mutt integration: sq sign generates bad signatures
I was trying to get the native sq CLI integrated directly into mutt, and managed to get almost every command mapped with the config from https://wiki.debian.org/OpenPGP/Sequoia#mutt, copied here for future reference:
# OpenPGP support using Sequoia-PGP.
# Based on <https://git.sr.ht/~ireas/sq-mutt/tree/master/sq.rc>.
# vim:syn=muttrc:
set crypt_use_gpgme=no
#unset pgp_use_gpg_agent
set pgp_timeout=3600
# Encryption and signing
set pgp_decode_command="sq inspect -- %f"
set pgp_verify_command="sq verify --detached %s -- %f"
# XXX: Fails
#set pgp_sign_command="sq sign --batch %?a?--signer-key %a? --detached -- %f"
# Works
set pgp_sign_command="gpg-sq --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0 --pinentry-mode=loopback? --armor --detach-sign --textmode %?a?-u %a? %f"
# Works
set pgp_clearsign_command="sq sign --batch %?a?--signer-key %a? --cleartext-signature -- %f"
# Works
#set pgp_clearsign_command="gpg-sq --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0 --pinentry-mode=loopback? --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_decrypt_command="sq decrypt --batch --signatures 0 -- %f"
# Note: We use pgpewrap because %r is a list, and --recipient-cert only
# handles one argument per option.
set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap sq encrypt --batch -- --recipient-cert %r -- %f"
set pgp_encrypt_sign_command="/usr/lib/mutt/pgpewrap sq encrypt --batch %?a?--signer-key %a? -- --recipient-cert %r -- %f"
# Keyring management
set pgp_import_command="sq cert import -- %f"
set pgp_export_command="sq cert export -- %r"
#set pgp_getkeys_command="sq network fetch -- %r"
set pgp_verify_key_command="sq pki identify -- %r"
# TODO: This relies on gpg-sq, ideally this would use a native interface.
# note: the second --with-fingerprint adds fingerprints to subkeys
set pgp_list_pubring_command="gpg-sq --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-keys %r"
set pgp_list_secring_command="gpg-sq --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-secret-keys %r"
set pgp_good_sign="^[[:space:]]*Good signature from "
set pgp_decryption_okay="^[[:space:]]*Encrypted using "
# TODO: does mutt handle non-zero error codes correctly?
set pgp_check_exit=yes
unset pgp_check_gpg_decrypt_status_fd
When testing this I noticed that signing messages generates invalid signatures, which both sq and gpg fail to verify, reporting either a bad signature or a bad checksum. I tried to play a bit with the messages in case it was a matter of how they are normalized with respect to blank lines, but didn't manage to get very far. I'm filing this here to have a tracking place for the issue, which might end up being a problem in mutt or in the integration with the config.
(Edited: I've updated config to my current working set, for easier reference.)
Edited by Guillem Jover
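Added example (editor's diagnostic, not code from the bug report, from mutt or from sq). The working gpg-sq signing command above passes --textmode, which makes gpg emit a canonical-text signature (type 0x01) whose hash is computed over the data with line endings normalized to CRLF; a binary signature (type 0x00) is over the exact bytes, so it stops verifying as soon as a MIME part picks up CRLF line endings on its way out. Whether that is what happens with `sq sign --detached` is not established by the report, but it is the first thing worth checking, and it can be read straight off the signature packet. The script below takes the file mutt handed to the signer (%f), the part as it was received, and the detached signature, and reports the signature type and whether the two copies differ only in line endings. Run with no arguments it uses constructed sample data; the sample signature packet is a fabricated header with no real MPIs and is not a valid signature.

```python
"""Editor's diagnostic: signature type (0x00 binary / 0x01 text) plus a line-ending check."""
import base64
import sys
from pathlib import Path

SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def dearmor(blob: bytes) -> bytes:
    """Return the raw packet bytes of an ASCII-armored block; pass binary input through."""
    text = blob.strip()
    if not text.startswith(b"-----BEGIN PGP"):
        return blob
    lines = text.splitlines()[1:]                 # drop the BEGIN line
    while lines and b":" in lines[0]:             # armor headers such as "Comment: ..."
        lines.pop(0)
    b64 = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(b"=") or line.startswith(b"-----END"):
            continue                              # blank separator, CRC-24 line, END line
        b64.append(line)
    return base64.b64decode(b"".join(b64))


def signature_type(packet: bytes) -> int:
    """Parse the first packet header and return the signature type byte."""
    ctb = packet[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = packet[1]
        if first < 192:
            body = 2
        elif first < 224:
            body = 3
        elif first == 255:
            body = 6
        else:
            body = 2                              # partial body length: body follows directly
    else:                                         # old-format header (RFC 4880 4.2.1)
        tag = (ctb >> 2) & 0x0F
        body = 1 + (1, 2, 4, 0)[ctb & 0x03]
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    version = packet[body]
    if version == 3:
        return packet[body + 2]                   # v3: version, hashed length (5), type
    if version in (4, 6):
        return packet[body + 1]                   # v4/v6: version, type, ...
    raise ValueError(f"unsupported signature version {version}")


def canonicalize_text(data: bytes) -> bytes:
    """Line endings as a type 0x01 signature hashes them: every line ends in CR LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def diagnose(signed_input: bytes, received: bytes, sig_type: int) -> str:
    """Explain a failed verification in terms of what the signature's hash covers."""
    same_raw = signed_input == received
    same_canonical = canonicalize_text(signed_input) == canonicalize_text(received)
    if same_raw or (sig_type == 0x01 and same_canonical):
        return "hashes-match"
    if same_canonical:
        return "only-line-endings-differ: a canonical-text (0x01) signature would verify"
    return "content-differs"


def fake_detached_sig(sig_type: int, armored: bool = True) -> bytes:
    """CONSTRUCTED sample: a v4 signature packet with no real MPIs. Not a valid signature."""
    body = (bytes([4, sig_type, 1, 8])            # version 4, type, RSA, SHA-256
            + b"\x00\x00" + b"\x00\x00"           # empty hashed / unhashed subpacket areas
            + b"\xab\xcd" + b"\x00\x08\xff")      # fake hash prefix, one 8-bit MPI
    packet = bytes([0xC2, len(body)]) + body      # new-format CTB for tag 2
    if not armored:
        return packet
    return (b"-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet)
            + b"\n-----END PGP SIGNATURE-----\n")


# Constructed sample: the part as written for %f (LF) and as it left on the wire (CRLF).
SIGNED_INPUT = b"Content-Type: text/plain\n\nhello\n\nsigned with sq\n"
RECEIVED = SIGNED_INPUT.replace(b"\n", b"\r\n")


def main(argv):
    if len(argv) == 4:                            # signed-input received detached-sig
        signed_input, received, sig = (Path(p).read_bytes() for p in argv[1:])
    else:
        signed_input, received, sig = SIGNED_INPUT, RECEIVED, fake_detached_sig(0x00)
    st = signature_type(dearmor(sig))
    print(f"signature type 0x{st:02x} ({SIG_TYPES.get(st, 'other')})")
    print(diagnose(signed_input, received, st))


if __name__ == "__main__":
    main(sys.argv)
```

To apply it to the real case, temporarily wrap the sq call in pgp_sign_command with a script that copies %f aside, then run `python3 sigcheck.py copy-of-f received-part.txt signature.asc` against the part extracted from the mail as delivered. If the signature is type 0x00 and the verdict is "only-line-endings-differ", the failure is a text-versus-binary mode mismatch rather than anything cryptographic; if it is type 0x01 or "content-differs", look elsewhere (for example at what exactly mutt feeds to %f versus what it verifies against).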