Send and check "Intended recipient fingerprint" packets

[link2xt]

OpenPGP has "indented recipient fingerprint" packet: https://www.rfc-editor.org/rfc/rfc9580.html#name-intended-recipient-fingerpr

It should be sent to protect against Surreptitious Forwarding and if it is present but does not match receiver should deliver the message to trash.

This should not be sent for broadcast lists when we want to keep recipients anonymous to each other: #6782
For normal groups there should be intended recipient fingerprint inside the encrypted part even when anonymous recipient is used on the outer encryption layer.

For testing it's enough to create an .eml file with a message signed by Alice, intended for Bob but reencypted to Charlie and make sure that Charlie ignores the signature. The message will then likely get assigned to the address-contact corresponding to the outer From field.

Maybe there is no API in rPGP or it involves looking at the packets manually like rsop and rpgpie does. In this case we likely need an API in rPGP first.

[Hocuri]

TODO:

• check if there is an API for it in rpgp, and if not, open an issue in rpgp library
• implementation in Delta Chat, incl. tests

[iequidoo]

a message signed by Alice, intended for Bob but reencypted to Charlie and make sure that charlie delivers it to trash.

Alice and Bob may be interested if this happens, so maybe we should also send an MDN to Alice silently? Not sure though, generating extra traffic and possibly participating in a DDoS isn't good.

[link2xt]

Alice and Bob may be interested if this happens, so maybe we should also send an MDN to Alice silently?

No, we don't want automated messages, especially in the edge case that is supposed to never happen. The error can be logged ofc.

If we follow https://datatracker.ietf.org/doc/draft-ietf-lamps-e2e-mail-guidance/ ("Signature failures") then actually it should be treated as broken signature. Basically treat this as unencrypted (in Autocrypt sense) message, assign this to email contact etc.: "conformant receiving MUA that discovers a failed signature treats the message as though the signature did not exist.". I changed the wording in the first post.

[link2xt]

Compared to rPGP 0.16.0 which is currently the latest released version, unreleased version of rPGP also has a MessageBuilder.sign_with_subpackets method that allows to create subpackets manually:
rpgp/rpgp@3542021

By default only Issuer fingerprint and Signature creation time is produced:
https://github.com/rpgp/rpgp/blob/f168ff350e2fa24ff147f3abfd1e3c8f42f7077a/src/composed/message/builder.rs#L121-L129