[ILUG] [justin@solidlinux.com: Mutt/GnuPG guide that I have written]
Rick Moen
rick at linuxmafia.com
Wed Sep 5 02:16:19 IST 2001
begin kevin lyda quotation:
> check it out! a quick document on how to use gpg with a real mail client.
> help him out with making it better.
Quite nice. In case it'll help him, here's some stuff I wrote on the
subject at $FIRM:
MUTT INTEGRATION:
There are two ways to send gpg-encoded content: MIME and non-MIME.
Some people, like me, don't like MIME e-mail and decline to send it,
even to do GnuPG signing. (Non-MIME is called "clearsigning".)
Note the two "macro" lines, below, which make Ctrl-P and Ctrl-S do
signing inside the body of the message, with or without an
"application/pgp" header.
The necessary, confusing GnuPG plumbing is in my .muttrc as follows
(to do the clearsigning method):
source /usr/share/doc/mutt/examples/gpg.rc
# The contents of gpg.rc are given later in this document.
color body brightblack cyan "^gpg: Signature made.*"
color body brightblack green "^gpg: Good signature from.*"
color body brightblack yellow "^gpg: Can't check signature.*"
color body brightblack yellow "^gpg: WARNING: .*"
color body brightwhite red "^gpg: BAD signature from.*"
macro compose \CP "Fgpg --clearsign\ny"
macro compose \CS "Fgpg --clearsign\ny^T^Uapplication/pgp; \
format=text; x-action=sign\n"
The more-conventional approach would be to auto-sign all outbound mail,
and do so using MIME. To do that, you would substitute the following
for the preceding two macros (to do MIME instead of clearsigning):
set pgp_default_version=gpg
set pgp_key_version=default
set pgp_receive_version=default
set pgp_send_version=default
set pgp_sign_micalg=pgp-sha1
set pgp_gpg=/usr/bin/gpg
set pgp_gpg_pubring=~/.gnupg/pubring.gpg
set pgp_gpg_secring=~/.gnupg/secring.gpg
Note that pubring.gpg and secring.gpg must exist (i.e., you must have
a keypair), or you'll get errors.
The aforementioned gpg.rc plumbing (mostly to auto-process incoming
GnuPG and pgp-signed mail) is as follows:
# -*-muttrc-*-
#
# Command formats for gpg.
#
# This version uses gpg-2comp from
# http://muppet.faveve.uni-stuttgart.de/~gero/gpg-2comp.tar.gz
#
# $Id: gpg.rc,v 1.7 2000/11/20 13:20:28 roessler Exp $
#
# %p The empty string when no passphrase is needed,
# the string "PGPPASSFD=0" if one is needed.
#
# This is mostly used in conditional % sequences.
#
# %f Most PGP commands operate on a single file or a file
# containing a message. %f expands to this file's name.
#
# %s When verifying signatures, there is another temporary file
# containing the detached signature. %s expands to this
# file's name.
#
# %a In "signing" contexts, this expands to the value of the
# configuration variable $pgp_sign_as. You probably need to
# use this within a conditional % sequence.
#
# %r In many contexts, mutt passes key IDs to pgp. %r expands to
# a list of key IDs.
# decode application/pgp
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch \
--output - %f"
# verify a pgp/mime signature
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
# decrypt a pgp/mime attachment
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch \
--output - %f"
# create a pgp/mime signed attachment
# set pgp_sign_command="gpg-2comp --no-verbose --batch --output - \
# --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_sign_command="gpg --no-verbose --batch --output - \
--passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
# create an application/pgp signed (old-style) message
# set pgp_clearsign_command="gpg-2comp --no-verbose --batch --output - \
# --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - \
--passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
# create a pgp/mime encrypted attachment
# set pgp_encrypt_only_command="pgpewrap gpg-2comp -v --batch --output - \
# --encrypt --textmode --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_only_command="pgpewrap gpg -v --batch --output - --encrypt \
--textmode --armor --always-trust -- -r %r -- %f"
# create a pgp/mime encrypted and signed attachment
# set pgp_encrypt_sign_command="pgpewrap gpg-2comp --passphrase-fd 0 -v \
# --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust \
# -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 -v --batch \
--textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust \
-- -r %r -- %f"
# import a key into the public key ring
set pgp_import_command="gpg --no-verbose --import -v %f"
# export a key from the public key ring
set pgp_export_command="gpg --no-verbose --export --armor %r"
# verify a key
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint \
--check-sigs %r"
# read in the public key ring
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons \
--list-keys %r"
# read in the secret key ring
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons \
--list-secret-keys %r"
# receive key from keyserver:
#set pgp_getkeys_command="wrap.sh -g %r"
set pgp_getkeys_command=""
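To see what the %-sequences documented at the top of gpg.rc actually turn into, here is a small Python expander for them. It is an added example, not part of this message or of mutt: it handles only the five sequences the comments list (%p, %f, %s, %a, %r) plus the conditional form %?c?then&else? as mutt's general format strings define it (the "&" else-branch is assumed from the mutt manual, not from this page), with no nesting. The temp-file paths and the key ID are constructed.

```python
"""Expand mutt-style %-sequences as used in the pgp_*_command settings.

Added example, not part of the original message or of mutt itself.  Only the
sequences documented in the gpg.rc comments (%p %f %s %a %r) and the
conditional form %?c?then&else? are handled, without nesting.
"""
from dataclasses import dataclass, field
import shlex


@dataclass
class PgpContext:
    """What mutt knows at expansion time (constructed stand-in)."""
    needs_passphrase: bool = False   # drives %p
    message_file: str = ""           # %f: temp file holding the message
    signature_file: str = ""         # %s: temp file holding a detached signature
    sign_as: str = ""                # %a: value of $pgp_sign_as
    key_ids: list = field(default_factory=list)  # %r: recipient key IDs

    def value(self, seq: str) -> str:
        table = {
            "p": "PGPPASSFD=0" if self.needs_passphrase else "",
            "f": self.message_file,
            "s": self.signature_file,
            "a": self.sign_as,
            "r": " ".join(self.key_ids),
        }
        if seq not in table:
            raise ValueError(f"unknown %-sequence: %{seq}")
        return table[seq]


def expand(fmt: str, ctx: PgpContext) -> str:
    """Return fmt with %x and %?x?then&else? sequences substituted."""
    out = []
    i = 0
    while i < len(fmt):
        if fmt[i] != "%":
            out.append(fmt[i])
            i += 1
            continue
        nxt = fmt[i + 1]
        if nxt == "%":                       # literal percent sign
            out.append("%")
            i += 2
        elif nxt == "?":                     # conditional: %?c?then&else?
            seq = fmt[i + 2]
            if fmt[i + 3] != "?":
                raise ValueError("malformed conditional at offset %d" % i)
            end = fmt.index("?", i + 4)      # closing '?' (no nesting supported)
            then, _, els = fmt[i + 4:end].partition("&")
            branch = then if ctx.value(seq) else els
            out.append(expand(branch, ctx))  # the branch may contain %a etc.
            i = end + 1
        else:                                # plain sequence: %f, %a, ...
            out.append(ctx.value(nxt))
            i += 2
    return "".join(out)


def argv_for(fmt: str, ctx: PgpContext) -> list:
    """The expanded command split into words the way /bin/sh would see them."""
    return shlex.split(expand(fmt, ctx))


# Format strings copied from the gpg.rc settings above.
DECODE = "gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
SIGN = ("gpg --no-verbose --batch --output - --passphrase-fd 0 --armor "
        "--detach-sign --textmode %?a?-u %a? %f")

if __name__ == "__main__":
    # Constructed path and key ID; mutt substitutes real temp files at run time.
    ctx = PgpContext(needs_passphrase=True, message_file="/tmp/mutt-example",
                     sign_as="0x0123ABCD")
    print(expand(DECODE, ctx))
    print(expand(SIGN, ctx))
    print(expand(SIGN, PgpContext(message_file="/tmp/mutt-example")))
```

Running it shows why the conditionals matter: with $pgp_sign_as unset the "-u" option disappears entirely and gpg falls back to its default secret key, and with no passphrase needed the "--passphrase-fd 0" text is dropped rather than left pointing at an empty stdin.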
The above plumbing, included by reference in ~/.muttrc, isn't able to
auto-process non-MIME-encoded mail (such as the type I send), so the
following procmail recipe in ~/.procmailrc re-writes such arriving mail
to be MIME-type, as it arrives. Make sure you put this recipe before
others in your .procmailrc file.
:0
*!^Content-Type: (message/|multipart/|application/pgp)
{
:0 fBwD
*^-----BEGIN PGP MESSAGE-----
*^-----END PGP MESSAGE-----
| formail -i "Content-Type: application/pgp; format=text; x-action=encrypt"
:0 fBwD
*^-----BEGIN PGP SIGNED MESSAGE-----
*^-----BEGIN PGP SIGNATURE-----
*^-----END PGP SIGNATURE-----
| formail \
-i "Content-Type: application/pgp; format=text; x-action=sign"
}
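The same classification the procmail recipe performs, written in Python as an added example (not from the original message, and not a procmail or formail feature) so the logic can be checked against sample messages without a running MTA. It mirrors the recipe's conditions: the outer Content-Type test is case-insensitive, the body marker tests are case-sensitive and anchored at line start (procmail's ^ with the D flag), and the header rewrite copies formail -i's behaviour of keeping any previous field as Old-Content-Type. The sample messages are constructed and contain no real signature or ciphertext.

```python
"""Relabel inline (non-MIME) PGP mail as application/pgp, mirroring the
procmail recipe above.  Added example, not part of the original message;
standard library only, with constructed sample messages."""
import email
import re
from email import policy

# Outer procmail condition: leave alone anything already MIME-typed.
ALREADY_MIME = re.compile(r"(message/|multipart/|application/pgp)", re.I)

# Inner conditions: every marker must start some body line (procmail's ^ is a
# line anchor; the D flag makes the comparison case-sensitive).
ENCRYPT_MARKERS = ("-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----")
SIGN_MARKERS = ("-----BEGIN PGP SIGNED MESSAGE-----",
                "-----BEGIN PGP SIGNATURE-----",
                "-----END PGP SIGNATURE-----")


def classify_body(body: str):
    """Return 'encrypt', 'sign' or None for an inline-armored body."""
    lines = body.splitlines()

    def all_present(markers):
        return all(any(ln.startswith(m) for ln in lines) for m in markers)

    if all_present(ENCRYPT_MARKERS):
        return "encrypt"
    if all_present(SIGN_MARKERS):
        return "sign"
    return None


def relabel(raw: str):
    """Apply the recipe to one RFC 822 message; returns (new_text, action)."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    ctype = msg.get("Content-Type", "")
    if ALREADY_MIME.match(ctype):
        return raw, None                # outer condition fails: untouched
    action = classify_body(msg.get_payload())
    if action is None:
        return raw, None                # neither inner recipe matched
    # formail -i replaces the field and keeps the old one as Old-<field>.
    if ctype:
        del msg["Content-Type"]
        msg["Old-Content-Type"] = ctype
    msg["Content-Type"] = f"application/pgp; format=text; x-action={action}"
    return msg.as_string(), action


# Constructed samples (not real signatures or ciphertext).
CLEARSIGNED = """From: alice@example.com
To: bob@example.com
Subject: constructed clearsigned sample

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Meeting moved to 15:00.
-----BEGIN PGP SIGNATURE-----

(placeholder, not real signature data)
-----END PGP SIGNATURE-----
"""

ENCRYPTED = """From: alice@example.com
To: bob@example.com
Subject: constructed encrypted sample
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----

(placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

MIME_SIGNED = """From: alice@example.com
To: bob@example.com
Subject: already PGP/MIME
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b"

--b
Content-Type: text/plain

hello
--b--
"""

PLAIN = "From: alice@example.com\nSubject: nothing special\n\njust text\n"

if __name__ == "__main__":
    for sample in (CLEARSIGNED, ENCRYPTED, MIME_SIGNED, PLAIN):
        text, action = relabel(sample)
        print(action, "::", text.splitlines()[0])
```

Because the test is purely textual, any message whose body merely contains the armor markers at the start of lines (a quoted reply, a how-to) is relabelled as well; the label only tells mutt to run gpg over the body, and it is gpg's verification result, coloured by the "color body" lines earlier in this message, that says whether the signature is good.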
--
Cheers,                      Everything is gone;
Rick Moen                    Your life's work has been destroyed.
rick at linuxmafia.com       Squeeze trigger (yes/no)?
                             -- David Carlson (winner, haiku error message contest)