Ensure PGP Inline Signatures stay intact when decrypting permanently combined mails
Closed, Resolved, Public

Description

When decrypting a PGP/Inline mail permanently, GnuPG should be called with the --nowrap option to leave signature information intact. Of course, only if GnuPG supports this.

I think this might be a small patch that will be easily accepted upstream. Kai, can you add this?

kai added a comment. Aug 9 2017, 2:54 PM

You sure about that? The --nowrap doesn't seem to exist. The manpage doesn't mention it and running gpg2 with it outputs gpg: invalid option "--nowrap".

Indeed it's unwrap and not nowrap. Sorry.

kai added a comment. Aug 9 2017, 4:14 PM

OK, thanks. I just tried it on the console and adding --unwrap causes gpg to output the PGP packet that was encrypted. I guess this is intended, but from my perspective this isn't a small change. Before, a user could read his permanently decrypted mail w/o any tools; now he needs gpg to parse and display the literal data packet.

kai added a comment. Aug 9 2017, 5:47 PM

So, I had a look at the code in decrypt-data.c and proc_packets. I understand that getting gpg to output the result in a human-readable way isn't possible w/o changing a lot of code.

@aheinecke: I don't think this change will be accepted by upstream. Maybe we can make it configurable?

Ok. Let's put this problem back until we have a possibility to encrypt through filters, so that we can maybe enable this just for some kind of re-encrypt workflow.

kai added a comment. Sep 1 2017, 3:33 PM

Ok, I implemented this for Inline messages. The resulting armored literal data packet is encrypted as PGP/MIME message. I'm not sure this is what we want.

aheinecke closed this task as Resolved. Apr 19 2018, 7:32 AM
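
The thread notes that with --unwrap the output is an OpenPGP packet rather than readable text, so a tool has to parse it to reach the literal data. The following is an added example, not code from GnuPG or from this task: it walks RFC 4880 packet framing over a constructed, uncompressed signed-message sequence. The function names and sample bytes are assumptions made for illustration.

```python
# Added example: walk OpenPGP packet framing (RFC 4880) in unwrapped output.
TAGS = {2: "signature", 4: "one-pass signature", 8: "compressed data", 11: "literal data"}

def read_packets(buf):
    """Yield (tag, body) per packet; partial/indeterminate lengths are rejected."""
    pos = 0
    while pos < len(buf):
        hdr, pos = buf[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, buf[pos]
            pos += 1
            if first < 192:                  # one-octet length
                length = first
            elif first < 224:                # two-octet length
                length = ((first - 192) << 8) + buf[pos] + 192
                pos += 1
            elif first == 255:               # five-octet length
                length = int.from_bytes(buf[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body length not handled")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = 1 << ltype                # 1, 2 or 4 length octets
            length = int.from_bytes(buf[pos:pos + size], "big")
            pos += size
        if pos + length > len(buf):
            raise ValueError("truncated packet")
        yield tag, buf[pos:pos + length]
        pos += length

def literal_payload(body):
    """Skip format octet, file name and 4-octet date of a literal data packet."""
    return body[2 + body[1] + 4:]

def summarize(buf):
    return [(TAGS.get(tag, "tag %d" % tag), len(body)) for tag, body in read_packets(buf)]

# Constructed sample: the packet sequence of a signed message. The signature
# bytes are placeholders, so this shows structure only and cannot be verified.
TEXT = b"inline-signed mail body\n"
LITERAL = b"t\x00" + bytes(4) + TEXT
SAMPLE = (bytes([0xC4, 13, 3, 0x01, 8, 1]) + bytes(8) + b"\x01"   # one-pass signature
          + bytes([0xAC, len(LITERAL)]) + LITERAL                  # literal data
          + bytes([0xC2, 10, 4]) + bytes(9))                       # signature (placeholder)
```

The mail text sits between the one-pass signature packet and the signature packet, which is why the signature survives but the body is no longer plain text on disk.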