[gmime-devel] avoiding metadata leaks when handling S/MIME-signed mail in GMime and other tools that use GnuPG

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Feb 3 20:35:08 CET 2018


On Sat 2018-02-03 18:48:26 +0000, Jeffrey Stedfast wrote:
> I've added code locally to set offline mode but reading the docs:
>
> https://www.gnupg.org/documentation/manuals/gpgme/Offline-Mode.html
>
> it suggests that setting offline mode only works for CMS and not
> OpenPGP? Can anyone from the GPGME team verify this? If so, I'll drop
> the flags that would indicate that this works in OpenPGP mode.

hm, it's not just "only CMS" -- it says:

    Offline mode only affects the keylist mode
    GPGME_KEYLIST_MODE_VALIDATE and is only relevant to the CMS crypto
    engine. Offline mode is ignored otherwise.

in which case, that might mean that it doesn't affect signature
verification at all. :(

GnuPG folks -- what is the best way for a user of GPGME to avoid
metadata leakage in this scenario as a default configuration?

         --dkg