Announcements and discussions for Gnus, the GNU Emacs Usenet newsreader
From: Marius Hofert <marius.hofert@math.ethz.ch>
To: gnu.emacs.gnus@googlegroups.com
Cc: info-gnus-english@gnu.org
Subject: Re: How to set up signing/encryption with GnuPG? Some newbie questions
Date: Tue, 16 Oct 2012 07:42:50 -0700 (PDT)
Message-ID: <58e2ae8a-d659-4960-9c43-ccfcd6001efb@googlegroups.com>
In-Reply-To: <mailman.11101.1350379384.855.info-gnus-english@gnu.org>

> > 1) What is a useful/meaningful setup in ~/.gnus.el for enabling GnuPG
> > for PGP/MIME?
> > I figured the following to be useful:
> > (setq mm-verify-option 'always); always verify signed parts
> > (setq mm-decrypt-option 'always); always decrypt encrypted parts
> > (setq gnus-message-replysign t); gnus-message-replyencrypt,
> > ; gnus-message-replysignencrypted are already t by default
> > I also found Gnus users who set
> > (setq gnus-treat-x-pgp-sig t)
> > but I could not find sufficient documentation of gnus-treat-x-pgp-sig to
> > determine whether this is useful.
>
> There's also these two (defaulting to nil):
>
>     mm-sign-option 'guided
>     mm-encrypt-option 'guided

Thanks, Kevin.

Do you know what gnus-treat-x-pgp-sig does? I could not find documentation on this.

>
> If set to 'guided, you'll get a menu on sending signed/encrypted
> messages asking which key you want to use.
>
> > 2) Why are gnus-message-replyencrypt and gnus-message-replysignencrypted set to
> > t by default, but gnus-message-replysign defaults to nil? Has this been
> > forgotten in the recent change (see
> > http://comments.gmane.org/gmane.emacs.gnus.general/75543)?
> >
> > 3) Is it "good practice" to always sign messages? AFAIK, this does not require
> > the recipient to deal with encryption, but he could at least check that the
> > message has the correct signature. How would one always sign messages in Gnus by
> > default?
>
> (no idea)

In the meantime, I found the solution to 3) on http://www.emacswiki.org/emacs/GnusPGG (just look for "Automatic signing/encryption of messages")

>
> > 4) Where are my private/public keys? I never saw them nor was asked to generate
> > them.
>
> You make them with GnuPG (gpg --gen-key); Emacs seems to figure out how
> to run gpg on its own.

This is strange: I already have a folder ~/.gnupg (owned by root). I found this
problem online at various places and I followed the advice to change the
ownership.

> There are some issues with gpg2 though (specifically, with pinentry).
> I've installed gpg1 alongside gpg2 for the time being and have
>
> (when (file-executable-p "/usr/bin/gpg1")
>   (setq epg-gpg-program "/usr/bin/gpg1"))
>
> More at http://www.emacswiki.org/emacs/EasyPG#toc4
>
>
> > 5) Am I correct in that signing a message simply requires C-c C-m s p? (and
> > signing + encrypting C-c C-m c p?)
>
> Yes. I find `C-c C-m C-s' faster though (pinky never leaves the caps key).

Thanks, that's indeed nice.

>
> > I tried to send a test mail to ad...@gnupp.de (mentioned on the German wiki page
> > http://de.wikipedia.org/wiki/GNU_Privacy_Guard). I used C-c C-m c p. On sending
> > via C-c C-c, I received "No public key for <ad...@gnupp.de>; skip it? (y or
> > n)". I chose 'y', since the public key will be sent by ad...@gnupp.de. I then
> > obtained "mml2015-epg-encrypt: No recipient specified". What does this mean?
>
> My German is not so good, but it seemed to me you're supposed to just
> attach your public key to Adele. So don't encrypt that e-mail. Then she
> sends back her own key, but now encrypted for your eyes only. Now you
> can save that key as a file on disk, and do
>
> $ gpg --import that-file-on-disk
>
> to import her key. _Now_ you should be able to `C-c C-m C-c' and encrypt
> your next email for Adele.
>
>
>
> Also, if you want to check my signature, do
>
> $ gpg --keyserver pgp.mit.edu  --recv-keys 0x766AC60C
>
> Then in gnus, press "g" to redisplay this email, and it should no longer
> say "No public key for …".
>
> I use the following to fetch unknown keys on `C-c k', though it's not
> particularly pretty:
>
> #+begin_src emacs-lisp
> (defun gnus-article-receive-epg-keys ()
>   "Fetch unknown keys from a signed message."
>   (interactive)
>   (with-current-buffer gnus-article-buffer
>     (save-excursion
>       (goto-char (point-min))
>       (if
>           (re-search-forward "\\[\\[PGP Signed Part:No public key for \\([A-F0-9]\\{16,16\\}\\) created at "
>                              nil 'noerror)
>         (shell-command (format "gpg --keyserver %s --recv-keys %s"
>                                "pgp.mit.edu"
>                                (match-string 1)))
>         (message "No unknown signed parts found.")))))
> (add-hook
>  'gnus-startup-hook
>  (lambda nil
>    (define-key gnus-article-mode-map (kbd "C-c k") 'gnus-article-receive-epg-keys)
>    (define-key gnus-summary-mode-map (kbd "C-c k") 'gnus-article-receive-epg-keys)))
> #+end_src
>

Great, many thanks!
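
An added example, not part of the thread and not code from Gnus or EmacsWiki: a pre-send check for ~/.gnus.el that signs every outgoing message by default (question 3) and, when the message is tagged for encryption, stops with a list of recipients that have no public key in the keyring instead of ending in "No recipient specified" (question 5). The `my/` function names are hypothetical, and the keyring lookup by exact address is an assumption about how the keys are stored.

```emacs-lisp
;; Added example; the my/ names are hypothetical, not part of Gnus.
(require 'epg)
(require 'message)
(require 'mml-sec)
(require 'mail-extr)

(defun my/message-recipient-addresses ()
  "Return the bare addresses found in the To, Cc and Bcc headers."
  (let (addresses)
    (save-excursion
      (save-restriction
        (message-narrow-to-headers)
        (dolist (header '("To" "Cc" "Bcc"))
          (let ((value (message-fetch-field header)))
            (when value
              ;; With a non-nil second argument this returns a list
              ;; of (NAME ADDRESS) pairs, one per recipient.
              (dolist (parsed (mail-extract-address-components value t))
                (when (cadr parsed)
                  (push (cadr parsed) addresses))))))))
    (delete-dups (nreverse addresses))))

(defun my/addresses-without-public-key (addresses)
  "Return the members of ADDRESSES that have no public key in the keyring."
  (let ((context (epg-make-context 'OpenPGP)))
    (delq nil
          (mapcar (lambda (address)
                    ;; "<addr>" asks gpg for an exact e-mail match.
                    (unless (epg-list-keys context (concat "<" address ">"))
                      address))
                  addresses))))

(defun my/message-encrypt-tag-p ()
  "Return non-nil if the message carries a secure tag that encrypts."
  (save-excursion
    (goto-char (point-min))
    (re-search-forward "<#secure[^>]+encrypt" nil t)))

(defun my/check-keys-or-sign ()
  "Abort if an encrypted message lacks recipient keys; otherwise sign."
  (if (my/message-encrypt-tag-p)
      (let ((missing (my/addresses-without-public-key
                      (my/message-recipient-addresses))))
        (when missing
          (error "No public key for %s; import it with gpg --import first"
                 (mapconcat #'identity missing ", "))))
    (mml-secure-message-sign-pgpmime)))

(add-hook 'message-send-hook #'my/check-keys-or-sign)
```

The lookup only checks that a key is present; an expired or revoked key still counts as found, so gpg can still refuse it at send time.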
