# HG changeset patch
# User Paul Boddie
# Date 1381879579 -7200
# Node ID 4a868ec967ef2189209e985c88f442ddaca2e24d
# Parent 1ece83b447d67ae12c8052e7c7fe33f2a535eb0f
Added initial support for separate message relaying users.
diff -r 1ece83b447d6 -r 4a868ec967ef README.txt
--- a/README.txt Fri Sep 13 01:05:05 2013 +0200
+++ b/README.txt Wed Oct 16 01:26:19 2013 +0200
@@ -40,22 +40,22 @@
 Import the key into the wiki's GPG homedir:
-gpg --homedir wiki/gnupg --import 1C1AAF83.asc
+gpg --homedir WIKI/gnupg --import 1C1AAF83.asc
 For the wiki to receive encrypted data, a key for the wiki must be created:
-gpg --homedir wiki/gnupg --gen-key
+gpg --homedir WIKI/gnupg --gen-key
 For the wiki environment to be able to use the key, password access must be disabled. This can be done by either not specifying a password or by removing it later using the --edit-key option:
-gpg --homedir wiki/gnupg --edit-key 0891463A
+gpg --homedir WIKI/gnupg --edit-key 0891463A
 passwd
 Export the wiki's key for encrypting messages sent to the wiki:
-gpg --homedir wiki/gnupg --armor --output 0891463A.asc --export 0891463A
+gpg --homedir WIKI/gnupg --armor --output 0891463A.asc --export 0891463A
 This exported key can now be imported into your own environment:
@@ -75,6 +75,12 @@
 moinmessage_gpg_signing_users_page (optional, default is MoinMessageSigningUserDict) This provides a mapping from Moin usernames to key fingerprints.
+ moinmessage_gpg_relaying_user (optional)
+ This specifies the username of a special user who will sign relayed
+ messages. Partner wikis will need to record the details of this user in
+ their fingerprint-to-user mapping (see moinmessage_gpg_users_page) to be
+ able to receive messages from this wiki.
+
 moinmessage_gpg_recipients_page (optional, default is MoinMessageRecipientsDict) This provides a mapping from recipients to remote URLs and key fingerprints. Each user can define the named page as a subpage of their own home page.
@@ -89,7 +95,7 @@
 This explicitly defines the path to static resources used by Moin, enabling such resources to be attached to messages. When set, the path must refer to the htdocs directory (possibly renamed) containing the different theme
- resource directories, together with the robots.txt and favicon.ico files.)
+ resource directories, together with the robots.txt and favicon.ico files.
 For signature verification to function, the following needs to be added:
@@ -126,6 +132,29 @@
 Each username must correspond to a registered user in the wiki.
+If a wiki is to perform message relaying, receiving messages from partner
+wikis and sending them on, a user is required for this purpose. You could
+create such a user as follows:
+
+moin --config-dir=WIKI account create --name=MessageRelay --email=messagerelay
+
+(You may need to run this command as the Web server user to be able to change
+the wiki installation, as well as indicating the full path to the moin program
+either as the program name or by setting the PATH.)
+
+After doing this, you could define an entry for the relaying user as follows:
+
+ fingerprint:: MessageRelay
+
+Here, "fingerprint" should be substituted for a key fingerprint used by a
+partner wiki to sign messages that it then sends to this wiki. See the next
+section for more information on signing keys and identities.
+
+It may very well be the case that more than one partner wiki will be sending
+messages to this wiki: the signing key fingerprint of each partner wiki can be
+added to this mapping and specify the same relaying user; there is no
+restriction on each fingerprint needing to map to a different user.
+
 The Username-to-Signing Key Mapping
 -----------------------------------
@@ -142,6 +171,13 @@
 whereas the signing of messages requires access to a private key. Thus, the signing process employs a special private key known to the wiki for a user.
+If a wiki is to perform message relaying, the special relaying user must be
+defined in this mapping together with an appropriate key fingerprint. You can
+use the key generated during the wiki's configuration (see "Configuring GPG
+for a Wiki" above) for this purpose. This fingerprint can then be used by
+partner wikis in their fingerprint-to-user mapping in order to verify incoming
+messages and to process them as relayed messages.
+
 The Recipients Mapping
 ----------------------
diff -r 1ece83b447d6 -r 4a868ec967ef actions/SendMessage.py
--- a/actions/SendMessage.py Fri Sep 13 01:05:05 2013 +0200
+++ b/actions/SendMessage.py Wed Oct 16 01:26:19 2013 +0200
@@ -309,7 +309,14 @@
 message = gpg.encryptMessage(message, parameters["fingerprint"])
 # Add signing for forwarded messages.
- # NOTE: Signing with the same identity.
+
+ relaying_user = getattr(self.request.cfg, "moinmessage_gpg_relaying_user")
+
+ # Signing with the same identity if no special relaying user is
+ # defined.
+
+ if relaying_user:
+ signer = signing_users and signing_users.get(relaying_user)
 if forward and signer:
 timestamp(message)
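Review bot: The `getattr` on the new relaying_user line has no default, so an installation that leaves moinmessage_gpg_relaying_user unset — which README.txt in this same commit documents as optional — will raise AttributeError here unless the option is declared with a default somewhere outside this hunk; `relaying_user = getattr(self.request.cfg, "moinmessage_gpg_relaying_user", None)` makes the optional setting safe. A second point: when the relaying user is configured but has no entry in signing_users, `signer` becomes falsy and the `if forward and signer:` branch quietly forwards the message unsigned, so a misconfigured relay degrades to unsigned relaying with nothing recorded; consider logging or refusing the send in that case rather than silently dropping the signature. The enclosing function, where signer, forward and signing_users are first bound, starts outside the hunk.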