notmuch/test/T357-index-decryption.sh, branch 0.30

tests: mark sig verification known-broken with session keys on buggy gpgme

2020-07-03T00:23:28Z

We make use of the just-introduced configure test. Signed-off-by: Daniel Kahn Gillmor

test: signature verification during decryption (session keys)

2019-06-08T23:14:00Z

When the user knows the signer's key, we want "notmuch show" to be able to verify the signature of an encrypted and signed message regardless of whether we are using a stashed session key or not. I wrote this test because I was surprised to see signature verification failing when viewing some encrypted messages after upgrading to GPGME 1.13.0-1 in debian experimental. The added tests here all pass with GPGME 1.12.0, but the final test fails with 1.13.0, due to some buggy updates to GPGME upstream: see https://dev.gnupg.org/T3464 for more details. While the bug needs to be fixed in GPGME, notmuch's test suite needs to make sure that GMime is doing what we expect it to do; i was a bit surprised that it hadn't caught the problem, hence this patch. I've fixed this bug in debian experimental with gpgme 1.13.0-2, so the tests should pass on any debian system. I've also fixed it in the gpgme packages (1.13.0-2~ppa1) in the ubuntu xenial PPA (ppa:notmuch/notmuch) that notmuch uses for Travis CI. Signed-off-by: Daniel Kahn Gillmor

test: avoid unnecessary extraction of the test fingerprint

2019-05-10T09:56:34Z

FINGERPRINT is already exported by add_gnupg_home, so this is unnecessary. This change also happens to get rid of the superfluous check-trustdb spew from the test suite that looked like this: gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u Signed-off-by: Daniel Kahn Gillmor

emacs: test notmuch-show during message decryption

2019-05-10T09:54:50Z

We did not have a test showing what message decryption looks like within notmuch-emacs. This change gives us a baseline for future work on the notmuch-emacs interface. This differs from previous revisions of this patch in that it should be insensitive to the order in which the local filesystem readdir()s the underlying maildir. Signed-off-by: Daniel Kahn Gillmor

gmime-cleanup: always support session keys

2019-05-03T09:55:32Z

Our minimum version of GMime 3.0 always supports good session key handling. signed-off-by: Daniel Kahn Gillmor

cli/show: enable --decrypt=stash

2018-05-26T14:43:30Z

Add fancy new feature, which makes "notmuch show" capable of actually indexing messages that it just decrypted. This enables a workflow where messages can come in in the background and be indexed using "--decrypt=auto". But when showing an encrypted message for the first time, it gets automatically indexed. This is something of a departure for "notmuch show" -- in particular, because it requires read/write access to the database. However, this might be a common use case -- people get mail delivered and indexed in the background, but only want access to their secret key to happen when they're directly interacting with notmuch itself. In such a scenario, they couldn't search newly-delivered, encrypted messages, but they could search for them once they've read them. Documentation of this new feature also uses a table form, similar to that found in the description of index.decrypt in notmuch-config(1). A notmuch UI that wants to facilitate this workflow while also offering an interactive search interface might instead make use of these additional commands while the user is at the console: Count received encrypted messages (if > 0, there are some things we haven't yet tried to index, and therefore can't yet search): notmuch count tag:encrypted and \ not property:index.decryption=success and \ not property:index.decryption=failure Reindex those messages: notmuch reindex --try-decrypt=true tag:encrypted and \ not property:index.decryption=success and \ not property:index.decryption=failure

test-lib: add notmuch_show_part for "notmuch show --format=text"

2018-05-26T14:42:28Z

Thanks to David Bremner for this improved readability!

cli/show: make --decrypt take a keyword.

2017-12-29T20:45:46Z

We also expand tab completion for it, update the emacs bindings, and update T350, T357, and T450 to match. Make use of the bool-to-keyword backward-compatibility feature.

crypto: add --decrypt=nostash to avoid stashing session keys

2017-12-08T12:08:47Z

Here's the configuration choice for people who want a cleartext index, but don't want stashed session keys. Interestingly, this "nostash" decryption policy is actually the same policy that should be used by "notmuch show" and "notmuch reply", since they never modify the index or database when they are invoked with --decrypt. We take advantage of this parallel to tune the behavior of those programs so that we're not requesting session keys from GnuPG during "show" and "reply" that we would then otherwise just throw away.

crypto: actually stash session keys when decrypt=true

2017-12-08T12:08:47Z

If you're going to store the cleartext index of an encrypted message, in most situations you might just as well store the session key. Doing this storage has efficiency and recoverability advantages. Combined with a schedule of regular OpenPGP subkey rotation and destruction, this can also offer security benefits, like "deletable e-mail", which is the store-and-forward analog to "forward secrecy". But wait, i hear you saying, i have a special need to store cleartext indexes but it's really bad for me to store session keys! Maybe (let's imagine) i get lots of e-mails with incriminating photos attached, and i want to be able to search for them by the text in the e-mail, but i don't want someone with access to the index to be actually able to see the photos themselves. Fret not, the next patch in this series will support your wacky uncommon use case.