~rjarry/aerc-discuss

fails to decrypt message when signer public key is not available

Message ID
<kg5a7r27sb5zqggdbqvnkt63vp5qy45lg5tgrpefcv6kjpww6s@oh4mftaee6bf>
Hi,

aerc fails to decrypt a message when the signer's public key is unknown.

    $ aerc -v
    aerc 0.15.2 +notmuch (go1.21.1 amd64 linux)

    pgp-provider=gpg

Example: sr.ht PGP test email. I don't have the sr.ht public key imported into
my keychain.

    ERROR 2024/03/15 17:38:23.919299 status.go:130: gpgmail: failed to read PGP message:
    gpg: encrypted with rsa4096 key, ID 58CD9DD385D89011, created 2020-06-07, "shrik3 <shrik3@riseup.net>",
    gpg: Signature made Fri 15 Mar 2024 04:50:22 PM CET,
    gpg:                using RSA key 447B69E4B34BE90BC829A0E9659704D1A38A93AE,
    gpg: Can't check signature: No public key, 


I think in this case the message should be decrypted, with e.g. a "not verified"
icon. For example, neomutt decrypts the message and shows "problem signature".

I'm not familiar with golang, but it seems that lib/crypto/gpg/reader.go:95 simply
catches and returns all errors.

Message ID
<6bd4enxmysj4lgfy6jiu3m7iffewgqlgxqrjksygjzn22mqxx4@cly3k6ojcc6k>
In-Reply-To
<kg5a7r27sb5zqggdbqvnkt63vp5qy45lg5tgrpefcv6kjpww6s@oh4mftaee6bf>
On 24/03/15 05:50PM, shrik3 wrote:
> aerc fails to decrypt a message when the signer's public key is unknown.


It seems that the problem is with gpg: upon a missing pubkey, gpg outputs
    [GNUPG:] FAILURE gpg-exit 33554433

Example:
    GPG RET: Drew DeVault
    GPG RET: sourcehut
    GPG RET: [GNUPG:] NEWSIG
    GPG RET: [GNUPG:] ERRSIG 659704D1A38A93AE 1 8 01 1710517822 9 447B69E4B34BE90BC829A0E9659704D1A38A93AE
    GPG RET: [GNUPG:] NO_PUBKEY 659704D1A38A93AE
    GPG RET: [GNUPG:] DECRYPTION_OKAY
    GPG RET: [GNUPG:] GOODMDC
    GPG RET: [GNUPG:] END_DECRYPTION
    GPG RET: [GNUPG:] FAILURE gpg-exit 33554433


This causes parse() to catch the "FAILURE" and return an error.

Below is a possible workaround, but it doesn't look like the correct way to fix
it, and I don't know if gpg-exit 335554433 only covers the NO_PUBKEY situation.
So I'm not sending to the dev mailing list.

(Perhaps we could check the DECRYPTION_OKAY, and when it's present, ignore any
following FAILURE?)

BR,
wth.

---
 lib/crypto/gpg/gpgbin/gpgbin.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/crypto/gpg/gpgbin/gpgbin.go b/lib/crypto/gpg/gpgbin/gpgbin.go
index 69f290fd..0fe7fc3f 100644
--- a/lib/crypto/gpg/gpgbin/gpgbin.go
+++ b/lib/crypto/gpg/gpgbin/gpgbin.go
@@ -223,6 +223,10 @@ func parse(r io.Reader, md *models.MessageDetails) error {
		case "NODATA":
			md.SignatureError = "gpg: no signature packet found"
		case "FAILURE":
			if line == "[GNUPG:] FAILURE gpg-exit 33554433" {
				log.Errorf("skipping gpg failure: gpg-exit 33554433")
				break
			}
			return fmt.Errorf(strings.TrimPrefix(line, "[GNUPG:] "))
		}
	}
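
Review bot: the new check in the FAILURE case compares the whole line against "[GNUPG:] FAILURE gpg-exit 33554433", so it keys only on the exit value, and it then breaks without setting anything on md; nothing in the hunk ties the suppression to a missing public key, and after it the caller gets no error and md carries no record that signature verification did not complete. Suggest remembering earlier in the loop whether decryption was reported as successful and skipping the FAILURE only in that case, and setting md.SignatureError (as the NODATA case just above does) so the result can be shown as unverified. Smaller points: log.Errorf is a heavy level for a condition that is skipped on purpose, and the status line is better kept in a named constant with a comment saying where the value comes from than repeated as a literal.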
-- 
2.44.0
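
The idea floated in the message above (ignore a trailing FAILURE once DECRYPTION_OKAY has been seen), written out as an added example that is not part of the thread or of aerc's code. Result and parseStatus are hypothetical names, and treating DECRYPTION_FAILED and BADMDC as always fatal is an assumption of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Result is a hypothetical type for this example, not aerc's MessageDetails.
type Result struct {
	Decrypted      bool
	SignatureError string // non-empty when the signature was not verified
}

// threadStatus is a subset of the gpg status lines quoted in the thread.
const threadStatus = `[GNUPG:] NO_PUBKEY 659704D1A38A93AE
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] FAILURE gpg-exit 33554433`

// parseStatus keeps the decryption outcome apart from the signature outcome.
func parseStatus(status string) (Result, error) {
	var res Result
	failure, broken := "", false
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != "[GNUPG:]" {
			continue // not a status line
		}
		switch f[1] {
		case "DECRYPTION_OKAY":
			res.Decrypted = true
		case "DECRYPTION_FAILED", "BADMDC":
			broken = true // assumption: never recoverable
		case "NO_PUBKEY":
			res.SignatureError = "gpg: signature not verified: no public key"
		case "FAILURE":
			failure = strings.Join(f[1:], " ")
		}
	}
	if broken || (failure != "" && !res.Decrypted) {
		return Result{}, fmt.Errorf("gpg: decryption failed (%s)", failure)
	}
	if failure != "" && res.SignatureError == "" {
		res.SignatureError = "gpg: " + failure // unexplained failure stays visible
	}
	return res, nil
}

func main() { fmt.Println(parseStatus(threadStatus)) }
```

The plaintext is released only when gpg reported DECRYPTION_OKAY, and any FAILURE that is tolerated still ends up in SignatureError so the message can be displayed as unverified.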