Commit graph

31 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
4cb789aa09 cli/show: emit new whole-message crypto status output
This allows MUAs that don't want to think about per-mime-part
cryptographic status to have a simple high-level overview of the
message's cryptographic state.

Sensibly structured encrypted and/or signed messages will work fine
with this.  The only requirement for the simplest encryption + signing
is that the message have all of its encryption and signing protection
(the "cryptographic envelope") in a contiguous set of MIME layers at
the very outside of the message itself.

This is because messages with some subparts signed or encrypted, but
with other subparts with no cryptographic protection is very difficult
to reason about, and even harder for the user to make sense of or work
with.

For further characterization of the Cryptographic Envelope and some of
the usability tradeoffs, see here:

   https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#cryptographic-envelope
2019-05-26 08:20:23 -03:00
Daniel Kahn Gillmor
7d48604157 test/crypto: add_gnupg_home should have ultimate trust on "its own" key
The typical use case for gpg is that if you control a secret key, you
mark it with "ultimate" ownertrust.

The opaque --import-ownertrust mechanism is GnuPG's standard mechanism
to set up ultimate ownertrust (the ":6:" means "ultimate", for
whatever reason).

We adjust the test suite to match this change, inverting the sense of
one test: since the default is now that the user ID of the suite's own
key is valid, we change the test to make sure that the user ID is not
emitted when it is *not* valid.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-07 06:42:21 -03:00
Daniel Kahn Gillmor
93e699e5c8 test: simplify user ID handling
The user ID on the self-test is a little bit clunky-looking.  It also
may end up showing up elsewhere in the test suite.  Centralizing the
user ID in one place should make it easier to handle if it ever
changes, and should make tests easier to read.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-07 06:42:11 -03:00
Daniel Kahn Gillmor
9f05ceb994 test/crypto: clarify the difference between ownertrust and validity
This is a subtle difference, but the output of notmuch shouldn't ever
change based on ownertrust itself -- notmuch is intended to show valid
User IDs, and to avoid showing invalid User IDs.

It so happens that setting ownertrust of a key to ultimate sets all
associated user IDs to "full" validity, so the test is correct, but
just misnamed.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-07 06:42:01 -03:00
Daniel Kahn Gillmor
652baa6fe6 gmime-cleanup: tests should only care about gmime 3
note that "notmuch-show for message with invalid From" is still broken
in T310-emacs.sh.  It would be good to debug what's going on there and
try to get it fixed!

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:44 -03:00
Daniel Kahn Gillmor
afb0b11dcd crypto: Avoid pretending to verify signatures on unsigned encrypted mail
Unsigned encrypted mail shows up with a weird empty signature list.
If we successfully decrypted and there was no signature in it, we
should just not show a sigstatus at all.

The documentation for g_mime_decrypt_result_get_signatures says:

    a GMimeSignatureList or NULL if the stream was not signed.
2019-04-26 08:03:15 -03:00
Daniel Kahn Gillmor
22ec4a36e6 tests: move FINGERPRINT definition to add_gnupg_home
If a test has added a GnuPG homedir, it may well want to know the
fingerprint.  This saves us from having to redefine this magic string
in multiple places when more tests eventually use the GnuPG homedir.
2019-04-24 07:16:46 -03:00
David Edmondson
576cff7654 reply: Include sender as recipient if they were the original recipient
When generating a reply message, if the user was the originator and
only recipient of the original message, include the user as a
recipient of the reply.
2018-12-07 08:03:50 -04:00
Daniel Kahn Gillmor
af8255fb71 cli/reply: make --decrypt take a keyword
This brings the --decrypt argument to "notmuch reply" into line with
the other --decrypt arguments (in "show", "new", "insert", and
"reindex").  This patch is really just about bringing consistency to
the user interface.

We also use the recommended form in the emacs MUA when replying, and
update test T350 to match.
2017-12-29 16:45:55 -04:00
Daniel Kahn Gillmor
8ea4a99d74 cli/show: make --decrypt take a keyword.
We also expand tab completion for it, update the emacs bindings, and
update T350, T357, and T450 to match.

Make use of the bool-to-keyword backward-compatibility feature.
2017-12-29 16:45:46 -04:00
Jani Nikula
a863de1e43 test: use $(dirname "$0") for sourcing test-lib.sh
Don't assume the tests are always run from within the source tree.
2017-10-20 19:52:49 -03:00
Daniel Kahn Gillmor
ee5df7d7db tests: prepare for more crypto tests (using add_gnupg_home)
Move add_gnupg_home to test-lib.sh to prepare it for reuse.
2017-10-14 10:53:42 -03:00
Daniel Kahn Gillmor
f4ac5ecd5c lib: index the content-type of the parts of encrypted messages
This is a logical followup to "lib: index the content type of
signature parts", which will make it easier to record the message
structure of all messages.
2017-09-17 20:01:19 -03:00
Jani Nikula
55c047ee0b lib: index the content type of signature parts
It's useful (*) to be able to easily find messages with certain types
of signatures. Having the mimetype: prefix searches fail for some
content types is also genuinely surprising (*). Index the content type
of signature parts.

While at it, switch to the gmime convenience constants for content and
signature part indexes.

*) At least for developers of email software!
2017-09-17 20:01:00 -03:00
Jani Nikula
30c2761465 test: signed and encrypted part content type indexing
Add known broken subtests for searching signed and encrypted messages
using mimetype: prefix search for the content-types of signed and
encrypted parts.
2017-09-17 20:00:43 -03:00
David Bremner
ec37900c5f test/crypto: remove headers more robustly
In [1], Vladimir Panteleev observed that the In-Reply-To and
References headers could be wrapped in the 'default' output format of
notmuch-reply, depending on the version of Emacs creating the
message. In my own experiments notmuch-reply sometimes wraps headers
with only one message-id if that message-id is long enough. However it
happens, this causes the previous approach using grep to fail.

Since I found the proposed unwrapping shell fragment in [1] a bit hard
to follow, I decided to write a little python script instead. Then
Tomi suggested a slight generalization of my script, and here we are.

[1] id:20170817175145.3204-7-notmuch@thecybershadow.net
2017-09-03 08:06:15 -03:00
David Bremner
a58c75fdf6 test/crypto: mark extra space in userid as a bug in gmime-2.6
I can't see the space in the output of gpg -K --with-colons
2017-07-14 17:58:09 -03:00
David Bremner
87ca29b7a7 test/crypto: add test for corrupted signatures
Have an empty list of signatures is not the nicest mechanism to signal
complete failure to verify, but it's the one we currently have.
2017-07-05 07:36:20 -03:00
David Bremner
4f48ae4a5f test: add test for modified pgp/mime signed message
This is a good thing to test in any case, but particularly as we hit
the dark corners of the gmime crypto API.
2017-07-05 07:36:20 -03:00
David Bremner
e1b7d32db0 cli: implement structured output version 4
Since the error field is unused by the emacs front end, no changes are
needed other than bumping the format version number.

As it is, this is a bit overengineered, but it will reduce duplication
when we support gmime 3.0
2017-07-04 08:32:44 -03:00
Tomi Ollila
5f71a4d3e1 exit lingering gpg agents at the end of relevant tests
Since gnupg 2.1.20, gpg-agent no longer shut itself down when
$GNUPGHOME directory is removed.

Add exit hooks to the test modules which execute `gpgconf --kill all`

Add exit hooks to execute `gpgconf --kill all` in the modules that
create $GNUPGHOME for gpg to work with.
2017-05-26 07:26:06 -03:00
David Bremner
ec3937b5cd test: standardize argument order to test_expect_equal_file
It is annoying to debug failing tests when the interpretation of the
diffs is reversed for some tests.
2017-04-06 14:37:02 -03:00
Jani Nikula
d0cd253b37 test: require test_begin_subtest before test_expect_success
Unify the subtests by requiring test_begin_subtest before
test_expect_success. (Similar change for test_expect_code will
follow.)

This increases clarity in the test scripts by having a separate line
for the start of the subtest with the heading, and makes it possible
to simplify the test infrastructure by making all subtests similar.
2017-03-09 09:01:21 -04:00
Jani Nikula
ea20a932f1 cli/show: add content-disposition to structured output message parts
Help the clients decide how to display parts.

Test updates by Mark Walters <markwalters1009@gmail.com>.
One more test fix by db
2017-02-28 08:03:00 -04:00
Jani Nikula
14c60cf168 cli/show: list all filenames of a message in the formatted output
Instead of just having the first filename for the message, list all
duplicate filenames of the message as a list in the formatted
outputs. This bumps the format version to 3.
2017-02-26 07:41:33 -04:00
Daniel Kahn Gillmor
d31161c212 tests: account for varying-size cryptographic signatures
GnuPG 2.1.16 is now injecting the full issuer fingerprint in its
signatures, which makes them about 32 octets larger when
ascii-armored.

This change in size means that the size of the MIME parts will vary
depending on the version of gpg that the user has installed.  at any
rate, the signature part should be non-zero (this is true for
basically any MIME part), so we just test for that instead of an exact
size.
2016-11-24 20:22:12 -04:00
Mark Walters
a448879e49 emacs: reply: remove wrong sig/enc status buttons
This stops the (usually incorrect) sigstatus and encstatus buttons
appearing when replying in emacs, and updates the test suite to match.

Overriding the status button functions is a little unusual but much
less intrusive than passing an argument all the way down the call
chain. It also makes it clear exactly what it does.

We also hide the application/pgp-encrypted part as it can only contain
"Version: 1". We do this in notmuch show, which means it also happens
when replying.
2016-09-18 10:57:27 -03:00
David Bremner
653c5ee221 test/crypto: test reply to encrypted message in emacs
This test considers the extra output about encryption/signature status
as a bug, to be fixed in the next commit
2016-09-18 10:56:54 -03:00
David Bremner
7edded2740 test/crypto: hard code fingerprint
Originally the intent was to make the test more robust against changing
test keys. It turns out that (unscientifically) gpg --with-colons output
changes more often than our test key. Rather than making the script more
complex, just hard code the fingerprint.

This fixes Debian bug ; I expect similar test failures as other
distros adopt gnupg 2.1.15
2016-09-08 09:08:09 -03:00
Tomi Ollila
02a2eeb427 test: make script exit (1) if it "fails" to source (.) a file
The files (test) scripts source (with builtin command `.`) provides
information which the scripts depend, and without the `source` to
succeed allowing script to continue may lead to dangerous situations
(e.g. rm -rf "${undefined_variable}"/*).

At the end of all source (.) lines construct ' || exit 1' was added;
In our case the script script will exit if it cannot find (or read) the
file to be sourced. Additionally script would also exits if the last
command of the sourced file exited nonzero.
2015-08-07 21:56:39 +02:00
Tomi Ollila
a755c9d6a9 test: renamed test scripts to format T\d\d\d-name.sh
All test scripts to be executed are now named as T\d\d\d-name.sh,
numers in increments of 10.

This eases adding new tests and developers to see which are test scripts
that are executed by test suite and in which order.
2014-01-13 14:16:46 -04:00
Renamed from test/crypto (Browse further)