Marius Hofert writes:

> Hi,
>
> Although I found and read (not necessarily understood :-) ) the security related
> parts of the Gnus manual (e.g., C-h i Gnus -> Security), I still have the
> following questions concerning signing and encryption of messages with Gnus:
>
> 1) What is a useful/meaningful setup in ~/.gnus.el for enabling GnuPG
> for PGP/MIME?
> I figured the following to be useful:
> (setq mm-verify-option 'always); always verify signed parts
> (setq mm-decrypt-option 'always); always decrypt encrypted parts
> (setq gnus-message-replysign t); gnus-message-replyencrypt,
> gnus-message-replysignencrypted are already t by default
> I also found Gnus users who set
> (setq gnus-treat-x-pgp-sig t)
> but I could not find sufficient documentation of gnus-treat-x-pgp-sig to
> determine whether this is useful.

There are also these two (defaulting to nil):

  mm-sign-option 'guided
  mm-encrypt-option 'guided

If set to 'guided, you'll get a menu on sending signed/encrypted messages
asking which key you want to use.

> 2) Why are gnus-message-replyencrypt and gnus-message-replysignencrypted set to
> t by default, but gnus-message-replysign defaults to nil? Has this been
> forgotten in the recent change (see
> http://comments.gmane.org/gmane.emacs.gnus.general/75543)?
>
> 3) Is it "good practice" to always sign messages? AFAIK, this does not require
> the recipient to deal with encryption, but he could at least check that the
> message has the correct signature. How would one always sign messages in Gnus by
> default?

(no idea)

> 4) Where are my private/public keys? I never saw them nor was asked to generate
> them.

You make them with GnuPG (gpg --gen-key); Emacs seems to figure out how to run
gpg on its own. There are some issues with gpg2 though (specifically, with
pinentry). I've installed gpg1 alongside gpg2 for the time being and have

  (when (file-executable-p "/usr/bin/gpg1")
    (setq epg-gpg-program "/usr/bin/gpg1"))

More at http://www.emacswiki.org/emacs/EasyPG#toc4

> 5) Am I correct in that signing a message simply requires C-c C-m s p? (and
> signing + encrypting C-c C-m c p?)

Yes. I find `C-c C-m C-s' faster though (pinky never leaves the caps key).

> I tried to send a test mail to adele@gnupp.de (mentioned on the German wiki page
> http://de.wikipedia.org/wiki/GNU_Privacy_Guard). I used C-c C-m c p. On sending
> via C-c C-c, I received "No public key for ; skip it? (y or
> n)". I chose 'y', since the public key will be sent by adele@gnupp.de. I then
> obtained "mml2015-epg-encrypt: No recipient specified". What does this mean?

My German is not so good, but it seemed to me you're supposed to just attach
your public key to Adele. So don't encrypt that e-mail. Then she sends back her
own key, but now encrypted for your eyes only. Now you can save that key as a
file on disk, and do

  $ gpg --import that-file-on-disk

to import her key. _Now_ you should be able to `C-c C-m C-c' and encrypt your
next email for Adele.

Also, if you want to check my signature, do

  $ gpg --keyserver pgp.mit.edu --recv-keys 0x766AC60C

Then in gnus, press "g" to redisplay this email, and it should no longer say
"No public key for …".

I use the following to fetch unknown keys on `C-c k', though it's not
particularly pretty:

#+begin_src emacs-lisp
(defun gnus-article-receive-epg-keys ()
  "Fetch unknown keys from a signed message.
Look in the article buffer for the \"No public key for\" notice that
EasyPG puts at the top of a PGP-signed part, and ask gpg to fetch the
key ID it names from a keyserver."
  (interactive)
  (with-current-buffer gnus-article-buffer
    (save-excursion
      (goto-char (point-min))
      (if (re-search-forward
           "\\[\\[PGP Signed Part:No public key for \\([A-F0-9]\\{16,16\\}\\) created at "
           nil 'noerror)
          ;; The group matches exactly 16 hex digits, so the captured key
          ;; ID cannot carry shell metacharacters into the command line.
          (shell-command (format "gpg --keyserver %s --recv-keys %s"
                                 "pgp.mit.edu" (match-string 1)))
        (message "No unknown signed parts found.")))))

;; Bind it to C-c k in both the article and the summary buffer once Gnus
;; has started.
(add-hook 'gnus-startup-hook
          (lambda ()
            (define-key gnus-article-mode-map (kbd "C-c k")
              'gnus-article-receive-epg-keys)
            (define-key gnus-summary-mode-map (kbd "C-c k")
              'gnus-article-receive-epg-keys)))
#+end_src

-- 
Kevin Brubeck Unhammer
GPG: 0x766AC60C
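The following ~/.gnus.el fragment is an added example, not code from either message above. It collects the settings discussed in the thread into one place and answers question 3 (signing every outgoing message by default) with message-setup-hook and mml-secure-message-sign-pgpmime. The mml-secure-openpgp-* variable names and epg-pinentry-mode are assumptions about the Gnus/Emacs version in use (Emacs 25+ and 27+ respectively); older Gnus used mml2015-signers and mml2015-sign-with-sender, and the gpg1 path is the one from Kevin's reply.

```elisp
;; Added example of a ~/.gnus.el PGP/MIME setup.  Not from the original
;; thread; variable names marked "assumption" depend on the Gnus version.

;; Questions 1 and 2: always verify signed parts and decrypt encrypted
;; parts when reading, and mirror the sender's choice when replying
;; (sign replies to signed mail, encrypt replies to encrypted mail).
(setq mm-verify-option 'always
      mm-decrypt-option 'always
      gnus-message-replysign t
      gnus-message-replyencrypt t
      gnus-message-replysignencrypted t)

;; When several keys could be used, ask which one instead of guessing
;; (the 'guided menu mentioned in the reply).
(setq mm-sign-option 'guided
      mm-encrypt-option 'guided)

;; Question 3: sign every outgoing message by default.
;; message-setup-hook runs after a new message buffer has its headers,
;; so adding the PGP/MIME sign tag there is the same as pressing
;; C-c C-m s p in every message yourself.  It can still be removed by
;; hand before sending if a particular message should go out unsigned.
(add-hook 'message-setup-hook #'mml-secure-message-sign-pgpmime)

;; Choose the signing key from the From: address rather than gpg's
;; default key, and also encrypt to yourself so the copy of an encrypted
;; mail in your sent folder stays readable.  Emacs 25+ names (assumption).
(setq mml-secure-openpgp-sign-with-sender t
      mml-secure-openpgp-encrypt-to-self t)

;; Question 4: if the default gpg has pinentry trouble, either point
;; EasyPG at another binary (Kevin's gpg1 workaround), or, with
;; Emacs 27+ and gpg 2.1+, let Emacs read the passphrase itself
;; (assumption: the running gpg-agent permits loopback pinentry).
(cond ((file-executable-p "/usr/bin/gpg1")
       (setq epg-gpg-program "/usr/bin/gpg1"))
      ((boundp 'epg-pinentry-mode)
       (setq epg-pinentry-mode 'loopback)))
```

After evaluating this, composing a new message with `m` should show the `<#secure method=pgpmime mode=sign>` tag at the top of the body; if it is missing, the hook was not added before the message buffer was created. Keep mm-verify-option at 'always rather than 'known so that a signature from an unknown key is still reported (that is the "No public key for" notice Kevin's C-c k function looks for) instead of being silently skipped.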