Update mutt's gpg configuration

3 files changed, 80 insertions, 36 deletions

diff --git a/mutt/gpg.rc b/mutt/gpg.rc
index 20e7fc4..29a4ac4 100644
--- a/mutt/gpg.rc
+++ b/mutt/gpg.rc
@@ -1,11 +1,15 @@
 # vim: set ft=muttrc:
 #
 # Command formats for gpg.
-# 
-# This version uses gpg-2comp from 
-#   http://70t.de/download/gpg-2comp.tar.gz
 #
-# $Id$
+# Version notes:
+#
+#   GPG 2.1 introduces the option "--pinentry-mode", which requires
+#   the "loopback" argument in instances where "--passphrase-fd" is
+#   used.
+#
+# Some of the older commented-out versions of the commands use gpg-2comp from:
+#   http://70t.de/download/gpg-2comp.tar.gz
 #
 # %p    The empty string when no passphrase is needed,
 #       the string "PGPPASSFD=0" if one is needed.
@@ -20,69 +24,108 @@
 #       file's name.
 #
 # %a    In "signing" contexts, this expands to the value of the
-#       configuration variable $pgp_sign_as.  You probably need to
+#       configuration variable $pgp_sign_as, if set, otherwise
+#       $pgp_default_key.  You probably need to
 #       use this within a conditional % sequence.
 #
-# %r    In many contexts, mutt passes key IDs to pgp.  %r expands to
+# %r    In many contexts, neomutt passes key IDs to pgp.  %r expands to
 #       a list of key IDs.
 
+# Section A: Key Management
+
+# The default key for encryption (used by $pgp_self_encrypt and
+# $postpone_encrypt).
+#
+# It will also be used for signing unless $pgp_sign_as is set to a
+# key.
+#
+# Unless your key does not have encryption capability, uncomment this
+# line and replace the keyid with your own.
+#
+# set pgp_default_key="0x12345678"
+
+# If you have a separate signing key, or your key _only_ has signing
+# capability, uncomment this line and replace the keyid with your
+# signing keyid.
+#
+# set pgp_sign_as="0x87654321"
+
+
+# Section B: Commands
+
 # Note that we explicitly set the comment armor header since GnuPG, when used
 # in some localiaztion environments, generates 8bit data in that header, thereby
 # breaking PGP/MIME.
 
 # decode application/pgp
-set pgp_decode_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
+#
+set pgp_decode_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
 
-# verify a pgp/mime signature
+# Verify a signature
+#
 set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"
 
-# decrypt a pgp/mime attachment
-set pgp_decrypt_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
+# Decrypt an attachment
+#
+set pgp_decrypt_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - --decrypt %f"
 
-# create a pgp/mime signed attachment
+# Create a PGP/MIME signed attachment
+#
 # set pgp_sign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
-set pgp_sign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
+#
+set pgp_sign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --detach-sign %f"
 
-# create a application/pgp signed (old-style) message
+# Create a application/pgp inline signed message.  This style is obsolete but still needed for Hushmail recipients and some MUAs.
+#
 # set pgp_clearsign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
-set pgp_clearsign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
+#
+set pgp_clearsign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --clearsign %f"
 
-# create a pgp/mime encrypted attachment
-# set pgp_encrypt_only_command="pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
-set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
+# Create an encrypted attachment (note that some users include the --always-trust option here)
+#
+# set pgp_encrypt_only_command="/usr/lib/neomutt/pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
+#
+set pgp_encrypt_only_command="/usr/lib/neomutt/pgpewrap gpg --batch --quiet --no-verbose --output - --textmode --armor --encrypt -- --recipient %r -- %f"
 
-# create a pgp/mime encrypted and signed attachment
-# set pgp_encrypt_sign_command="pgpewrap gpg-2comp %?p?--passphrase-fd 0? -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
-set pgp_encrypt_sign_command="pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
+# Create an encrypted and signed attachment (note that some users include the --always-trust option here)
+#
+# set pgp_encrypt_sign_command="/usr/lib/neomutt/pgpewrap gpg-2comp %?p?--passphrase-fd 0? -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
+#
+set pgp_encrypt_sign_command="/usr/lib/neomutt/pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - %?a?--local-user %a? --armor --sign --encrypt -- --recipient %r -- %f"
 
-# import a key into the public key ring
+# Import a key into the public key ring
+#
 set pgp_import_command="gpg --no-verbose --import %f"
 
-# export a key from the public key ring
-set pgp_export_command="gpg --no-verbose --export --armor %r"
+# Export a key from the public key ring
+#
+set pgp_export_command="gpg --no-verbose --armor --export %r"
 
-# verify a key
+# Verify a key
+#
 set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r"
 
-# read in the public key ring
+# Read in the public key ring
+#
 set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-keys %r"
 
-# read in the secret key ring
+# Read in the secret key ring
+#
 set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-secret-keys %r"
 
-# fetch keys
+# Fetch keys
 # set pgp_getkeys_command="pkspxycwrap %r"
 
 # pattern for good signature - may need to be adapted to locale!
-
-# set pgp_good_sign="^gpgv?: Good signature from "
-
 # OK, here's a version which uses gnupg's message catalog:
+# set pgp_good_sign="^gpgv?: Good signature from"
 # set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`"
-
-# This version uses --status-fd messages
+#
+# Output pattern to indicate a valid signature using --status-fd messages
 set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"
 
-# pattern to verify a decryption occurred
-set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY"
+# Output pattern to verify a decryption occurred
+# This is now deprecated by pgp_check_gpg_decrypt_status_fd:
+# set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY"
+set pgp_check_gpg_decrypt_status_fd
 
diff --git a/mutt/muttrc b/mutt/muttrc
index 31be104..03d62ea 100644
--- a/mutt/muttrc
+++ b/mutt/muttrc
@@ -17,12 +17,13 @@ auto_view text/html
 alternative_order text/enriched text/plain text/html 
 macro attach 'V' "<pipe-entry>cat >~/.cache/mutt/mail.html && ( surf ~/.cache/mutt/mail.html >/dev/null & )<enter>"
 
+set crypt_autosign = yes
+set crypt_replyencrypt = yes
+set crypt_use_gpgme = yes
 source ~/.mutt/gpg.rc
 set pgp_use_gpg_agent = yes
 set pgp_sign_as = 0xA6BC8B8CEB31659B
 set pgp_timeout = 3600
-set crypt_autosign = yes
-set crypt_replyencrypt = yes
 set sendmail="/usr/bin/msmtp --read-envelope-from"
 
 set query_command= "khard email --parsable '%s'"
diff --git a/private b/private
-Subproject f41197f3140e22c1abd902d4b8be30c297a6f22
+Subproject fce668c6112d8e50771684d20cf95689788ce5a