git.notmuchmail.org Git - notmuch/commit

author	Daniel Kahn Gillmor <dkg@fifthhorseman.net>
	Tue, 28 Apr 2020 18:57:13 +0000 (14:57 -0400)
committer	David Bremner <david@tethera.net>
	Thu, 30 Apr 2020 20:54:37 +0000 (17:54 -0300)
commit	2e351d10c2aba786656715e8334fc2296e22527d
tree	6df59cca24a640df41bd8f6b96e9fc48b2af15a1	tree \| snapshot
parent	f7921e6e1cdbfc1d16488f5b08cf3c9e2bd36b1d	commit \| diff

tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs

The documentation for message mode clearly states that EasyPG (which
uses GnuPG) is the default and recommended way to use S/MIME with
mml-secure:

[0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html

To ensure that this mode works, we just need to import the secret key
in question into gpgsm in addition to the public key.  gpgsm should be
able pick the right keys+certificates to use based on To/From headers,
so we don't have to specify anything manually in the #secure mml tag.

The import process from the OpenSSL-preferred form (cert+secretkey) is
rather ugly, because gpgsm wants to see a PKCS#12 object when
importing secret keys.

Note that EasyPG generates the more modern Content-Type:
application/pkcs7-signature instead of application/x-pkcs7-signature
for the detached signature.

We are also obliged to manually set gpgsm's include-certs setting to 1
because gpgsm defaults to send "everything but the root cert".  In our
weird test case, the certificate we're using is self-signed, so it
*is* the root cert, which means that gpgsm doesn't include it by
default.  Setting it to 1 forces inclusion of the signer's cert, which
satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878
for more details.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

test/T355-smime.sh		diff \| blob \| history
test/test-lib.el		diff \| blob \| history
test/test-lib.sh		diff \| blob \| history