From: Kevin McCarthy Date: Sat, 1 Oct 2016 23:21:59 +0000 (-0700) Subject: Ensure signatures exist when verifying multipart/signed emails. (closes #3881). X-Git-Tag: neomutt-20161002~1^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b35c403de9628e6ca3473382e410efff806f44e7;p=neomutt Ensure signatures exist when verifying multipart/signed emails. (closes #3881). TAKAHASHI Tamotsu reported that when gpg2 isn't in PATH, the gpgme_op_verify() won't return an error, but instead will return a result with no signatures. verify_one() was only returning an error if a signature actually failed, so in this case the function was defaulting to returning success. Other callers of gpgme_op_verify() check to make sure the result->signatures exist before processing signatures. Add a check for verify_one() too. --- diff --git a/crypt-gpgme.c b/crypt-gpgme.c index fb51af6a7..d5c6f3347 100644 --- a/crypt-gpgme.c +++ b/crypt-gpgme.c @@ -1561,6 +1561,7 @@ static int verify_one (BODY *sigbdy, STATE *s, { /* Verification succeeded, see what the result is. */ int res, idx; int anybad = 0; + gpgme_verify_result_t verify_result; if (signature_key) { @@ -1568,15 +1569,19 @@ static int verify_one (BODY *sigbdy, STATE *s, signature_key = NULL; } - for(idx=0; (res = show_one_sig_status (ctx, idx, s)) != -1; idx++) + verify_result = gpgme_op_verify_result (ctx); + if (verify_result && verify_result->signatures) + { + for (idx=0; (res = show_one_sig_status (ctx, idx, s)) != -1; idx++) { if (res == 1) anybad = 1; else if (res == 2) anywarn = 2; } - if (!anybad) - badsig = 0; + if (!anybad) + badsig = 0; + } } if (!badsig)
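Review bot: The new `if (verify_result && verify_result->signatures)` guard in the second hunk has no else branch, so when gpgme returns a result with no signatures (the gpg2-not-in-PATH case from the commit message) control falls through to `if (!badsig)` and nothing in the added lines reports why verification did not succeed. Failing closed here depends entirely on `badsig` still holding its initial value, which is set outside the visible lines; confirm it starts non-zero and add a short comment at the guard saying the skip is intentional. Consider an else branch that emits a distinct "no signatures returned" message, so a missing or broken gpg backend can be told apart from a signature that was checked and failed.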