19 files changed, 889 insertions, 395 deletions
diff --git a/framework/qml/AttachmentDelegate.qml b/framework/qml/AttachmentDelegate.qml
index 3c308e65..4469cbdd 100644
--- a/framework/qml/AttachmentDelegate.qml
+++ b/framework/qml/AttachmentDelegate.qml
@@ -23,10 +23,12 @@ Item {
    id: root
    property string name
+    property string type
    property string icon
    property alias actionIcon: actionButton.iconName
    signal clicked;
    signal execute;
+    signal publicKeyImport;
    width: content.width + Kube.Units.smallSpacing * 1.5
    height: content.height + Kube.Units.smallSpacing
@@ -70,6 +72,14 @@ Item {
            color: Kube.Colors.backgroundColor
        }
        Kube.IconButton {
+            visible: root.type == "application/pgp-keys"
+            iconName: Kube.Icons.key_import_inverted
+            height: Kube.Units.gridUnit
+            width: height
+            onClicked: root.publicKeyImport()
+            padding: 0
+        }
+        Kube.IconButton {
            id: actionButton
            height: Kube.Units.gridUnit
            width: height
diff --git a/framework/qml/Icons.qml b/framework/qml/Icons.qml
index 2afe840e..4dfae3d7 100644
--- a/framework/qml/Icons.qml
+++ b/framework/qml/Icons.qml
@@ -63,6 +63,7 @@ Item {
    property string secure: "document-encrypt"
    property string insecure: "document-decrypt"
    property string signed: "document-sign"
+    property string key_import_inverted: "view-certificate-import-inverted"
    property string addNew: "list-add"
    property string remove: "kube-list-remove-inverted"
diff --git a/framework/qml/MailViewer.qml b/framework/qml/MailViewer.qml
index 565adedd..e9ffd108 100644
--- a/framework/qml/MailViewer.qml
+++ b/framework/qml/MailViewer.qml
@@ -283,6 +283,7 @@ Rectangle {
            delegate: AttachmentDelegate {
                name: model.name
+                type: model.type
                icon: model.iconName
                clip: true
@@ -290,6 +291,7 @@ Rectangle {
                actionIcon: Kube.Icons.save_inverted
                onExecute: messageParser.attachments.saveAttachmentToDisk(messageParser.attachments.index(index, 0))
                onClicked: messageParser.attachments.openAttachment(messageParser.attachments.index(index, 0))
+                onPublicKeyImport: messageParser.attachments.importPublicKey(messageParser.attachments.index(index, 0))
            }
        }
    }
diff --git a/framework/src/domain/composercontroller.cpp b/framework/src/domain/composercontroller.cpp
index 2286a71b..a71e66f9 100644
--- a/framework/src/domain/composercontroller.cpp
+++ b/framework/src/domain/composercontroller.cpp
@@ -135,7 +135,7 @@ public:
        SinkLog() << "Searching key for: " << mb.address();
        asyncRun<std::vector<GpgME::Key>>(this,
            [mb] {
-                return MailCrypto::findKeys(QStringList{} << mb.address(), false, false, MailCrypto::OPENPGP);
+                return MailCrypto::findKeys(QStringList{} << mb.address(), false, false);
            },
            [this, addressee, id](const std::vector<GpgME::Key> &keys) {
                if (!keys.empty()) {
@@ -463,18 +463,25 @@ KMime::Message::Ptr ComposerController::assembleMessage()
        };
    });
+    GpgME::Key attachedKey;
    std::vector<GpgME::Key> signingKeys;
    if (getSign()) {
        signingKeys = getPersonalKeys().value<std::vector<GpgME::Key>>();
+        Q_ASSERT(!signingKeys.empty());
+        attachedKey = signingKeys[0];
    }
    std::vector<GpgME::Key> encryptionKeys;
    if (getEncrypt()) {
        //Encrypt to self so we can read the sent message
-        encryptionKeys += getPersonalKeys().value<std::vector<GpgME::Key>>();
+        auto personalKeys = getPersonalKeys().value<std::vector<GpgME::Key>>();
+        attachedKey = personalKeys[0];
+        encryptionKeys += personalKeys;
        encryptionKeys += getRecipientKeys();
    }
-    return MailTemplates::createMessage(mExistingMessage, toAddresses, ccAddresses, bccAddresses, getIdentity(), getSubject(), getBody(), getHtmlBody(), attachments, signingKeys, encryptionKeys);
+    return MailTemplates::createMessage(mExistingMessage, toAddresses, ccAddresses, bccAddresses, getIdentity(), getSubject(), getBody(), getHtmlBody(), attachments, signingKeys, encryptionKeys, attachedKey);
 }
 void ComposerController::send()
diff --git a/framework/src/domain/mime/attachmentmodel.cpp b/framework/src/domain/mime/attachmentmodel.cpp
index 2eb2cc13..8b12679b 100644
--- a/framework/src/domain/mime/attachmentmodel.cpp
+++ b/framework/src/domain/mime/attachmentmodel.cpp
@@ -32,6 +32,11 @@
 #include <QUrl>
 #include <QMimeDatabase>
+#include <QGpgME/ImportJob>
+#include <QGpgME/Protocol>
+#include <memory>
 QString sizeHuman(float size)
 {
    QStringList list;
@@ -210,6 +215,36 @@ bool AttachmentModel::openAttachment(const QModelIndex &index)
    return false;
 }
+bool AttachmentModel::importPublicKey(const QModelIndex &index)
+{
+    Q_ASSERT(index.internalPointer());
+    const auto part = static_cast<MimeTreeParser::MessagePart *>(index.internalPointer());
+    Q_ASSERT(part);
+    auto pkey = part->node()->decodedContent();
+    const auto *proto = QGpgME::openpgp();
+    std::unique_ptr<QGpgME::ImportJob> job(proto->importJob());
+    auto result = job->exec(pkey);
+    bool success = true;
+    QString message;
+    if(result.numConsidered() == 0) {
+        message = tr("No keys were found in this attachment");
+        success = false;
+    } else {
+        message = tr("%n Key(s) imported", "", result.numImported());
+        if(result.numUnchanged() != 0) {
+            message += "\n" + tr("%n Key(s) were already imported", "", result.numUnchanged());
+        }
+    }
+    Kube::Fabric::Fabric{}.postMessage("notification",
+        {{"message", message}});
+    return success;
+}
 QModelIndex AttachmentModel::parent(const QModelIndex &) const
 {
    return QModelIndex();
diff --git a/framework/src/domain/mime/attachmentmodel.h b/framework/src/domain/mime/attachmentmodel.h
index 93ba8d02..d599b1f0 100644
--- a/framework/src/domain/mime/attachmentmodel.h
+++ b/framework/src/domain/mime/attachmentmodel.h
@@ -56,6 +56,8 @@ public:
    Q_INVOKABLE bool saveAttachmentToDisk(const QModelIndex &parent);
    Q_INVOKABLE bool openAttachment(const QModelIndex &index);
+    Q_INVOKABLE bool importPublicKey(const QModelIndex &index);
 private:
    std::unique_ptr<AttachmentModelPrivate> d;
 };
diff --git a/framework/src/domain/mime/mailcrypto.cpp b/framework/src/domain/mime/mailcrypto.cpp
index 62a71e42..4e20c84b 100644
--- a/framework/src/domain/mime/mailcrypto.cpp
+++ b/framework/src/domain/mime/mailcrypto.cpp
@@ -20,324 +20,28 @@
    02110-1301, USA.
 */
 #include "mailcrypto.h"
-#include <QGpgME/Protocol>
-#include <QGpgME/SignJob>
+#include "framework/src/errors.h"
+#include <QGpgME/DataProvider>
 #include <QGpgME/EncryptJob>
-#include <QGpgME/SignEncryptJob>
+#include <QGpgME/ExportJob>
 #include <QGpgME/ImportFromKeyserverJob>
-#include <gpgme++/global.h>
+#include <QGpgME/Protocol>
-#include <gpgme++/signingresult.h>
+#include <QGpgME/SignEncryptJob>
+#include <QGpgME/SignJob>
+#include <gpgme++/data.h>
 #include <gpgme++/encryptionresult.h>
-#include <gpgme++/keylistresult.h>
+#include <gpgme++/global.h>
 #include <gpgme++/importresult.h>
-#include <QDebug>
+#include <gpgme++/keylistresult.h>
+#include <gpgme++/signingresult.h>
-/*
- * FIXME:
- *
- * This code is WIP.
- * It currently only implements OpenPGPMIMEFormat for signing.
- * All the commented code are intentional leftovers that we can clean-up
- * once all necessary signing mechanisms have been implemented.
- *
- * Creating an ecrypted mail:
- * * get keys (email -> fingreprint -> key)
- * * Use Kleo::OpenPGPMIMEFormat,
- *
- */
-// bool chooseCTE()
-// {
-//     Q_Q(SinglepartJob);
-//     auto allowed = KMime::encodingsForData(data);
-//     if (!q->globalPart()->is8BitAllowed()) {
-//         allowed.removeAll(KMime::Headers::CE8Bit);
-//     }
-// #if 0 //TODO signing
-//     // In the following cases only QP and Base64 are allowed:
-//     // - the buffer will be OpenPGP/MIME signed and it contains trailing
-//     //   whitespace (cf. RFC 3156)
-//     // - a line starts with "From "
-//     if ((willBeSigned && cf.hasTrailingWhitespace()) ||
-//             cf.hasLeadingFrom()) {
-//         ret.removeAll(DwMime::kCte8bit);
-//         ret.removeAll(DwMime::kCte7bit);
-//     }
-// #endif
-//     if (contentTransferEncoding) {
-//         // Specific CTE set.  Check that our data fits in it.
-//         if (!allowed.contains(contentTransferEncoding->encoding())) {
-//             q->setError(JobBase::BugError);
-//             q->setErrorText(i18n("%1 Content-Transfer-Encoding cannot correctly encode this message.",
-//                                  KMime::nameForEncoding(contentTransferEncoding->encoding())));
-//             return false;
-//             // TODO improve error message in case 8bit is requested but not allowed.
-//         }
-//     } else {
-//         // No specific CTE set.  Choose the best one.
-//         Q_ASSERT(!allowed.isEmpty());
-//         contentTransferEncoding = new KMime::Headers::ContentTransferEncoding;
-//         contentTransferEncoding->setEncoding(allowed.first());
-//     }
-//     qCDebug(MESSAGECOMPOSER_LOG) << "Settled on encoding" << KMime::nameForEncoding(contentTransferEncoding->encoding());
-//     return true;
-// }
-KMime::Content *createPart(const QByteArray &encodedBody, const QByteArray &mimeType, const QByteArray &charset)
-{
-    auto resultContent = new KMime::Content;
-    auto contentType = new KMime::Headers::ContentType;
-    contentType->setMimeType(mimeType);
-    contentType->setMimeType(charset);
-    // if (!chooseCTE()) {
-    //     Q_ASSERT(error());
-    //     emitResult();
-    //     return;
-    // }
-    // Set headers.
-    // if (contentDescription) {
-    //     resultContent->setHeader(contentDescription);
-    // }
-    // if (contentDisposition) {
-    //     resultContent->setHeader(contentDisposition);
-    // }
-    // if (contentID) {
-    //     resultContent->setHeader(contentID);
-    // }
-    // Q_ASSERT(contentTransferEncoding);   // chooseCTE() created it if it didn't exist.
-    auto contentTransferEncoding = new KMime::Headers::ContentTransferEncoding;
-    auto allowed = KMime::encodingsForData(encodedBody);
-    Q_ASSERT(!allowed.isEmpty());
-    contentTransferEncoding->setEncoding(allowed.first());
-    resultContent->setHeader(contentTransferEncoding);
-    if (contentType) {
-        resultContent->setHeader(contentType);
-    }
-    // Set data.
-    resultContent->setBody(encodedBody);
-    return resultContent;
-}
-KMime::Content *setBodyAndCTE(QByteArray &encodedBody, KMime::Headers::ContentType *contentType, KMime::Content *ret)
-{
-    // MessageComposer::Composer composer;
-    // MessageComposer::SinglepartJob cteJob(&composer);
-    auto part = createPart(encodedBody, contentType->mimeType(), contentType->charset());
-    part->assemble();
-    // cteJob.contentType()->setMimeType(contentType->mimeType());
-    // cteJob.contentType()->setCharset(contentType->charset());
-    // cteJob.setData(encodedBody);
-    // cteJob.exec();
-    // cteJob.content()->assemble();
-    ret->contentTransferEncoding()->setEncoding(part->contentTransferEncoding()->encoding());
-    ret->setBody(part->encodedBody());
-    return ret;
-}
-void makeToplevelContentType(KMime::Content *content, bool sign, const QByteArray &hashAlgo)
-{
-    //Kleo::CryptoMessageFormat format, 
-    // switch (format) {
-    // default:
-    // case Kleo::InlineOpenPGPFormat:
-    // case Kleo::OpenPGPMIMEFormat:
-        if (sign) {
-            content->contentType()->setMimeType(QByteArrayLiteral("multipart/signed"));
-            content->contentType()->setParameter(QStringLiteral("protocol"), QStringLiteral("application/pgp-signature"));
-            content->contentType()->setParameter(QStringLiteral("micalg"), QString::fromLatin1(QByteArray(QByteArrayLiteral("pgp-") + hashAlgo)).toLower());
-        } else {
-            content->contentType()->setMimeType(QByteArrayLiteral("multipart/encrypted"));
-            content->contentType()->setParameter(QStringLiteral("protocol"), QStringLiteral("application/pgp-encrypted"));
-        }
-        return;
-    // case Kleo::SMIMEFormat:
-    //     if (sign) {
-    //         qCDebug(MESSAGECOMPOSER_LOG) << "setting headers for SMIME";
-    //         content->contentType()->setMimeType(QByteArrayLiteral("multipart/signed"));
-    //         content->contentType()->setParameter(QStringLiteral("protocol"), QString::fromAscii("application/pkcs7-signature"));
-    //         content->contentType()->setParameter(QStringLiteral("micalg"), QString::fromAscii(hashAlgo).toLower());
-    //         return;
-    //     }
-    // // fall through (for encryption, there's no difference between
-    // // SMIME and SMIMEOpaque, since there is no mp/encrypted for
-    // // S/MIME)
-    // case Kleo::SMIMEOpaqueFormat:
-    //     qCDebug(MESSAGECOMPOSER_LOG) << "setting headers for SMIME/opaque";
-    //     content->contentType()->setMimeType(QByteArrayLiteral("application/pkcs7-mime"));
-    //     if (sign) {
-    //         content->contentType()->setParameter(QStringLiteral("smime-type"), QString::fromAscii("signed-data"));
-    //     } else {
-    //         content->contentType()->setParameter(QStringLiteral("smime-type"), QString::fromAscii("enveloped-data"));
-    //     }
-    //     content->contentType()->setParameter(QStringLiteral("name"), QString::fromAscii("smime.p7m"));
-    // }
-}
-void setNestedContentType(KMime::Content *content, bool sign)
-{
-// , Kleo::CryptoMessageFormat format
-    // switch (format) {
-    // case Kleo::OpenPGPMIMEFormat:
-        if (sign) {
-            content->contentType()->setMimeType(QByteArrayLiteral("application/pgp-signature"));
-            content->contentType()->setParameter(QStringLiteral("name"), QString::fromLatin1("signature.asc"));
-            content->contentDescription()->from7BitString("This is a digitally signed message part.");
-        } else {
-            content->contentType()->setMimeType(QByteArrayLiteral("application/octet-stream"));
-        }
-        return;
-    // case Kleo::SMIMEFormat:
-    //     if (sign) {
-    //         content->contentType()->setMimeType(QByteArrayLiteral("application/pkcs7-signature"));
-    //         content->contentType()->setParameter(QStringLiteral("name"), QString::fromAscii("smime.p7s"));
-    //         return;
-    //     }
-    // // fall through:
-    // default:
-    // case Kleo::InlineOpenPGPFormat:
-    // case Kleo::SMIMEOpaqueFormat:
-    //     ;
-    // }
-}
-void setNestedContentDisposition(KMime::Content *content, bool sign)
-{
-// Kleo::CryptoMessageFormat format, 
-    // if (!sign && format & Kleo::OpenPGPMIMEFormat) {
-    if (!sign) {
-        content->contentDisposition()->setDisposition(KMime::Headers::CDinline);
-        content->contentDisposition()->setFilename(QStringLiteral("msg.asc"));
-    // } else if (sign && format & Kleo::SMIMEFormat) {
-    //     content->contentDisposition()->setDisposition(KMime::Headers::CDattachment);
-    //     content->contentDisposition()->setFilename(QStringLiteral("smime.p7s"));
-    }
-}
-// bool MessageComposer::Util::makeMultiMime(Kleo::CryptoMessageFormat format, bool sign)
-// {
-//     switch (format) {
-//     default:
-//     case Kleo::InlineOpenPGPFormat:
-//     case Kleo::SMIMEOpaqueFormat:   return false;
-//     case Kleo::OpenPGPMIMEFormat:   return true;
-//     case Kleo::SMIMEFormat:         return sign; // only on sign - there's no mp/encrypted for S/MIME
-//     }
-// }
-KMime::Content *composeHeadersAndBody(KMime::Content *orig, QByteArray encodedBody, bool sign, const QByteArray &hashAlgo)
-{
-    // Kleo::CryptoMessageFormat format,
-    KMime::Content *result = new KMime::Content;
-    // called should have tested that the signing/encryption failed
-    Q_ASSERT(!encodedBody.isEmpty());
-    // if (!(format & Kleo::InlineOpenPGPFormat)) {    // make a MIME message
-        // qDebug() << "making MIME message, format:" << format;
-        makeToplevelContentType(result, sign, hashAlgo);
-        // if (makeMultiMime(sign)) {      // sign/enc PGPMime, sign SMIME
-        if (true) {      // sign/enc PGPMime, sign SMIME
-            const QByteArray boundary = KMime::multiPartBoundary();
-            result->contentType()->setBoundary(boundary);
-            result->assemble();
-            //qCDebug(MESSAGECOMPOSER_LOG) << "processed header:" << result->head();
-            // Build the encapsulated MIME parts.
-            // Build a MIME part holding the code information
-            // taking the body contents returned in ciphertext.
-            KMime::Content *code = new KMime::Content;
-            setNestedContentType(code, sign);
-            setNestedContentDisposition(code, sign);
-            if (sign) {                           // sign PGPMime, sign SMIME
-                // if (format & Kleo::AnySMIME) {      // sign SMIME
-                //     code->contentTransferEncoding()->setEncoding(KMime::Headers::CEbase64);
-                //     code->contentTransferEncoding()->needToEncode();
-                //     code->setBody(encodedBody);
-                // } else {                            // sign PGPMmime
-                    setBodyAndCTE(encodedBody, orig->contentType(), code);
-                // }
-                result->addContent(orig);
-                result->addContent(code);
-            } else {                              // enc PGPMime
-                setBodyAndCTE(encodedBody, orig->contentType(), code);
-                // Build a MIME part holding the version information
-                // taking the body contents returned in
-                // structuring.data.bodyTextVersion.
-                KMime::Content *vers = new KMime::Content;
-                vers->contentType()->setMimeType("application/pgp-encrypted");
-                vers->contentDisposition()->setDisposition(KMime::Headers::CDattachment);
-                vers->contentTransferEncoding()->setEncoding(KMime::Headers::CE7Bit);
-                vers->setBody("Version: 1");
-                result->addContent(vers);
-                result->addContent(code);
-            }
-        } else {                                //enc SMIME, sign/enc SMIMEOpaque
-            result->contentTransferEncoding()->setEncoding(KMime::Headers::CEbase64);
-            result->contentDisposition()->setDisposition(KMime::Headers::CDattachment);
-            result->contentDisposition()->setFilename(QStringLiteral("smime.p7m"));
-            result->assemble();
-            //qCDebug(MESSAGECOMPOSER_LOG) << "processed header:" << result->head();
-            result->setBody(encodedBody);
-        }
-    // } else {                                  // sign/enc PGPInline
-    //     result->setHead(orig->head());
-    //     result->parse();
-    //     // fixing ContentTransferEncoding
+#include <QDebug>
-    //     setBodyAndCTE(encodedBody, orig->contentType(), result);
-    // }
-    result->assemble();
-    return result;
-}
-// bool binaryHint(Kleo::CryptoMessageFormat f)
+#include <future>
-// {
+#include <utility>
-//     switch (f) {
-//     case Kleo::SMIMEFormat:
-//     case Kleo::SMIMEOpaqueFormat:
-//         return true;
-//     default:
-//     case Kleo::OpenPGPMIMEFormat:
-//     case Kleo::InlineOpenPGPFormat:
-//         return false;
-//     }
-// }
-//
-    // GpgME::SignatureMode signingMode(Kleo::CryptoMessageFormat f)
-    // {
-    //     switch (f) {
-    //     case Kleo::SMIMEOpaqueFormat:
-    //         return GpgME::NormalSignatureMode;
-    //     case Kleo::InlineOpenPGPFormat:
-    //         return GpgME::Clearsigned;
-    //     default:
-    //     case Kleo::SMIMEFormat:
-    //     case Kleo::OpenPGPMIMEFormat:
-    //         return GpgME::Detached;
-    //     }
-    // }
 // replace simple LFs by CRLFs for all MIME supporting CryptPlugs
 // according to RfC 2633, 3.1.1 Canonicalization
@@ -404,63 +108,319 @@ static QByteArray canonicalizeContent(KMime::Content *content)
 }
-KMime::Content *MailCrypto::processCrypto(KMime::Content *content, const std::vector<GpgME::Key> &signingKeys, const std::vector<GpgME::Key> &encryptionKeys, MailCrypto::Protocol protocol)
+/**
+ * Get the given `key` in the armor format.
+ */
+Expected<GpgME::Error, QByteArray> exportPublicKey(const GpgME::Key &key)
 {
-    const QGpgME::Protocol *const proto = protocol == MailCrypto::SMIME ? QGpgME::smime() : QGpgME::openpgp();
+    // Not using the Qt API because it apparently blocks (the `result` signal is never
-    Q_ASSERT(proto);
+    // triggered)
+    std::unique_ptr<GpgME::Context> ctx(GpgME::Context::createForProtocol(GpgME::OpenPGP));
-    auto signingMode = GpgME::Detached;
+    ctx->setArmor(true);
-    bool armor = true;
-    bool textMode = false;
+    QGpgME::QByteArrayDataProvider dp;
-    const bool sign = !signingKeys.empty();
+    GpgME::Data data(&dp);
-    const bool encrypt = !encryptionKeys.empty();
+    qDebug() << "Exporting public key:" << key.shortKeyID();
-    QByteArray resultContent;
+    auto error = ctx->exportPublicKeys(key.keyID(), data);
-    QByteArray hashAlgo;
-    //Trust provided keys and don't check them for validity
+    if (error.code()) {
-    bool alwaysTrust = true;
+        return makeUnexpected(error);
-    if (sign && encrypt) {
-        std::unique_ptr<QGpgME::SignEncryptJob> job(proto->signEncryptJob(armor, textMode));
-        const auto res = job->exec(signingKeys, encryptionKeys, canonicalizeContent(content), alwaysTrust, resultContent);
-        if (res.first.error().code()) {
-            qWarning() << "Signing failed:" << res.first.error().asString();
-            return nullptr;
-        } else {
-            hashAlgo = res.first.createdSignature(0).hashAlgorithmAsString();
-        }
-        if (res.second.error().code()) {
-            qWarning() << "Encryption failed:" << res.second.error().asString();
-            return nullptr;
-        }
-    } else if (sign) {
-        std::unique_ptr<QGpgME::SignJob> job(proto->signJob(armor, textMode));
-        auto result = job->exec(signingKeys, canonicalizeContent(content), signingMode, resultContent);
-        if (result.error().code()) {
-            qWarning() << "Signing failed:" << result.error().asString();
-            return nullptr;
-        }
-        hashAlgo = result.createdSignature(0).hashAlgorithmAsString();
-    } else if (encrypt) {
-        std::unique_ptr<QGpgME::EncryptJob> job(proto->encryptJob(armor, textMode));
-        const auto result = job->exec(encryptionKeys, canonicalizeContent(content), alwaysTrust, resultContent);
-        if (result.error().code()) {
-            qWarning() << "Encryption failed:" << result.error().asString();
-            return nullptr;
-        }
-        hashAlgo = "pgp-sha1";
-    } else {
-        qWarning() << "Not signing or encrypting";
-        return nullptr;
    }
-    return composeHeadersAndBody(content, resultContent, sign, hashAlgo);
+    return dp.data();
 }
-KMime::Content *MailCrypto::sign(KMime::Content *content, const std::vector<GpgME::Key> &signers)
+/**
+ * Create an Email with `msg` as a body and `key` as an attachment.
+ *
+ * Will create the given structure:
+ *
+ * + `multipart/mixed`
+ *   - the given `msg`
+ *   - `application/pgp-keys` (the given `key` as attachment)
+ *
+ * Used by the `createSignedEmail` and `createEncryptedEmail` functions.
+ */
+Expected<GpgME::Error, std::unique_ptr<KMime::Content>>
+appendPublicKey(std::unique_ptr<KMime::Content> msg, const GpgME::Key &key)
 {
-    return processCrypto(content, signers, {}, OPENPGP);
+    const auto publicKeyExportResult = exportPublicKey(key);
+    if (!publicKeyExportResult) {
+        // "Could not export public key"
+        return makeUnexpected(publicKeyExportResult.error());
+    }
+    const auto publicKeyData = publicKeyExportResult.value();
+    auto result = std::unique_ptr<KMime::Content>(new KMime::Content);
+    result->contentType()->setMimeType("multipart/mixed");
+    result->contentType()->setBoundary(KMime::multiPartBoundary());
+    KMime::Content *keyAttachment = new KMime::Content;
+    {
+        keyAttachment->contentType()->setMimeType("application/pgp-keys");
+        keyAttachment->contentDisposition()->setDisposition(KMime::Headers::CDattachment);
+        keyAttachment->contentDisposition()->setFilename(QString("0x") + key.shortKeyID() + ".asc");
+        keyAttachment->setBody(publicKeyData);
+    }
+    msg->assemble();
+    result->addContent(msg.release());
+    result->addContent(keyAttachment);
+    result->assemble();
+    return result;
 }
+Expected<GpgME::Error, QByteArray> encrypt(const QByteArray &content, const std::vector<GpgME::Key> &encryptionKeys)
+{
+    QByteArray resultData;
+    const QGpgME::Protocol *const proto = QGpgME::openpgp();
+    std::unique_ptr<QGpgME::EncryptJob> job(proto->encryptJob(/* armor = */ true));
+    const auto result = job->exec(encryptionKeys, content, /* alwaysTrust = */ true, resultData);
+    if (result.error().code()) {
+        qWarning() << "Encryption failed:" << result.error().asString();
+        return makeUnexpected(result.error());
+    }
+    return resultData;
+}
+Expected<GpgME::Error, QByteArray> signAndEncrypt(const QByteArray &content,
+    const std::vector<GpgME::Key> &signingKeys, const std::vector<GpgME::Key> &encryptionKeys)
+{
+    QByteArray resultData;
+    const QGpgME::Protocol *const proto = QGpgME::openpgp();
+    std::unique_ptr<QGpgME::SignEncryptJob> job(proto->signEncryptJob(/* armor = */ true));
+    const auto result = job->exec(signingKeys, encryptionKeys, content, /* alwaysTrust = */ true, resultData);
+    if (result.first.error().code()) {
+        qWarning() << "Signing failed:" << result.first.error().asString();
+        return makeUnexpected(result.first.error());
+    }
+    if (result.second.error().code()) {
+        qWarning() << "Encryption failed:" << result.second.error().asString();
+        return makeUnexpected(result.second.error());
+    }
+    return resultData;
+}
+/**
+ * Create a message part like this (according to RFC 3156 Section 4):
+ *
+ * - multipart/encrypted
+ *   - application/pgp-encrypted (version information)
+ *   - application/octet-stream (given encrypted data)
+ *
+ * Should not be used directly since the public key should be attached, hence
+ * the `createEncryptedEmail` function.
+ *
+ * The encrypted data can be generated by the `encrypt` or `signAndEncrypt` functions.
+ */
+std::unique_ptr<KMime::Content> createEncryptedPart(QByteArray encryptedData)
+{
+    auto result = std::unique_ptr<KMime::Content>(new KMime::Content);
+    result->contentType()->setMimeType("multipart/encrypted");
+    result->contentType()->setBoundary(KMime::multiPartBoundary());
+    result->contentType()->setParameter("protocol", "application/pgp-encrypted");
+    KMime::Content *controlInformation = new KMime::Content;
+    {
+        controlInformation->contentType()->setMimeType("application/pgp-encrypted");
+        controlInformation->contentDescription()->from7BitString("PGP/MIME version identification");
+        controlInformation->setBody("Version: 1");
+        result->addContent(controlInformation);
+    }
+    KMime::Content *encryptedPartPart = new KMime::Content;
+    {
+        const QString filename = "msg.asc";
+        encryptedPartPart->contentType()->setMimeType("application/octet-stream");
+        encryptedPartPart->contentType()->setName(filename, "utf-8");
+        encryptedPartPart->contentDescription()->from7BitString("OpenPGP encrypted message");
+        encryptedPartPart->contentDisposition()->setDisposition(KMime::Headers::CDinline);
+        encryptedPartPart->contentDisposition()->setFilename(filename);
+        encryptedPartPart->setBody(encryptedData);
+        result->addContent(encryptedPartPart);
+    }
+    return result;
+}
+/**
+ * Create an encrypted (optionally signed) email with a public key attached to it.
+ *
+ * Will create a message like this:
+ *
+ * + `multipart/mixed`
+ *   - `multipart/encrypted`
+ *     + `application/pgp-encrypted
+ *     + `application/octet-stream` (a generated encrypted version of the original message)
+ *   - `application/pgp-keys` (the public key as attachment, which is the first of the
+ *     `signingKeys`)
+ */
+Expected<GpgME::Error, std::unique_ptr<KMime::Content>>
+createEncryptedEmail(KMime::Content *content, const std::vector<GpgME::Key> &encryptionKeys,
+    const GpgME::Key &attachedKey, const std::vector<GpgME::Key> &signingKeys = {})
+{
+    auto contentToEncrypt = canonicalizeContent(content);
+    auto encryptionResult = signingKeys.empty() ?
+                                encrypt(contentToEncrypt, encryptionKeys) :
+                                signAndEncrypt(contentToEncrypt, signingKeys, encryptionKeys);
+    if (!encryptionResult) {
+        return makeUnexpected(encryptionResult.error());
+    }
+    auto encryptedPart = createEncryptedPart(encryptionResult.value());
+    auto publicKeyAppendResult = appendPublicKey(std::move(encryptedPart), attachedKey);
+    if(publicKeyAppendResult) {
+        publicKeyAppendResult.value()->assemble();
+    }
+    return publicKeyAppendResult;
+}
+/**
+ * Sign the given content and returns the signing data and the algorithm used
+ * for integrity check in the "pgp-<algorithm>" format.
+ */
+Expected<GpgME::Error, std::pair<QByteArray, QString>>
+sign(const QByteArray &content, const std::vector<GpgME::Key> &signingKeys)
+{
+    QByteArray resultData;
+    const QGpgME::Protocol *const proto = QGpgME::openpgp();
+    std::unique_ptr<QGpgME::SignJob> job(proto->signJob(/* armor = */ true));
+    const auto result = job->exec(signingKeys, content, GpgME::Detached, resultData);
+    if (result.error().code()) {
+        qWarning() << "Signing failed:" << result.error().asString();
+        return makeUnexpected(result.error());
+    }
+    auto algo = result.createdSignature(0).hashAlgorithmAsString();
+    // RFC 3156 Section 5:
+    // Hash-symbols are constructed [...] by converting the text name to lower
+    // case and prefixing it with the four characters "pgp-".
+    auto micAlg = (QString("pgp-") + algo).toLower();
+    return std::pair<QByteArray, QString>{resultData, micAlg};
+}
+/**
+ * Create a message part like this (according to RFC 3156 Section 5):
+ *
+ * + `multipart/signed`
+ *   - whatever the given original `message` is (should be canonicalized)
+ *   - `application/octet-stream` (the given `signature`)
+ *
+ * Should not be used directly since the public key should be attached, hence
+ * the `createSignedEmail` function.
+ *
+ * The signature can be generated by the `sign` function.
+ */
+std::unique_ptr<KMime::Content> createSignedPart(
+    std::unique_ptr<KMime::Content> message, const QByteArray &signature, const QString &micAlg)
+{
+    auto result = std::unique_ptr<KMime::Content>(new KMime::Content);
+    result->contentType()->setMimeType("multipart/signed");
+    result->contentType()->setBoundary(KMime::multiPartBoundary());
+    result->contentType()->setParameter("micalg", micAlg);
+    result->contentType()->setParameter("protocol", "application/pgp-signature");
+    result->addContent(message.release());
+    KMime::Content *signedPartPart = new KMime::Content;
+    {
+        signedPartPart->contentType()->setMimeType("application/pgp-signature");
+        signedPartPart->contentType()->setName("signature.asc", "utf-8");
+        signedPartPart->contentDescription()->from7BitString(
+            "This is a digitally signed message part");
+        signedPartPart->setBody(signature);
+        result->addContent(signedPartPart);
+    }
+    return result;
+}
+/**
+ * Create a signed email with a public key attached to it.
+ *
+ * Will create a message like this:
+ *
+ * + `multipart/mixed`
+ *   - `multipart/signed`
+ *     + whatever the given original `content` is (should not be canonalized)
+ *     + `application/octet-stream` (a generated signature of the original message)
+ *   - `application/pgp-keys` (the public key as attachment, which is the first of the
+ *     `signingKeys`)
+ */
+Expected<GpgME::Error, std::unique_ptr<KMime::Content>>
+createSignedEmail(std::unique_ptr<KMime::Content> content,
+    const std::vector<GpgME::Key> &signingKeys, const GpgME::Key &attachedKey)
+{
+    Q_ASSERT(!signingKeys.empty());
+    auto contentToSign = canonicalizeContent(content.get());
+    auto signingResult = sign(contentToSign, signingKeys);
+    if (!signingResult) {
+        return makeUnexpected(signingResult.error());
+    }
+    QByteArray signingData;
+    QString micAlg;
+    std::tie(signingData, micAlg) = signingResult.value();
+    auto signedPart = createSignedPart(std::move(content), signingData, micAlg);
+    auto publicKeyAppendResult = appendPublicKey(std::move(signedPart), attachedKey);
+    if (publicKeyAppendResult) {
+        publicKeyAppendResult.value()->assemble();
+    }
+    return publicKeyAppendResult;
+}
+Expected<GpgME::Error, std::unique_ptr<KMime::Content>>
+MailCrypto::processCrypto(std::unique_ptr<KMime::Content> content, const std::vector<GpgME::Key> &signingKeys,
+    const std::vector<GpgME::Key> &encryptionKeys, const GpgME::Key &attachedKey)
+{
+    if (!encryptionKeys.empty()) {
+        return createEncryptedEmail(content.release(), encryptionKeys, attachedKey, signingKeys);
+    } else if (!signingKeys.empty()) {
+        return createSignedEmail(std::move(content), signingKeys, signingKeys[0]);
+    } else {
+        qWarning() << "Processing cryptography, but neither signing nor encrypting";
+        return content;
+    }
+}
 void MailCrypto::importKeys(const std::vector<GpgME::Key> &keys)
 {
@@ -470,7 +430,7 @@ void MailCrypto::importKeys(const std::vector<GpgME::Key> &keys)
    job->exec(keys);
 }
-static GpgME::KeyListResult listKeys(GpgME::Protocol protocol, const QStringList &patterns, bool secretOnly, int keyListMode, std::vector<GpgME::Key> &keys)
+static GpgME::KeyListResult listKeys(const QStringList &patterns, bool secretOnly, int keyListMode, std::vector<GpgME::Key> &keys)
 {
    QByteArrayList list;
    std::transform(patterns.constBegin(), patterns.constEnd(), std::back_inserter(list), [] (const QString &s) { return s.toUtf8(); });
@@ -479,7 +439,7 @@ static GpgME::KeyListResult listKeys(GpgME::Protocol protocol, const QStringList
    pattern.push_back(0);
    GpgME::initializeLibrary();
-    auto ctx = QSharedPointer<GpgME::Context>{GpgME::Context::createForProtocol(protocol)};
+    auto ctx = QSharedPointer<GpgME::Context>{GpgME::Context::createForProtocol(GpgME::OpenPGP)};
    ctx->setKeyListMode(keyListMode);
    if (const GpgME::Error err = ctx->startKeyListing(pattern.data(), secretOnly)) {
        return GpgME::KeyListResult(0, err);
@@ -497,10 +457,10 @@ static GpgME::KeyListResult listKeys(GpgME::Protocol protocol, const QStringList
    return result;
 }
-std::vector<GpgME::Key> MailCrypto::findKeys(const QStringList &filter, bool findPrivate, bool remote, Protocol protocol)
+std::vector<GpgME::Key> MailCrypto::findKeys(const QStringList &filter, bool findPrivate, bool remote)
 {
    std::vector<GpgME::Key> keys;
-    GpgME::KeyListResult res = listKeys(protocol == SMIME ? GpgME::CMS : GpgME::OpenPGP, filter, findPrivate, remote ? GpgME::Extern : GpgME::Local, keys);
+    GpgME::KeyListResult res = listKeys(filter, findPrivate, remote ? GpgME::Extern : GpgME::Local, keys);
    if (res.error()) {
        qWarning() << "Failed to lookup keys: " << res.error().asString();
        return keys;
@@ -517,4 +477,3 @@ std::vector<GpgME::Key> MailCrypto::findKeys(const QStringList &filter, bool fin
    return keys;
 }
diff --git a/framework/src/domain/mime/mailcrypto.h b/framework/src/domain/mime/mailcrypto.h
index 0a6c2f4c..832f68ec 100644
--- a/framework/src/domain/mime/mailcrypto.h
+++ b/framework/src/domain/mime/mailcrypto.h
@@ -19,19 +19,24 @@
 #pragma once
-#include <QByteArray>
+#include "framework/src/errors.h"
 #include <KMime/Message>
 #include <gpgme++/key.h>
+#include <QByteArray>
 #include <functional>
+#include <memory>
+namespace MailCrypto {
+Expected<GpgME::Error, std::unique_ptr<KMime::Content>>
+processCrypto(std::unique_ptr<KMime::Content> content, const std::vector<GpgME::Key> &signingKeys,
+    const std::vector<GpgME::Key> &encryptionKeys, const GpgME::Key &attachedKey);
+std::vector<GpgME::Key> findKeys(const QStringList &filter, bool findPrivate = false, bool remote = false);
+void importKeys(const std::vector<GpgME::Key> &keys);
-namespace MailCrypto
+}; // namespace MailCrypto
-{
-    enum Protocol {
-        OPENPGP,
-        SMIME
-    };
-    KMime::Content *processCrypto(KMime::Content *content, const std::vector<GpgME::Key> &signingKeys, const std::vector<GpgME::Key> &encryptionKeys, MailCrypto::Protocol protocol);
-    KMime::Content *sign(KMime::Content *content, const std::vector<GpgME::Key> &signers);
-    std::vector<GpgME::Key> findKeys(const QStringList &filter, bool findPrivate = false, bool remote = false, Protocol protocol = OPENPGP);
-    void importKeys(const std::vector<GpgME::Key> &keys);
-};
diff --git a/framework/src/domain/mime/mailtemplates.cpp b/framework/src/domain/mime/mailtemplates.cpp
index 30f9a48d..997eb3ae 100644
--- a/framework/src/domain/mime/mailtemplates.cpp
+++ b/framework/src/domain/mime/mailtemplates.cpp
@@ -1025,7 +1025,11 @@ static KMime::Types::Mailbox::List stringListToMailboxes(const QStringList &list
    return mailboxes;
 }
-KMime::Message::Ptr MailTemplates::createMessage(KMime::Message::Ptr existingMessage, const QStringList &to, const QStringList &cc, const QStringList &bcc, const KMime::Types::Mailbox &from, const QString &subject, const QString &body, bool htmlBody, const QList<Attachment> &attachments, const std::vector<GpgME::Key> &signingKeys, const std::vector<GpgME::Key> &encryptionKeys)
+KMime::Message::Ptr MailTemplates::createMessage(KMime::Message::Ptr existingMessage,
+    const QStringList &to, const QStringList &cc, const QStringList &bcc,
+    const KMime::Types::Mailbox &from, const QString &subject, const QString &body, bool htmlBody,
+    const QList<Attachment> &attachments, const std::vector<GpgME::Key> &signingKeys,
+    const std::vector<GpgME::Key> &encryptionKeys, const GpgME::Key &attachedKey)
 {
    auto mail = existingMessage;
    if (!mail) {
@@ -1089,12 +1093,12 @@ KMime::Message::Ptr MailTemplates::createMessage(KMime::Message::Ptr existingMes
    QByteArray bodyData;
    if (!signingKeys.empty() || !encryptionKeys.empty()) {
-        auto result = MailCrypto::processCrypto(bodyPart.get(), signingKeys, encryptionKeys, MailCrypto::OPENPGP);
+        auto result = MailCrypto::processCrypto(std::move(bodyPart), signingKeys, encryptionKeys, attachedKey);
        if (!result) {
-            qWarning() << "Signing failed";
+            qWarning() << "Crypto failed";
            return {};
        }
-        bodyData = result->encodedContent();
+        bodyData = result.value()->encodedContent();
    } else {
        if (!bodyPart->contentType(false)) {
            bodyPart->contentType(true)->setMimeType("text/plain");
diff --git a/framework/src/domain/mime/mailtemplates.h b/framework/src/domain/mime/mailtemplates.h
index 9447e169..154b76a2 100644
--- a/framework/src/domain/mime/mailtemplates.h
+++ b/framework/src/domain/mime/mailtemplates.h
@@ -38,5 +38,5 @@ namespace MailTemplates
    void forward(const KMime::Message::Ptr &origMsg, const std::function<void(const KMime::Message::Ptr &result)> &callback);
    QString plaintextContent(const KMime::Message::Ptr &origMsg);
    QString body(const KMime::Message::Ptr &msg, bool &isHtml);
-    KMime::Message::Ptr createMessage(KMime::Message::Ptr existingMessage, const QStringList &to, const QStringList &cc, const QStringList &bcc, const KMime::Types::Mailbox &from, const QString &subject, const QString &body, bool htmlBody, const QList<Attachment> &attachments, const std::vector<GpgME::Key> &signingKeys = {}, const std::vector<GpgME::Key> &encryptionKeys = {});
+    KMime::Message::Ptr createMessage(KMime::Message::Ptr existingMessage, const QStringList &to, const QStringList &cc, const QStringList &bcc, const KMime::Types::Mailbox &from, const QString &subject, const QString &body, bool htmlBody, const QList<Attachment> &attachments, const std::vector<GpgME::Key> &signingKeys = {}, const std::vector<GpgME::Key> &encryptionKeys = {}, const GpgME::Key &attachedKey = {});
 };
diff --git a/framework/src/domain/mime/tests/mailtemplatetest.cpp b/framework/src/domain/mime/tests/mailtemplatetest.cpp
index 6338cd58..d5642bb6 100644
--- a/framework/src/domain/mime/tests/mailtemplatetest.cpp
+++ b/framework/src/domain/mime/tests/mailtemplatetest.cpp
@@ -31,16 +31,16 @@ static std::vector< GpgME::Key, std::allocator< GpgME::Key > > getKeys(bool smim
    if (smime) {
        const QGpgME::Protocol *const backend = QGpgME::smime();
        Q_ASSERT(backend);
-        job = backend->keyListJob(false);
+        job = backend->keyListJob(/* remote = */ false);
    } else {
        const QGpgME::Protocol *const backend = QGpgME::openpgp();
        Q_ASSERT(backend);
-        job = backend->keyListJob(false);
+        job = backend->keyListJob(/* remote = */ false);
    }
    Q_ASSERT(job);
    std::vector< GpgME::Key > keys;
-    GpgME::KeyListResult res = job->exec(QStringList(), true, keys);
+    GpgME::KeyListResult res = job->exec(QStringList(), /* secretOnly = */ true, keys);
    if (!smime) {
        Q_ASSERT(keys.size() == 3);
@@ -401,7 +401,7 @@ private slots:
        std::vector<GpgME::Key> keys = getKeys();
-        auto result = MailTemplates::createMessage({}, to, cc, bcc, from, subject, body, false, attachments, keys);
+        auto result = MailTemplates::createMessage({}, to, cc, bcc, from, subject, body, false, attachments, keys, {}, keys[0]);
        QVERIFY(result);
        // qWarning() << "---------------------------------";
@@ -409,9 +409,17 @@ private slots:
        // qWarning() << "---------------------------------";
        QCOMPARE(result->subject()->asUnicodeString(), subject);
        QVERIFY(result->date(false)->dateTime().isValid());
-        QVERIFY(result->contentType()->isMimeType("multipart/signed"));
-        const auto contents = result->contents();
+        QCOMPARE(result->contentType()->mimeType(), "multipart/mixed");
+        auto resultAttachments = result->attachments();
+        QCOMPARE(resultAttachments.size(), 1);
+        QCOMPARE(resultAttachments[0]->contentDisposition()->filename(), "0x8F246DE6.asc");
+        auto signedMessage = result->contents()[0];
+        QVERIFY(signedMessage->contentType()->isMimeType("multipart/signed"));
+        const auto contents = signedMessage->contents();
        QCOMPARE(contents.size(), 2);
        {
            auto c = contents.at(0);
@@ -441,9 +449,19 @@ private slots:
        QVERIFY(result);
        QCOMPARE(result->subject()->asUnicodeString(), subject);
        QVERIFY(result->date(false)->dateTime().isValid());
-        QVERIFY(result->contentType()->isMimeType("multipart/signed"));
-        const auto contents = result->contents();
+        QCOMPARE(result->contentType()->mimeType(), "multipart/mixed");
+        auto resultAttachments = result->attachments();
+        QCOMPARE(resultAttachments.size(), 3);
+        // It seems KMime searches for the attachments using depth-first
+        // search, so the public key is last
+        QCOMPARE(resultAttachments[2]->contentDisposition()->filename(), "0x8F246DE6.asc");
+        auto signedMessage = result->contents()[0];
+        QVERIFY(signedMessage->contentType()->isMimeType("multipart/signed"));
+        const auto contents = signedMessage->contents();
        QCOMPARE(contents.size(), 2);
        {
            auto c = contents.at(0);
diff --git a/framework/src/errors.h b/framework/src/errors.h
new file mode 100644
index 00000000..4249cf8d
--- /dev/null
+++ b/framework/src/errors.h
@@ -0,0 +1,308 @@
+/*
+    Copyright (c) 2018 Christian Mollekopf <mollekopf@kolabsys.com>
+    This library is free software; you can redistribute it and/or modify it
+    under the terms of the GNU Library General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or (at your
+    option) any later version.
+    This library is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+    FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+    License for more details.
+    You should have received a copy of the GNU Library General Public License
+    along with this library; see the file COPYING.LIB.  If not, write to the
+    Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+    02110-1301, USA.
+*/
+#pragma once
+#include <memory>
+#include <type_traits>
+#include <utility>
+#include <QtGlobal>
+// A somewhat implementation of the expected monad, proposed here:
+// https://isocpp.org/files/papers/n4015.pdf
+// A class used to differentiate errors and values when they are of the same type.
+template <typename Error>
+class Unexpected
+{
+    static_assert(!std::is_same<Error, void>::value, "Cannot have an Unexpected void");
+public:
+    Unexpected() = delete;
+    constexpr explicit Unexpected(const Error &error) : mValue(error) {}
+    constexpr explicit Unexpected(Error &&error) : mValue(std::move(error)) {}
+    // For implicit conversions when doing makeUnexpected(other)
+    template <typename Other>
+    constexpr explicit Unexpected(const Unexpected<Other> &error) : mValue(error.value())
+    {
+    }
+    template <typename Other>
+    constexpr explicit Unexpected(Unexpected<Other> &&error) : mValue(std::move(error.value()))
+    {
+    }
+    constexpr const Error &value() const &
+    {
+        return mValue;
+    }
+    Error &value() &
+    {
+        return mValue;
+    }
+    constexpr const Error &&value() const &&
+    {
+        return std::move(mValue);
+    }
+    Error &&value() &&
+    {
+        return std::move(mValue);
+    }
+private:
+    Error mValue;
+};
+template <class Error>
+Unexpected<typename std::decay<Error>::type> makeUnexpected(Error &&e)
+{
+    return Unexpected<typename std::decay<Error>::type>(std::forward<Error>(e));
+}
+template <typename Error>
+bool operator==(const Unexpected<Error> &lhs, const Unexpected<Error> &rhs)
+{
+    return lhs.value() == rhs.value();
+}
+template <typename Error>
+bool operator!=(const Unexpected<Error> &lhs, const Unexpected<Error> &rhs)
+{
+    return lhs.value() != rhs.value();
+}
+namespace detail {
+namespace tags {
+struct Expected
+{};
+struct Unexpected
+{};
+} // namespace tags
+// Write functions here when storage related and when Type != void
+template <typename Error, typename Type>
+struct StorageBase
+{
+protected:
+    // Rule of 5 {{{
+    StorageBase(const StorageBase &other) : mIsValue(other.mIsValue)
+    {
+        // This is a constructor, you have to construct object, not assign them
+        // (hence the placement new)
+        //
+        // Here's the problem:
+        //
+        // Object that are part of a union are not initialized (which is
+        // normal). If we replaced the placement new by a line like this:
+        //
+        // ```
+        // mValue = other.mValue;
+        // ```
+        //
+        // If overloaded, this will call `mValue.operator=(other.mValue);`, but
+        // since we're in the constructor, mValue is not initialized. This can
+        // cause big issues if `Type` / `Error` is not trivially (move)
+        // assignable.
+        //
+        // And so, the placement new allows us to call the constructor of
+        // `Type` or `Error` instead of its assignment operator.
+        if (mIsValue) {
+            new (std::addressof(mValue)) Type(other.mValue);
+        } else {
+            new (std::addressof(mError)) Unexpected<Error>(other.mError);
+        }
+    }
+    StorageBase(StorageBase &&other) : mIsValue(other.mIsValue)
+    {
+        // If you're thinking WTF, see the comment in the copy constructor above.
+        if (mIsValue) {
+            new (std::addressof(mValue)) Type(std::move(other.mValue));
+        } else {
+            new (std::addressof(mError)) Unexpected<Error>(std::move(other.mError));
+        }
+    }
+    constexpr StorageBase &operator=(const StorageBase &other)
+    {
+        mIsValue = other.mIsValue;
+        if (mIsValue) {
+            mValue = other.mValue;
+        } else {
+            mError = other.mError;
+        }
+        return *this;
+    }
+    constexpr StorageBase &operator=(StorageBase &&other)
+    {
+        this->~StorageBase();
+        mIsValue = other.mIsValue;
+        if (mIsValue) {
+            mValue = std::move(other.mValue);
+        } else {
+            mError = std::move(other.mError);
+        }
+        return *this;
+    }
+    ~StorageBase()
+    {
+        if (mIsValue) {
+            mValue.~Type();
+        } else {
+            mError.~Unexpected<Error>();
+        }
+    }
+    // }}}
+    template <typename... Args>
+    constexpr StorageBase(tags::Expected, Args &&... args)
+        : mValue(std::forward<Args>(args)...), mIsValue(true)
+    {
+    }
+    template <typename... Args>
+    constexpr StorageBase(tags::Unexpected, Args &&... args)
+        : mError(std::forward<Args>(args)...), mIsValue(false)
+    {
+    }
+    union
+    {
+        Unexpected<Error> mError;
+        Type mValue;
+    };
+    bool mIsValue;
+};
+// Write functions here when storage related and when Type == void
+template <typename Error>
+struct StorageBase<Error, void>
+{
+protected:
+    constexpr StorageBase(tags::Expected) : mIsValue(true) {}
+    template <typename... Args>
+    constexpr StorageBase(tags::Unexpected, Args &&... args)
+        : mError(std::forward<Args>(args)...), mIsValue(false)
+    {
+    }
+    Unexpected<Error> mError;
+    bool mIsValue;
+};
+// Write functions here when storage related, whether Type is void or not
+template <typename Error, typename Type>
+struct Storage : StorageBase<Error, Type>
+{
+protected:
+    // Forward the construction to StorageBase
+    using StorageBase<Error, Type>::StorageBase;
+};
+// Write functions here when dev API related and when Type != void
+template <typename Error, typename Type>
+struct ExpectedBase : detail::Storage<Error, Type>
+{
+    constexpr ExpectedBase() : detail::Storage<Error, Type>(detail::tags::Expected{}) {}
+    template <typename OtherError>
+    constexpr ExpectedBase(const Unexpected<OtherError> &error)
+        : detail::Storage<Error, Type>(detail::tags::Unexpected{}, error)
+    {
+    }
+    template <typename OtherError>
+    constexpr ExpectedBase(Unexpected<OtherError> &&error)
+        : detail::Storage<Error, Type>(detail::tags::Unexpected{}, std::move(error))
+    {
+    }
+    constexpr ExpectedBase(const Type &value)
+        : detail::Storage<Error, Type>(detail::tags::Expected{}, value)
+    {
+    }
+    constexpr ExpectedBase(Type &&value)
+        : detail::Storage<Error, Type>(detail::tags::Expected{}, std::move(value))
+    {
+    }
+    // Warning: will crash if this is an error. You should always check this is
+    // an expected value before calling `.value()`
+    constexpr const Type &value() const &
+    {
+        Q_ASSERT(this->mIsValue);
+        return this->mValue;
+    }
+    Type &&value() &&
+    {
+        Q_ASSERT(this->mIsValue);
+        return std::move(this->mValue);
+    }
+};
+// Write functions here when dev API related and when Type == void
+template <typename Error>
+struct ExpectedBase<Error, void> : detail::Storage<Error, void>
+{
+    // Rewrite constructors for unexpected because Expected doesn't have direct access to it.
+    template <typename OtherError>
+    constexpr ExpectedBase(const Unexpected<OtherError> &error)
+        : detail::Storage<Error, void>(detail::tags::Unexpected{}, error)
+    {
+    }
+    template <typename OtherError>
+    constexpr ExpectedBase(Unexpected<OtherError> &&error)
+        : detail::Storage<Error, void>(detail::tags::Unexpected{}, std::move(error))
+    {
+    }
+};
+} // namespace detail
+// Write functions here when dev API related, whether Type is void or not
+template <typename Error, typename Type = void>
+class Expected : public detail::ExpectedBase<Error, Type>
+{
+    static_assert(!std::is_same<Error, void>::value, "Expected with void Error is not implemented");
+public:
+    using detail::ExpectedBase<Error, Type>::ExpectedBase;
+    constexpr const Error &error() const &
+    {
+        return this->mError.value();
+    }
+    constexpr bool isValue() const
+    {
+        return this->mIsValue;
+    }
+    constexpr explicit operator bool() const
+    {
+        return this->mIsValue;
+    }
+};
diff --git a/icons/breeze/icons/actions/22/view-certificate-import-inverted.svg b/icons/breeze/icons/actions/22/view-certificate-import-inverted.svg
new file mode 100644
index 00000000..ff539ffc
--- /dev/null
+++ b/icons/breeze/icons/actions/22/view-certificate-import-inverted.svg
@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 22 22">
+  <defs id="defs3051">
+    <style type="text/css" id="current-color-scheme">
+      .ColorScheme-Text {
+        color:#f2f2f2;
+      }
+      </style>
+  </defs>
+ <path 
+    style="fill:currentColor;fill-opacity:1;stroke:none" 
+    d="M 3 5 L 3 17 L 13 17 L 13 16 L 4 16 L 4 6 L 18 6 L 18 11 L 19 11 L 19 5 L 3 5 z M 7.5 7 C 6.669 7 6 7.669 6 8.5 L 6 10 L 5 10 L 5 13 L 10 13 L 10 10 L 9 10 L 9 8.5 C 9 7.669 8.331 7 7.5 7 z M 7.5 8 C 7.777 8 8 8.223 8 8.5 L 8 10 L 7 10 L 7 8.5 C 7 8.223 7.223 8 7.5 8 z M 11 8 L 11 9 L 17 9 L 17 8 L 11 8 z M 11 10 L 11 11 L 16 11 L 16 10 L 11 10 z M 11 12 L 11 13 L 15 13 L 15 12 L 11 12 z M 17.5 12 L 14.707031 14.792969 L 14 15.5 L 14.707031 16.207031 L 17.5 19 L 18.207031 18.292969 L 15.914062 16 L 21 16 L 21 15 L 20.207031 15 L 15.914062 15 L 18.207031 12.707031 L 17.5 12 z "
+        class="ColorScheme-Text"
+    />  
+</svg>
diff --git a/icons/breeze/icons/actions/22/view-certificate-import.svg b/icons/breeze/icons/actions/22/view-certificate-import.svg
new file mode 100644
index 00000000..ec5250cc
--- /dev/null
+++ b/icons/breeze/icons/actions/22/view-certificate-import.svg
@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 22 22">
+  <defs id="defs3051">
+    <style type="text/css" id="current-color-scheme">
+      .ColorScheme-Text {
+        color:#4d4d4d;
+      }
+      </style>
+  </defs>
+ <path 
+    style="fill:currentColor;fill-opacity:1;stroke:none" 
+    d="M 3 5 L 3 17 L 13 17 L 13 16 L 4 16 L 4 6 L 18 6 L 18 11 L 19 11 L 19 5 L 3 5 z M 7.5 7 C 6.669 7 6 7.669 6 8.5 L 6 10 L 5 10 L 5 13 L 10 13 L 10 10 L 9 10 L 9 8.5 C 9 7.669 8.331 7 7.5 7 z M 7.5 8 C 7.777 8 8 8.223 8 8.5 L 8 10 L 7 10 L 7 8.5 C 7 8.223 7.223 8 7.5 8 z M 11 8 L 11 9 L 17 9 L 17 8 L 11 8 z M 11 10 L 11 11 L 16 11 L 16 10 L 11 10 z M 11 12 L 11 13 L 15 13 L 15 12 L 11 12 z M 17.5 12 L 14.707031 14.792969 L 14 15.5 L 14.707031 16.207031 L 17.5 19 L 18.207031 18.292969 L 15.914062 16 L 21 16 L 21 15 L 20.207031 15 L 15.914062 15 L 18.207031 12.707031 L 17.5 12 z "
+        class="ColorScheme-Text"
+    />  
+</svg>
diff --git a/icons/breeze/icons/actions/24/view-certificate-import-inverted.svg b/icons/breeze/icons/actions/24/view-certificate-import-inverted.svg
new file mode 100644
index 00000000..e0691d6d
--- /dev/null
+++ b/icons/breeze/icons/actions/24/view-certificate-import-inverted.svg
@@ -0,0 +1,13 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
+  <defs id="defs3051">
+    <style type="text/css" id="current-color-scheme">
+      .ColorScheme-Text {
+        color:#f2f2f2;
+      }
+      </style>
+  </defs>
+ <path style="fill:currentColor;fill-opacity:1;stroke:none" 
+     d="M 4 6 L 4 18 L 14 18 L 14 17 L 5 17 L 5 7 L 19 7 L 19 12 L 20 12 L 20 6 L 4 6 z M 8.5 8 C 7.669 8 7 8.669 7 9.5 L 7 11 L 6 11 L 6 14 L 11 14 L 11 11 L 10 11 L 10 9.5 C 10 8.669 9.331 8 8.5 8 z M 8.5 9 C 8.777 9 9 9.223 9 9.5 L 9 11 L 8 11 L 8 9.5 C 8 9.223 8.223 9 8.5 9 z M 12 9 L 12 10 L 18 10 L 18 9 L 12 9 z M 12 11 L 12 12 L 17 12 L 17 11 L 12 11 z M 12 13 L 12 14 L 16 14 L 16 13 L 12 13 z M 18.5 13 L 15.707031 15.792969 L 15 16.5 L 15.707031 17.207031 L 18.5 20 L 19.207031 19.292969 L 16.914062 17 L 22 17 L 22 16 L 21.207031 16 L 16.914062 16 L 19.207031 13.707031 L 18.5 13 z "
+     class="ColorScheme-Text"
+     />
+</svg>
diff --git a/icons/breeze/icons/actions/24/view-certificate-import.svg b/icons/breeze/icons/actions/24/view-certificate-import.svg
new file mode 100644
index 00000000..f82c65b3
--- /dev/null
+++ b/icons/breeze/icons/actions/24/view-certificate-import.svg
@@ -0,0 +1,13 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
+  <defs id="defs3051">
+    <style type="text/css" id="current-color-scheme">
+      .ColorScheme-Text {
+        color:#4d4d4d;
+      }
+      </style>
+  </defs>
+ <path style="fill:currentColor;fill-opacity:1;stroke:none" 
+     d="M 4 6 L 4 18 L 14 18 L 14 17 L 5 17 L 5 7 L 19 7 L 19 12 L 20 12 L 20 6 L 4 6 z M 8.5 8 C 7.669 8 7 8.669 7 9.5 L 7 11 L 6 11 L 6 14 L 11 14 L 11 11 L 10 11 L 10 9.5 C 10 8.669 9.331 8 8.5 8 z M 8.5 9 C 8.777 9 9 9.223 9 9.5 L 9 11 L 8 11 L 8 9.5 C 8 9.223 8.223 9 8.5 9 z M 12 9 L 12 10 L 18 10 L 18 9 L 12 9 z M 12 11 L 12 12 L 17 12 L 17 11 L 12 11 z M 12 13 L 12 14 L 16 14 L 16 13 L 12 13 z M 18.5 13 L 15.707031 15.792969 L 15 16.5 L 15.707031 17.207031 L 18.5 20 L 19.207031 19.292969 L 16.914062 17 L 22 17 L 22 16 L 21.207031 16 L 16.914062 16 L 19.207031 13.707031 L 18.5 13 z "
+     class="ColorScheme-Text"
+     />
+</svg>
diff --git a/icons/copybreeze.sh b/icons/copybreeze.sh
index b7c85229..5697b4b6 100755
--- a/icons/copybreeze.sh
+++ b/icons/copybreeze.sh
@@ -13,6 +13,7 @@ wantedIcons = [
    "document-decrypt.svg",
    "document-edit.svg",
    "document-encrypt.svg",
+    "view-certificate-import.svg",
    "document-save.svg",
    "document-sign.svg",
    "edit-delete.svg",
diff --git a/tests/teststore.cpp b/tests/teststore.cpp
index 9d56dd33..84e2da20 100644
--- a/tests/teststore.cpp
+++ b/tests/teststore.cpp
@@ -64,6 +64,19 @@ static void createMail(const QVariantMap &object, const QByteArray &folder = {})
    auto ccAddresses = toStringList(object["cc"].toList());
    auto bccAddresses = toStringList(object["bcc"].toList());
+    QList<Attachment> attachments = {};
+    if (object.contains("attachments")) {
+        auto attachmentSpecs = object["attachments"].toList();
+        for (int i = 0; i < attachmentSpecs.size(); ++i) {
+            auto const &spec = attachmentSpecs.at(i).toMap();
+            attachments << Attachment{spec["name"].toString(),
+                spec["name"].toString(),
+                spec["mimeType"].toByteArray(),
+                false,
+                spec["data"].toByteArray()};
+        }
+    }
    KMime::Types::Mailbox mb;
    mb.fromUnicodeString("identity@example.org");
    auto msg = MailTemplates::createMessage({},
@@ -74,7 +87,7 @@ static void createMail(const QVariantMap &object, const QByteArray &folder = {})
            object["subject"].toString(),
            object["body"].toString(),
            object["bodyIsHtml"].toBool(),
-            {},
+            attachments,
            {},
            {});
    if (object.contains("messageId")) {
diff --git a/views/conversation/main.qml b/views/conversation/main.qml
index 64f7f273..cb42fe5c 100644
--- a/views/conversation/main.qml
+++ b/views/conversation/main.qml
@@ -127,6 +127,81 @@ ApplicationWindow {
                            to: ["to@example.org"],
                            unread: true
                        },
+                        {
+                            resource: "resource1",
+                            date: "2017-07-20T17:47:29",
+                            subject: "WithAttachment",
+                            body: "Hi Mélanie,\n\nI'm sorry to start this on such late notice, but we'd like to get Foo and boo to woo next week, because the following weeks are unfortunately not possible for us.\n",
+                            to: ["to@example.org"],
+                            unread: true,
+                            attachments: [
+                                {
+                                    name: "myImage.png",
+                                    mimeType: "image/png",
+                                    data: "no real data",
+                                }
+                            ],
+                        },
+                        {
+                            resource: "resource1",
+                            date: "2017-07-20T17:47:29",
+                            subject: "WithBadPKeyAttachment",
+                            body: "Hi Mélanie,\n\nI'm sorry to start this on such late notice, but we'd like to get Foo and boo to woo next week, because the following weeks are unfortunately not possible for us.\n",
+                            to: ["to@example.org"],
+                            unread: true,
+                            attachments: [
+                                {
+                                    name: "myKey.asc",
+                                    mimeType: "application/pgp-keys",
+                                    data: "no real data",
+                                }
+                            ],
+                        },
+                        {
+                            resource: "resource1",
+                            date: "2017-07-20T17:47:29",
+                            subject: "WithGoodPKeyAttachment",
+                            body: "Hi Mélanie,\n\nI'm sorry to start this on such late notice, but we'd like to get Foo and boo to woo next week, because the following weeks are unfortunately not possible for us.\n",
+                            to: ["to@example.org"],
+                            unread: true,
+                            attachments: [
+                                {
+                                    name: "myKey.asc",
+                                    mimeType: "application/pgp-keys",
+                                    data:
+"-----BEGIN PGP PUBLIC KEY BLOCK-----
+mQENBEr9ij4BCADaFvyhzV7IrCAr/sCvfoPerAd4dYIGTeCeBmInu3p4oEG0rXTB
+2zL2t9zd7jVwCmYLsqb0Y4+7UIulBTSVa/SxsFkxPIzQaGd+CYpIpCl2P7oXBQH/
+365i/gvng4UTb5CytBp9MToft2tUgqvK/LD30fBWbWVE1ohmuGYDviJesuqJGeRG
+KPOmjRk8LcXecZoNAnahy6y/rHPQzbC7LVazrWfdYCsZ1w202kwwLAPj0aNO6d4n
+M9NYo26/mB+5+odJ5gbxfdKWQQOFCha8UzEXbZzjJsRNFhUyuEDEd2gBlhDm3jrY
+ACT3u1adLJ1GsY6biN3u1IEUwi/7+uofZRPXABEBAAG0K3VuaXR0ZXN0IGtleSAo
+bm8gcGFzc3dvcmQpIDx0ZXN0QGtvbGFiLm9yZz6JATgEEwECACIFAkr9ij4CGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEI2YYMWPJG3mxggH/iDnmHhKI40r
+bPvDPSMVFz4pNL5oYrGMjOUIz5ibjn9N19Fz/T5kxupbYVRbdcx6kRy4uQd97sJ8
+4985JkHEr/TSHne5p0F+tQLKq+WcJST+cbvkFR9m9WTZISOo+bP/rKGsf6GOGfl/
+vzObv8tF0E8Yy0Lu1lYdynnBRygT+VKt5GzcNzsS3Af1kgrnoQ1gVWjKueSR32hJ
+BILfOpQlKP/RdrOND1N0uljaJBQsUmYDJ5Gd+YL0VX4/56tfqt4gcuqhiD+Vz6BG
+55gqwuFK4/o2gawPELjOLUy5dh/b6MDvWehbasRPcyT1fFm9YY6iku4ZEx8EzLv
+IJKiXLAx1+i5AQ0ESv2KPgEIAO6+rYyBG0YBfacSx36VCrzvRe8V0CqmUkzIHZJ0
+EN/s95yCQwG0yC3M0KRGDzTeCXRik68h/qdw3KEgfZzu4rJAj9w/J4JMtcuhuCYL
+rL4iP32hvLfqZDqwBaRCmlEkqArF0Jahb5SW3cPYZlE+I9I2V1xYX3bSZ7jcihAx
+VWtkheYtZcDY3u/7cWZNUauGNKRh4E0+ToCBI+erEd5EPCQDQrL/e5pEj+s/+Coy
+BvJeQdAPX/wjfYVe8t+5GDLqOvpbUBWJWUptv/oTd3wOtJCwwr/OWNeXf7ipgtoG
+KpJgr+FHLOEb3cXtF1YPzwpTOs/J/bv3JdGyQ3Kx1BlTUzUAEQEAAYkBHwQYAQIA
+CQUCSv2KPgIbDAAKCRCNmGDFjyRt5h0nB/40FPmVWhD2ok3opPRTwYMzUAOHkgMU
+k2bJfIH185hMvnHLAPCgUMr8xvjcx3NphiRCaC6mabIxHI9hDAbi6uyDBNTyQtm2
+sl/r1vqjFcxX49l9yt0AgMy3284IdwK9xdlwMLY/MbCL9GKe/D6RmZ6i/4wpxHdP
+9X3cGh66UW09NUO1Gria0isRfwf/OxkV+KxA7qxX2bWOHS3noUAj7I43MJCvTuAP
+gTIgEfjdpx1C2Tv97SxoLZ4t6raztvmwqIyCQIuzukD0H9JGFjWT9bGY7obPl7hO
+Bvr+rojxTJ3X+pzb2LJQwJnALL/VdIF3yHtGu2//Yfu4oxGGA0M90KiW
+=an8Y
+-----END PGP PUBLIC KEY BLOCK-----
+",
+                                }
+                            ],
+                        },
                    ]
                }],
        }