| Commit message (Collapse) | Author | Age | Files | Lines |
|
During encryption gpg was ignoring the trust model of the user in favor of
always using the insecure "always". This change removes this override
and adds a helpful message if a user tries to encrypt a message with an
untrusted key. To revert to the previous behavior users can add
"trust-model always" to their gpg.conf file (default ~/.gnupg/gpg.conf).
Signed-off-by: Marcin Serwin <marcin@serwin.dev>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
|
Add pinentry support to GPG for signing, encrypting and decrypting
messages.
Signed-off-by: Koni Marti <koni.marti@gmail.com>
Acked-by: Robin Jarry <robin@jarry.cc>
|
golangci-lint 1.56 does not work with go 1.23. It causes obscure errors:
[linters_context/goanalysis] buildir: panic during analysis:
Cannot range over: func(yield func(K, V) bool), goroutine 4743 [running]: runtime/debug.Stack()
/usr/lib/go/src/runtime/debug/stack.go:26 +0x5e
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe.func1()
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_action.go:104 +0x5a
panic({0x164b260?, 0xc00669b4a0?})
/usr/lib/go/src/runtime/panic.go:785 +0x132
honnef.co/go/tools/go/ir.(*builder).rangeStmt(0xc000051910, 0xc00a29cf00, 0xc009bf55c0, 0x0, {0x1af1960, 0xc009bf55c0})
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2214 +0x894
honnef.co/go/tools/go/ir.(*builder).stmt(0xc000051910, 0xc00a29cf00, {0x1af6970?, 0xc009bf55c0?})
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2427 +0x20a
honnef.co/go/tools/go/ir.(*builder).stmtList(...)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:847
honnef.co/go/tools/go/ir.(*builder).stmt(0xc000051910, 0xc00a29cf00, {0x1af6880?, 0xc004f52ed0?})
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2385 +0x1415
honnef.co/go/tools/go/ir.(*builder).buildFunction(0xc000051910, 0xc00a29cf00)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2497 +0x417
honnef.co/go/tools/go/ir.(*builder).buildFuncDecl(0xc000051910, 0xc00622eea0, 0xc004f52f00)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2534 +0x189
honnef.co/go/tools/go/ir.(*Package).build(0xc00622eea0)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2638 +0xb46
sync.(*Once).doSlow(0xc009b81260?, 0xc009bf5bc0?)
/usr/lib/go/src/sync/once.go:76 +0xb4
sync.(*Once).Do(...)
/usr/lib/go/src/sync/once.go:67
honnef.co/go/tools/go/ir.(*Package).Build(...)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2556
honnef.co/go/tools/internal/passes/buildir.run(0xc000cf61a0)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/internal/passes/buildir/buildir.go:86 +0x18b
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyze(0xc002d77d70)
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_action.go:190 +0x9cd
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe.func2()
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_action.go:112 +0x17
github.com/golangci/golangci-lint/pkg/timeutils.(*Stopwatch).TrackStage(0xc0007a5c70, {0x1859190, 0x7}, 0xc001c28f48)
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/timeutils/stopwatch.go:111 +0x44
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe(0xc00212f680?)
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_action.go:111 +0x6e
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*loadingPackage).analyze.func2(0xc002d77d70)
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_loadingpackage.go:80 +0xa5
created by github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*loadingPackage).analyze in goroutine 3468
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_loadingpackage.go:75 +0x1e9
Update golangci-lint to 1.61.0 that works with go 1.23. It has new
checkers that report errors that we need to fix:
lib/crypto/gpg/gpgbin/gpgbin.go:226:22: printf: non-constant format string in call to fmt.Errorf (govet)
return fmt.Errorf(strings.TrimPrefix(line, "[GNUPG:] "))
^
worker/imap/observer.go:142:21: printf: non-constant format string in call to fmt.Errorf (govet)
Error: fmt.Errorf(errMsg),
^
app/dirlist.go:409:5: S1009: should omit nil check; len() for []string is defined as zero (gosimple)
if dirlist.dirs == nil || len(dirlist.dirs) == 0 {
^
app/dirtree.go:181:5: S1009: should omit nil check; len() for []*git.sr.ht/~rjarry/aerc/worker/types.Thread is defined as zero (gosimple)
if dt.list == nil || len(dt.list) == 0 || dt.countVisible(dt.list) < y+dt.Scroll() {
^
app/authinfo.go:30:34: printf: non-constant format string in call to (*git.sr.ht/~rjarry/aerc/lib/ui.Context).Printf (govet)
ctx.Printf(0, 0, defaultStyle, text)
^
app/authinfo.go:34:27: printf: non-constant format string in call to (*git.sr.ht/~rjarry/aerc/lib/ui.Context).Printf (govet)
ctx.Printf(0, 0, style, text)
^
app/authinfo.go:62:34: printf: non-constant format string in call to (*git.sr.ht/~rjarry/aerc/lib/ui.Context).Printf (govet)
x += ctx.Printf(x, 0, style, text)
^
Pretty much all of these errors are us passing non-const format strings
to various methods. In C land, this is a large security issue. I would
assume the same stands in Go. Thank you golangci-lint!
Link: https://builds.sr.ht/~rjarry/job/1332376#task-validate-500
Signed-off-by: Tristan Partin <tristan@partin.io>
Acked-by: Robin Jarry <robin@jarry.cc>
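
What the flagged pattern does in Go, as an added example that is not aerc's code: when external text is used as the format string, fmt rewrites any `%` sequence it finds, so the reported error no longer matches what gpg printed. The status line is constructed and the function names are hypothetical; `fmt.Errorf` is reached through a variable because govet reports the direct call.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// statusLine is a constructed gpg status line; the recipient contains "%s".
const statusLine = "[GNUPG:] INV_RECP 10 bob%sales@example.org"

// errorf is fmt.Errorf reached through a variable: govet's printf check
// reports the direct call, as in the lint output quoted above.
var errorf = fmt.Errorf

// before mirrors the flagged pattern: external text becomes the format string.
func before(line string) error {
	return errorf(strings.TrimPrefix(line, "[GNUPG:] "))
}

// after keeps the text as data, so '%' sequences are reported verbatim.
func after(line string) error {
	return errors.New(strings.TrimPrefix(line, "[GNUPG:] "))
}

// afterWrapped is the equivalent form when a constant prefix is wanted.
func afterWrapped(line string) error {
	return fmt.Errorf("gpg: %s", strings.TrimPrefix(line, "[GNUPG:] "))
}

func main() {
	fmt.Println("before: ", before(statusLine))
	fmt.Println("after:  ", after(statusLine))
	fmt.Println("wrapped:", afterWrapped(statusLine))
}
```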
|
Fix the content encoding for GPG-signed messages.
To remove the Mime-Version header field for the signed message part, the
raw message is parsed with go-message. go-message.Read(), however,
decodes the message body as well (i.e. from quoted-printable to UTF8
depending on the Content-Transfer-Encoding header). This means that the
msg.Body field now contains the decoded message (it is no longer encoded
as quoted-printable). We never encode the message back to the proper
Content-Transfer-Encoding.
To fix this, use net/mail.ReadMessage() to parse the headers and to not
decode the message body.
To verify the issue, send a signed message with the following text:
"19+1=20!"
The message will be properly signed, but the text is wrong; it shows
"19+1 !"; instead it should read "19+1=3D20!".
Fixes: 5e443bce ("gpg: fix mime-version header position")
References: https://todo.sr.ht/~rjarry/aerc/79
Signed-off-by: Koni Marti <koni.marti@gmail.com>
Tested-by: Jens Grassel <jens@wegtam.com>
Acked-by: Robin Jarry <robin@jarry.cc>
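
The encoding mismatch described in this commit message, reproduced with the standard library only (an added example, not aerc's code): `net/mail` leaves the quoted-printable body as it is on the wire, while one decoding pass followed by the recipient's own pass turns `=20` into a space. The message part is constructed, the function names are hypothetical, and `mime/quotedprintable` stands in for the decoding parser.

```go
package main

import (
	"fmt"
	"io"
	"mime/quotedprintable"
	"net/mail"
	"strings"
)

// signedPart is a constructed text part as it would be signed and sent.
const signedPart = "Content-Type: text/plain; charset=UTF-8\r\n" +
	"Content-Transfer-Encoding: quoted-printable\r\n" +
	"\r\n" +
	"19+1=3D20!\r\n"

// headerOnlyBody parses the headers with net/mail and returns the body bytes
// as they are on the wire; net/mail never applies Content-Transfer-Encoding.
func headerOnlyBody(raw string) (string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	body, err := io.ReadAll(msg.Body)
	return string(body), err
}

// qpDecode applies one quoted-printable decoding pass (a stdlib stand-in for
// a decoding parser or the recipient's mail client). The trailing line ending
// is trimmed to keep the results easy to compare.
func qpDecode(body string) (string, error) {
	out, err := io.ReadAll(quotedprintable.NewReader(strings.NewReader(body)))
	return strings.TrimRight(string(out), "\r\n"), err
}

func main() {
	wire, _ := headerOnlyBody(signedPart)
	once, _ := qpDecode(wire)  // body after a decoding parse
	twice, _ := qpDecode(once) // recipient decodes it again: "=20" is a space
	fmt.Printf("wire=%q once=%q twice=%q\n", wire, once, twice)
}
```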
|
Depending on how many signatures the public key has, it may be very
large. The key signatures are not required to verify the authenticity of
an email.
Link: https://lists.sr.ht/~rjarry/aerc-devel/%3CCZKDO3ETIOAI.1DDOYI8Z8LY5O%40cepl.eu%3E
Reported-by: Matěj Cepl <mcepl@cepl.eu>
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Matěj Cepl <mcepl@cepl.eu>
|
Some MTAs try to normalize the case of all headers (including signed
text parts headers). Unfortunately, Mime-Version can be normalized to
different casing depending on the implementation (MIME- vs Mime-).
Since the signature is computed on the whole part, including its header,
changing the case can cause the signature to become invalid.
Due to how multipart/signed messages are constructed, we need to hack
around go-message writers to intercept the writing of a text part,
compute its signature and write the actual message with the proper
headers.
Unfortunately, go-message does not allow creating a message writer that
does not insert a Mime-Version header. This causes the Mime-Version
header to be inserted in the wrong place: it is put inside the signed
text part header instead of the top-level header. Thus, it is included in
the signed content.
Make sure to remove any Mime-Version header from the signed part header.
Finally, ensure that Mime-Version is set on the top-level header so that
messages are compliant with RFC 2045.
Fixes: https://todo.sr.ht/~rjarry/aerc/143
Link: https://github.com/emersion/go-message/issues/165
Link: https://github.com/emersion/go-pgpmail/pull/15
Link: https://lists.sr.ht/~rjarry/aerc-devel/%3CCQRPF5EA0TF8.PEJ4AKCEGMFM%40fembook%3E
Changelog-fixed: `Mime-Version` is no longer inserted in signed
text parts headers. MTAs normalizing header case will not corrupt
signatures anymore.
Reported-by: Coco Liliace <chloe@liliace.dev>
Reported-by: Kirill Chibisov <contact@kchibisov.com>
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Tim Culverhouse <tim@timculverhouse.com>
|
This has nothing to do at the root of the source tree.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Bence Ferdinandy <bence@ferdinandy.com>
|
A lot of libraries are starting to use generics (introduced in go 1.18).
Restricting aerc on 1.17 prevents us from updating our dependencies.
Since 1.18 is a major milestone, it has a chance to remain supported for
a while.
Update the minimum go version to 1.18. Run go mod tidy -compat=1.18.
Update our CI to run on 1.18.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Bence Ferdinandy <bence@ferdinandy.com>
|
Use the same name as the builtin "log" package. That way, we do not
risk logging in the wrong place.
Suggested-by: Tim Culverhouse <tim@timculverhouse.com>
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Bence Ferdinandy <bence@ferdinandy.com>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
|
The main goal is to ensure that by default, the log file (if configured)
does not grow out of proportions. Most of the logging messages in aerc
are actually for debugging and/or trace purposes.
Define clear rules for logging levels. Enforce these rules everywhere.
After this patch, here is what the log file looks like after starting up
with a single account:
INFO 2022/11/24 20:26:16.147164 aerc.go:176: Starting up version 0.13.0-100-g683981479c60 (go1.18.7 amd64 linux)
INFO 2022/11/24 20:26:17.546448 account.go:254: [work] connected.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Bence Ferdinandy <bence@ferdinandy.com>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
|
Since the minimum required version of Go has been bumped to 1.16, the
deprecation of io/ioutil can now be acted upon. This commit removes the
remaining dependencies on ioutil and replaces them with their io or os
counterparts.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Robin Jarry <robin@jarry.cc>
|
Fix the following test failures:
FAIL: TestMessageInfoHandledError (0.00s)
parse_test.go:53: could not parse envelope: date parsing failed:
unrecognized date format:
FAIL: TestReader (0.07s)
gpg_test.go:27: using GNUPGHOME = /tmp/TestReader2384941142/001
reader_test.go:108: Test case: Invalid Signature
reader_test.go:112: gpg.Read() = gpgmail: failed to read PGP
message: gpg: failed to run verification: exit status 1
Fixes: 5ca6022d007b ("lint: ensure errors are at least logged (errcheck)")
Fixes: 70bfcfef4257 ("lint: work nicely with wrapped errors (errorlint)")
Signed-off-by: Robin Jarry <robin@jarry.cc>
Signed-off-by: Moritz Poldrack <moritz@poldrack.dev>
|
Error wrapping as introduced in Go 1.13 adds some additional logic to
use for comparing errors and adding information to it.
Signed-off-by: Moritz Poldrack <moritz@poldrack.dev>
Acked-by: Robin Jarry <robin@jarry.cc>
|
Signed-off-by: Moritz Poldrack <moritz@poldrack.dev>
Acked-by: Robin Jarry <robin@jarry.cc>
|
Run `make fmt`.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Robin Jarry <robin@jarry.cc>
|
Do not pass logger objects around anymore. Shuffle some messages to make
them consistent with the new logging API. Avoid using %v when a more
specific verb exists for the argument types.
The loggers are completely disabled (i.e. Sprintf is not even called)
by default. They are only enabled when redirecting stdout to a file.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
|
This makes it more explicit for non pgp compatible clients. Without
this, they may show "unnamed part" or "noname".
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
|
Fix the following error:
panic()
runtime/panic.go:838
bytes.(*Buffer).ReadFrom()
bytes/buffer.go:204
io.copyBuffer()
io/io.go:412
io.Copy()
io/io.go:385
git.sr.ht/~rjarry/aerc/lib/crypto/gpg/gpgbin.Sign()
git.sr.ht/~rjarry/aerc/lib/crypto/gpg/gpgbin/sign.go:25
git.sr.ht/~rjarry/aerc/lib/crypto/gpg.(*Signer).Close()
git.sr.ht/~rjarry/aerc/lib/crypto/gpg/writer.go:52
git.sr.ht/~rjarry/aerc/lib/crypto/gpg.multiCloser.Close()
git.sr.ht/~rjarry/aerc/lib/crypto/gpg/writer.go:92
git.sr.ht/~rjarry/aerc/widgets.(*Composer).WriteMessage()
git.sr.ht/~rjarry/aerc/widgets/compose.go:601
git.sr.ht/~rjarry/aerc/commands/compose.Send.Execute.func1()
git.sr.ht/~rjarry/aerc/commands/compose/send.go:127
Fixes: https://todo.sr.ht/~rjarry/aerc/53
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
|
A non-zero exit code from the execution of gpg during decryption would
prevent aerc from parsing the output of gpg. The output should always be
parsed. Gpg can exit with an error due to not being able to validate a
signature. Aerc handles this error with the UI, and therefore all output
should be parsed regardless of exit state of gpg. The parsing of stdout
will find the errors and report back to aerc properly.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
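
One way to apply the rule in this commit message, as an added example that is not aerc's code: the status stream is parsed first, and a non-zero exit is treated as fatal only when that stream carries nothing the UI could act on. The status lines are constructed, and `Result`, `parseStatus` and `evaluate` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Result holds what the caller needs from gpg's status stream.
type Result struct {
	Decrypted bool
	Signature string // "good", "bad", "unknown-key" or "" when none was seen
	KeyID     string
}

var sigState = map[string]string{
	"GOODSIG": "good", "BADSIG": "bad", "NO_PUBKEY": "unknown-key",
}

// parseStatus reads every "[GNUPG:] " line; it never looks at the exit code.
func parseStatus(status string) Result {
	var r Result
	for _, line := range strings.Split(status, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "[GNUPG:] ") {
			continue // human-readable gpg output, not a status record
		}
		f := strings.Fields(strings.TrimPrefix(line, "[GNUPG:] "))
		if len(f) == 0 {
			continue
		}
		switch f[0] {
		case "DECRYPTION_OKAY":
			r.Decrypted = true
		case "GOODSIG", "BADSIG", "NO_PUBKEY":
			r.Signature = sigState[f[0]]
			if len(f) > 1 {
				r.KeyID = f[1]
			}
		}
	}
	return r
}

// evaluate reports the exit error only when the status stream is unusable.
func evaluate(status string, exitErr error) (Result, error) {
	r := parseStatus(status)
	if exitErr != nil && !r.Decrypted && r.Signature == "" {
		return r, fmt.Errorf("gpg: no usable status: %w", exitErr)
	}
	return r, nil
}

func main() {
	// Constructed output: decryption worked, the signer's key is missing.
	sample := "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
	fmt.Println(evaluate(sample, errors.New("exit status 1")))
}
```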
|
Add error handling for messages that were unable to be encrypted.
Previously, messages that failed encryption would be sent with no
content. This patch adds error handling - when encryption fails, the
user is returned to the Review screen and instructed to check the public
keys for their recipients.
Reported-by: Moritz Poldrack <moritz@poldrack.dev>
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
|
Refactor lib/crypto/gpg tests to facilitate unit test runs on macOS.
macOS creates temporary directories with names too long to call
gpg-agent (108 characters). Additionally, too many concurrent test calls
created IPC errors to gpg-agent. To get around this, tests were given
shorter names and refactored into subtests to create fewer concurrent
tests.
Tested on Linux and macOS.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Robin Jarry <robin@jarry.cc>
|
Report errors as they are printed by gpg.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
|
Skip the tests if gpg is not installed.
Avoid interference with the global ~/.gnupg.
Automatically delete GNUPGHOME at the end of tests.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
|
Add compose command ("attach-key") to attach the public key associated
with the sending account. Public key is attached in ascii armor format,
with the mimetype set according to RFC 3156 ("application/pgp-keys").
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: Koni Marti <koni.marti@gmail.com>
|
Add check for public keys of all message recipients (to, cc, and bcc)
before sending the message. Adds an OnFocusLost callback to header
editors to facilitate a callback for checking keys whenever a new
recipient is added (OnChange results in too many keyring checks).
Once encryption is initially set, the callbacks are registered. If a
public key is not available for any recipient, encryption is turned off.
However, notably, the callbacks are still registered, meaning that as soon
as the user removes the recipients with missing keys, encryption is
turned back on.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: Koni Marti <koni.marti@gmail.com>
|
The gpg decrypt function was catching errors but not returning them.
This patch returns errors that are caught instead of aerc panicking.
Reported-by: ReK2 <rek2@hispagatos.org>
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: ReK2 <rek2@hispagatos.org>
Acked-by: Robin Jarry <robin@jarry.cc>
|
Check that the signing key exists when the user issues the :sign
command. The signing key ID will be displayed in the security status
also, allowing the user to see what key will be used to sign the
message.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: Jens Grassel <jens@wegtam.com>
|
This commit adds gpg system integration. This is done through two new
packages: gpgbin, which handles the system calls and parsing; and gpg
which is mostly a copy of emersion/go-pgpmail with modifications to
interface with package gpgbin. gpg includes tests for many cases, and
by its nature also tests package gpgbin. I separated these in case an
external dependency is ever used for the gpg sys-calls/parsing (i.e. we
mirror how go-pgpmail+openpgp currently are dependencies).
Two new config options are introduced:
* pgp-provider. If it is not explicitly set to "gpg", aerc will default to
its internal pgp provider
* pgp-key-id: (Optionally) specify a key by short or long keyId
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Koni Marti <koni.marti@gmail.com>
Acked-by: Robin Jarry <robin@jarry.cc>
|