Muxic – Minimal XMMS2 client for Mac OS X

XMMS2 is cool. In my experience, its architecture does everything The Right Way, and their support tools (git, mantis, mediawiki, doxygen-generated documentation) are all modern.

The clientlib is good enough that clients (frontends) can be very lightweight. FWICS there are some good Qt and GTK based clients that would probably run fine on OS X, if you can be bothered getting them and their dependencies working.

Even then, other Qt and GTK based applications I have on scud always feel slightly out of place (or very out of place for those using X11). There were no Cocoa/Application Kit based GUIs on the old clientlist. I set out to create a Cocoa UI.

I like Winamp Classic’s UI; it is functional and compact, especially in windowshade mode. If you are used to the keyboard shortcuts (and they make a lot of sense with a QWERTY keyboard), you don’t need huge buttons.

Hence I made a client with similar minimalism, without trying to be Winamp-skin-compatible. I’m quite happy to use the CLI and other clients for managing the media library, but for something that’s sitting on my desktop all the time I wanted small, and I wanted it to fit in with OS X. It’s got Growl support too!

Muxic Desktop screenshot
Introducing: Muxic.

Muxic is a minimal user interface to XMMS2. It should be ready for a release soon, meanwhile you can browse the Muxic source.

Unclean macports gettext upgrade

An innocent port upgrade -uc outdated turned into macports breakage after it tried to deactivate gettext. The error messages, ad infinitum, are:

--->  Deactivating gettext @0.17_3
Error: Deactivating gettext 0.17_3 failed:
Error: Unable to upgrade port: dyld: Library not loaded:
/opt/local/lib/libintl.8.dylib
  Referenced from: /opt/local/bin/ln
  Reason: image not found
Error: Unable to exec port: dyld: Library not loaded:
/opt/local/lib/libintl.8.dylib
  Referenced from: /opt/local/bin/ln
  Reason: image not found

The reason is that I have the coreutils+with_default_names port installed, and those binaries link to the gettext libraries. The coreutils binaries are used by the macports activation scripts, and the macports coreutils are earlier on the PATH. Cue breakage.

The solution, as explained on macports-users, is:

  • Add a binpath to macports.conf that has the (presumably working) Apple coreutils in /usr/bin and /bin before the macports ones
  • port deactivate coreutils
  • port deactivate gettext
  • port activate gettext
  • port activate coreutils

S/MIME gotchas

S/MIME is an attractive option for implementing secure messages, since it works OOTB in more MUAs than OpenPGP. However, for an 11-year-old standard, there are a lot of limitations on the lowest-common-denominator of what works.

A good (and fairly ubiquitous) implementation seemed to be the OpenSSL smime(1) command. This has a few quirks:

  • It doesn’t use CRLF line endings in the outer message as required by RFC 2822. In newer versions there is an undocumented -crlfeol option, but even this doesn’t work properly. I’ve submitted a patch on their tracker.
  • You probably want to use the -text option and not the -binary option when encrypting to fix the CR/LF issues for a text/plain payload.
  • To generate certificates non-interactively, you are probably going to need an OpenSSL config file to go along with the req -batch option. Something like:
    [ req ]
    prompt = no
    default_bits = 2048
    extendedKeyUsage=emailProtection
    subjectAltName=email:foo@example.com
    distinguished_name = dn
    req_extensions = req_extensions
    x509_extensions = req_extensions
    
    [ req_extensions ]
    extendedKeyUsage=emailProtection
    basicConstraints=CA:FALSE
    
    [ dn ]
    O=Example Corp
    C=AU
    CN=Example Corp Secured Email <foo@example.com>
    emailAddress=foo@example.com
    

Below is the micro-HOWTO for non-interactively doing stuff (you can use pipes instead of the files in all these instances when driving OpenSSL via IPC). Note that the certificates are read before the message payload, and you want to get the I/O order right to avoid a deadlock.

openssl req -x509 -nodes -days 14 -newkey rsa:1024 \
-keyout private.pem -out public.pem
openssl pkcs12 -export -passout fd:0 -inkey private.pem -in public.pem \
-out private.pfx
openssl smime -encrypt -des3 -text -in payload.txt \
-to 'foo@example.com' -from 'Me <bar@example.net>' \
-subject "An encrypted email" \
-out message.eml public.pem # or pipe stdout to sendmail
openssl smime -decrypt -in message.eml -out payload2.txt \
-inkey private.pem public.pem
# for low-level debugging:
openssl smime -pk7out -in message.eml | openssl asn1parse

On to the MUAs. The certificate import for Apple Mail is pretty painless with the PKCS#12 key being imported by Keychain Access. Later (it didn’t work immediately for me) extra buttons for signing and encrypting automagically appear in the message editing window on the From line, but they are disabled unless your From address has a certificate. Hence you need a certificate yourself, even if you’re not signing, in order to send an encrypted email to a friend.

Apple Mail gets very confused if the CR/LF stuff isn’t correct: it will display the same message as blank, just the base64-encoded S/MIME part, and the correct decoded text on different occasions.

Thunderbird isn’t very friendly toward self-signed certificates. Choosing the .pfx from Preferences > Advanced > View Certificates > Import will get the key to show up, but when you try to encrypt an email, you get an error message like “the application failed to find an encryption certificate for <foo@example.com>”. However, Thunderbird will use the key for decrypting.

Microsoft Outlook and Outlook Express will use the Windows certificate store, which imports a .pfx with a wizard by default when you open one. You can import it from a shell (or more likely, from wine) with rundll32.exe cryptext.dll,CryptExtAddPFX private.pfx, or use the UI from Internet Explorer (Tools > Internet Options > Contents > Certificates).

Apple Mail and Thunderbird both handle multipart/mixed with text/plain and smime-envelope parts correctly (by concatenating the unencrypted and envelope contents in the message window), although they will report the message as unencrypted (which is true I guess, because only one part of the message is). However, Microsoft Outlook won’t display anything for the secure part (not even an error).