mail-gpg 0.1.7 → 0.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 431a878dcca05522a519c9edca6a42e658c9b0c2
+  data.tar.gz: 18f9aeb942581062f8644e14391520d825829473
+SHA512:
+  metadata.gz: baf5ef3a729d141a0d76d1fe1466a8cbbdc954e373af0c23e58020d64933af087cf3839a1ff6bdc9ccfebaa539aa2af5026b6c543848998912344361718a3163
+  data.tar.gz: 0052629db9f5c1a595c10d2dbf491be5f9544ae0fdb37b7541437bb2bf4866f559a9f7cd98d235d9cd414494e049905069c7dd730181d9fb749deec277943eaa

data/History.txt

@@ -1,3 +1,14 @@
+== 0.2.1 2014-07-23
+
+* keep original message id if set
+
+== 0.2.0 2014-07-16
+
+* implement signature verification for inline signed messages
+* make signature verification more consistent with decryption by providing
+  Mail::Message#verify which strips raw signature data and initializes verify_result member.
+* add Mail::Message#signatures as an easy way to retrieve all signatures on a Message
+
 == 0.1.7 2014-06-03
 
 * preserve References: header

data/README.md

@@ -119,14 +119,28 @@ Receive the mail as usual. Check if it is signed using the `signed?` method. Che
 ```ruby
 mail = Mail.first
 if !mail.encrypted? && mail.signed?
-  # do not call signed on encrypted mails. The signature on encrypted mails
-  # must be checked by setting the :verify option when decrypting
-  puts "signature(s) valid: #{mail.signature_valid?}"
+  verified = mail.verify
+  puts "signature(s) valid: #{verified.signature_valid?}"
+  puts "message signed by: #{verified.signatures.map{|sig|sig.from}.join("\n")}"
 end
 ```
 
-Note that for encrypted mails the signatures can not be checked using these methods. For encrypted mails
-the `:verify` option for the `decrypt` operation must be used instead.
+Note that for encrypted mails the signatures can not be checked using these
+methods. For encrypted mails the `:verify` option for the `decrypt` operation
+must be used instead:
+
+```ruby
+if mail.encrypted?
+  decrypted = mail.decrypt(verify: true, password: 's3cr3t')
+  puts "signature(s) valid: #{decrypted.signature_valid?}"
+  puts "message signed by: #{decrypted.signatures.map{|sig|sig.from}.join("\n")}"
+end
+```
+
+It's important to actually use the information contained in the `signatures`
+array to check if the message really has been signed by the person that you (or
+your users) think is the sender - usually by comparing the key id of the
+signature with the key id of the expected sender.
 
 ### Key import from public key servers
 
@@ -201,5 +215,7 @@ around with your personal gpg keychain.
 
 Thanks to:
 
+* [Planio GmbH](https://plan.io) for sponsoring the ongoing maintenance and development of this library
 * [morten-andersen](https://github.com/morten-andersen) for implementing decryption support for PGP/MIME and inline encrypted messages
-* [FewKinG](https://github.com/FewKinG) for implementing the sign only featur and keyserver url lookup
+* [FewKinG](https://github.com/FewKinG) for implementing the sign only feature and keyserver url lookup
+* [Fup Duck](https://github.com/duckdalbe) for various tweaks and fixes

data/lib/mail/gpg.rb

@@ -3,6 +3,7 @@ require 'mail/message'
 require 'gpgme'
 
 require 'mail/gpg/version'
+require 'mail/gpg/missing_keys_error'
 require 'mail/gpg/version_part'
 require 'mail/gpg/decrypted_part'
 require 'mail/gpg/encrypted_part'
@@ -11,6 +12,8 @@ require 'mail/gpg/gpgme_helper'
 require 'mail/gpg/message_patch'
 require 'mail/gpg/rails'
 require 'mail/gpg/signed_part'
+require 'mail/gpg/mime_signed_message'
+require 'mail/gpg/inline_signed_message'
 
 module Mail
   module Gpg
@@ -71,6 +74,8 @@ module Mail
     def self.signature_valid?(signed_mail, options = {})
       if signed_mime?(signed_mail)
         signature_valid_pgp_mime?(signed_mail, options)
+      elsif signed_inline?(signed_mail)
+        signature_valid_inline?(signed_mail, options)
       else
         raise EncodingError, "Unsupported signature format '#{signed_mail.content_type}'"
       end
@@ -108,6 +113,9 @@ module Mail
             self.header[field] = h.value
           end
         end
+        if cleartext_mail.message_id
+          header['Message-ID'] = cleartext_mail['Message-ID'].value
+        end
         cleartext_mail.header.fields.each do |field|
           if MORE_HEADERS.include?(field.name) or field.name =~ /^X-/
             header[field.name] = field.value
@@ -126,7 +134,8 @@ module Mail
       if !VersionPart.isVersionPart? encrypted_mail.parts[0]
         raise EncodingError, "RFC 3136 first part not a valid version part '#{encrypted_mail.parts[0]}'"
       end
-      Mail.new(DecryptedPart.new(encrypted_mail.parts[1], options)) do
+      decrypted = DecryptedPart.new(encrypted_mail.parts[1], options)
+      Mail.new(decrypted) do
         %w(from to cc bcc subject reply_to in_reply_to).each do |field|
           send field, encrypted_mail.send(field)
         end
@@ -136,6 +145,7 @@ module Mail
         encrypted_mail.header.fields.each do |field|
           header[field.name] = field.value if field.name =~ /^X-/ && header[field.name].nil?
         end
+        verify_result decrypted.verify_result if options[:verify]
       end
     end
 
@@ -144,15 +154,49 @@ module Mail
       InlineDecryptedMessage.new(encrypted_mail, options)
     end
 
+    def self.verify(signed_mail, options = {})
+      if signed_mime?(signed_mail)
+        Mail::Gpg::MimeSignedMessage.new signed_mail, options
+      elsif signed_inline?(signed_mail)
+        Mail::Gpg::InlineSignedMessage.new signed_mail, options
+      else
+        signed_mail
+      end
+    end
+
     # check signature for PGP/MIME (RFC 3156, section 5) signed mail
     def self.signature_valid_pgp_mime?(signed_mail, options)
       # MUST contain exactly two body parts
       if signed_mail.parts.length != 2
         raise EncodingError, "RFC 3136 mandates exactly two body parts, found '#{signed_mail.parts.length}'"
       end
-      SignPart.signature_valid?(signed_mail.parts[0], signed_mail.parts[1], options)
+      result, verify_result = SignPart.verify_signature(signed_mail.parts[0], signed_mail.parts[1], options)
+      signed_mail.verify_result = verify_result
+      return result
     end
 
+    # check signature for inline signed mail
+    def self.signature_valid_inline?(signed_mail, options)
+      result = nil
+      if signed_mail.multipart?
+        signed_mail.parts.each do |part|
+          if signed_inline?(part)
+            if result.nil?
+              result = true
+              signed_mail.verify_result = []
+            end
+            result &= signature_valid_inline?(part, options)
+            signed_mail.verify_result << part.verify_result
+          end
+        end
+      else
+        result, verify_result = GpgmeHelper.inline_verify(signed_mail.body.to_s, options)
+        signed_mail.verify_result = verify_result
+      end
+      return result
+    end
+
+
     # check if PGP/MIME encrypted (RFC 3156)
     def self.encrypted_mime?(mail)
       mail.has_content_type? &&

data/lib/mail/gpg/decrypted_part.rb

@@ -1,6 +1,7 @@
+require 'mail/gpg/verified_part'
 module Mail
   module Gpg
-    class DecryptedPart < Mail::Part
+    class DecryptedPart < VerifiedPart
 
       # options are:
       #
@@ -11,6 +12,7 @@ module Mail
         end
 
         decrypted = GpgmeHelper.decrypt(cipher_part.body.decoded, options)
+        self.verify_result = decrypted.verify_result if options[:verify]
         super(decrypted)
       end
     end

data/lib/mail/gpg/gpgme_ext.rb

@@ -0,0 +1,9 @@
+require 'gpgme'
+require 'mail/gpg/verify_result_attribute'
+
+# extend GPGME::Data with an attribute to hold the result of signature
+# verifications
+class GPGME::Data
+  include Mail::Gpg::VerifyResultAttribute
+end
+

data/lib/mail/gpg/gpgme_helper.rb

@@ -1,3 +1,5 @@
+require 'mail/gpg/gpgme_ext'
+
 # GPGME methods for encryption/decryption/signing
 module Mail
   module Gpg
@@ -11,6 +13,10 @@ module Mail
 
         recipient_keys = keys_for_data options[:recipients], options.delete(:keys)
 
+        if recipient_keys.empty?
+          raise MissingKeysError.new('No keys to encrypt to!')
+        end
+
         flags = 0
         flags |= GPGME::ENCRYPT_ALWAYS_TRUST if options[:always_trust]
 
@@ -46,6 +52,7 @@ module Mail
           begin
             if options[:verify]
               ctx.decrypt_verify(cipher_data, plain_data)
+              plain_data.verify_result = ctx.verify_result
             else
               ctx.decrypt(cipher_data, plain_data)
             end
@@ -72,13 +79,36 @@ module Mail
         crypto.sign GPGME::Data.new(plain), options
       end
 
+      # returns [success(bool), VerifyResult(from gpgme)]
+      # success will be true when there is at least one sig and no invalid sig
       def self.sign_verify(plain, signature, options = {})
-        signed = false
-        GPGME::Crypto.new.verify(signature, signed_text: plain) do |sig|
-          return false if !sig.valid? # just one invalid signature leads to false
-          signed = true
+        signed_data = GPGME::Data.new(plain)
+        signature = GPGME::Data.new(signature)
+
+        success = verify_result = nil
+        GPGME::Ctx.new(options) do |ctx|
+          ctx.verify signature, signed_data, nil
+          verify_result = ctx.verify_result
+          signatures = verify_result.signatures
+          success = signatures &&
+            signatures.size > 0 &&
+            signatures.detect{|s| !s.valid? }.nil?
+        end
+        return [success, verify_result]
+      end
+
+      def self.inline_verify(signed_text, options = {})
+        signed_data = GPGME::Data.new(signed_text)
+        success = verify_result = nil
+        GPGME::Ctx.new(options) do |ctx|
+          ctx.verify signed_data, nil
+          verify_result = ctx.verify_result
+          signatures = verify_result.signatures
+          success = signatures &&
+            signatures.size > 0 &&
+            signatures.detect{|s| !s.valid? }.nil?
         end
-        return signed
+        return [success, verify_result]
       end
 
       private

data/lib/mail/gpg/inline_decrypted_message.rb

@@ -1,3 +1,5 @@
+require 'mail/gpg/verified_part'
+
 # decryption of the so called 'PGP-Inline' message types
 # this is not a standard, so the implementation is based on the notes
 # here http://binblog.info/2008/03/12/know-your-pgp-implementation/
@@ -17,11 +19,12 @@ module Mail
               header[field.name] = field.value
             end
             cipher_mail.parts.each do |part|
-              part Mail::Part.new do |p|
+              p = VerifiedPart.new do |p|
                 if part.has_content_type? && /application\/(?:octet-stream|pgp-encrypted)/ =~ part.mime_type
                   # encrypted attachment, we set the content_type to the generic 'application/octet-stream'
                   # and remove the .pgp/gpg/asc from name/filename in header fields
                   decrypted = GpgmeHelper.decrypt(part.decoded, options)
+                  p.verify_result decrypted.verify_result if options[:verify]
                   p.content_type part.content_type.sub(/application\/(?:octet-stream|pgp-encrypted)/, 'application/octet-stream')
                     .sub(/name=(?:"')?(.*)\.(?:pgp|gpg|asc)(?:"')?/, 'name="\1"')
                   p.content_disposition part.content_disposition.sub(/filename=(?:"')?(.*)\.(?:pgp|gpg|asc)(?:"')?/, 'filename="\1"')
@@ -29,7 +32,9 @@ module Mail
                   p.body Mail::Encodings::Base64::encode(decrypted.to_s)
                 else
                   if part.body.include?('-----BEGIN PGP MESSAGE-----')
-                    p.body GpgmeHelper.decrypt(part.decoded, options).to_s
+                    decrypted = GpgmeHelper.decrypt(part.decoded, options)
+                    p.verify_result decrypted.verify_result if options[:verify]
+                    p.body decrypted.to_s
                   else
                     p.content_type part.content_type
                     p.content_transfer_encoding part.content_transfer_encoding
@@ -37,6 +42,7 @@ module Mail
                   end
                 end
               end
+              add_part p
             end
           end # of multipart
         else
@@ -46,6 +52,7 @@ module Mail
               header[field.name] = field.value
             end
             body decrypted.to_s
+            verify_result decrypted.verify_result if options[:verify] && '' != decrypted
           end
         end
       end

data/lib/mail/gpg/inline_signed_message.rb

@@ -0,0 +1,72 @@
+require 'mail/gpg/verified_part'
+
+module Mail
+  module Gpg
+    class InlineSignedMessage < Mail::Message
+
+      def initialize(signed_mail, options = {})
+        if signed_mail.multipart?
+          super() do
+            global_verify_result = []
+            signed_mail.header.fields.each do |field|
+              header[field.name] = field.value
+            end
+            signed_mail.parts.each do |part|
+              if Mail::Gpg.signed_inline?(part)
+                signed_text = part.body.to_s
+                success, vr = GpgmeHelper.inline_verify(signed_text, options)
+                p = VerifiedPart.new(part)
+                if success
+                  p.body self.class.strip_inline_signature signed_text
+                end
+                p.verify_result vr
+                global_verify_result << vr
+                add_part p
+              else
+                add_part part
+              end
+            end
+            verify_result global_verify_result
+          end # of multipart
+        else
+          super() do
+            signed_mail.header.fields.each do |field|
+              header[field.name] = field.value
+            end
+            signed_text = signed_mail.body.to_s
+            success, vr = GpgmeHelper.inline_verify(signed_text, options)
+            if success
+              body self.class.strip_inline_signature signed_text
+            else
+              body signed_text
+            end
+            verify_result vr
+          end
+        end
+      end
+
+      END_SIGNED_TEXT = '-----END PGP SIGNED MESSAGE-----'
+      END_SIGNED_TEXT_RE = /^#{END_SIGNED_TEXT}\s*$/
+      INLINE_SIG_RE = Regexp.new('^-----BEGIN PGP SIGNATURE-----\s*$.*^-----END PGP SIGNATURE-----\s*$', Regexp::MULTILINE)
+      BEGIN_SIG_RE = /^(-----BEGIN PGP SIGNATURE-----)\s*$/
+
+
+      # utility method to remove inline signature and related pgp markers
+      def self.strip_inline_signature(signed_text)
+        if signed_text =~ INLINE_SIG_RE
+          signed_text = signed_text.dup
+          if signed_text !~ END_SIGNED_TEXT_RE
+            # insert the 'end of signed text' marker in case it is missing
+            signed_text = signed_text.gsub BEGIN_SIG_RE, "-----END PGP SIGNED MESSAGE-----\n\\1"
+          end
+          signed_text.gsub! INLINE_SIG_RE, ''
+          signed_text.strip!
+        end
+        signed_text
+      end
+
+    end
+  end
+end
+
+

data/lib/mail/gpg/message_patch.rb

@@ -1,4 +1,5 @@
 require 'mail/gpg/delivery_handler'
+require 'mail/gpg/verify_result_attribute'
 
 module Mail
   module Gpg
@@ -7,6 +8,7 @@ module Mail
       def self.included(base)
         base.class_eval do
           attr_accessor :raise_encryption_errors
+          include VerifyResultAttribute
         end
       end
 
@@ -51,21 +53,35 @@ module Mail
         end
       end
 
+      # true if this mail is encrypted
       def encrypted?
         Mail::Gpg.encrypted?(self)
       end
 
+      # returns the decrypted mail object.
+      #
+      # pass verify: true to verify signatures as well. The gpgme verification
+      # result will be available via decrypted_mail.verify_result
       def decrypt(options = {})
         Mail::Gpg.decrypt(self, options)
       end
 
+      # true if this mail is signed (but not encrypted)
       def signed?
         Mail::Gpg.signed?(self)
       end
 
-      def signature_valid?(options = {})
-        Mail::Gpg.signature_valid?(self, options)
+      # verify signatures. returns a new mail object with signatures removed and
+      # populated verify_result.
+      #
+      # verified = signed_mail.verify()
+      # verified.signature_valid?
+      # signers = mail.signatures.map{|sig| sig.from}
+      def verify(options = {})
+        Mail::Gpg.verify(self, options)
       end
+
+
     end
   end
 end

data/lib/mail/gpg/mime_signed_message.rb

@@ -0,0 +1,30 @@
+require 'mail/gpg/verified_part'
+
+module Mail
+  module Gpg
+    class MimeSignedMessage < Mail::Message
+
+      def initialize(signed_mail, options = {})
+        content_part, signature = signed_mail.parts
+        success, vr = SignPart.verify_signature(content_part, signature, options)
+        super() do
+          verify_result vr
+          signed_mail.header.fields.each do |field|
+            header[field.name] = field.value
+          end
+          content_part.header.fields.each do |field|
+            header[field.name] = field.value
+          end
+          if content_part.multipart?
+            content_part.parts.each{|part| add_part part}
+          else
+            body content_part.body.to_s
+          end
+        end
+      end
+    end
+  end
+end
+
+
+

data/lib/mail/gpg/missing_keys_error.rb

@@ -0,0 +1,6 @@
+module Mail
+  module Gpg
+    class MissingKeysError < StandardError
+    end
+  end
+end

data/lib/mail/gpg/sign_part.rb

@@ -12,7 +12,13 @@ module Mail
         end
       end
 
+      # true if all signatures are valid
       def self.signature_valid?(plain_part, signature_part, options = {})
+        verify_signature(plain_part, signature_part, options)[0]
+      end
+
+      # will return [success(boolean), verify_result(as returned by gpgme)]
+      def self.verify_signature(plain_part, signature_part, options = {})
         if !(signature_part.has_content_type? &&
              ('application/pgp-signature' == signature_part.mime_type))
           return false

data/lib/mail/gpg/verified_part.rb

@@ -0,0 +1,10 @@
+require 'mail/gpg/verify_result_attribute'
+
+module Mail
+  module Gpg
+    class VerifiedPart < Mail::Part
+      include VerifyResultAttribute
+    end
+  end
+end
+

data/lib/mail/gpg/verify_result_attribute.rb

@@ -0,0 +1,31 @@
+module Mail
+  module Gpg
+    module VerifyResultAttribute
+
+      # the result of signature verification, as provided by GPGME
+      def verify_result(result = nil)
+        if result
+          self.verify_result = result
+        else
+          @verify_result
+        end
+      end
+      def verify_result=(result)
+        @verify_result = result
+      end
+
+      # checks validity of signatures (true / false)
+      def signature_valid?
+        sigs = self.signatures
+        sigs.any? && sigs.detect{|s|!s.valid?}.blank?
+      end
+
+      # list of all signatures from verify_result
+      def signatures
+        [verify_result].flatten.compact.map do |vr|
+          vr.signatures
+        end.flatten.compact
+      end
+    end
+  end
+end

data/lib/mail/gpg/version.rb

@@ -1,5 +1,5 @@
 module Mail
   module Gpg
-    VERSION = "0.1.7"
+    VERSION = "0.2.1"
   end
 end

data/test/decrypted_part_test.rb

@@ -26,6 +26,10 @@ class DecryptedPartTest < Test::Unit::TestCase
       assert mail == @mail
       assert mail.message_id == @mail.message_id
       assert mail.message_id != @part.message_id
+      assert vr = mail.verify_result
+      assert sig = vr.signatures.first
+      assert sig.to_s=~ /Joe/
+      assert sig.valid?
     end
 
     should 'raise encoding error for non gpg mime type' do
@@ -33,5 +37,7 @@ class DecryptedPartTest < Test::Unit::TestCase
       part.content_type = 'text/plain'
       assert_raise(EncodingError) { Mail::Gpg::DecryptedPart.new(part) }
     end
+
+
   end
 end

data/test/gpg_test.rb

@@ -36,6 +36,11 @@ class GpgTest < Test::Unit::TestCase
       assert sig.valid?
     end
     assert Mail::Gpg.signature_valid?(signed)
+    assert verified = signed.verify
+    assert verified.verify_result.present?
+    assert verified.verify_result.signatures.any?
+    assert verified.signatures.any?
+    assert verified.signature_valid?
   end
 
   def check_mime_structure_signed(mail = @mail, signed = @signed)
@@ -250,6 +255,10 @@ class GpgTest < Test::Unit::TestCase
       should 'decrypt and verify' do
         assert mail = Mail::Gpg.decrypt(@encrypted, { :verify => true, :password => 'abc' })
         assert mail == @mail
+        assert mail.verify_result
+        assert sig = mail.signatures.first
+        assert sig.to_s =~ /Joe/
+        assert sig.valid?
       end
     end
 
@@ -330,7 +339,7 @@ class GpgTest < Test::Unit::TestCase
     context 'multipart mail' do
       setup do
         @mail.add_file 'Rakefile'
-        @encrypted = Mail::Gpg.encrypt(@mail)
+        @encrypted = Mail::Gpg.encrypt(@mail, sign: true, password: 'abc')
       end
 
       should 'have same recipients and subject' do
@@ -355,10 +364,16 @@ class GpgTest < Test::Unit::TestCase
         assert_match /Rakefile/, m.parts.last.content_disposition
       end
 
-      should 'decrypt' do
-        assert mail = Mail::Gpg.decrypt(@encrypted, { :password => 'abc' })
+      should 'decrypt and verify' do
+        assert mail = Mail::Gpg.decrypt(@encrypted, { :verify => true, :password => 'abc' })
         assert mail == @mail
         assert mail.parts[1] == @mail.parts[1]
+        assert mail.verify_result
+        assert signatures = mail.signatures
+        assert_equal 1, signatures.size
+        assert sig = signatures[0]
+        assert sig.to_s =~ /Joe/
+        assert sig.valid?
       end
     end
   end

data/test/inline_decrypted_message_test.rb

@@ -17,15 +17,19 @@ class InlineDecryptedMessageTest < Test::Unit::TestCase
     end
 
     context "inline message" do
-      should "decrypt body" do
+      should "decrypt and verify body" do
         mail = Mail.new(@mail)
         mail.body = InlineDecryptedMessageTest.encrypt(mail, mail.body.to_s)
 
         assert !mail.multipart?
         assert mail.encrypted?
-        assert decrypted = mail.decrypt(:password => 'abc')
+        assert decrypted = mail.decrypt(:password => 'abc', verify: true)
         assert decrypted == @mail
         assert !decrypted.encrypted?
+        assert vr = decrypted.verify_result
+        assert sig = vr.signatures.first
+        assert sig.to_s=~ /Joe/
+        assert sig.valid?
       end
     end
 
@@ -55,7 +59,7 @@ class InlineDecryptedMessageTest < Test::Unit::TestCase
     end
 
     context "cleartext body and encrypted attachment message" do
-      should "decrypt attachment" do
+      should "decrypt and verify attachment" do
         rakefile = File.open('Rakefile') { |file| file.read }
         mail = Mail.new(@mail)
         mail.content_type = 'multipart/mixed'
@@ -68,7 +72,7 @@ class InlineDecryptedMessageTest < Test::Unit::TestCase
 
         assert mail.multipart?
         assert mail.encrypted?
-        assert decrypted = mail.decrypt(:password => 'abc')
+        assert decrypted = mail.decrypt(password: 'abc', verify: true)
         assert !decrypted.encrypted?
         check_headers(@mail, decrypted)
         assert_equal 2, decrypted.parts.length
@@ -76,11 +80,17 @@ class InlineDecryptedMessageTest < Test::Unit::TestCase
         assert /application\/octet-stream; (?:charset=UTF-8; )?name=Rakefile/ =~ decrypted.parts[1].content_type
         assert_equal 'attachment; filename=Rakefile', decrypted.parts[1].content_disposition
         assert_equal rakefile, decrypted.parts[1].body.decoded
+
+        assert_nil decrypted.parts[0].verify_result
+        assert vr = decrypted.parts[1].verify_result
+        assert sig = vr.signatures.first
+        assert sig.to_s=~ /Joe/
+        assert sig.valid?
       end
     end
 
     context "encrypted body and attachment message" do
-      should "decrypt" do
+      should "decrypt and verify" do
         rakefile = File.open('Rakefile') { |file| file.read }
         mail = Mail.new(@mail)
         mail.content_type = 'multipart/mixed'
@@ -94,7 +104,7 @@ class InlineDecryptedMessageTest < Test::Unit::TestCase
 
         assert mail.multipart?
         assert mail.encrypted?
-        assert decrypted = mail.decrypt(:password => 'abc')
+        assert decrypted = mail.decrypt(password: 'abc', verify: true)
         assert !decrypted.encrypted?
         check_headers(@mail, decrypted)
         assert_equal 2, decrypted.parts.length
@@ -102,6 +112,12 @@ class InlineDecryptedMessageTest < Test::Unit::TestCase
         assert /application\/octet-stream; (?:charset=UTF-8; )?name=Rakefile/ =~ decrypted.parts[1].content_type
         assert_equal 'attachment; filename=Rakefile', decrypted.parts[1].content_disposition
         assert_equal rakefile, decrypted.parts[1].body.decoded
+        decrypted.parts.each do |part|
+          assert vr = part.verify_result
+          assert sig = vr.signatures.first
+          assert sig.to_s=~ /Joe/
+          assert sig.valid?
+        end
       end
     end
   end

data/test/inline_signed_message_test.rb

@@ -0,0 +1,121 @@
+require 'test_helper'
+
+# test cases for PGP inline signed messages (i.e. non-mime)
+class InlineSignedMessageTest < Test::Unit::TestCase
+
+  context "InlineSignedMessage" do
+
+    setup do
+      (@mails = Mail::TestMailer.deliveries).clear
+      @mail = Mail.new do
+        to 'jane@foo.bar'
+        from 'joe@foo.bar'
+        subject 'test'
+        body 'i am unencrypted'
+      end
+    end
+
+    context 'strip_inline_signature' do
+      should 'strip signature from signed text' do
+        body = self.class.inline_sign(@mail, 'i am signed')
+        assert stripped_body = Mail::Gpg::InlineSignedMessage.strip_inline_signature(body)
+        assert_equal "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\ni am signed\n-----END PGP SIGNED MESSAGE-----", stripped_body
+      end
+
+      should 'not change unsigned text' do
+        assert stripped_body = Mail::Gpg::InlineSignedMessage.strip_inline_signature("foo\nbar\n")
+        assert_equal "foo\nbar\n", stripped_body
+      end
+    end
+
+    context "signed message" do
+      should "verify body" do
+        mail = Mail.new(@mail)
+        mail.body = self.class.inline_sign(mail, mail.body.to_s)
+        assert !mail.multipart?
+        assert mail.signed?
+        assert verified = mail.verify
+        assert verified.signature_valid?
+        assert sig = verified.signatures.first
+        assert sig.to_s=~ /Joe/
+        assert sig.valid?
+      end
+
+      should "detect invalid sig" do
+        mail = Mail.new(@mail)
+        mail.body = self.class.inline_sign(mail, mail.body.to_s).gsub /i am/, 'i was'
+        assert !mail.multipart?
+        assert mail.signed?
+        assert verified = mail.verify
+        assert !verified.signature_valid?
+        assert vr = verified.verify_result
+        assert sig = verified.signatures.first
+        assert sig.to_s=~ /Joe/
+        assert !sig.valid?
+      end
+
+    end
+
+    context "message with signed attachment" do
+      should "check attachment signature" do
+        mail = Mail.new(@mail)
+        mail.body = 'foobar'
+        mail.part do |p|
+          p.body = self.class.inline_sign(mail, 'sign me!')
+        end
+        assert mail.multipart?
+        assert mail.signed?
+        assert verified = mail.verify
+        assert verified.signature_valid?
+        assert vr = verified.parts.last.verify_result
+        assert !verified.parts.first.signed?
+        assert verified.parts.last.signed?
+        assert Mail::Gpg.signed_inline?(verified.parts.last)
+        assert_equal [vr], verified.verify_result
+        assert sig = verified.signatures.first
+        assert sig.to_s=~ /Joe/
+        assert sig.valid?
+      end
+
+      should "detect invalid sig" do
+        mail = Mail.new(@mail)
+        mail.body = 'foobar'
+        mail.part do |p|
+          p.body = self.class.inline_sign(mail, 'i am signed!').gsub /i am/, 'i was'
+        end
+        mail.part do |p|
+          p.body = self.class.inline_sign(mail, 'i am signed!')
+        end
+
+        assert mail.multipart?
+        assert mail.signed?
+        assert verified = mail.verify
+        assert !verified.signature_valid?
+        assert vr = verified.verify_result
+        assert_equal 2, vr.size
+
+        invalid = verified.parts[1]
+        assert !invalid.signature_valid?
+        assert sig = invalid.verify_result.signatures.first
+        assert sig.to_s=~ /Joe/
+        assert !sig.valid?
+
+        valid = verified.parts[2]
+        assert valid.signature_valid?
+        assert sig = valid.verify_result.signatures.first
+        assert sig.to_s=~ /Joe/
+        assert sig.valid?
+      end
+    end
+  end
+
+
+  def self.inline_sign(mail, plain, armor = true)
+    GPGME::Crypto.new.clearsign(plain,
+      password: 'abc',
+      signers: mail.from,
+      armor: armor).to_s
+  end
+
+end
+

data/test/message_test.rb

@@ -42,6 +42,35 @@ class MessageTest < Test::Unit::TestCase
         @mail.gpg sign: true, password: 'abc'
       end
 
+      context 'with multiple parts' do
+        setup do
+          p = Mail::Part.new do
+            body 'and another part'
+          end
+          @mail.add_part p
+          p = Mail::Part.new do
+            body 'and a third part'
+          end
+          @mail.add_part p
+
+          @mail.deliver
+          @signed = @mails.first
+          @verified = @signed.verify
+        end
+
+        should 'verify signature' do
+          assert @verified.signature_valid?
+        end
+
+        should 'have original three parts' do
+          assert_equal 3, @mail.parts.size
+          assert_equal 3, @verified.parts.size
+          assert_equal 'i am unencrypted', @verified.parts[0].body.to_s
+          assert_equal 'and another part', @verified.parts[1].body.to_s
+          assert_equal 'and a third part', @verified.parts[2].body.to_s
+        end
+      end
+
       context "" do
         setup do
           @mail.header['Auto-Submitted'] = 'foo'
@@ -59,14 +88,18 @@ class MessageTest < Test::Unit::TestCase
           assert !m.encrypted?
           assert m.signed?
           assert m.multipart?
-          assert m.signature_valid?
           assert sign_part = m.parts.last
-          #assert m = Mail::Message.new(m.parts.first)
-          #assert !m.multipart?
           GPGME::Crypto.new.verify(sign_part.body.to_s, signed_text: m.parts.first.encoded) do |sig|
             assert sig.valid?
           end
-          assert_equal 'i am unencrypted', m.parts.first.body.to_s
+        end
+
+        should 'verify signed mail' do
+          assert m = @mails.first
+          assert verified = m.verify
+          assert verified.signature_valid?
+          assert !verified.multipart?
+          assert_equal 'i am unencrypted', verified.body.to_s
         end
 
         should "fail signature on tampered body" do
@@ -76,13 +109,36 @@ class MessageTest < Test::Unit::TestCase
           assert !m.encrypted?
           assert m.signed?
           assert m.multipart?
-          assert m.signature_valid?
+          assert verified = m.verify
+          assert verified.signature_valid?
           m.parts.first.body = 'replaced body'
-          assert !m.signature_valid?
+          assert verified = m.verify
+          assert !verified.signature_valid?
         end
       end
     end
 
+    context 'with encryption and signing' do
+      setup do
+        @mail.gpg encrypt: true, sign: true, password: 'abc'
+        @mail.deliver
+      end
+
+      should 'decrypt and check signature' do
+        assert_equal 1, @mails.size
+        assert m = @mails.first
+        assert_equal 'test', m.subject
+        assert m.multipart?
+        assert m.encrypted?
+        assert decrypted = m.decrypt(:password => 'abc', verify: true)
+        assert_equal 'test', decrypted.subject
+        assert decrypted == @mail
+        assert_equal 'i am unencrypted', decrypted.body.to_s
+        assert decrypted.signature_valid?
+        assert_equal 1, decrypted.signatures.size
+      end
+    end
+
     context "with gpg turned on" do
       setup do
         @mail.gpg encrypt: true
@@ -94,7 +150,7 @@ class MessageTest < Test::Unit::TestCase
         end
 
         should "raise encryption error" do
-          assert_raises(GPGME::Error::InvalidValue){
+          assert_raises(Mail::Gpg::MissingKeysError){
             @mail.deliver
           }
         end
@@ -106,6 +162,7 @@ class MessageTest < Test::Unit::TestCase
         end
       end
 
+
       context "" do
         setup do
           @mail.deliver

metadata

@@ -1,64 +1,58 @@
 --- !ruby/object:Gem::Specification
 name: mail-gpg
 version: !ruby/object:Gem::Version
-  version: 0.1.7
-  prerelease: 
+  version: 0.2.1
 platform: ruby
 authors:
 - Jens Kraemer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-06-03 00:00:00.000000000 Z
+date: 2014-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mail
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '2.5'
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 2.5.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '2.5'
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 2.5.3
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '2.0'
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 2.0.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '2.0'
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 2.0.2
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -66,7 +60,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -74,7 +67,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -82,7 +74,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -90,55 +81,48 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: actionmailer
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.2.0
 - !ruby/object:Gem::Dependency
   name: pry-nav
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: shoulda-context
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -146,15 +130,13 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.1'
-description: ! 'GPG/MIME encryption plugin for the Ruby Mail Library
-
-  This tiny gem adds GPG capabilities to Mail::Message and ActionMailer::Base. Because
-  privacy matters.'
+description: |-
+  GPG/MIME encryption plugin for the Ruby Mail Library
+  This tiny gem adds GPG capabilities to Mail::Message and ActionMailer::Base. Because privacy matters.
 email:
 - jk@jkraemer.net
 executables: []
@@ -174,13 +156,19 @@ files:
 - lib/mail/gpg/decrypted_part.rb
 - lib/mail/gpg/delivery_handler.rb
 - lib/mail/gpg/encrypted_part.rb
+- lib/mail/gpg/gpgme_ext.rb
 - lib/mail/gpg/gpgme_helper.rb
 - lib/mail/gpg/inline_decrypted_message.rb
+- lib/mail/gpg/inline_signed_message.rb
 - lib/mail/gpg/message_patch.rb
+- lib/mail/gpg/mime_signed_message.rb
+- lib/mail/gpg/missing_keys_error.rb
 - lib/mail/gpg/rails.rb
 - lib/mail/gpg/rails/action_mailer_base_patch.rb
 - lib/mail/gpg/sign_part.rb
 - lib/mail/gpg/signed_part.rb
+- lib/mail/gpg/verified_part.rb
+- lib/mail/gpg/verify_result_attribute.rb
 - lib/mail/gpg/version.rb
 - lib/mail/gpg/version_part.rb
 - mail-gpg.gemspec
@@ -195,6 +183,7 @@ files:
 - test/gpghome/trustdb.gpg
 - test/hkp_test.rb
 - test/inline_decrypted_message_test.rb
+- test/inline_signed_message_test.rb
 - test/message_test.rb
 - test/sign_part_test.rb
 - test/test_helper.rb
@@ -202,27 +191,26 @@ files:
 homepage: https://github.com/jkraemer/mail-gpg
 licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.23.2
+rubygems_version: 2.2.2
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: GPG/MIME encryption plugin for the Ruby Mail Library
 test_files:
 - test/action_mailer_test.rb
@@ -236,7 +224,9 @@ test_files:
 - test/gpghome/trustdb.gpg
 - test/hkp_test.rb
 - test/inline_decrypted_message_test.rb
+- test/inline_signed_message_test.rb
 - test/message_test.rb
 - test/sign_part_test.rb
 - test/test_helper.rb
 - test/version_part_test.rb
+has_rdoc: