LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity
LDP/LDP/howto/linuxdoc/Mutt-GnuPG-PGP-HOWTO.sgml

914 lines
36 KiB
Plaintext
Raw Permalink Blame History

<!doctype linuxdoc system>
<article>
<title>Mutt-i, GnuPG and PGP Howto
<author>Andrés Seco <htmlurl url="mailto:AndresSH@ctv.es"
name="AndresSH@ctv.es"> and J.Horacio M.G.
<htmlurl url="mailto:homega@ciberia.es" name="homega@ciberia.es">
<date>v1.2, February 2000
<abstract>
This document briefly explains how to configure <em/Mutt-i/, <em/PGP/ and
<em/GnuPG/ in its diferents versions (2.6.x, 5.x and GnuPG), noting the
common problems that can occur while sending signed or encrypted mail to
be read by mail clients not PGP/MIME compliants as defined in RFC2015 and
in other operating systems. It also includes an example of procmail
configuration to send the public keys automatically to received e-mails
asking for it, as a key servers does.
</abstract>
<toc>
<sect>Introduction
<p>
This document explains how to configure <em/Mutt-i/, <em/PGP/ and
<em/GnuPG/ in its diferents versions (2.6.x, 5.x and GnuPG) to quickly
start using a mail reader with encryption and digital signing
capabilities.
For this purpose, example configuration files will be included to help you
starting with it. To obtain maximum performance and to use all the
features of the programs that we will be using, it will be necesary to
read its documentation and to reconfigure the example files.
Also, some problems derived from not using RFC2015 about PGP/MIME by many
mail user agents in Linux and other operating systems will be comented.
An aditional procmail configuration example will be showed to enable our
mail client to send a public key on request.
This document has been translated from the Spanish original by Andrés Seco
<htmlurl url="mailto:AndresSH@ctv.es" name="AndresSH@ctv.es">, and revised
and corrected by Jordi Mallach Pérez <htmlurl
url="mailto:jordi-sd@softhome.net" name="jordi-sd@softhome.net"> and
J.Horacio M.G. <htmlurl url="mailto:homega@ciberia.es"
name="homega@ciberia.es">. It was finished in October 1999. We would like
to thanks Roland Rosenfeld <htmlurl url="mailto:roland@spinnaker.de"
name="roland@spinnaker.de">, Christophe Pernod <htmlurl
url="mailto:xtof.pernod@wanadoo.fr" name="xtof.pernod@wanadoo.fr">,
Denis Alan Hainsworth <htmlurl url="mailto:denis@cs.brandeis.edu"
name="denis@cs.brandeis.edu"> and Angel Carrasco <htmlurl
url="mailto:acarrasco@jet.es" name="acarrasco@jet.es"> for their
corrections and suggestions.
<sect>Copyright and discharge of responsability
<p>
This document is <tt>copyright &copy; 1999 Andres Seco and J.Horacio
M.G.</tt>, and it's free. You can distribute it under the terms of the
<bf/GNU General Public License/, which you can get at <htmlurl
url="http://www.gnu.org/copyleft/gpl.html"
name="http://www.gnu.org/copyleft/gpl.html">. You can get unofficial
translated issues somewhere in the internet, as well as the Spanish
translated copy at <htmlurl
url="http://visar.csustan.edu/~carlos/gpl-es.html"
name="http://visar.csustan.edu/~carlos/gpl-es.html"> or Lucas <htmlurl
url="http://www.lucas.org" name="http://www.lucas.org">.
Information and other contents in this document are the best of our
knowledge. However, we may have make errors. So you should determine if
you want to follow the instructions given in this document.
Nobody is responsible for any damage in your computers and any other loss
derived from the use of the information contained herein.
THE AUTHORS AND MAINTAINERS ARE NOT RESPONSIBLE FOR ANY DAMAGE INCURRED
DUE TO ACTIONS TAKEN BASED ON INFORMATION CONTAINED IN THIS DOCUMENT.
Of course, we are open to all type of suggestions and corrections on the
content of this document.
<sect>Sending mail to and receiving mail from the internet
<p>
This document does not deal with exchanging mail messages between local
machine and other nodes (inside a local area network or over the
internet). This exchange should be carried out by messages transfer agents
(MTAs) such as <tt/sendmail/ <htmlurl url="http://www.sendmail.org"
name="http://www.sendmail.org">, <tt/qmail/ <htmlurl
url="http://www.qmail.org" name="http://www.qmail.org">, <tt/exim/
<htmlurl url="http://www.exim.org" name="http://www.exim.org">, <tt/smail/
<htmlurl url="ftp://ftp.planix.com/pub/Smail"
name="ftp://ftp.planix.com/pub/Smail">, etc.
In this document it is presupposed that this method of send/receive
messages outside of the local computer is already installed and working in
a correct way. If you can send a message and read your mail with the
<tt/mail/ command from the command line in your computer,
<tscreen>&dollar; mail -s &lt;subject&gt; &lt;user@domain.net&gt;&nl;
write here the text, and finish with an alone point in the next line&nl;
.</tscreen>
you must have installed any type of MTA that is doing the messages
transfer. In other way, you can get documentation about setting it up in
the manual pages of <em/smail/:
<tscreen>&dollar; man smail</tscreen>
or the MTA that you have, and <em/fetchmail/:
<tscreen>&dollar; man fetchmail</tscreen>
or in other similar document that makes reference to those programs.
<sect>Mutt configuration
<p>
Next file is a valid example to start using <em/Mutt/ in a basic way,
including paths for alias file, sent messages and postponed messages. You
can further personalize it attending to the <em/Mutt/ manual indications
and <tt>/usr/doc/mutt/</tt> or <tt>/usr/doc/mutt-i/</tt>.
Simple example of <tt>&tilde;/.muttrc</tt>:
<tscreen><verb>
set folder=~/Mail
set alias_file=.alias
set postponed=.postponed
set record=SendMessages
set signature=.signature
my_hdr From: Name Surname <Name@domain.com>
source =.alias
</verb></tscreen>
It is necesary that the directory <tt>&tilde;/Mail</tt> exists, that is
the one that appears as an "equal to" sign in the configuration file
<tt/.muttrc/ (that is, <tt/=.alias/ is to <em/Mutt/ as
<tt>&tilde;/Mail/.alias</tt>, and <tt/=.postponed/ is to <em/Mutt/
<tt>&tilde;/Mail/.postponed</tt>). Nevertheless it is possible to have
these files in another directory provided we indicate the complete path in
<tt>&tilde;/.muttrc</tt>, and we have the necesary permissions to work in
this directory.
It is also necesary to personalize the <tt/my_hdr/ line with the name and
electronic mail address you need. In the <tt>&tilde;/Mail/.signature</tt>
file you caninclude the signature that will appear in all the messages
that are sent.
This configuration file can end up being made very big, so it is common to
separate some of its commands in different files. For the time being, the
<em/PGP/ or <em/GnuPG/ configuration lines are easily detachable, and the
keyboard macros that we will personalize. To do that, it will be necesary
to add the following lines to the <tt>&tilde;/.muttrc</tt> file:
<tscreen><verb>
source = ~/Mail/.mutt.macros
source = ~/Mail/.gnupgp.mutt
</verb></tscreen>
and to use the <tt>&tilde;/Mail/.mutt.macros</tt> and
<tt>&tilde;/Mail/.gnupgp.mutt</tt> files to put in them the keyboard
macros and the <em/PGP/ or <em/GnuPG/ configuration that are commented
forward.
To get a more extensive and complete information over the use and
configuration of <em/Mutt/, and about advanced features, see the Mutt
manual <htmlurl url="http://www.mutt.org" name="http://www.mutt.org">.
<sect>PGP and GnuPG
<p>
To use anyone of the versions of <em/PGP/ with <em/Mutt-i/, first it will
be necesary to configure <em/PGP/ properly in the way that the public keys
file (public keys ring) and the private keys file (private keys ring) will
exist. It is convenient to previously test PGP from the command line to
assure that it signs and encrypt correctly.
Remember that the <em/PGP/ versions that exist for <em/Unix/ are <tt/2.6.3(i)/ and <tt/5.0(i)/, that we call <bf/PGP2/ and <bf/PGP5/ respectively forward. <bf/GnuPG/ is a new encrypt system, being developed in these days, in an advanced state of development, open source and free, in many aspects better than <bf/PGP/ (see GnuPG mini howto <htmlurl url="http://www.dewinter.com/gnupg_howto" name="http://www.dewinter.com/gnupg_howto">).
We will also clarify that <em/PGP/, as being a program developed in the
US, is restricted by certain exporting laws about programs that include
cryptographic code; this is the reason for the existance of an
international version to almost all binary versions, and it is noted with
the &dquot;<bf/i/&dquot; letter (<bf/pgp - pgpi/).
<sect1>PGP2
<p>
<em/PGP2/ generates keys with the RSA <htmlurl url="http://www.rsa.com"
name="http://www.rsa.com">,algorithm and it uses IDEA <htmlurl
url="http://www.ascom.ch" name="http://www.ascom.ch"> as the encryption
algorithm. Both are propietary algorithms and its use is restricted by its
respectives patents.
To run it correctly, you must have it installed, as well as having a directory called <tt>&tilde;/.pgp</tt>, containing the configuration file <tt/pgp-i.conf/ and the private and public keys rings files, <tt/pubring.pgp/ and <tt/secring.pgp/ respectively.
<sect1>PGP5
<p>
The keys generated by <em/PGP5/ are <bf>DSS/DH</bf> (Digital Signature
Standard / Diffie-Helman). PGP5 uses <bf/CAST/, <bf/Triple-DES/, and
<bf/IDEA/ as encrypt algorithms. PGP5 can work with encrypted or signed
data with <em/RSA/ (PGP2), and use that keys to sign or encrypt (with the
keys generated with PGP2, because PGP5 can not generate that type of
keys). In the other hand, PGP2 can not use the <em>DSS/DH</em> keys from
PGP5; this creates incompatibility problems, because many users continue
using PGP2 with <em>Unix/Linux</em>.
To run PGP5 correctly, in the <tt>&tilde;/.pgp</tt> directory you will
have the public and private key rings (<tt/pubring.pkr/ and
<tt/secring.skr/ respectively), and the configuration file <tt/pgp.cfg/.
In the case that you have installed the both versions of <em/PGP/ (PGP2
installed and configured before PGP5), we will create the configuration
file <tt>&tilde;/.pgp/pgp.cfg</tt> of PGP5 as a simbolic link to the
<tt>&tilde;/.pgp/pgp-i.conf</tt> configuration file,
<tscreen>&tilde;/.pgp&dollar; ln -s pgp-i.conf pgp.cfg</tscreen>
adding the following lines at the end of the file
<tt>&tilde;/.pgp/pgp-i.conf</tt>:
<tscreen><verb>
PubRing = "~/.pgp/pubring.pkr"
SecRing = "~/.pgp/secring.skr"
RandSeed = "~/.pgp/randseed.bin"
</verb></tscreen>
The files with the keys rings of the different versions can cohexist
without any problem in the same directory.
<sect1>GnuPG
<p>
<bf/GnuPG/ is a program with the same functions that the previous. The
difference with <em/PGP/, <em/GnuPG/ do not uses algorithms with
restrictive patents. <em/PGP/ is free for personal uses but not comercial
jobs and its development is closed. <em/GnuPG/ is free to be used in any
job and it is open source, as our favorite operating system (also its
implementation and development is made mainly in <em/Linux/).
The keys generated by <em/GnuPG/ are of the type <bf>DSA/ElGamal</bf>
(<em/Digital Signature Algorithm/, also known as <em/DSS/). Is totaly
compatible with <em/PGP/, except with the use of restricted patents
algorithms <em/RSA/ and <em/IDEA/. Anyway, it is posible to implement
certain compatibility with that (see GnuPG mini howto <htmlurl
url="http://www.dewinter.com/gnupg_howto"
name="http://www.dewinter.com/gnupg_howto"> to get it interacting with
PGP2 and PGP5).
<sect>PGP and Mutt integration
<p>
The operation to carry out in the outgoing messages (sign, encrypt or
both) is chosen exactly before presing &dquot;<tt/y/&dquot; to send the
message, inside the option menu that is visible with the
&dquot;<tt/p/&dquot; option. Once you have choosen the operation to carry
out, only the line <em/PGP/ in the message header showed in the screen
will change, but until you send the message with &dquot;<tt/y/&dquot; you
won't be asked to insert the pass phrase to activate the sign of the
message or the public keys to use to encrypt in the case that no receptors
were found in our public keys ring.
<bf/NOTE:/ In the case that the pass phrase was mistyped when it was asked
for, <em/Mutt/ seems to be &quot;hung&quot;, but that's not true, it is
waiting for it to be retyped. To do this, push the <tt/&lt;Enter&gt;/ key
and delete the pass phrase from memory with <tt/&lt;Ctrl&gt;F/. Next we
repeat the message sending with (&dquot;<tt/y/&dquot;) and retype the pass
phrase.
Through this procedure, <em/Mutt/ will use <em>PGP/MIME</em> to send the
message, and one more file will appear in the list of files to be sent
with the sign (if we only select to sign) or it will encrypt the complete
message (all its <em/MIME/ parts) and it will only leave two MIME parts,
the first with the PGP/MIME version and the second with the encrypted
message (with all its MIME parts inside) and signed (if we selected to do
it).
<bf/Note:/ By some reasons, if the receptor mail user agent can not use
<em/MIME/, we may need that the sign will be included inside the message
body. See section about <em>application/pgp</em> with <ref
id="sec-app-pgp" name="PGP5"> and with <ref id="sec-app-gpg"
name="GnuPG">.
<em/Mutt/ will try to verify the sign or decrypt automatically the
incoming messages that use <em>PGP/MIME</em>. See section <ref
id="sec-procmail.2" name="Procmail notes and tips">, in which it is
commented how to change the <em/MIME/ type automatically to the incoming
messages that do not set its <em/MIME/ type correctly.
<sect1>Optional configuration files
<label id="sec-opcion">
<p>
In the next sections you can find modifications to the <em/Mutt/
configuration file to use <ref id="sec-conf-pgp2" name="PGP2">, <ref
id="sec-conf-pgp5" name="PGP5">, and <ref id="sec-conf-gpg" name="GnuPG">
easily.
To do that, a new configuration file that we called <tt/.gnupgp.mutt/
(that's our name, you can call it any other name setting the name of this
file into the main configuration file <tt>&tilde;/.muttrc</tt>).
This can be done including the complete path (its location) of the
configuration file <tt/.gnupgp.mutt/, in a line at the end of the
<tt>&tilde;/.muttrc</tt> file. The directory in which we put this and
other optional configuration files can be anywhere, if we have correct
permissions (in a previous section we included it inside the
<tt>&tilde;/Mail/</tt>) directory, or any other inside our home directory,
with any name:
<tscreen>&tilde;&dollar; mkdir mutt.varios</tscreen>
in which we copy (or create) the optional configuration file
<tt/.gnupgp.mutt/, and next we set the origin of this file in the
<tt/.muttrc/ file with the <tt/source/ command, like the following:
<tscreen><verb>
source ~/mutt.varios/.gnupgp.mutt
</verb></tscreen>
Now <em/Mutt/ will accept configuration variables in <tt/.gnupgp.mutt/ as if it were in <tt/.muttrc/ directly.
This method is a good way to avoid having a very big, unsorted
configuration file, and can be used to set any other group of
configuration variables in other separate file. For example, as before, if
we use <em/vim/ as the default editor in <em/Mutt/, we can tell to
<tt/.muttrc/ to use a different configuration file <tt/.vimrc/ that we use
when using <em/vim/ from the command line. First, copy
<tt>&tilde;/.vimrc</tt> to our optional configuration files directory
<tt>&tilde;/mutt.varios/</tt> and set it with other name (ex.
<tt/vim.mutt/):
<tscreen>
&dollar; cd /home/user
&tilde;&dollar; cp .vimrc mutt.varios/vim.mutt
</tscreen>
next change the configuration variables that we want to be different in
<em/vim/ as the <em/Mutt/ editor, and finally modify <tt/.muttrc/ to
reflect this change:
<tscreen><verb>
set editor="/usr/bin/vim -u ~/mutt.varios/vim.mutt"
</verb></tscreen>
With this last line we are setting <tt/Mutt/ to use an external editor,
<em/Vim/, with the needed configuration options.
<sect1>General Configuration Variables
<label id="sec-conf-gen">
<p>
There are some variables that we will use globally with the three public
key encrypt programs with <em/Mutt/. These variables are boolean, and can
be <bf/set/ (activated) or <bf/unset/ (deactivated).
In the configuration file (<tt>&tilde;/.muttrc</tt>, or
<tt>&tilde;/mutt.varios/.gnupgp.mutt</tt>, or whatever you use), the sign
(<bf/&num;/) is a comment and will be ignored. So, we will use it from
here in advance to comment each variable:
<descrip>
<tag/unset pgp&lowbar;autosign/
&num; if this variables is set, <em/Mutt/ will ask to sign all the&nl;
&num; outbound messages. <ref id="uno" name="(1)">
<tag/unset pgp_autoencrypt/
&num; if this variable is set, <em/Mutt/ will ask to encrypt all the&nl;
&num; outbound messages. <ref id="uno" name="(1)">
<tag/set pgp_encryptself/
&num; save an encrypted copy of all sent messages that we want to encrypt&nl;
&num; (need the general configuration variable <tt/set copy=yes/).
<tag/set pgp_replysign/
&num; when you answer a signed message, the response message will be&nl;
&num; signed too.
<tag/set pgp_replyencrypt/
&num; when you answer an encrypted message, the response message&nl;
&num; will be encrypted too.
<tag/set pgp_verify_sig=yes/
&num; Do you want to automatically verify incoming signed messages?&nl;
&num; Of course!
<tag/set pgp_timeout=&lt;n&gt;/
&num; delete pass phrase from the memory cache &lt;n&gt; seconds&nl;
&num; after typing it.<ref id="dos" name="(2)">
<tag/set pgp_sign_as="0xABC123D4"/
&num; what key do you want to use to sign outgoing messages?&nl;
&num; <bf/Note:/ it is posible to set it to the user id, but&nl;
&num; this can be confuse if you have the same user id with different keys.&nl;
<tag/set pgp_strict_enc/
&num; use &dquot;quoted-printable&dquot; when PGP requires it.&nl;
<tag/unset pgp_long_ids/
&num; Do not use 64 bits key ids, use 32 bits key ids.&nl;
<tag/set pgp_sign_micalg=&lt;some&gt;/
&num; message integrity check algorithm, where&nl;
&num; &lt;some&gt; is something from the next:<ref id="tres" name="(3)">
<itemize>
<item><bf/pgp-mda5/&nl;
to RSA keys
<item><bf/pgp-sha1/&nl;
to DSS (DSA) keys
<item><bf/pgp-rmd160/&nl;
</itemize>
</descrip>
In the three next sections the configuration variables to each of the PGP
versions will be explained. The fourth section will explain how to modify
the variables if you use more than one PGP version.
(1)<label id="uno"> as <em/Mutt/ requires to type the passphrase every
time you want to sign or select the receipts if you want to encrypt, it
may be unconvenient to set this variable. Possibly you may want to unset
this variable. This is specially true encrypting messages, as you don't
have all the public keys of the message receipts.
(2)<label id="dos"> depending on the number of messages that we sign or
decrypt, we would like to maintain the pass phrase in cache memory more or
less time. This option avoid you from type the pass phrase each time you
sign a new message or decrypt an incoming message. <bf/Warning:/
maintaining the pass phrase in cache memory is not secure, specially in
network connected systems.
(3)<label id="tres"> this is only necesary with the key that we use to
sign. When the key is selected from the compose menu, <em/Mutt/ will
calculate the algoritm.
<sect1>PGP2 configuration variables
<label id="sec-conf-pgp2">
<p>
To use PGP2 with <em/Mutt-i/ you need to add the following lines to the
<tt>&tilde;/mutt.varios/.gnupgp.mutt</tt> file:
<tscreen><verb>
set pgp_default_version=pgp2
set pgp_key_version=default
set pgp_receive_version=default
set pgp_send_version=default
set pgp_sign_micalg=pgp-md5
set pgp_v2=/usr/bin/pgp
set pgp_v2_pubring=~/.pgp/pubring.pgp
set pgp_v2_secring=~/.pgp/secring.pgp
</verb></tscreen>
As you know, the <tt>&tilde;/.pgp/pubring.pgp</tt> and <tt/secring.pgp/
files must exist. More information on PGP2 with the <tt/man pgp/ command.
<sect1>PGP5 configuration variables
<label id="sec-conf-pgp5">
<p>
To use PGP5 with <em/Mutt-i/ you need to add the following lines to the
<tt>&tilde;/mutt.varios/.gnupgp.mutt</tt> file:
<tscreen><verb>
set pgp_default_version=pgp5
set pgp_key_version=default
set pgp_receive_version=default
set pgp_send_version=default
set pgp_sign_micalg=pgp-sha1
set pgp_v5=/usr/bin/pgp
set pgp_v5_pubring=~/.pgp/pubring.pkr
set pgp_v5_secring=~/.pgp/secring.skr
</verb></tscreen>
As you know, the <tt>&tilde;/.pgp/pubring.pkr</tt> and <tt/secring.pkr/
files must exist. More information on PGP 5 with the <tt/man pgp5/
command.
<sect1>GnuPG configuration variables
<label id="sec-conf-gpg">
<p>
To use <em/GnuPG/ with <em/Mutt-i/ you need to add the following lines to
the <tt>&tilde;/mutt.varios/.gnupgp.mutt</tt> file:
<tscreen><verb>
set pgp_default_version=gpg
set pgp_key_version=default
set pgp_receive_version=default
set pgp_send_version=default
set pgp_sign_micalg=pgp-sha1
set pgp_gpg=/usr/bin/gpg
set pgp_gpg_pubring=~/.gnupg/pubring.gpg
set pgp_gpg_secring=~/.gnupg/secring.gpg
</verb></tscreen>
As you know, the <tt>&tilde;/.gnupg/pubring.gpg</tt> and <tt/secring.gpg/
files must exist. More information on GnuPG with the <tt/man gpg.gnupg/,
<tt/man gpgm/, and <tt/man gpg/ commands.
<sect1>Mixed configuration variables
<label id="sec-conf-mix">
<p>
If you want to use more than one PGP software you need to modify some of
the variables that we have commented previously. Really, it is only to
remove the redundant version variables.
If, for example, you want to use GnuPG as the default signing tool, all
menu commands in <em/Mutt/ to use GnuPG/PGP would call to this program to
the signing, decrypting, encrypting, verifying, etc... operations&nl;
To do that you must set the configuration variable <tt/&dollar;set&lowbar;pgp&lowbar;default/ <bf/once/, so:
<tscreen><verb>
set pgp&lowbar;default&lowbar;version=gpg
</verb></tscreen>
now, to use the all three programs, the
<tt>&tilde;/mutt.varios/.gnupgp.mutt</tt> file could be like this:
<tscreen><verb>
set pgp_default_version=gpg # default version to use
set pgp_key_version=default # default key to use
# in this case, gnupg defines it
set pgp_receive_version=default # default version to decrypt will be the default
set pgp_send_version=default # version defined in the first line (gpg)
set pgp_gpg=/usr/bin/gpg # where to find the GnuPG binary
set pgp_gpg_pubring=~/.gnupg/pubring.gpg # public key file to GnuPG
set pgp_gpg_secring=~/.gnupg/secring.gpg # secret key file to GnuPG
set pgp_v2=/usr/bin/pgp # where to find the PGP2 binary
set pgp_v2_pubring=~/.pgp/pubring.pgp # public key file to PGP2
set pgp_v2_secring=~/.pgp/secring.pgp # secret key file to PGP2
set pgp_v5=/usr/bin/pgp # where to find the PGP5 binary
set pgp_v5_pubring=~/.pgp/pubring.pkr # public key file to PGP5
set pgp_v5_secring=~/.pgp/secring.skr # secret key file to PGP5
</verb></tscreen>
<sect>Interesting Macros for Mutt
<p>
<em/Mutt/ is highly configurable and its working mode can be modified in a
very flexible manner if the configuration variables inside <tt/.muttrc/
are well configured.
Here you can see some macros that help you to generate signed messages
avoiding the <em>PGP/MIME</em> standard, to send it to receipts that don't
support this type of signed messages following the <em>PGP/MIME</em>
standard, and to edit the alias file and reload it without exiting
<em/Mutt/ (this last macro is not related to <em>PGP/GnuPG</em>, it is
presented only as an example to show the macro power in <em/Mutt/).
It is possible to tell Mutt the key bindings you want to use with
<em>PGP/GnuPG</em>. Even when some of this options are yet configured, we
can change it or add others easily modifiying the configuration file.
<sect1>Signing on the message body without using PGP/MIME with PGP5
<label id="sec-app-pgp">
<p>
Before existing <em>PGP/MIME</em>, the signature in a message was included
in the message body. This is a very common form of sending signed messages
in many mail user agents.
If we want to sign like this, we have two options, leave the <em/MIME/
type of the message or modify it as <tt>application/pgp</tt>.
To implement this two forms of signing in <em/Mutt/, we will add the
following lines to the <tt>&tilde;/mutt.varios/mutt.macros</tt> file.
Previously, we have to set this option file path in the <tt/.muttrc/ main
configuration file (see <ref id="sec-opcion" name="Optional configuration
files">):
<tscreen><verb>
macro compose \Cp "F/usr/bin/pgps\ny"
macro compose S "F/usr/bin/pgps\ny^T^Uapplication/pgp; format=text; x-action=sign\n"
</verb></tscreen>
and now, pressing <tt/&lt;Ctrl&gt;p/ or <tt/S/ we can include the
signature into the message part that has the cursor on it, just before
send the message.
<sect1>Signing on the message body without using PGP/MIME with GnuPG
<label id="sec-app-gpg">
<p>
As in the previous case, but with GnuPG. The macros are:
<tscreen><verb>
macro compose \CP "Fgpg --clearsign\ny"
macro compose \CS "Fgpg --clearsign\ny^T^Uapplication/pgp; format=text; x-action=sign\n"
</verb></tscreen>
<sect1>Modifying the alias file and reloading it
<p>
With this macro included in <tt>&tilde;/mutt.varios/macros.mutt</tt> you
can edit with <em/vi/ (changing the line you can use other editor) the
alias file without exiting <em/Mutt/ pressing <tt/&lt;Alt&gt;a/.
<tscreen><verb>
macro index \ea "!vi ~/Mail/.alias\n:source =.alias\n"
</verb></tscreen>
<sect1>More macro examples
<p>
The next listing has been obtained from Roland Rosenfeld and it shows
macros to change the default signing/encrypting software and to sign
without PGP/MIME with GnuPG:
<tscreen><verb>
# ~/Mail/.muttrc.macros
# keyboard configuration file for Mutt-i
# copied, modified and translated from the original:
#
################################################################
# The ultimative Key-Bindings for Mutt #
# #
# (c) 1997-1999 Roland Rosenfeld <roland@spinnaker.rhein.de> #
# #
# $ Id: keybind,v 1.36 1999/02/20 19:36:28 roland Exp roland $ #
################################################################
#
# To use it, add the next line to ~/.muttrc:
# source ~/Mail/.muttrc.macros
#
# Generic keybindings
# (for all the Mutt menus, except the pager!)
# With the next three we can change the encrypting default selected software:
# <ESC>1 to use GnuPG
macro generic \e1 ":set pgp_default_version=gpg ?pgp_default_version\n"\
"Switch to GNU-PG"
# <ESC>2 to use PGP2
macro generic \e2 ":set pgp_default_version=pgp2 ?pgp_default_version\n"\
"Switch to PGP 2.*"
# <ESC>5 to use PGP5
macro generic \e5 ":set pgp_default_version=pgp5 ?pgp_default_version\n"\
"Switch to PGP 5.*"
#NOTE: Be careful with the last backspace at the end of the previous
macros. If you write that line and the next in the same line, do not write
it.
# index, OpMain, MENU_MAIN
# (Main menu)
# The next macro only runs from the main menu (the one that appears when
# you starts Mutt). The keys <CTRL>K permit us to extract the public keys
# from a message if it has (this is known because it has the K letter in
# the message line):
macro pager \Ck ":set pipe_decode pgp_key_version=pgp2\n\e\ek:set pgp_key_version=pgp5\n\e\ek:set pgp_key_version=gpg\n\e\ek:set pgp_key_version=default nopipe_decode\n"\ "Extract PGP keys to PGP2, PGP 5, and GnuPG keyrings"
# pager, OpPager, MENU_PAGER
# (Pager menu)
# It permits the same operations that previous, with the same key combinations,
# but in this case from the pager menu:
macro pager \e1 ":set pgp_default_version=gpg ?pgp_default_version\n"\
"switch to GNUPG"
macro pager \e2 ":set pgp_default_version=pgp2 ?pgp_default_version\n"\
"switch to PGP 2.*"
macro pager \e5 ":set pgp_default_version=pgp5 ?pgp_default_version\n"\
"switch to PGP 5.*"
# compose, OpCompose+OpGerneric, MENU_COMPOSE
# (Compose menu)
# The next operations are used from the compose menu.
# That is, after you have composed your message and you close it to send it,
# just before pressing the "Y" key that allows us to send it to the MTA.
# In this case, we create a menu that appears when you press "P".
# The options in this menu are going to be bound to MENU_PGP. This are the
# main use options (encryption and signing).
bind compose p pgp-menu
# As many programs can't use PGP/MIME (especially from M$), the <CTRL>P key
# will allow us to sign "as in the old times" (Application/PGP):
macro compose \CP "Fgpg --clearsign\ny"
# The next, <CTRL>S will allow us to sign using PGP/MIME with the private key
# that we have defined as default. This macro is not necesary, as we can
# do the same from the "P" menu:
macro compose \CS "Fgpg --clearsign\ny^T^Uapplication/pgp; format=text; x-action=sign\n"
</verb></tscreen>
You can add more macros, and some other are yet configured as default in
newer versions of Mutt. Some other options include:
<itemize>
<item>&lt;CTRL&gt;K (extract public keys from a message)
<item>&lt;ESC&gt;K (adjunt a public key to a message)
<item>&lt;CTRL&gt;F (when using the key phrase to sign or decrypt a message, it is still in memory. With this you can delete it from memory)
<item>etc...
</itemize>
To see what other options are activated, you must go to the help menu (?)
from the menu where you were.
<sect>Procmail notes and tips
<sect1>Configuring Procmail to send automatically your public keys
<label id="sec-procmail.1">
<p>
As this is not the objetive of this Howto, we will comment that the
securest way to get the public key from anybody is that he gives it to us
directly by hand.
As many times this is not an easy method (how long they are) the people
can send the public key by electronic mail, or searching it in a key
server, but none of those methods assure that the obtained key is really
from whom it seems to be. If you use other communication media considered
&quot;secure&quot; (searching the owner in the phone listing and asking
him to read his key "fingerprint" to contrast with the fingerprint from
the key we have obtained from the non-secure path).
What we are going to see is a "tip" to put into the <tt>.procmailrc</tt>
from the Procmail mail processor to get back automatically your publick
key to the remitent when you get a message with a determined text in the
<tt>Subject</tt> line:
<tscreen><verb>
:0 h
* ^Subject:[ ]+\/(|send)[ ]+key pub\>.*
| mutt -s "Re: $MATCH" `formail -rtzxTo:` &lt;/clau/mykey.asc
</verb></tscreen>
What it is said in the previous paragraph is: we have a copy in ASCII of
our public key, in any directory (in this case the <tt>/clau</tt>
directory) in a file named <tt>mykey.asc</tt>; when procmail gets a
message that include "send key pub" in the <tt>Subject:</tt> line, send
the file to the remitent.
IMPORTANT: what you have between the brackets is <bf>an space</bf> and
<bf>a tab</bf>.
<sect1>Verify and decrypt automatically messages without PGP/MIME
<label id="sec-procmail.2">
<p>
When you receive a signed message that uses PGP/MIME and you open it with
your preferred MUA (Mutt, isn't it?), it recognizes the message as
PGP/MIME and checks the signature if you have the remitent public key.
These messages are the ones that have the "S" in the first part of the
message line in Mutt:
<tscreen><verb>
36 S 05/09 Andres Seco Her ( 12K) Al fin
</verb></tscreen>
while the encrypted messages have the "P":
<tscreen><verb>
12 P 03/24 Andres Seco Her (6,3K) Re: FW: Re: Mutt - pgp/gnupg
</verb></tscreen>
But if the message is signed and has the &dquot;application/pgp&dquot;
MIME type, when you open it Mutt doesn't check its sign, and this sign is
into the message body, as here:
<tscreen><verb>
-----BEGIN PGP SIGNED MESSAGE-----
Date: Tue, 25 May 1999 13:04:26 +0200
From: La Corporación <bill@reboot.com>
Subject: Actualización S.O.
To: Sufrido Usuario <pepe@casa.es>
Sufrido usuario:
le comunicamos que puede usted adquirir la última actualización del
programa O.E. con la adquisición de nuestro sistema operativo reboot99
por el módico precio de ... etc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iKBGNpUBX0235VapRBUy1KklAQGl9wQA3SBMio0bbbajHAnyKMOlx3tcgNG7/UVC
AbqXcUnyGGOo13Nbas95G34Fee3wsXIFo1obEfgiRzqPzZPLWoZdAnyTlZyTwCHe
6ifVpLTuaXvcn9/76rXoI6u9svN2cqHCgHuNASKHaK9034uq81PSdW4QdGLgLoeB
vnGmxE+tGg32=
=Xidf
-----END PGP SIGNATURE-----
</verb></tscreen>
To verify it, you must save it and use the command line. But, it is
possible to convert this MIME messages type with <em/Procmail/ to allow
<em/Mutt/ to recognize it as <em>PGP/MIME</em>. You only need to add this
to <tt/.procmailrc/:
<tscreen><verb>
:0
* !^Content-Type: message/
* !^Content-Type: multipart/
* !^Content-Type: application/pgp
{
:0 fBw
* ^-----BEGIN PGP MESSAGE-----
* ^-----END PGP MESSAGE-----
| formail \
-i "Content-Type: application/pgp; format=text; x-action=encrypt"
:0 fBw
* ^-----BEGIN PGP SIGNED MESSAGE-----
* ^-----BEGIN PGP SIGNATURE-----
* ^-----END PGP SIGNATURE-----
| formail \
-i "Content-Type: application/pgp; format=text; x-action=sign"
}
</verb></tscreen>
As you can see, this is valid to signed messages and to encrypted messages
with application/pgp.
<sect1>Change MIME type for messages with keys inside without PGP/MIME
<p>
When you receive a public key block from a non <em>PGP/MIME</em> compliant
MUA, you must save the message body in your disk and then insert it into
your public key ring, but, including this lines into your <tt/.procmailrc/
file, you can include it directly from mutt.
<tscreen><verb>
:0 fBw
* ^-----BEGIN PGP PUBLIC KEY BLOCK-----
* ^-----END PGP PUBLIC KEY BLOCK-----
| formail -i "Content-Type: application/pgp-keys; format=text;"
</verb></tscreen>
Thanks to Denis Alan for this procmail note.
<sect>Interchanging signed/encrypted messages with different MUAs and platforms
<p>
In the first days, the PGP sign was included inside the text to sign.
Later, it was included the <tt>application/pgp</tt> MIME type to show that
the next attach was the sign or the encrypted PGP message, and finally,
with the PGP/MIME specification, it was possible to isolate the sign from
the original affected, to not modify absolutelly and somebody that didn't
have PGP could view the message as it was originally (only for signed
messages), without any added text in the beginning or in the end from PGP.
The actual situation is that only a few mail user agents (MUAs) are
capable to integrate PGP to use the PGP/MIME standard, and it is necesary
to send messages using the old time PGP sign when you know that the
recipient doesn't recognize PGP/MIME.
In Linux, the available mail user agents that are PGP/MIME compliant are
mutt-i and pine. In Windows, only the Eudora mail client versions 3.x and
4.x can use PGP/MIME. If you know any other mail user agent that supports
it, tell us by mail, to include it here.
<sect>Programs and versions used
<p>
To write this document we have used the next Mutt versions:
<itemize>
<item>Mutt 0.93i - you can not use GnuPG with this version.
<item>Mutt 0.95.3i - all PGP and GnuPG versions can be used.
</itemize>
And the next PGP and GnuPG versions:
<itemize>
<item>PGPi 5.0
<item>GnuPG 0.4.3
<item>GnuPG 0.9.4
</itemize>
<sect>More information
<p>
The original documentation from where this document has been obtained can
be found in the man pages from "mutt", "pgp", "pgp5", "gnupg", "procmail",
in the respectives directories in /usr/doc and in the world wide web
sites:
<itemize>
<item>Mutt Official Home Page - <htmlurl url="http://www.mutt.org"
name="http://www.mutt.org">
<item>GnuPG Main Page - <htmlurl url="http://www.gnupg.org"
name="http://www.gnupg.org">
<item>PGP International Page - <htmlurl url="http://www.pgpi.com"
name="http://www.pgpi.com">
<item>Procmail Official Home Page - <htmlurl url="http://www.procmail.org"
name="http://www.procmail.org">
</itemize>
The recommendations (request for comments, RFC) that are referenced in
this document are:
<itemize>
<item>1847 - Security Multiparts for MIME: Multipart/signed and Multipart/encripted
<item>1848 - MIME Object Security Services
<item>1991 - PGP Message Exchange Formats
<item>2015 - MIME Security with Pretty Good Privacy (PGP)
<item>2440 - OpenPGP Message Format
</itemize>
and can be found in /usr/doc/doc-rfc and in various sites in the world
wide web, like <htmlurl url="http://metalab.unc.edu"
name="http://metalab.unc.edu"> and <htmlurl url="http://nic.mil"
name="http://nic.mil">. You can get information from RFCs in <htmlurl
url="mailto:RFC-INFO@ISI.EDU" name="RFC-INFO@ISI.EDU">
</article>
View Git Blame Copy Permalink