Added check that config file keymap fingerprint exists in actual GPG …

…keyring. Decline encryption if mismatch.
uragit · Nov 22, 2013 · 584eee1 · 584eee1
1 parent 779e712
commit 584eee1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/GnuPG/__init__.py b/GnuPG/__init__.py
@@ -5,14 +5,14 @@ def public_keys( keyhome ):
 	cmd = ['/usr/bin/gpg', '--homedir', keyhome, '--list-keys', '--with-colons']
 	p = subprocess.Popen( cmd, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE )
 	p.wait()
-	keys = list()
+	keys = dict()
 	for line in p.stdout.readlines():
 		if line[0:3] == 'uid' or line[0:3] == 'pub':
 			if ('<' not in line or '>' not in line):
 				continue
-			key = line.split('<')[1].split('>')[0]
-			if keys.count(key) == 0:
-				keys.append(key)
+			email = line.split('<')[1].split('>')[0]
+			fingerprint = line.split(':')[4]
+			keys[fingerprint] = email
 	return keys
 
 class GPGEncryptor:

diff --git a/gpg-mailgate.py b/gpg-mailgate.py
@@ -105,10 +105,16 @@ def get_msg( message ):
 ungpg_to = list()
 
 for to in to_addrs:
-	if to in keys and not ( cfg['default'].has_key('keymap_only') and cfg['default']['keymap_only'] == 'yes'  ):
+	if to in keys.values() and not ( cfg['default'].has_key('keymap_only') and cfg['default']['keymap_only'] == 'yes'  ):
 		gpg_to.append( (to, to) )
 	elif cfg.has_key('keymap') and cfg['keymap'].has_key(to):
-		gpg_to.append( (to, cfg['keymap'][to]) )
+		log("Keymap has key '%s'" % cfg['keymap'][to] )
+		# Check we've got a matching key!  If not, decline to attempt encryption.
+		if not keys.has_key(cfg['keymap'][to]):
+			log("Key '%s' in keymap not found in keyring for email address '%s'.  Won't encrypt." % (cfg['keymap'][to], to))
+			ungpg_to.append(to)
+		else:
+			gpg_to.append( (to, cfg['keymap'][to]) )
 	else:
 		if verbose:
 			log("Recipient (%s) not in keymap list." % to)