[gmime-devel] avoiding metadata leaks when handling S/MIME-signed mail in GMime and other tools that use GnuPG

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Feb 3 20:35:08 CET 2018

On Sat 2018-02-03 18:48:26 +0000, Jeffrey Stedfast wrote:
> I've added code locally to set offline mode but reading the docs:
> https://www.gnupg.org/documentation/manuals/gpgme/Offline-Mode.html
> it suggests that setting offline mode only works for CMS and not
> OpenPGP? Can anyone from the GPGME team verify this? If so, I'll drop
> the flags that would indicate that this works in OpenPGP mode.

hm, it's not just "only CMS" -- it says:

    Offline mode only affects the keylist mode
    GPGME_KEYLIST_MODE_VALIDATE and is only relevant to the CMS crypto
    engine. Offline mode is ignored otherwise.

in which case, that might mean that it doesn't affect signature
verification at all. :(

GnuPG folks -- what is the best way for a user of GPGME to avoid
metadata leakage in this scenario as a default configuration?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180203/89b8c2d2/attachment.sig>

More information about the Gnupg-devel mailing list