4 # - decryption/verification with signer key not available
5 # - verification of signatures from expired/revoked keys
7 test_description='PGP/MIME signature verification and decryption'
8 . ./test-lib.sh || exit 1
13 [ -d ${GNUPGHOME} ] && return
14 _gnupg_exit () { gpgconf --kill all 2>/dev/null || true; }
15 at_exit_function _gnupg_exit
16 mkdir -m 0700 "$GNUPGHOME"
17 gpg --no-tty --import <$TEST_DIRECTORY/gnupg-secret-key.asc >"$GNUPGHOME"/import.log 2>&1
18 test_debug "cat $GNUPGHOME/import.log"
19 if (gpg --quick-random --version >/dev/null 2>&1) ; then
20 echo quick-random >> "$GNUPGHOME"/gpg.conf
21 elif (gpg --debug-quick-random --version >/dev/null 2>&1) ; then
22 echo debug-quick-random >> "$GNUPGHOME"/gpg.conf
24 echo no-emit-version >> "$GNUPGHOME"/gpg.conf
27 ##################################################
30 # Change this if we ship a new test key
31 FINGERPRINT="5AEAB11F5E33DCE875DDB75B6D92612D94E46381"
33 test_begin_subtest "emacs delivery of signed message"
36 "test signed message 001" \
37 "This is a test signed message." \
38 "(mml-secure-message-sign)"'
40 test_begin_subtest "signed part content-type indexing"
41 test_subtest_known_broken
42 output=$(notmuch search mimetype:multipart/signed and mimetype:application/pgp-signature | notmuch_search_sanitize)
43 test_expect_equal "$output" "thread:XXX 2000-01-01 [1/1] Notmuch Test Suite; test signed message 001 (inbox signed)"
45 test_begin_subtest "signature verification"
46 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
47 | notmuch_json_show_sanitize \
48 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
49 expected='[[[{"id": "XXXXX",
52 "filename": ["YYYYY"],
53 "timestamp": 946728000,
54 "date_relative": "2000-01-01",
55 "tags": ["inbox","signed"],
56 "headers": {"Subject": "test signed message 001",
57 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
58 "To": "test_suite@notmuchmail.org",
59 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
61 "sigstatus": [{"status": "good",
62 "fingerprint": "'$FINGERPRINT'",
63 "created": 946728000}],
64 "content-type": "multipart/signed",
66 "content-type": "text/plain",
67 "content": "This is a test signed message.\n"},
69 "content-type": "application/pgp-signature",
70 "content-length": "NONZERO"}]}]},
72 test_expect_equal_json \
76 test_begin_subtest "detection of modified signed contents"
78 "bad signed message 001" \
79 "Incriminating stuff. This is a test signed message." \
80 "(mml-secure-message-sign)"
82 file=$(notmuch search --output=files subject:"bad signed message 001")
84 sed -i 's/Incriminating stuff. //' ${file}
86 output=$(notmuch show --format=json --verify subject:"bad signed message 001" \
87 | notmuch_json_show_sanitize \
88 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
89 expected='[[[{"id": "XXXXX",
92 "filename": ["YYYYY"],
93 "timestamp": 946728000,
94 "date_relative": "2000-01-01",
95 "tags": ["inbox","signed"],
96 "headers": {"Subject": "bad signed message 001",
97 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
98 "To": "test_suite@notmuchmail.org",
99 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
101 "sigstatus": [{"status": "bad",
102 "keyid": "'$(echo $FINGERPRINT | cut -c 25-)'"}],
103 "content-type": "multipart/signed",
104 "content": [{"id": 2,
105 "content-type": "text/plain",
106 "content": "This is a test signed message.\n"},
108 "content-type": "application/pgp-signature",
109 "content-length": "NONZERO"}]}]},
111 test_expect_equal_json \
115 test_begin_subtest "corrupted pgp/mime signature"
117 "bad signed message 002" \
118 "Incriminating stuff. This is a test signed message." \
119 "(mml-secure-message-sign)"
121 file=$(notmuch search --output=files subject:"bad signed message 002")
123 awk '/-----BEGIN PGP SIGNATURE-----/{flag=1;print;next} \
124 /-----END PGP SIGNATURE-----/{flag=0;print;next} \
125 flag{gsub(/[A-Za-z]/,"0");print}!flag{print}' $file > $file.new
130 output=$(notmuch show --format=json --verify subject:"bad signed message 002" \
131 | notmuch_json_show_sanitize \
132 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
133 expected='[[[{"id": "XXXXX",
136 "filename": ["YYYYY"],
137 "timestamp": 946728000,
138 "date_relative": "2000-01-01",
139 "tags": ["inbox","signed"],
140 "headers": {"Subject": "bad signed message 002",
141 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
142 "To": "test_suite@notmuchmail.org",
143 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
146 "content-type": "multipart/signed",
147 "content": [{"id": 2,
148 "content-type": "text/plain",
149 "content": "Incriminating stuff. This is a test signed message.\n"},
151 "content-type": "application/pgp-signature",
152 "content-length": "NONZERO"}]}]},
154 test_expect_equal_json \
158 test_begin_subtest "signature verification with full owner trust"
159 test_subtest_broken_gmime_2
160 # give the key full owner trust
161 echo "${FINGERPRINT}:6:" | gpg --no-tty --import-ownertrust >>"$GNUPGHOME"/trust.log 2>&1
162 gpg --no-tty --check-trustdb >>"$GNUPGHOME"/trust.log 2>&1
163 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
164 | notmuch_json_show_sanitize \
165 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
166 expected='[[[{"id": "XXXXX",
169 "filename": ["YYYYY"],
170 "timestamp": 946728000,
171 "date_relative": "2000-01-01",
172 "tags": ["inbox","signed"],
173 "headers": {"Subject": "test signed message 001",
174 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
175 "To": "test_suite@notmuchmail.org",
176 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
178 "sigstatus": [{"status": "good",
179 "fingerprint": "'$FINGERPRINT'",
180 "created": 946728000,
181 "userid": "Notmuch Test Suite <test_suite@notmuchmail.org> (INSECURE!)"}],
182 "content-type": "multipart/signed",
183 "content": [{"id": 2,
184 "content-type": "text/plain",
185 "content": "This is a test signed message.\n"},
187 "content-type": "application/pgp-signature",
188 "content-length": "NONZERO"}]}]},
190 test_expect_equal_json \
194 test_begin_subtest "signature verification with signer key unavailable"
195 # move the gnupghome temporarily out of the way
196 mv "${GNUPGHOME}"{,.bak}
197 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
198 | notmuch_json_show_sanitize \
199 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
200 expected='[[[{"id": "XXXXX",
203 "filename": ["YYYYY"],
204 "timestamp": 946728000,
205 "date_relative": "2000-01-01",
206 "tags": ["inbox","signed"],
207 "headers": {"Subject": "test signed message 001",
208 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
209 "To": "test_suite@notmuchmail.org",
210 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
212 "sigstatus": [{"status": "error",
213 "keyid": "'$(echo $FINGERPRINT | cut -c 25-)'",
214 "errors": {"key-missing": true}}],
215 "content-type": "multipart/signed",
216 "content": [{"id": 2,
217 "content-type": "text/plain",
218 "content": "This is a test signed message.\n"},
220 "content-type": "application/pgp-signature",
221 "content-length": "NONZERO"}]}]},
223 test_expect_equal_json \
226 mv "${GNUPGHOME}"{.bak,}
228 test_begin_subtest "emacs delivery of encrypted message with attachment"
229 # create a test encrypted message with attachment
230 cat <<EOF >TESTATTACHMENT
233 test_expect_success \
235 "test encrypted message 001" \
236 "This is a test encrypted message.\n" \
237 "(mml-attach-file \"TESTATTACHMENT\") (mml-secure-message-encrypt)"'
239 test_begin_subtest "encrypted part content-type indexing"
240 test_subtest_known_broken
241 output=$(notmuch search mimetype:multipart/encrypted and mimetype:application/pgp-encrypted and mimetype:application/octet-stream | notmuch_search_sanitize)
242 test_expect_equal "$output" "thread:XXX 2000-01-01 [1/1] Notmuch Test Suite; test encrypted message 001 (encrypted inbox)"
244 test_begin_subtest "decryption, --format=text"
245 output=$(notmuch show --format=text --decrypt subject:"test encrypted message 001" \
246 | notmuch_show_sanitize_all \
247 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
248 expected='
\fmessage{ id:XXXXX depth:0 match:1 excluded:0 filename:XXXXX
250 Notmuch Test Suite <test_suite@notmuchmail.org> (2000-01-01) (encrypted inbox)
251 Subject: test encrypted message 001
252 From: Notmuch Test Suite <test_suite@notmuchmail.org>
253 To: test_suite@notmuchmail.org
254 Date: Sat, 01 Jan 2000 12:00:00 +0000
257 \fpart{ ID: 1, Content-type: multipart/encrypted
258 \fpart{ ID: 2, Content-type: application/pgp-encrypted
259 Non-text part: application/pgp-encrypted
261 \fpart{ ID: 3, Content-type: multipart/mixed
262 \fpart{ ID: 4, Content-type: text/plain
263 This is a test encrypted message.
265 \fattachment{ ID: 5, Filename: TESTATTACHMENT, Content-type: application/octet-stream
266 Non-text part: application/octet-stream
276 test_begin_subtest "decryption, --format=json"
277 output=$(notmuch show --format=json --decrypt subject:"test encrypted message 001" \
278 | notmuch_json_show_sanitize \
279 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
280 expected='[[[{"id": "XXXXX",
283 "filename": ["YYYYY"],
284 "timestamp": 946728000,
285 "date_relative": "2000-01-01",
286 "tags": ["encrypted","inbox"],
287 "headers": {"Subject": "test encrypted message 001",
288 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
289 "To": "test_suite@notmuchmail.org",
290 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
292 "encstatus": [{"status": "good"}],
294 "content-type": "multipart/encrypted",
295 "content": [{"id": 2,
296 "content-type": "application/pgp-encrypted",
297 "content-length": "NONZERO"},
299 "content-type": "multipart/mixed",
300 "content": [{"id": 4,
301 "content-type": "text/plain",
302 "content": "This is a test encrypted message.\n"},
304 "content-type": "application/octet-stream",
305 "content-disposition": "attachment",
306 "content-length": "NONZERO",
307 "content-transfer-encoding": "base64",
308 "filename": "TESTATTACHMENT"}]}]}]},
310 test_expect_equal_json \
314 test_begin_subtest "decryption, --format=json, --part=4"
315 output=$(notmuch show --format=json --part=4 --decrypt subject:"test encrypted message 001" \
316 | notmuch_json_show_sanitize \
317 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
319 "content-type": "text/plain",
320 "content": "This is a test encrypted message.\n"}'
321 test_expect_equal_json \
325 test_begin_subtest "decrypt attachment (--part=5 --format=raw)"
330 subject:"test encrypted message 001" >OUTPUT
331 test_expect_equal_file TESTATTACHMENT OUTPUT
333 test_begin_subtest "decryption failure with missing key"
334 mv "${GNUPGHOME}"{,.bak}
335 output=$(notmuch show --format=json --decrypt subject:"test encrypted message 001" \
336 | notmuch_json_show_sanitize \
337 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
338 expected='[[[{"id": "XXXXX",
341 "filename": ["YYYYY"],
342 "timestamp": 946728000,
343 "date_relative": "2000-01-01",
344 "tags": ["encrypted","inbox"],
345 "headers": {"Subject": "test encrypted message 001",
346 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
347 "To": "test_suite@notmuchmail.org",
348 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
350 "encstatus": [{"status": "bad"}],
351 "content-type": "multipart/encrypted",
352 "content": [{"id": 2,
353 "content-type": "application/pgp-encrypted",
354 "content-length": "NONZERO"},
356 "content-type": "application/octet-stream",
357 "content-length": "NONZERO"}]}]},
359 test_expect_equal_json \
362 mv "${GNUPGHOME}"{.bak,}
364 test_begin_subtest "emacs delivery of encrypted + signed message"
365 test_expect_success \
367 "test encrypted message 002" \
368 "This is another test encrypted message.\n" \
369 "(mml-secure-message-sign-encrypt)"'
371 test_begin_subtest "decryption + signature verification"
372 test_subtest_broken_gmime_2
373 output=$(notmuch show --format=json --decrypt subject:"test encrypted message 002" \
374 | notmuch_json_show_sanitize \
375 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
376 expected='[[[{"id": "XXXXX",
379 "filename": ["YYYYY"],
380 "timestamp": 946728000,
381 "date_relative": "2000-01-01",
382 "tags": ["encrypted","inbox"],
383 "headers": {"Subject": "test encrypted message 002",
384 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
385 "To": "test_suite@notmuchmail.org",
386 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
388 "encstatus": [{"status": "good"}],
389 "sigstatus": [{"status": "good",
390 "fingerprint": "'$FINGERPRINT'",
391 "created": 946728000,
392 "userid": "Notmuch Test Suite <test_suite@notmuchmail.org> (INSECURE!)"}],
393 "content-type": "multipart/encrypted",
394 "content": [{"id": 2,
395 "content-type": "application/pgp-encrypted",
396 "content-length": "NONZERO"},
398 "content-type": "text/plain",
399 "content": "This is another test encrypted message.\n"}]}]},
401 test_expect_equal_json \
405 test_begin_subtest "reply to encrypted message"
406 output=$(notmuch reply --decrypt subject:"test encrypted message 002" \
407 | notmuch_drop_mail_headers In-Reply-To References)
408 expected='From: Notmuch Test Suite <test_suite@notmuchmail.org>
409 Subject: Re: test encrypted message 002
411 On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
412 > This is another test encrypted message.'
417 test_begin_subtest "Reply within emacs to an encrypted message"
418 test_emacs "(let ((message-hidden-headers '())
419 (notmuch-crypto-process-mime 't))
420 (notmuch-show \"subject:test.encrypted.message.002\")
423 # the empty To: is probably a bug, but it's not to do with encryption
424 grep -v -e '^In-Reply-To:' -e '^References:' -e '^Fcc:' -e 'To:' < OUTPUT > OUTPUT.clean
426 From: Notmuch Test Suite <test_suite@notmuchmail.org>
427 Subject: Re: test encrypted message 002
428 --text follows this line--
429 <#secure method=pgpmime mode=signencrypt>
430 Notmuch Test Suite <test_suite@notmuchmail.org> writes:
432 > This is another test encrypted message.
434 test_expect_equal_file EXPECTED OUTPUT.clean
436 test_begin_subtest "signature verification with revoked key"
437 # generate revocation certificate and load it to revoke key
440 Notmuch Test Suite key revocation (automated) $(date '+%F_%T%z')
445 | gpg --no-tty --quiet --command-fd 0 --armor --gen-revoke "0x${FINGERPRINT}!" 2>/dev/null \
446 | gpg --no-tty --quiet --import
447 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
448 | notmuch_json_show_sanitize \
449 | sed -e 's|"created": [1234567890]*|"created": 946728000|')
450 expected='[[[{"id": "XXXXX",
453 "filename": ["YYYYY"],
454 "timestamp": 946728000,
455 "date_relative": "2000-01-01",
456 "tags": ["inbox","signed"],
457 "headers": {"Subject": "test signed message 001",
458 "From": "Notmuch Test Suite <test_suite@notmuchmail.org>",
459 "To": "test_suite@notmuchmail.org",
460 "Date": "Sat, 01 Jan 2000 12:00:00 +0000"},
462 "sigstatus": [{"status": "error",
463 "keyid": "6D92612D94E46381",
464 "errors": {"key-revoked": true}}],
465 "content-type": "multipart/signed",
466 "content": [{"id": 2,
467 "content-type": "text/plain",
468 "content": "This is a test signed message.\n"},
470 "content-type": "application/pgp-signature",
471 "content-length": "NONZERO"}]}]},
473 test_expect_equal_json \