From c6d61873f998e8eda3d09e98fb5a2f80f3336de9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Fri, 3 Aug 2018 15:35:14 +0200 Subject: Update mutt's gpg configuration --- mutt/gpg.rc | 111 +++++++++++++++++++++++++++++++++++++++++------------------- mutt/muttrc | 5 +-- private | 2 +- 3 files changed, 81 insertions(+), 37 deletions(-) diff --git a/mutt/gpg.rc b/mutt/gpg.rc index 20e7fc4..29a4ac4 100644 --- a/mutt/gpg.rc +++ b/mutt/gpg.rc @@ -1,11 +1,15 @@ # vim: set ft=muttrc: # # Command formats for gpg. -# -# This version uses gpg-2comp from -# http://70t.de/download/gpg-2comp.tar.gz # -# $Id$ +# Version notes: +# +# GPG 2.1 introduces the option "--pinentry-mode", which requires +# the "loopback" argument in instances where "--passphrase-fd" is +# used. +# +# Some of the older commented-out versions of the commands use gpg-2comp from: +# http://70t.de/download/gpg-2comp.tar.gz # # %p The empty string when no passphrase is needed, # the string "PGPPASSFD=0" if one is needed. @@ -20,69 +24,108 @@ # file's name. # # %a In "signing" contexts, this expands to the value of the -# configuration variable $pgp_sign_as. You probably need to +# configuration variable $pgp_sign_as, if set, otherwise +# $pgp_default_key. You probably need to # use this within a conditional % sequence. # -# %r In many contexts, mutt passes key IDs to pgp. %r expands to +# %r In many contexts, neomutt passes key IDs to pgp. %r expands to # a list of key IDs. +# Section A: Key Management + +# The default key for encryption (used by $pgp_self_encrypt and +# $postpone_encrypt). +# +# It will also be used for signing unless $pgp_sign_as is set to a +# key. +# +# Unless your key does not have encryption capability, uncomment this +# line and replace the keyid with your own. +# +# set pgp_default_key="0x12345678" + +# If you have a separate signing key, or your key _only_ has signing +# capability, uncomment this line and replace the keyid with your +# signing keyid. +# +# set pgp_sign_as="0x87654321" + + +# Section B: Commands + # Note that we explicitly set the comment armor header since GnuPG, when used # in some localiaztion environments, generates 8bit data in that header, thereby # breaking PGP/MIME. # decode application/pgp -set pgp_decode_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f" +# +set pgp_decode_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - %f" -# verify a pgp/mime signature +# Verify a signature +# set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f" -# decrypt a pgp/mime attachment -set pgp_decrypt_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f" +# Decrypt an attachment +# +set pgp_decrypt_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - --decrypt %f" -# create a pgp/mime signed attachment +# Create a PGP/MIME signed attachment +# # set pgp_sign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f" -set pgp_sign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f" +# +set pgp_sign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --detach-sign %f" -# create a application/pgp signed (old-style) message +# Create a application/pgp inline signed message. This style is obsolete but still needed for Hushmail recipients and some MUAs. +# # set pgp_clearsign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f" -set pgp_clearsign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f" +# +set pgp_clearsign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --clearsign %f" -# create a pgp/mime encrypted attachment -# set pgp_encrypt_only_command="pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f" -set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f" +# Create an encrypted attachment (note that some users include the --always-trust option here) +# +# set pgp_encrypt_only_command="/usr/lib/neomutt/pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f" +# +set pgp_encrypt_only_command="/usr/lib/neomutt/pgpewrap gpg --batch --quiet --no-verbose --output - --textmode --armor --encrypt -- --recipient %r -- %f" -# create a pgp/mime encrypted and signed attachment -# set pgp_encrypt_sign_command="pgpewrap gpg-2comp %?p?--passphrase-fd 0? -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f" -set pgp_encrypt_sign_command="pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f" +# Create an encrypted and signed attachment (note that some users include the --always-trust option here) +# +# set pgp_encrypt_sign_command="/usr/lib/neomutt/pgpewrap gpg-2comp %?p?--passphrase-fd 0? -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f" +# +set pgp_encrypt_sign_command="/usr/lib/neomutt/pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - %?a?--local-user %a? --armor --sign --encrypt -- --recipient %r -- %f" -# import a key into the public key ring +# Import a key into the public key ring +# set pgp_import_command="gpg --no-verbose --import %f" -# export a key from the public key ring -set pgp_export_command="gpg --no-verbose --export --armor %r" +# Export a key from the public key ring +# +set pgp_export_command="gpg --no-verbose --armor --export %r" -# verify a key +# Verify a key +# set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r" -# read in the public key ring +# Read in the public key ring +# set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-keys %r" -# read in the secret key ring +# Read in the secret key ring +# set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-secret-keys %r" -# fetch keys +# Fetch keys # set pgp_getkeys_command="pkspxycwrap %r" # pattern for good signature - may need to be adapted to locale! - -# set pgp_good_sign="^gpgv?: Good signature from " - # OK, here's a version which uses gnupg's message catalog: +# set pgp_good_sign="^gpgv?: Good signature from" # set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`" - -# This version uses --status-fd messages +# +# Output pattern to indicate a valid signature using --status-fd messages set pgp_good_sign="^\\[GNUPG:\\] GOODSIG" -# pattern to verify a decryption occurred -set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY" +# Output pattern to verify a decryption occurred +# This is now deprecated by pgp_check_gpg_decrypt_status_fd: +# set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY" +set pgp_check_gpg_decrypt_status_fd diff --git a/mutt/muttrc b/mutt/muttrc index 31be104..03d62ea 100644 --- a/mutt/muttrc +++ b/mutt/muttrc @@ -17,12 +17,13 @@ auto_view text/html alternative_order text/enriched text/plain text/html macro attach 'V' "cat >~/.cache/mutt/mail.html && ( surf ~/.cache/mutt/mail.html >/dev/null & )" +set crypt_autosign = yes +set crypt_replyencrypt = yes +set crypt_use_gpgme = yes source ~/.mutt/gpg.rc set pgp_use_gpg_agent = yes set pgp_sign_as = 0xA6BC8B8CEB31659B set pgp_timeout = 3600 -set crypt_autosign = yes -set crypt_replyencrypt = yes set sendmail="/usr/bin/msmtp --read-envelope-from" set query_command= "khard email --parsable '%s'" diff --git a/private b/private index f41197f..fce668c 160000 --- a/private +++ b/private @@ -1 +1 @@ -Subproject commit f41197f3140e22c1abd902d4b8be30c297a6f22a +Subproject commit fce668c6112d8e50771684d20cf95689788ce5a0 -- cgit v1.2.3