emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] MML/EPG: Add support for GnuPG's --sender option

From: Teemu Likonen
Subject: [PATCH] MML/EPG: Add support for GnuPG's --sender option
Date: Fri, 12 Jul 2019 15:21:58 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2.90 (gnu/linux) 
An already existing variable mml-secure-openpgp-sign-with-sender (if
non-nil) makes MML security to use message sender's email address to
find signer's key from GnuPG keyring.

This commit enhances the feature to also use sender's email address with
GnuPG's (gpg) --sender option to clarify which user id made the
signature. The option is useful for two reasons when verifying the
signature:

 1. GnuPG's TOFU statistics are updated for the specific user id (email)
    only

 2. GnuPG's --auto-key-retrieve functionality can use WKD (web key
    directory) method for finding the signer's key.

Quotes from gpg(1) manual page (version 2.2.17):

    --auto-key-retrieve
    --no-auto-key-retrieve
           These options enable or disable the automatic retrieving of
           keys from a keyserver when verifying signatures made by
           keys that are not on the local keyring.  The default is
           --no-auto-key-retrieve.

           The order of methods tried to lookup the key is:

    [...]

           2.  If the signature has the Signer's UID set (e.g. using
           --sender while creating the signature) a Web Key
           Directory (WKD) lookup is done.  This is the default
           configuration but can be disabled by removing WKD from the
           auto-key-locate list or by using the option
           --disable-signer-uid.

    [...]

    --sender mbox
           This option has two purposes.  mbox must either be a
           complete user id with a proper mail address or just a mail
           address.  When creating a signature this option tells gpg
           the user id of a key used to make a signature if the key
           was not directly specified by a user id.  When verifying a
           signature the mbox is used to restrict the information
           printed by the TOFU code to matching user ids.
---
 lisp/epg.el          | 8 ++++++++
 lisp/gnus/mml-sec.el | 9 +++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/lisp/epg.el b/lisp/epg.el
index 8029bf5a93..ce58c520f1 100644
--- a/lisp/epg.el
+++ b/lisp/epg.el
@@ -208,6 +208,7 @@ 'epg-error
   progress-callback
   edit-callback
   signers
+  sender
   sig-notations
   process
   output-file
@@ -1616,6 +1617,9 @@ epg-start-sign
                                     (epg-sub-key-id
                                      (car (epg-key-sub-key-list signer)))))
                             (epg-context-signers context)))
+                     (let ((sender (epg-context-sender context)))
+                       (when (stringp sender)
+                         (list "--sender" sender)))
                     (epg--args-from-sig-notations
                      (epg-context-sig-notations context))
                     (if (epg-data-file plain)
@@ -1711,6 +1715,10 @@ epg-start-encrypt
                                                signer)))))
                                 (epg-context-signers context))))
                     (if sign
+                         (let ((sender (epg-context-sender context)))
+                           (when (stringp sender)
+                             (list "--sender" sender))))
+                     (if sign
                         (epg--args-from-sig-notations
                          (epg-context-sig-notations context)))
                     (apply #'nconc
diff --git a/lisp/gnus/mml-sec.el b/lisp/gnus/mml-sec.el
index 02a27b367c..07d2028534 100644
--- a/lisp/gnus/mml-sec.el
+++ b/lisp/gnus/mml-sec.el
@@ -497,7 +497,8 @@ mml-secure-smime-encrypt-to-self
   'mml2015-sign-with-sender 'mml-secure-openpgp-sign-with-sender "25.1")
 ;mml1991-sign-with-sender did never exist.
 (defcustom mml-secure-openpgp-sign-with-sender nil
-  "If t, use message sender to find an OpenPGP key to sign with."
+  "If t, use message sender to find an OpenPGP key to sign with.
+Also use message's sender with GnuPG's --sender option."
   :group 'mime-security
   :type 'boolean)
 
@@ -913,7 +914,9 @@ mml-secure-epg-encrypt
         cipher signers)
     (when sign
       (setq signers (mml-secure-signers context signer-names))
-      (setf (epg-context-signers context) signers))
+      (setf (epg-context-signers context) signers)
+      (when mml-secure-openpgp-sign-with-sender
+        (setf (epg-context-sender context) sender)))
     (when (eq 'OpenPGP protocol)
       (setf (epg-context-armor context) t)
       (setf (epg-context-textmode context) t))
@@ -944,6 +947,8 @@ mml-secure-epg-sign
       (setf (epg-context-armor context) t)
       (setf (epg-context-textmode context) t))
     (setf (epg-context-signers context) signers)
+    (when mml-secure-openpgp-sign-with-sender
+      (setf (epg-context-sender context) sender))
     (when (mml-secure-cache-passphrase-p protocol)
       (epg-context-set-passphrase-callback
        context
-- 
2.20.1



-- 
///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=address@hidden
/  https://keybase.io/tlikonen  https://github.com/tlikonen

Attachment: signature.asc
Description: PGP signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]