When reloading the configuration with :reload, global variables in the
config package are reset to their startup values and then, the config is
parsed from disk. While the parsing is done, these variables are
temporarily in an inconsistent and possibly invalid state.
When commands are executed interactively from aerc, they are handled by
the main goroutine which also deals with UI rendering. No UI render will
be done while :reload is in progress.
However, the IPC socket handler runs in an independent goroutine. This
has the unfortunate side effect to let the UI goroutine to run while
config parsing is in progress and causes crashes:
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x6bb142]
goroutine 1 [running]:
git.sr.ht/~rjarry/aerc/lib/log.PanicHandler()
lib/log/panic-logger.go:51 +0x6cf
panic({0xc1d960?, 0x134a6e0?})
/usr/lib/go/src/runtime/panic.go:783 +0x132
git.sr.ht/~rjarry/aerc/config.(*StyleConf).getStyle(0xc00038b908?, 0x4206b7?)
config/style.go:386 +0x42
git.sr.ht/~rjarry/aerc/config.StyleSet.Get({0x0, 0x0, 0x0, {0x0, 0x0, 0x0}}, 0x421a65?, 0x0)
config/style.go:408 +0x8b
git.sr.ht/~rjarry/aerc/config.(*UIConfig).GetStyle(...)
config/ui.go:379
git.sr.ht/~rjarry/aerc/lib/ui.(*TabStrip).Draw(0xc000314700, 0xc000192230)
lib/ui/tab.go:378 +0x15b
git.sr.ht/~rjarry/aerc/lib/ui.(*Grid).Draw(0xc000186fc0, 0xc0002c25f0)
lib/ui/grid.go:126 +0x28e
git.sr.ht/~rjarry/aerc/app.(*Aerc).Draw(0x14b9f00, 0xc0002c25f0)
app/aerc.go:192 +0x1fe
git.sr.ht/~rjarry/aerc/lib/ui.Render()
lib/ui/ui.go:155 +0x16b
main.main()
main.go:310 +0x997
Make the reload operation safe by changing how config objects are
exposed and updated. Change all objects to be atomic pointers. Expose
public functions to access their value atomically. Only update their
value after a complete and successful config parse. This way the UI
thread will always have access to a valid configuration.
NB: The account configuration is not included in this change since it
cannot be reloaded.
Fixes: https://todo.sr.ht/~rjarry/aerc/319
Reported-by: Anachron <gith@cron.world>
Signed-off-by: Robin Jarry <robin@jarry.cc>
Go has evolved significantly over the years and has introduced some
handy helper functions that make the code easier to read.
Use helper functions like slices.Contains, map.Copy, and
strings.CutPrefix, when appropriate.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Robin Jarry <robin@jarry.cc>
This patch fixes an error that occurs when decrypting an email with an
invalid gpg signature. The error "gpg-exit 33554433" will be thrown and
the email will not be opened.
Signed-off-by: Bryce Vandegrift <bryce@brycevandegrift.xyz>
Acked-by: Robin Jarry <robin@jarry.cc>
Update go-pgpmail which has a similar fix to the one we had in place.
Update our fix to use the same implementation: do not parse the whole
signed part. Only parse the part header, remove the mime-version header
from it if any and re-write it, followed the part body verbatim without
any decoding/re-encoding.
Fixes: 7346d20343 ("gpg: fix signed message encoding")
Fixes: 7b8fbe2a3d ("gpg: fix mime-version header position")
Signed-off-by: Robin Jarry <robin@jarry.cc>
Reviewed-by: Simon Ser <contact@emersion.fr>
When sending signed messages with outgoing = jmap://, the following
error is returned by the server (provider=Fastmail):
Message contains bare newlines
RFC 5322 section 2.3 states that:
> CR and LF MUST only occur together as CRLF; they MUST NOT appear
> independently in the body.
Most MTA handle invalid messages without warnings, but some others
reject them.
Ensure GPG generated parts use CRLF to comply with the RFC.
Fixes: 57699b1fa6 ("feat: add gpg integration")
Link: https://www.rfc-editor.org/rfc/rfc5322.html#section-2.3
Changelog-fixed: GPG signatures and encrypted parts now use CRLF line
endings as required by RFC 5322.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Matěj Cepl <mcepl@cepl.eu>
By preparing a maliciously crafted message an attacker could send an
encrypted message without signature that would appear as signed within
the aerc client. It is caused by the fact that the gpg status messages,
which are used for determining the validity signature, are interspered
with message contents. An example of such malicious message was added to
the `reader_test.go`.
This change redirects the satus-fd to stderr, while the usual stderr
logs are discarded to /dev/null. In addition to fixing the vulnerability
described above, this has the added benefit of stdout containing only
useful output which does not need to be filtered. This simplifies the
logic and avoids needless copies.
Previous stderr parsing logic which detected when no valid OpenPGP data
was present is replaced with detecting `NODATA 1` in status-fd messages.
The stderr logs are different depending on user locale, thus, they
should not be parsed. On the other hand, the status-fd are relatively
stable. The previous method of detecting invalid OpenPGP data would fail
on systems with non-English locale.
Signed-off-by: Marcin Serwin <marcin@serwin.dev>
Acked-by: Robin Jarry <robin@jarry.cc>
During encryption gpg was ignoring trust model of the user in favor of
always using the insecure "always". This change removes this override
and adds a helpful message if a user tries to encrypt a message with an
untrusted key. To revert to the previous behavior users can add
"trust-model always" to their gpg.conf file (default ~/.gnupg/gpg.conf).
Signed-off-by: Marcin Serwin <marcin@serwin.dev>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
Add pinentry support to GPG for signing, enrypting and decrypting
messages.
Signed-off-by: Koni Marti <koni.marti@gmail.com>
Acked-by: Robin Jarry <robin@jarry.cc>
golangci-lint 1.56 does not work with go 1.23. It causes obscure errors:
[linters_context/goanalysis] buildir: panic during analysis:
Cannot range over: func(yield func(K, V) bool), goroutine 4743 [running]: runtime/debug.Stack()
/usr/lib/go/src/runtime/debug/stack.go:26 +0x5e
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe.func1()
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_action.go:104 +0x5a
panic({0x164b260?, 0xc00669b4a0?})
/usr/lib/go/src/runtime/panic.go:785 +0x132
honnef.co/go/tools/go/ir.(*builder).rangeStmt(0xc000051910, 0xc00a29cf00, 0xc009bf55c0, 0x0, {0x1af1960, 0xc009bf55c0})
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2214 +0x894
honnef.co/go/tools/go/ir.(*builder).stmt(0xc000051910, 0xc00a29cf00, {0x1af6970?, 0xc009bf55c0?})
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2427 +0x20a
honnef.co/go/tools/go/ir.(*builder).stmtList(...)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:847
honnef.co/go/tools/go/ir.(*builder).stmt(0xc000051910, 0xc00a29cf00, {0x1af6880?, 0xc004f52ed0?})
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2385 +0x1415
honnef.co/go/tools/go/ir.(*builder).buildFunction(0xc000051910, 0xc00a29cf00)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2497 +0x417
honnef.co/go/tools/go/ir.(*builder).buildFuncDecl(0xc000051910, 0xc00622eea0, 0xc004f52f00)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2534 +0x189
honnef.co/go/tools/go/ir.(*Package).build(0xc00622eea0)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2638 +0xb46
sync.(*Once).doSlow(0xc009b81260?, 0xc009bf5bc0?)
/usr/lib/go/src/sync/once.go:76 +0xb4
sync.(*Once).Do(...)
/usr/lib/go/src/sync/once.go:67
honnef.co/go/tools/go/ir.(*Package).Build(...)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/go/ir/builder.go:2556
honnef.co/go/tools/internal/passes/buildir.run(0xc000cf61a0)
/home/build/go/pkg/mod/honnef.co/go/tools@v0.4.6/internal/passes/buildir/buildir.go:86 +0x18b
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyze(0xc002d77d70)
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_action.go:190 +0x9cd
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe.func2()
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_action.go:112 +0x17
github.com/golangci/golangci-lint/pkg/timeutils.(*Stopwatch).TrackStage(0xc0007a5c70, {0x1859190, 0x7}, 0xc001c28f48)
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/timeutils/stopwatch.go:111 +0x44
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe(0xc00212f680?)
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_action.go:111 +0x6e
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*loadingPackage).analyze.func2(0xc002d77d70)
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_loadingpackage.go:80 +0xa5
created by github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*loadingPackage).analyze in goroutine 3468
/home/build/go/pkg/mod/github.com/golangci/golangci-lint@v1.56.1/pkg/golinters/goanalysis/runner_loadingpackage.go:75 +0x1e9
Update golangci-lint to 1.61.0 that works with go 1.23. It has new
checkers that report errors that we need to fix:
lib/crypto/gpg/gpgbin/gpgbin.go:226:22: printf: non-constant format string in call to fmt.Errorf (govet)
return fmt.Errorf(strings.TrimPrefix(line, "[GNUPG:] "))
^
worker/imap/observer.go:142:21: printf: non-constant format string in call to fmt.Errorf (govet)
Error: fmt.Errorf(errMsg),
^
app/dirlist.go:409:5: S1009: should omit nil check; len() for []string is defined as zero (gosimple)
if dirlist.dirs == nil || len(dirlist.dirs) == 0 {
^
app/dirtree.go:181:5: S1009: should omit nil check; len() for []*git.sr.ht/~rjarry/aerc/worker/types.Thread is defined as zero (gosimple)
if dt.list == nil || len(dt.list) == 0 || dt.countVisible(dt.list) < y+dt.Scroll() {
^
app/authinfo.go:30:34: printf: non-constant format string in call to (*git.sr.ht/~rjarry/aerc/lib/ui.Context).Printf (govet)
ctx.Printf(0, 0, defaultStyle, text)
^
app/authinfo.go:34:27: printf: non-constant format string in call to (*git.sr.ht/~rjarry/aerc/lib/ui.Context).Printf (govet)
ctx.Printf(0, 0, style, text)
^
app/authinfo.go:62:34: printf: non-constant format string in call to (*git.sr.ht/~rjarry/aerc/lib/ui.Context).Printf (govet)
x += ctx.Printf(x, 0, style, text)
^
Pretty much all of these errors are us passing non-const format strings
to various methods. In C land, this is a large security issue. I would
assume the same stands in Go. Thank you golangci-lint!
Link: https://builds.sr.ht/~rjarry/job/1332376#task-validate-500
Signed-off-by: Tristan Partin <tristan@partin.io>
Acked-by: Robin Jarry <robin@jarry.cc>
Fix the content encoding for GPG-signed messages.
To remove the Mime-Version header field for the signed message part, the
raw message is parsed with go-message. go-message.Read(), however,
decodes the message body as well (i.e. from quoted-printable to UTF8
depending on the Content-Transfer-Encoding header). This means that the
msg.Body field now contains the decoded message (it is no longer encoded
as quoted-printable). We never encode the message back to the proper
Content-Transfer-Encoding.
To fix this, use net/mail.ReadMessage() to parse the headers and to not
decode the message body.
To verify the issue, send a signed message with the following text:
"19+1=20!"
The message will be properly signed, but the text is wrong; it shows
"19+1 !"; instead it should read "19+1=3D20!".
Fixes: 5e443bce ("gpg: fix mime-version header position")
References: https://todo.sr.ht/~rjarry/aerc/79
Signed-off-by: Koni Marti <koni.marti@gmail.com>
Tested-by: Jens Grassel <jens@wegtam.com>
Acked-by: Robin Jarry <robin@jarry.cc>
Implement a cleartext function in the cryptoutil package to decrypt an
encrypted message to cleartext and construct a valid rfc2822 message.
The headers from the decrypt message body will be merged with the
original headers to create a fully decrypted message.
Implements: https://todo.sr.ht/~rjarry/aerc/238
Signed-off-by: Koni Marti <koni.marti@gmail.com>
Tested-by: Jens Grassel <jens@wegtam.com>
Reviewed-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Robin Jarry <robin@jarry.cc>
Some MTAs try to normalize the case of all headers (including signed
text parts headers). Unfortunately, Mime-Version can be normalized to
different casing depending on the implementation (MIME- vs Mime-).
Since the signature is computed on the whole part, including its header,
changing the case can cause the signature to become invalid.
Due to how multipart/signed messages are constructed, we need to hack
around go-message writers to intercept the writing of a text part,
compute its signature and write the actual message with the proper
headers.
Unfortunately, go-message does not allow creating a message writer that
does not insert a Mime-Version header. This causes the Mime-Version
header to be inserted in the wrong place: it is put inside the signed
text part header instead on the top level header. Thus, included in the
signed content.
Make sure to remove any Mime-Version header from the signed part header.
Finally, ensure that Mime-Version is set on the top-level header so that
messages are compliant with RFC 2045.
Fixes: https://todo.sr.ht/~rjarry/aerc/143
Link: https://github.com/emersion/go-message/issues/165
Link: https://github.com/emersion/go-pgpmail/pull/15
Link: https://lists.sr.ht/~rjarry/aerc-devel/%3CCQRPF5EA0TF8.PEJ4AKCEGMFM%40fembook%3E
Changelog-fixed: `Mime-Version` is no longer inserted in signed
text parts headers. MTAs normalizing header case will not corrupt
signatures anymore.
Reported-by: Coco Liliace <chloe@liliace.dev>
Reported-by: Kirill Chibisov <contact@kchibisov.com>
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Tim Culverhouse <tim@timculverhouse.com>
github.com/mitchellh/go-homedir has not received any update since 2019.
The last release of github.com/kyoh86/xdg was in 2020 and it has been
marked as deprecated by its author.
Replace these with internal functions.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Reviewed-by: Moritz Poldrack <moritz@poldrack.dev>
A lot of libraries are starting to use generics (introduced in go 1.18).
Restricting aerc on 1.17 prevents us from updating our dependencies.
Since 1.18 is a major milestone, it has a chance to remain supported for
a while.
Update the minimum go version to 1.18. Run go mod tidy -compat=1.18.
Update our CI to run on 1.18.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Bence Ferdinandy <bence@ferdinandy.com>
There is only one instance of AercConfig which is associated to the Aerc
widget. Everywhere we need to access configuration options, we need
somehow to get a reference either to the Aerc widget or to a pointer to
the AercConfig instance. This makes the code cluttered.
Remove the AercConfig structure and every place where it is referenced.
Instead, declare global variables for every configuration section and
access them directly from the `config` module.
Since bindings and ui sections can be "contextual" (i.e. per account,
per folder or per subject), leave most local references intact.
Replacing them with config.{Ui,Binds}.For{Account,Folder,Subject} would
make this patch even more unreadable. This is something that may be
addressed in the future.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
The main goal is to ensure that by default, the log file (if configured)
does not grow out of proportions. Most of the logging messages in aerc
are actually for debugging and/or trace purposes.
Define clear rules for logging levels. Enforce these rules everywhere.
After this patch, here is what the log file looks like after starting up
with a single account:
INFO 2022/11/24 20:26:16.147164 aerc.go:176: Starting up version 0.13.0-100-g683981479c60 (go1.18.7 amd64 linux)
INFO 2022/11/24 20:26:17.546448 account.go:254: [work] connected.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Bence Ferdinandy <bence@ferdinandy.com>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
When quoting an encrypted message for reply, the quoted text is shown as
"Version: 1.0". This is due to this being the first non-multipart text
portion of the message, which is what the quoted reply logic looks for.
Properly quote replies to encrypted messages by decrypting the message,
and quoting the content. The message must be open in a message view in
order to quote it (it must be decrypted, which is handled by the message
viewer).
Suggested-by: Moritz Poldrack <moritz@poldrack.dev>
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: Jens Grassel <jens@wegtam.com>
Since the minimum required version of Go has been bumped to 1.16, the
deprecation of io/ioutil can now be acted upon. This Commit removes the
remaining dependencies on ioutil and replaces them with their io or os
counterparts.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Robin Jarry <robin@jarry.cc>
Fix the following test failures:
FAIL: TestMessageInfoHandledError (0.00s)
parse_test.go:53: could not parse envelope: date parsing failed:
unrecognized date format:
FAIL: TestReader (0.07s)
gpg_test.go:27: using GNUPGHOME = /tmp/TestReader2384941142/001
reader_test.go:108: Test case: Invalid Signature
reader_test.go:112: gpg.Read() = gpgmail: failed to read PGP
message: gpg: failed to run verification: exit status 1
Fixes: 5ca6022d00 ("lint: ensure errors are at least logged (errcheck)")
Fixes: 70bfcfef42 ("lint: work nicely with wrapped errors (errorlint)")
Signed-off-by: Robin Jarry <robin@jarry.cc>
Signed-off-by: Moritz Poldrack <moritz@poldrack.dev>
Error wrapping as introduced in Go 1.13 adds some additional logic to
use for comparing errors and adding information to it.
Signed-off-by: Moritz Poldrack <moritz@poldrack.dev>
Acked-by: Robin Jarry <robin@jarry.cc>
Do not pass logger objects around anymore. Shuffle some messages to make
them consistent with the new logging API. Avoid using %v when a more
specific verb exists for the argument types.
The loggers are completely disabled (i.e. Sprintf is not even called)
by default. They are only enabled when redirecting stdout to a file.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
This makes it more explicit for non pgp compatible clients. Without
this, they may show "unnamed part" or "noname".
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
An non-zero exit code from the execution of gpg during decryption would
prevent aerc from parsing the output of gpg. The output should always be
parsed. Gpg can exit with an error due to not being able to validate a
signature. Aerc handles this error with the UI, and therefore all output
should be parsed regardless of exit state of gpg. The parsing of stdout
will find the errors and report back to aerc properly.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
Add error handling for messages that were unable to be encrypted.
Previously, messages that failed encryption would be sent with no
content. This patch adds error handling - when encryption fails, the
user is returned to the Review screen and instructed to check the public
keys for their recipients.
Reported-by: Moritz Poldrack <moritz@poldrack.dev>
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
Refactor lib/crypto/gpg tests to facilitate unit test runs on macos.
Macos creates temporary directories with names too long to call
gpg-agent (108 characters). Additionally, too many concurrent test calls
created IPC errors to gpg-agent. To get around this, tests were given
shorter names and refactored into subtests to create fewer concurrent
tests
Tested on Linux and MacOS.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Robin Jarry <robin@jarry.cc>
Skip the tests if gpg is not installed.
Avoid interference with the global ~/.gnupg.
Automatically delete GNUPGHOME at the end of tests.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
Add compose command ("attach-key") to attach the public key associated
with the sending account. Public key is attached in ascii armor format,
with the mimetype set according to RFC 3156 ("application/pgp-keys").
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: Koni Marti <koni.marti@gmail.com>
Add check for public keys of all message recipients (to, cc, and bcc)
before sending the message. Adds an OnFocusLost callback to header
editors to facilitate a callback for checking keys whenever a new
recipient is added (OnChange results in too many keyring checks).
Once encryption is initially set, the callbacks are registered. If a
public key is not available for any recipient, encryption is turned off.
However, notably, the callbacks are still registered meaning as s soon
as the user removes the recipients with missing keys, encryption is
turned back on.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: Koni Marti <koni.marti@gmail.com>
The gpg decrypt function was catching errors but not returning them.
This patch returns errors that are caught instead of aerc panicking.
Reported-by: ReK2 <rek2@hispagatos.org>
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: ReK2 <rek2@hispagatos.org>
Acked-by: Robin Jarry <robin@jarry.cc>
Check that the signing key exists when the user issues the :sign
command. The signing key ID will be displayed in the security status
also, allowing the user to see what key will be used to sign the
message.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Tested-by: Jens Grassel <jens@wegtam.com>
This commit adds gpg system integration. This is done through two new
packages: gpgbin, which handles the system calls and parsing; and gpg
which is mostly a copy of emersion/go-pgpmail with modifications to
interface with package gpgbin. gpg includes tests for many cases, and
by it's nature also tests package gpgbin. I separated these in case an
external dependency is ever used for the gpg sys-calls/parsing (IE we
mirror how go-pgpmail+openpgp currently are dependencies)
Two new config options are introduced:
* pgp-provider. If it is not explicitly set to "gpg", aerc will default to
it's internal pgp provider
* pgp-key-id: (Optionally) specify a key by short or long keyId
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Koni Marti <koni.marti@gmail.com>
Acked-by: Robin Jarry <robin@jarry.cc>
This commit refactors the internal PGP implementation to make way for
GPG integration.
Signed-off-by: Tim Culverhouse <tim@timculverhouse.com>
Acked-by: Koni Marti <koni.marti@gmail.com>
Acked-by: Robin Jarry <robin@jarry.cc>
