tests: disable CRL checks from gpgsm

GPGME has a strange failure mode when it is in offline mode, and/or
when certificates don't have any CRLs: in particular, it refuses to
accept the validity of any certificate other than a "root" cert.

This can be worked around by setting the `disable-crl-checks`
configuration variable for gpgsm.

I've reported this to the GPGME upstream at
https://dev.gnupg.org/T4883, but I have no idea how it will be
resolved.  In the meantime, we'll just work around it.

Note that this fixes the test for verification of
id:smime-multipart-signed@protected-headers.example, because
multipart/signed messages are already handled correctly (one-part
PKCS#7 messages will get fixed later).

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This commit is contained in:
Daniel Kahn Gillmor 2020-03-19 00:15:08 -04:00 committed by David Bremner
parent b415ec06c3
commit 9055dfdae4
2 changed files with 2 additions and 2 deletions

View file

@ -157,7 +157,7 @@ test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail.
for variant in multipart-signed onepart-signed; do for variant in multipart-signed onepart-signed; do
test_begin_subtest "verify signed PKCS#7 subject ($variant)" test_begin_subtest "verify signed PKCS#7 subject ($variant)"
test_subtest_known_broken [ "$variant" = multipart-signed ] || test_subtest_known_broken
output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example") output=$(notmuch show --verify --format=json "id:smime-${variant}@protected-headers.example")
test_json_nodes <<<"$output" \ test_json_nodes <<<"$output" \
'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \ 'signed_subject:[0][0][0]["crypto"]["signed"]["headers"]=["Subject"]' \

View file

@ -144,7 +144,7 @@ add_gpgsm_home ()
echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt" echo "$fpr S relax" >> "$GNUPGHOME/trustlist.txt"
gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt gpgsm --quiet --batch --no-tty --no-common-certs-import --disable-dirmngr --import < $NOTMUCH_SRCDIR/test/smime/ca.crt
echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt" echo "4D:E0:FF:63:C0:E9:EC:01:29:11:C8:7A:EE:DA:3A:9A:7F:6E:C1:0D S" >> "$GNUPGHOME/trustlist.txt"
echo include-certs::1 | gpgconf --output /dev/null --change-options gpgsm printf '%s::1\n' include-certs disable-crl-checks | gpgconf --output /dev/null --change-options gpgsm
gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \ gpgsm --batch --no-tty --no-common-certs-import --pinentry-mode=loopback --passphrase-fd 3 \
--disable-dirmngr --import "$NOTMUCH_SRCDIR/test/smime/bob.p12" >>"$GNUPGHOME"/import.log 2>&1 3<<<'' --disable-dirmngr --import "$NOTMUCH_SRCDIR/test/smime/bob.p12" >>"$GNUPGHOME"/import.log 2>&1 3<<<''
test_debug "cat $GNUPGHOME/import.log" test_debug "cat $GNUPGHOME/import.log"