This is the midterm report of my GSoC project, OpenPGP integration with GNU Mailman. The code is updated at my Launchpad branch.

Accomplishments:

  • A signature rule (src/mailman/rules/signature.py) to check for an OpenPGP signature in a message; in case a signature is found, it tries to verify the message using the gpg utility.
  • A gpg utility (src/mailman/utilities/gpg.py) to perform all the signature-related tasks using `python-gnupg` (v0.3.4). It signs and verifies signatures.
  • A signmessage handler (src/mailman/handlers/signmessage.py) to sign the outgoing message using the gpg utility. (Signing a message is still incomplete in the sense that we do not have a way to store and use keys. For now it has a pubring.gpg and secring.gpg inside var/gpg/. These will be replaced with actual keyrings in future.)
  • Tests for each of the three modules above. Testing gpg.py was a small challenge (for me).

Issues and Roadblocks:

  • Signature verification using `python-gnupg` was a PITA for me for some time. The way it accepts the string and the signature for a detached signature is not documented at all and is the converse of what I would have thought. It just occurred to me to try out the other possibility, which turned out to be the right way.
  • Version control was also an issue that I encountered. Initially I started to work on the git mirror of Mailman. When I tried to port the code back to Bazaar and push it to GitHub, it took me (and others) a lot of brainstorming. Finally I did that using bzr-git.
  • Deciding the structure of the signed message that we were going to send out. Initially it was decided to leave the sender's signature intact so that anyone who wants to verify it can do so, but there cannot be two 'pgp-signature' parts in a conventional multipart/signed message. I wrote the code to follow an internet-draft I discovered one day. But then I commented out that code and also added another format:
        multipart/alternative {
            multipart/signed { text/plain, application/pgp-signature }
            multipart/signed { text/plain, application/pgp-signature }
        }

    Some further assistance and research on which format MUAs support best is still needed.
  • python-gnupg does not provide any way to search for keys based on key data like an email address. I need some more work to get this working.
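As an added example (not code from the Mailman branch described in this report), here is a stand-alone Python sketch of what the signature rule has to do: recognise an RFC 3156 multipart/signed message, extract the exact bytes the detached signature covers, and hand them to python-gnupg in the argument order that caused the confusion above (signature first, data second). It assumes a python-gnupg version that provides `verify_data()` and a GnuPG home directory already holding the sender's public key; the sample message and its placeholder signature are constructed.

```python
import email
import tempfile
from email import policy
# Constructed sample of the RFC 3156 multipart/signed layout the signature rule
# must recognise; the signature body is a placeholder, not a real signature.
RAW_SIGNED = (
    b"Subject: midterm report\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    b' protocol="application/pgp-signature"; boundary="sig-boundary"\r\n'
    b"\r\n--sig-boundary\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\nHello list, this body is what the detached signature covers.\r\n"
    b"--sig-boundary\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\nPLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--sig-boundary--\r\n"
)

def parse_message(raw):
    return email.message_from_bytes(raw, policy=policy.default)

def find_pgp_signature(msg):
    """Return (signed_part, signature_part) for an OpenPGP multipart/signed
    message, or None when the message carries no such signature."""
    if msg.get_content_type() != "multipart/signed":
        return None
    if msg.get_param("protocol") != "application/pgp-signature":
        return None
    parts = list(msg.iter_parts())
    if len(parts) != 2 or parts[1].get_content_type() != "application/pgp-signature":
        return None
    return parts[0], parts[1]

def signed_bytes(part):
    """Data the detached signature covers: the first body part with its MIME
    headers and CRLF line endings (RFC 3156). Re-serialising is not byte-exact
    for every header, so a production rule should keep the raw part bytes."""
    return part.as_bytes(policy=policy.SMTP)

def verify_detached(data, armored_sig, gnupghome):
    """Verify with python-gnupg. The order trips people up: the signature goes
    first (as a filename), the signed data second (as bytes)."""
    import gnupg  # imported lazily so the MIME helpers above work without it
    gpg = gnupg.GPG(gnupghome=gnupghome)
    with tempfile.NamedTemporaryFile(suffix=".asc") as sig_file:
        sig_file.write(armored_sig)
        sig_file.flush()
        verified = gpg.verify_data(sig_file.name, data)
    return bool(verified), verified.key_id
```

The MIME helpers run with the standard library alone; `verify_detached()` needs python-gnupg and a gpg binary, and with the placeholder signature above it would return `(False, None)`.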

Future Plan: The next plans for this project include testing all the above parts thoroughly and then moving on to creating a PKI for the keys. Also, settings for the list manager to adjust a few options related to signed lists, like the time limit (decided from the date in the signature) after which a message is considered old, and implementing this in code.