Announcements and discussions for Gnus, the GNU Emacs Usenet newsreader
* How to set up signing/encryption with GnuPG? Some newbie questions
@ 2012-10-16  7:41 Marius Hofert
  2012-10-16  9:21 ` Kevin Brubeck Unhammer
       [not found] ` <mailman.11101.1350379384.855.info-gnus-english@gnu.org>
  0 siblings, 2 replies; 5+ messages in thread
From: Marius Hofert @ 2012-10-16  7:41 UTC
  To: Emacs Gnus

Hi,

Although I found and read (not necessarily understood :-) ) the security related
parts of the Gnus manual (e.g., C-h i Gnus -> Security), I still have the
following questions concerning signing and encryption of messages with Gnus:

1) What is a useful/meaningful setup in ~/.gnus.el for obtaining enabling GnusPG
for PGP/MIME?
I figured the following to be useful:
(setq mm-verify-option 'always); always verify signed parts
(setq mm-decrypt-option 'always); always decrypt encrypted parts
(setq gnus-message-replysign t); gnus-message-replyencrypt, gnus-message-replysignencrypted are already t by default
I also found Gnus users who set
(setq gnus-treat-x-pgp-sig t)
but I could not find sufficient documentation of gnus-treat-x-pgp-sig to
determine whether this is useful.

2) Why are gnus-message-replyencrypt and gnus-message-replysignencrypted set to
t by default, but gnus-message-replysign defaults to nil? Has this been
forgotten in the recent change (see http://comments.gmane.org/gmane.emacs.gnus.general/75543)?

3) Is it "good practice" to always sign messages? AFAIK, this does not require
the recipient to deal with encryption, but he could at least check that the
message has the correct signature. How would one always sign messages in Gnus by
default?

4) Where are my private/public keys? I never saw them nor was asked to generate
them. 

5) Am I correct in that signing a message simply requires C-c C-m s p? (and
signing + encrypting C-c C-m c p?)

I tried to send a test mail to adele@gnupp.de (mentioned on the German wiki page
http://de.wikipedia.org/wiki/GNU_Privacy_Guard). I used C-c C-m c p. On sending
via C-c C-c, I received "No public key for <adele@gnupp.de>; skip it? (y or
n)". I chose 'y', since the public key will be sent by adele@gnupp.de. I then
obtained "mml2015-epg-encrypt: No recipient specified". What does this mean?

Cheers,

Marius

PS: I am working with Emacs 24 under Ubuntu 12.04 with Gnus v5.13.


* Re: How to set up signing/encryption with GnuPG? Some newbie questions
  2012-10-16  7:41 How to set up signing/encryption with GnuPG? Some newbie questions Marius Hofert
@ 2012-10-16  9:21 ` Kevin Brubeck Unhammer
  2014-05-15 19:40   ` Peter Münster
       [not found] ` <mailman.11101.1350379384.855.info-gnus-english@gnu.org>
  1 sibling, 1 reply; 5+ messages in thread
From: Kevin Brubeck Unhammer @ 2012-10-16  9:21 UTC
  To: info-gnus-english



Marius Hofert <marius.hofert@math.ethz.ch> writes:

> Hi,
>
> Although I found and read (not necessarily understood :-) ) the security related
> parts of the Gnus manual (e.g., C-h i Gnus -> Security), I still have the
> following questions concerning signing and encryption of messages with Gnus:
>
> 1) What is a useful/meaningful setup in ~/.gnus.el for obtaining enabling GnusPG
> for PGP/MIME?
> I figured the following to be useful:
> (setq mm-verify-option 'always); always verify signed parts
> (setq mm-decrypt-option 'always); always decrypt encrypted parts
> (setq gnus-message-replysign t); gnus-message-replyencrypt,
> gnus-message-replysignencrypted are already t by default
> I also found Gnus users who set
> (setq gnus-treat-x-pgp-sig t)
> but I could not find sufficient documentation of gnus-treat-x-pgp-sig to
> determine whether this is useful.

There's also these two (defaulting to nil):

    mm-sign-option 'guided
    mm-encrypt-option 'guided

If set to 'guided, you'll get a menu on sending signed/encrypted
messages asking which key you want to use.

> 2) Why are gnus-message-replyencrypt and gnus-message-replysignencrypted set to
> t by default, but gnus-message-replysign defaults to nil? Has this been
> forgotten in the recent change (see
> http://comments.gmane.org/gmane.emacs.gnus.general/75543)?
>
> 3) Is it "good practice" to always sign messages? AFAIK, this does not require
> the recipient to deal with encryption, but he could at least check that the
> message has the correct signature. How would one always sign messages in Gnus by
> default?

(no idea)

> 4) Where are my private/public keys? I never saw them nor was asked to generate
> them. 

You make them with GnuPG (gpg --gen-key); Emacs seems to figure out how
to run gpg on its own.

There are some issues with gpg2 though (specifically, with pinentry).
I've installed gpg1 alongside gpg2 for the time being and have

(when (file-executable-p "/usr/bin/gpg1")
  (setq epg-gpg-program "/usr/bin/gpg1"))

More at http://www.emacswiki.org/emacs/EasyPG#toc4


> 5) Am I correct in that signing a message simply requires C-c C-m s p? (and
> signing + encrypting C-c C-m c p?)

Yes. I find `C-c C-m C-s' faster though (pinky never leaves the caps key).

> I tried to send a test mail to adele@gnupp.de (mentioned on the German wiki page
> http://de.wikipedia.org/wiki/GNU_Privacy_Guard). I used C-c C-m c p. On sending
> via C-c C-c, I received "No public key for <adele@gnupp.de>; skip it? (y or
> n)". I chose 'y', since the public key will be sent by adele@gnupp.de. I then
> obtained "mml2015-epg-encrypt: No recipient specified". What does this mean?

My German is not so good, but it seemed to me you're supposed to just
attach your public key to Adele. So don't encrypt that e-mail. Then she
sends back her own key, but now encrypted for your eyes only. Now you
can save that key as a file on disk, and do 

$ gpg --import that-file-on-disk

to import her key. _Now_ you should be able to `C-c C-m C-c' and encrypt
your next email for Adele.



Also, if you want to check my signature, do

$ gpg --keyserver pgp.mit.edu  --recv-keys 0x766AC60C

Then in gnus, press "g" to redisplay this email, and it should no longer
say "No public key for …". 

I use the following to fetch unknown keys on `C-c k', though it's not
particularly pretty:

#+begin_src emacs-lisp
(defun gnus-article-receive-epg-keys ()
  "Fetch unknown keys from a signed message."
  (interactive)
  (with-current-buffer gnus-article-buffer
    (save-excursion
      (goto-char (point-min))
      (if
	  (re-search-forward "\\[\\[PGP Signed Part:No public key for \\([A-F0-9]\\{16,16\\}\\) created at "
			     nil 'noerror)
	(shell-command (format "gpg --keyserver %s --recv-keys %s"
			       "pgp.mit.edu"
			       (match-string 1)))
	(message "No unknown signed parts found.")))))
(add-hook
 'gnus-startup-hook
 (lambda nil
   (define-key gnus-article-mode-map (kbd "C-c k") 'gnus-article-receive-epg-keys)
   (define-key gnus-summary-mode-map (kbd "C-c k") 'gnus-article-receive-epg-keys)))
#+end_src


-- 
Kevin Brubeck Unhammer

GPG: 0x766AC60C




* Re: How to set up signing/encryption with GnuPG? Some newbie questions
       [not found] ` <mailman.11101.1350379384.855.info-gnus-english@gnu.org>
@ 2012-10-16 14:42   ` Marius Hofert
  2012-10-16 19:45     ` Kevin Brubeck Unhammer
  0 siblings, 1 reply; 5+ messages in thread
From: Marius Hofert @ 2012-10-16 14:42 UTC
  To: gnu.emacs.gnus; +Cc: info-gnus-english

> > 1) What is a useful/meaningful setup in ~/.gnus.el for obtaining enabling GnusPG
> > for PGP/MIME?
> > I figured the following to be useful:
> > (setq mm-verify-option 'always); always verify signed parts
> > (setq mm-decrypt-option 'always); always decrypt encrypted parts
> > (setq gnus-message-replysign t); gnus-message-replyencrypt,
> > gnus-message-replysignencrypted are already t by default
> > I also found Gnus users who set
> > (setq gnus-treat-x-pgp-sig t)
> > but I could not find sufficient documentation of gnus-treat-x-pgp-sig to
> > determine whether this is useful.
>
> There's also these two (defaulting to nil):
>
>     mm-sign-option 'guided
>     mm-encrypt-option 'guided

Thanks, Kevin.

Do you know what gnus-treat-x-pgp-sig does? I could not find documentation on this.

>
> If set to 'guided, you'll get a menu on sending signed/encrypted
> messages asking which key you want to use.
>
> > 2) Why are gnus-message-replyencrypt and gnus-message-replysignencrypted set to
> > t by default, but gnus-message-replysign defaults to nil? Has this been
> > forgotten in the recent change (see
> > http://comments.gmane.org/gmane.emacs.gnus.general/75543)?
> >
> > 3) Is it "good practice" to always sign messages? AFAIK, this does not require
> > the recipient to deal with encryption, but he could at least check that the
> > message has the correct signature. How would one always sign messages in Gnus by
> > default?
>
> (no idea)

In the meantime, I found the solution to 3) on http://www.emacswiki.org/emacs/GnusPGG (just look for "Automatic signing/encryption of messages")

>
> > 4) Where are my private/public keys? I never saw them nor was asked to generate
> > them.
>
> You make them with GnuPG (gpg --gen-key); Emacs seems to figure out how
> to run gpg on its own.

This is strange: I already have a folder ~/.gnupg (owned by root). I found this
problem online at various places and I followed the advice to change the
ownership.

> There are some issues with gpg2 though (specifically, with pinentry).
> I've installed gpg1 alongside gpg2 for the time being and have
>
> (when (file-executable-p "/usr/bin/gpg1")
>   (setq epg-gpg-program "/usr/bin/gpg1"))
>
> More at http://www.emacswiki.org/emacs/EasyPG#toc4
>
>
> > 5) Am I correct in that signing a message simply requires C-c C-m s p? (and
> > signing + encrypting C-c C-m c p?)
>
> Yes. I find `C-c C-m C-s' faster though (pinky never leaves the caps key).

Thanks, that's indeed nice.

>
> > I tried to send a test mail to ad...@gnupp.de (mentioned on the german wiki page
> > http://de.wikipedia.org/wiki/GNU_Privacy_Guard). I used C-c C-m c p. On sending
> > via C-c C-c, I received "No public key for <ad...@gnupp.de>; skip it? (y or
> > n)". I chose 'y', since the public key will be sent by ad...@gnupp.de. I then
> > obtained "mml2015-epg-encrypt: No recipient specified". What does this mean?
>
> My German is not so good, but it seemed to me you're supposed to just
> attach your public key to Adele. So don't encrypt that e-mail. Then she
> sends back her own key, but now encrypted for your eyes only. Now you
> can save that key as a file on disk, and do
>
> $ gpg --import that-file-on-disk
>
> to import her key. _Now_ you should be able to `C-c C-m C-c' and encrypt
> your next email for Adele.
>
>
>
> Also, if you want to check my signature, do
>
> $ gpg --keyserver pgp.mit.edu  --recv-keys 0x766AC60C
>
> Then in gnus, press "g" to redisplay this email, and it should no longer
> say "No public key for …".
>
> I use the following to fetch unknown keys on `C-c k', though it's not
> particularly pretty:
>
> #+begin_src emacs-lisp
> (defun gnus-article-receive-epg-keys ()
>   "Fetch unknown keys from a signed message."
>   (interactive)
>   (with-current-buffer gnus-article-buffer
>     (save-excursion
>       (goto-char (point-min))
>       (if
>           (re-search-forward "\\[\\[PGP Signed Part:No public key for \\([A-F0-9]\\{16,16\\}\\) created at "
>                              nil 'noerror)
>         (shell-command (format "gpg --keyserver %s --recv-keys %s"
>                                "pgp.mit.edu"
>                                (match-string 1)))
>         (message "No unknown signed parts found.")))))
> (add-hook
>  'gnus-startup-hook
>  (lambda nil
>    (define-key gnus-article-mode-map (kbd "C-c k") 'gnus-article-receive-epg-keys)
>    (define-key gnus-summary-mode-map (kbd "C-c k") 'gnus-article-receive-epg-keys)))
> #+end_src
>

Great, many thanks!


* Re: How to set up signing/encryption with GnuPG? Some newbie questions
  2012-10-16 14:42   ` Marius Hofert
@ 2012-10-16 19:45     ` Kevin Brubeck Unhammer
  0 siblings, 0 replies; 5+ messages in thread
From: Kevin Brubeck Unhammer @ 2012-10-16 19:45 UTC
  To: info-gnus-english

Marius Hofert <marius.hofert@math.ethz.ch> writes:

>> > 1) What is a useful/meaningful setup in ~/.gnus.el for obtaining enabling GnusPG
>> > for PGP/MIME?
>> > I figured the following to be useful:
>> > (setq mm-verify-option 'always); always verify signed parts
>> > (setq mm-decrypt-option 'always); always decrypt encrypted parts
>> > (setq gnus-message-replysign t); gnus-message-replyencrypt,
>> > gnus-message-replysignencrypted are already t by default
>> > I also found Gnus users who set
>> > (setq gnus-treat-x-pgp-sig t)
>> > but I could not find sufficient documentation of gnus-treat-x-pgp-sig to
>> > determine whether this is useful.
>>
>> There's also these two (defaulting to nil):
>>
>>     mm-sign-option 'guided
>>     mm-encrypt-option 'guided
>
> Thanks, Kevin.
>
> Do you know what gnus-treat-x-pgp-sig does? I could not find documentation on this.

`C-h v gnus-treat-x-pgp-sig RET' led me to the info files, whence I
found this:

`W p'
     Verify a signed control message (`gnus-article-verify-x-pgp-sig').
     Control messages such as `newgroup' and `checkgroups' are usually
     signed by the hierarchy maintainer.  You need to add the PGP
     public key of the maintainer to your keyring to verify the
     message.(1)



-- 
Kevin Brubeck Unhammer

GPG: 0x766AC60C


* Re: How to set up signing/encryption with GnuPG? Some newbie questions
  2012-10-16  9:21 ` Kevin Brubeck Unhammer
@ 2014-05-15 19:40   ` Peter Münster
  0 siblings, 0 replies; 5+ messages in thread
From: Peter Münster @ 2014-05-15 19:40 UTC
  To: info-gnus-english

On Tue, Oct 16 2012, Kevin Brubeck Unhammer wrote:

> (defun gnus-article-receive-epg-keys ()

Hi,

Is this still needed or is there a similar function now in latest Gnus?


> 	(shell-command (format "gpg --keyserver %s --recv-keys %s"
> 			       "pgp.mit.edu"
> 			       (match-string 1)))

This is possible too:
(epg-import-keys-from-server (epg-make-context 'OpenPGP) (list (match-string 1)))

-- 
           Peter
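
The two approaches from this thread combined, as an added example that is not part of any poster's message: Kevin's search for the "No public key" notice, with Peter's `epg-import-keys-from-server` call in place of the shell command, extended to collect every missing key ID in the article instead of only the first. The `my/` names are hypothetical, and the regexp is copied from Kevin's post, so it assumes Gnus prints the notice in that form.

```emacs-lisp
;; Added example; the my/ names are hypothetical, not part of Gnus or EasyPG.
(require 'gnus)
(require 'epg)

(defconst my/gnus-missing-key-regexp
  ;; Copied from the function posted earlier in the thread.
  "\\[\\[PGP Signed Part:No public key for \\([A-F0-9]\\{16,16\\}\\) created at "
  "Matches the notice Gnus shows for a signature whose key is not in the keyring.")

(defun my/gnus-missing-key-ids (buffer)
  "Return the distinct 16-hex-digit key IDs that BUFFER reports as missing."
  (with-current-buffer buffer
    (save-excursion
      (goto-char (point-min))
      (let (ids)
        (while (re-search-forward my/gnus-missing-key-regexp nil 'noerror)
          (let ((id (match-string-no-properties 1)))
            ;; Several signed parts may name the same key; request it once.
            (unless (member id ids)
              (push id ids))))
        (nreverse ids)))))

(defun my/gnus-article-receive-epg-keys ()
  "Import every key the current article reports as missing, through EPG.
Only strings matched by the hex-only regexp group are passed on, and no
shell is involved."
  (interactive)
  (let ((ids (my/gnus-missing-key-ids gnus-article-buffer)))
    (if (null ids)
        (message "No unknown signed parts found.")
      (condition-case err
          (progn
            (epg-import-keys-from-server (epg-make-context 'OpenPGP) ids)
            (message "Requested %d key(s) from the keyserver: %s"
                     (length ids) (mapconcat #'identity ids " ")))
        ;; epg-error derives from error, so a failed fetch lands here.
        (error (message "Key import failed: %s"
                        (error-message-string err)))))))

;; Same binding as in the original post.
(add-hook
 'gnus-startup-hook
 (lambda ()
   (define-key gnus-article-mode-map (kbd "C-c k") #'my/gnus-article-receive-epg-keys)
   (define-key gnus-summary-mode-map (kbd "C-c k") #'my/gnus-article-receive-epg-keys)))
```

A key fetched by ID from a keyserver only lets the signature be checked against that key; compare its fingerprint (`gpg --fingerprint`) with one obtained from the sender before relying on the result.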



