pgp: check for signing key before signing time

Check that the signing key exists when the user issues the :sign
command. The signing key ID will be displayed in the security status
also, allowing the user to see what key will be used to sign the
message.

Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: Jens Grassel <jens@wegtam.com>

5 files changed, 59 insertions, 0 deletions

diff --git a/lib/crypto/crypto.go b/lib/crypto/crypto.go
index 47eca99d..cab93462 100644
--- a/lib/crypto/crypto.go
+++ b/lib/crypto/crypto.go
@@ -19,6 +19,7 @@ type Provider interface {
 	ImportKeys(io.Reader) error
 	Init(*log.Logger) error
 	Close()
+	GetSignerKeyId(string) (string, error)
 }
 
 func New(s string) Provider {
diff --git a/lib/crypto/gpg/gpg.go b/lib/crypto/gpg/gpg.go
index 66cd3725..457788dc 100644
--- a/lib/crypto/gpg/gpg.go
+++ b/lib/crypto/gpg/gpg.go
@@ -51,6 +51,10 @@ func (m *Mail) Sign(buf *bytes.Buffer, signer string, decryptKeys openpgp.Prompt
 
 func (m *Mail) Close() {}
 
+func (m *Mail) GetSignerKeyId(s string) (string, error) {
+	return gpgbin.GetPrivateKeyId(s)
+}
+
 func handleSignatureError(e string) models.SignatureValidity {
 	if e == "gpg: missing public key" {
 		return models.UnknownEntity
diff --git a/lib/crypto/gpg/gpgbin/gpgbin.go b/lib/crypto/gpg/gpgbin/gpgbin.go
index da046f46..3ee81399 100644
--- a/lib/crypto/gpg/gpgbin/gpgbin.go
+++ b/lib/crypto/gpg/gpgbin/gpgbin.go
@@ -77,6 +77,29 @@ func getIdentity(key uint64) string {
 	return ""
 }
 
+// getKeyId returns the 16 digit key id, if key exists
+func getKeyId(s string, private bool) string {
+	cmd := exec.Command("gpg", "--with-colons", "--batch")
+	listArg := "--list-keys"
+	if private {
+		listArg = "--list-secret-keys"
+	}
+	cmd.Args = append(cmd.Args, listArg, s)
+
+	var outbuf strings.Builder
+	cmd.Stdout = &outbuf
+	cmd.Run()
+	out := strings.Split(outbuf.String(), "\n")
+	for _, line := range out {
+		if strings.HasPrefix(line, "fpr") {
+			flds := strings.Split(line, ":")
+			id := flds[9]
+			return id[len(id)-16:]
+		}
+	}
+	return ""
+}
+
 // longKeyToUint64 returns a uint64 version of the given key
 func longKeyToUint64(key string) (uint64, error) {
 	fpr := string(key[len(key)-16:])
diff --git a/lib/crypto/gpg/gpgbin/keys.go b/lib/crypto/gpg/gpgbin/keys.go
new file mode 100644
index 00000000..660ce821
--- /dev/null
+++ b/lib/crypto/gpg/gpgbin/keys.go
@@ -0,0 +1,13 @@
+package gpgbin
+
+import "fmt"
+
+// GetPrivateKeyId runs gpg --list-secret-keys s
+func GetPrivateKeyId(s string) (string, error) {
+	private := true
+	id := getKeyId(s, private)
+	if id == "" {
+		return "", fmt.Errorf("no private key found")
+	}
+	return id, nil
+}
diff --git a/lib/crypto/pgp/pgp.go b/lib/crypto/pgp/pgp.go
index 92a15ee6..e0c5671b 100644
--- a/lib/crypto/pgp/pgp.go
+++ b/lib/crypto/pgp/pgp.go
@@ -245,6 +245,24 @@ func (m *Mail) getSigner(signer string, decryptKeys openpgp.PromptFunction) (sig
 	return signerEntity, nil
 }
 
+func (m *Mail) GetSignerKeyId(s string) (string, error) {
+	var err error
+	var signerEntity *openpgp.Entity
+	switch strings.Contains(s, "@") {
+	case true:
+		signerEntity, err = m.getSignerEntityByEmail(s)
+		if err != nil {
+			return "", err
+		}
+	case false:
+		signerEntity, err = m.getSignerEntityByKeyId(s)
+		if err != nil {
+			return "", err
+		}
+	}
+	return signerEntity.PrimaryKey.KeyIdString(), nil
+}
+
 func handleSignatureError(e string) models.SignatureValidity {
 	if e == "openpgp: signature made by unknown entity" {
 		return models.UnknownEntity