jul 2014 15:03:45 -0700
>
> [ multipart/signed ]
> [ text/plain ]
> this should be an INVALID gpg signature.
> [ signature.asc: application/pgp-signature ]
Hi Vagrant;
Thanks for the bug report. It seems that most of the developers
have customized the emacs variable
notmuch-crypto-process-mime to t
For the moment I suggest that as a workaround, and we'll see about
fixing the UI bug upstream.
notmuch folks: it seems that in vagrant's message, and several others I
checked, it notmuch-crypto-process-mime==nil, then no signature button
is created at all.
More information about the notmuch
mailing list