EasyPG for signing and en/decrypting Email

EasyPG for signing and en/decrypting Email

[Suno Ano]

[-- Attachment #1.1: Type: text/plain, Size: 3716 bytes --]

Hi folks,

I hope it is okay that I put few names into CC which I found out (by
looking at the mail archive) shared an interest into this subject during
the last two years or so ...

Due to the lack of documentation on the matter I am trying to
summarize/clarify a few things and when done, put it onto
http://www.emacswiki.org/emacs/EasyPG so others will have an easier path
to gettings things done with regards to signing and en/decrypting
emails.



There are at least 5 threads started by folks, starting with 2007, which
run into the same obstacles as I did

 - what do I use i.e. pgg? epg? mailcrypt?
 - how do I verify a signature?
 - how do I switch key IDs for signing (manually)
 - how do I switch key IDs for signing automatically based on what
   group I send mail from


Here is what I learned during the past few days:

 - pgg and mailcrypt are obsolete. One should use EasyPG now.
 - EasyPG ships with current Emacs versions like for example 23.0.91.1,
   the one I use
 - one can switch among his key IDs signing and/or en/decryption if
   needed (lines 9 to 18) below



The other day we had another thread which contained this message of
Thierry

 Thierry> if you call `epa-mail-sign' with a prefix arg, you will have
 Thierry> an interface to choose your key.

I set (setq mml2015-verbose t) so I get asked which key ID (I have two)
I want to use for both of the following cases: mml-secure-message-sign
as well as epa-mail-sign. Hmmm ... About that ...

 - there is the Attachment menu providing us with C-c RET C-s (which for
   example invokes mml-secure-message-sign) and friends, but then
 - there also is the epa-* set of commands to do the whole signing and
   encryption/decryption thing.

So what do I use? The mml-* commands or the epa-* ones?


Below is my current setup


 1  (require 'epa)
 2
 3  (setq mml2015-use 'epg)
 4  (setq mml2015-encrypt-to-self t)
 5  (setq mml2015-verbose t)
 6  (setq mml2015-always-trust nil)
 7  (setq mml2015-passphrase-cache-expiry '7200)
 8
 9  (add-hook 'message-setup-hook
10            (lambda ()
11              (if gnus-newsgroup-name
12                  (let ((signers (gnus-group-get-parameter
13                                  gnus-newsgroup-name
14                                  'mml2015-signers
15                                  t)))
16                    (if signers
17                        (set (make-local-variable 'mml2015-signers)
18                             signers))))))
19
20
21  (setq gnus-message-replysign t
22        gnus-message-replyencrypt t
23        gnus-message-replysignencrypted t
24        gnus-treat-x-pgp-sig t
25        mm-verify-option 'always
26        mm-decrypt-option 'always
27  )
28
29  (setq gnus-buttonized-mime-types
30        '("multipart/alternative"
31          "multipart/encrypted"
32          "multipart/signed"))
33
34  (setq mm-coding-system-priorities
35        '(iso-latin-1 iso-latin-9 mule-utf-8))


My question is, signing and choosing a key ID now seems to work because
of line 5.

However, even if I use my own key ID and send mail to myself, verifying
the signature does not seem to work because I see no "[[PGP Signed Part:
Good Signature ...]]" line but just the usual "[[PGP Signed Part:]]"
line i.e. no indication whatsoever Gnus could successfully verify that
(my own) signature.

On the other hand, if I use epa-mail-sign (without a prefix argument)
and then C-c RET P (preview, see Attachment menu), I get the "[[PGP
Signed Part: Good Signature ...]]" line in the preview. Oddly enough,
when I send that mail, the version I receive again only shows "[[PGP
Signed Part:]]".

What is wrong here?


Note: for this post I used C-c RET C-s to sign it with one of my two
keys.

[-- Attachment #1.2: Type: application/pgp-signature, Size: 196 bytes --]

[-- Attachment #2: Type: text/plain, Size: 161 bytes --]

_______________________________________________
info-gnus-english mailing list
info-gnus-english@gnu.org
http://lists.gnu.org/mailman/listinfo/info-gnus-english

Re: EasyPG for signing and en/decrypting Email

[Daiki Ueno]

>>>>> In <87prfr2unh.fsf@sunoano.org> 
>>>>>	Suno Ano <suno.ano@sunoano.org> wrote:
> Due to the lack of documentation on the matter I am trying to
> summarize/clarify a few things and when done, put it onto
> http://www.emacswiki.org/emacs/EasyPG so others will have an easier path
> to gettings things done with regards to signing and en/decrypting
> emails.

I'd appreciate someone could do that (though I don't like EmacsWiki).

Anyway, I'd suggest that you should know at least the overall concept
i.e. what is PGP/MIME, what is OpenPGP, and how Gnus handles them.

- PGP/MIME is a standard, which mml2015* implements using ep[ag]-*.

- OpenPGP is a standard, which ep[ag]-* implements.

Please note that PGP/MIME is a higher level concept of OpenPGP.

Also, you should know that "inline PGP" (which epa-mail-* implements) is
a different format from PGP/MIME:
http://josefsson.org/inline-openpgp-considered-harmful.html

> The other day we had another thread which contained this message of
> Thierry

>  Thierry> if you call `epa-mail-sign' with a prefix arg, you will have
>  Thierry> an interface to choose your key.

This is not appropriate if you use PGP/MIME because epa-mail-* commands
are for "inline PGP".

Regards,
-- 
Daiki Ueno

Re: EasyPG for signing and en/decrypting Email

[Richard Riley]

Daiki Ueno <ueno@unixuser.org> writes:

>>>>>> In <87prfr2unh.fsf@sunoano.org> 
>>>>>>	Suno Ano <suno.ano@sunoano.org> wrote:
>> Due to the lack of documentation on the matter I am trying to
>> summarize/clarify a few things and when done, put it onto
>> http://www.emacswiki.org/emacs/EasyPG so others will have an easier path
>> to gettings things done with regards to signing and en/decrypting
>> emails.
>
> I'd appreciate someone could do that (though I don't like EmacsWiki).
>
> Anyway, I'd suggest that you should know at least the overall concept
> i.e. what is PGP/MIME, what is OpenPGP, and how Gnus handles them.
>
> - PGP/MIME is a standard, which mml2015* implements using ep[ag]-*.
>
> - OpenPGP is a standard, which ep[ag]-* implements.
>
> Please note that PGP/MIME is a higher level concept of OpenPGP.
>
> Also, you should know that "inline PGP" (which epa-mail-* implements) is
> a different format from PGP/MIME:
> http://josefsson.org/inline-openpgp-considered-harmful.html
>
>> The other day we had another thread which contained this message of
>> Thierry
>
>>  Thierry> if you call `epa-mail-sign' with a prefix arg, you will have
>>  Thierry> an interface to choose your key.
>
> This is not appropriate if you use PGP/MIME because epa-mail-* commands
> are for "inline PGP".
>
> Regards,

This was a confusion to me too because it seemed epa is a wrapper to all
things pgp. At the very least maybe the pgp/mime docs in gnus need
marking to show egp is now standard too : currently there are no
meaningful comments about epg in the gnus manual (emacs snapshot in debian).

Re: EasyPG for signing and en/decrypting Email

[Daiki Ueno]

>>>>> In <grab4u$gbm$3@news.motzarella.org> 
>>>>>	Richard Riley <rileyrgdev@googlemail.com> wrote:
> This was a confusion to me too because it seemed epa is a wrapper to all
> things pgp. At the very least maybe the pgp/mime docs in gnus need
> marking to show egp is now standard too : currently there are no
> meaningful comments about epg in the gnus manual (emacs snapshot in
> debian).

I'm really curious about how people learn the usage of pgg through the
mml2015 interface.  Just a guess, or from EmacsWiki?

IIUC, even the Gnus manual doesn't mention it.  The only thing it tells
about the PGP/MIME backend is the following:

`mml2015-use'
     Symbol indicating elisp interface to OpenPGP implementation for
     PGP/MIME messages.  The default is `pgg', but `mailcrypt' and
     `gpg' are also supported although deprecated.
-- 
Daiki Ueno

Re: EasyPG for signing and en/decrypting Email

[Richard Riley]

Daiki Ueno <ueno@unixuser.org> writes:

>>>>>> In <grab4u$gbm$3@news.motzarella.org> 
>>>>>>	Richard Riley <rileyrgdev@googlemail.com> wrote:
>> This was a confusion to me too because it seemed epa is a wrapper to all
>> things pgp. At the very least maybe the pgp/mime docs in gnus need
>> marking to show egp is now standard too : currently there are no
>> meaningful comments about epg in the gnus manual (emacs snapshot in
>> debian).
>
> I'm really curious about how people learn the usage of pgg through the
> mml2015 interface.  Just a guess, or from EmacsWiki?

I didnt even know that "mml2015" was. I'm not sure I do now. There is a
huge chance I am confused about the whole thing. I only know I used the
gnus manual and wiki resources before and set up pgg without any
trouble. The whole epa/epg/mml2015 set seems, at first glance,  to be
poorly documented for a defacto default.

>
> IIUC, even the Gnus manual doesn't mention it.  The only thing it tells
> about the PGP/MIME backend is the following:
>
> `mml2015-use'
>      Symbol indicating elisp interface to OpenPGP implementation for
>      PGP/MIME messages.  The default is `pgg', but `mailcrypt' and
>      `gpg' are also supported although deprecated.

Yes, this was my point. There is next to no documentation.

Re: EasyPG for signing and en/decrypting Email

[Suno Ano]

[-- Attachment #1.1: Type: text/plain, Size: 1838 bytes --]


 Daiki> I'd appreciate someone could do that (though I don't like
 Daiki> EmacsWiki).

Sure, no problem. This will happen until the end of April 2009 -- I want
to get a decent understanding of the matter first. Talking with you guys
here is going to do just that :-)


 Daiki> Anyway, I'd suggest that you should know at least the overall
 Daiki> concept i.e. What is PGP/MIME, what is OpenPGP, and how Gnus
 Daiki> handles them.

I agree. I known OpenPGP fairly well (in particular one of its
implementations namely GPG (GNU Privacy Guard)). I am going to read a
bit more about PGP/MIME starting with (Info-goto-node "(emacs-mime)
Top") though.



Ok, now about the block below ... you tell me if I got it right:

    Daiki> - Pgp/MIME is a standard, which mml2015* implements using
    Daiki>   ep[ag]-*.

    Daiki> - Openpgp is a standard, which ep[ag]-* implements.

    Daiki> Please note that PGP/MIME is a higher level concept of
    Daiki> OpenPGP.

    Daiki> Also, you should know that "inline PGP" (which epa-mail-*
    Daiki> implements) is a different format from PGP/MIME:
    Daiki> http://josefsson.org/inline-openpgp-considered-harmful.html

        >> The other day we had another thread which contained this
        >> message of Thierry

        Thierry> if you call `epa-mail-sign' with a prefix arg, you will
        Thierry> have an interface to choose your key.

    Daiki> This is not appropriate if you use PGP/MIME because
    Daiki> epa-mail-* commands are for "inline PGP".


In case is with up-to-date versions of Emacs as well as GPG (GNU Privacy
Guard), he should use the mml-* set of commands? Those, at a lower
level, use the ep[ag]-* commands anyways? Did I get this right?


At last but not least, about my former question, might anyone know why
verifying my signature does not work out as expected?

[-- Attachment #1.2: Type: application/pgp-signature, Size: 196 bytes --]

[-- Attachment #2: Type: text/plain, Size: 161 bytes --]

_______________________________________________
info-gnus-english mailing list
info-gnus-english@gnu.org
http://lists.gnu.org/mailman/listinfo/info-gnus-english

Re: EasyPG for signing and en/decrypting Email

[Reiner Steib]

On Sun, Apr 05 2009, Daiki Ueno wrote:

>>>>>>	Suno Ano <suno.ano@sunoano.org> wrote:
>> Due to the lack of documentation on the matter I am trying to
>> summarize/clarify a few things and when done, put it onto
>> http://www.emacswiki.org/emacs/EasyPG so others will have an easier path
>> to gettings things done with regards to signing and en/decrypting
>> emails.
>
> I'd appreciate someone could do that (though I don't like EmacsWiki).

This should be documented the corresponding manuals, not on EmacsWiki.

On Sun, Apr 05 2009, Daiki Ueno wrote:
>>>>>>	Richard Riley <rileyrgdev@googlemail.com> wrote:
>> This was a confusion to me too because it seemed epa is a wrapper to all
>> things pgp. At the very least maybe the pgp/mime docs in gnus need
>> marking to show egp is now standard too : currently there are no
>> meaningful comments about epg in the gnus manual (emacs snapshot in
>> debian).
>
> I'm really curious about how people learn the usage of pgg through the
> mml2015 interface.  Just a guess, or from EmacsWiki?

I've not uses EasyPG in Gnus yet.  But I always thought it is just
used without any configuration as a drop-in replacement for PGG.

> IIUC, even the Gnus manual doesn't mention it.  The only thing it tells
> about the PGP/MIME backend is the following:
>
> `mml2015-use'
>      Symbol indicating elisp interface to OpenPGP implementation for
>      PGP/MIME messages.  The default is `pgg', but `mailcrypt' and
>      `gpg' are also supported although deprecated.

Could you add epg where appropriate, please?

Bye, Reiner.
-- 
       ,,,
      (o o)
---ooO-(_)-Ooo---  |  PGP key available  |  http://rsteib.home.pages.de/

Re: EasyPG for signing and en/decrypting Email

[Daiki Ueno]

>>>>> In <87y6ufnfgn.fsf@marauder.physik.uni-ulm.de> 
>>>>>	Reiner Steib <reinersteib+gmane@imap.cc> wrote:
> > I'm really curious about how people learn the usage of pgg through the
> > mml2015 interface.  Just a guess, or from EmacsWiki?

> I've not uses EasyPG in Gnus yet.  But I always thought it is just
> used without any configuration as a drop-in replacement for PGG.

You are missing the point.  We are talking about how PGG interacts with
mml2015, not the usage of PGG itself.  Please do not propagate more
confusion.
-- 
Daiki Ueno

Re: EasyPG for signing and en/decrypting Email

[Daiki Ueno]

>>>>> In <599d0910-d6b3-46c9-917c-7f3265080872@broken.deisui.org> 
>>>>>	Daiki Ueno <ueno@unixuser.org> wrote:
> >>>>> In <87y6ufnfgn.fsf@marauder.physik.uni-ulm.de> 
> >>>>>	Reiner Steib <reinersteib+gmane@imap.cc> wrote:
> > > I'm really curious about how people learn the usage of pgg through the
> > > mml2015 interface.  Just a guess, or from EmacsWiki?

> > I've not uses EasyPG in Gnus yet.  But I always thought it is just
> > used without any configuration as a drop-in replacement for PGG.

> You are missing the point.  We are talking about how PGG interacts with
> mml2015, not the usage of PGG itself.  Please do not propagate more
> confusion.

Sorry, I misread your sentence, which has nothing to do with the above
sentence I wrote.  I just meant: in the Internet era, if EmacsWiki is
the first source of information to use Gnus, should we Gnus developers
pay more attension to improve that site?

There still PGG is mentioned as the default backend:
http://www.emacswiki.org/emacs/GnusPGG

and there is even no link to:
http://www.emacswiki.org/emacs/EasyPG
-- 
Daiki Ueno

Re: EasyPG for signing and en/decrypting Email

[Richard Riley]

Daiki Ueno <ueno@unixuser.org> writes:

>>>>>> In <87y6ufnfgn.fsf@marauder.physik.uni-ulm.de> 
>>>>>>	Reiner Steib <reinersteib+gmane@imap.cc> wrote:
>> > I'm really curious about how people learn the usage of pgg through the
>> > mml2015 interface.  Just a guess, or from EmacsWiki?
>
>> I've not uses EasyPG in Gnus yet.  But I always thought it is just
>> used without any configuration as a drop-in replacement for PGG.
>
> You are missing the point.  We are talking about how PGG interacts with
> mml2015, not the usage of PGG itself.  Please do not propagate more
> confusion.

I think this is the problem - there is confusion. And there is,
currently, little if any information to help clarify it. I thought the
same. Then I realised its a "wrapper" which uses one of epg/pgg etc. I
think. And then I wondered how epa fit it into it. Sorry Daiki, but
there is clearly an information shortfall here. It went from reasonably
clear in emacs 22 to confusing now - and the lack of updates to the
gnus/emacs manual don't help.

Re: EasyPG for signing and en/decrypting Email

[Daiki Ueno]

>>>>> In <87prfr2unh.fsf@sunoano.org> 
>>>>>	Suno Ano <suno.ano@sunoano.org> wrote:
> However, even if I use my own key ID and send mail to myself, verifying
> the signature does not seem to work because I see no "[[PGP Signed Part:
> Good Signature ...]]" line but just the usual "[[PGP Signed Part:]]"
> line i.e. no indication whatsoever Gnus could successfully verify that
> (my own) signature.
[...]
> What is wrong here?

> Note: for this post I used C-c RET C-s to sign it with one of my two
> keys.

I can't reproduce it, but it might be a bug.  Could you please try:

(setq epg-debug t)

and show me the contents of " *epg-debug*" buffer (note the first
character is a space) when "[[PGP Signed Part:]]" shows up.
-- 
Daiki Ueno

Re: EasyPG for signing and en/decrypting Email

[Suno Ano]

 >>>>>> In <87prfr2unh.fsf@sunoano.org>
 >>>>>> Suno Ano <suno.ano@sunoano.org> wrote:
 >> However, even if I use my own key ID and send mail to myself,
 >> verifying the signature does not seem to work because I see no
 >> "[[PGP Signed Part: Good Signature ...]]" Line but just the usual
 >> "[[PGP Signed Part:]]" line i.e. No indication whatsoever Gnus could
 >> successfully verify that (my own) signature.
 >> What is wrong here?

 Daiki> I can't reproduce it, but it might be a bug. Could you please
 Daiki> try: (Setq epg-debug t)
 Daiki> And show me the contents of " *epg-debug*" buffer (note the
 Daiki> first character is a space) when "[[PGP Signed Part:]]" shows
 Daiki> up. -- Daiki Ueno


Here it is http://sunoano.pastebin.com/m19ac8b81

Re: EasyPG for signing and en/decrypting Email

[Giorgos Keramidas]

On Tue, 07 Apr 2009 06:22:17 +0200, Richard Riley <rileyrgdev@googlemail.com> wrote:
>Giorgos Keramidas <keramida@ceid.upatras.gr> writes:
>> Apparently, this requires setting a list of mml2015-signers as
>> a group property.  Is there any way to avoid the prompt for
>> selecting a key when this property does not exist in the
>> current group, or to use a default value?
>
> Look for mml2015-verbose
>
> It might be what you need.

Excellent, thank you! :)

Re: EasyPG for signing and en/decrypting Email

[Richard Riley]

Giorgos Keramidas <keramida@ceid.upatras.gr> writes:

> On Sun, 05 Apr 2009 13:43:14 +0200, Suno Ano <suno.ano@sunoano.org> wrote:
>> Below is my current setup
>>
>>  1  (require 'epa)
>>  2
>>  3  (setq mml2015-use 'epg)
>>  4  (setq mml2015-encrypt-to-self t)
>>  5  (setq mml2015-verbose t)
>>  6  (setq mml2015-always-trust nil)
>>  7  (setq mml2015-passphrase-cache-expiry '7200)
>>  8
>>  9  (add-hook 'message-setup-hook
>> 10            (lambda ()
>> 11              (if gnus-newsgroup-name
>> 12                  (let ((signers (gnus-group-get-parameter
>> 13                                  gnus-newsgroup-name
>> 14                                  'mml2015-signers
>> 15                                  t)))
>> 16                    (if signers
>> 17                        (set (make-local-variable 'mml2015-signers)
>> 18                             signers))))))
>> 19
>> 20
>> 21  (setq gnus-message-replysign t
>> 22        gnus-message-replyencrypt t
>> 23        gnus-message-replysignencrypted t
>> 24        gnus-treat-x-pgp-sig t
>> 25        mm-verify-option 'always
>> 26        mm-decrypt-option 'always
>> 27  )
>> 28
>> 29  (setq gnus-buttonized-mime-types
>> 30        '("multipart/alternative"
>> 31          "multipart/encrypted"
>> 32          "multipart/signed"))
>> 33
>> 34  (setq mm-coding-system-priorities
>> 35        '(iso-latin-1 iso-latin-9 mule-utf-8))
>
> Thanks for posting this!
>
> Apparently, this requires setting a list of mml2015-signers as a group
> property.  Is there any way to avoid the prompt for selecting a key when
> this property does not exist in the current group, or to use a default
> value?

Look for mml2015-verbose

It might be what you need.

Re: EasyPG for signing and en/decrypting Email

[Giorgos Keramidas]

On Sun, 05 Apr 2009 13:43:14 +0200, Suno Ano <suno.ano@sunoano.org> wrote:
> Below is my current setup
>
>  1  (require 'epa)
>  2
>  3  (setq mml2015-use 'epg)
>  4  (setq mml2015-encrypt-to-self t)
>  5  (setq mml2015-verbose t)
>  6  (setq mml2015-always-trust nil)
>  7  (setq mml2015-passphrase-cache-expiry '7200)
>  8
>  9  (add-hook 'message-setup-hook
> 10            (lambda ()
> 11              (if gnus-newsgroup-name
> 12                  (let ((signers (gnus-group-get-parameter
> 13                                  gnus-newsgroup-name
> 14                                  'mml2015-signers
> 15                                  t)))
> 16                    (if signers
> 17                        (set (make-local-variable 'mml2015-signers)
> 18                             signers))))))
> 19
> 20
> 21  (setq gnus-message-replysign t
> 22        gnus-message-replyencrypt t
> 23        gnus-message-replysignencrypted t
> 24        gnus-treat-x-pgp-sig t
> 25        mm-verify-option 'always
> 26        mm-decrypt-option 'always
> 27  )
> 28
> 29  (setq gnus-buttonized-mime-types
> 30        '("multipart/alternative"
> 31          "multipart/encrypted"
> 32          "multipart/signed"))
> 33
> 34  (setq mm-coding-system-priorities
> 35        '(iso-latin-1 iso-latin-9 mule-utf-8))

Thanks for posting this!

Apparently, this requires setting a list of mml2015-signers as a group
property.  Is there any way to avoid the prompt for selecting a key when
this property does not exist in the current group, or to use a default
value?

I am considering a slightly different variation of the hook function
added to `message-setup-hook' above; one that does something like:

    (lambda ()
      (when gnus-newsgroup-name
        (let ((group-signers (gnus-group-get-parameter gnus-newsgroup-name
                               'mml2015-signers t))
              (default-signers (if (boundp 'mml2015-default-signers)
                                   mml2015-default-signers)))
          (let ((signers (or group-signers default-signers)))
            (when signers
              (set (make-local-variable 'mml2015-signers) signers))))))

Does this make sense?  Will it avoid the prompt buffer?