Thanks for the "security" thing. Didn't know about that one.
Right. Basically it's all under the "cms" subcommand. You can do
something like:
security cms -D < input > output
Where "input" is a DER-format PKCS#7 blob. For decryption you need to
either have your smartcard plugged in or the key in your keychain.
AFAIK, the MacOS X native drivers only support PIV cards at this time.
Right now you'll get CR-LF output out of that which you need to convert
to LF for nmh to read (we have that fixed in the next version). You can
read the man page to see how to encrypt or sign with that as well.
If you feed that into nmh with the appropriate MIME tags, it works, but
is cumbersome. Clearly the right thing to do is support a PKCS#11
module and offload the card support into that. But interfacing a
PKCS#11 module with OpenSSL kind of sucks; there's not a great way
to glue it all together. I am aware of the PKCS#11 ENGINE that
OpenSC provides but that requires all of the OpenSC stack to make
it work, and that can be a bear to configure. So I think the only
way to make it not awful for users is do a lot of the work that
OpenSSL would normally do. Sigh.
Overall MIME sucks a bit for good old terminal mail. Not to disrespect
Ned Freed, Nat Borenstein &c, but Mostly I just want to send people
text. (Although with Markdown I increasingly expect *emphasis* to
uplift so there you go: I'm no better than anyone else here)
I mean ... I hear you. But the reality is the world has moved on,
whether we like it or not. Adapt or die :-/
I'm hoping that SOMETIME in the future we'll be able to do a lot better.
I would have thought with a global pandemic and being stuck at home
a lot I'd have more free time to work on nmh, but somehow the exact
opposite has happened.
--Ken