# Setting up mutt with S/MIME support using gpgme

When trying to set mutt up for use with S/MIME you will find guides like [[this one|http://equiraptor.com/smime_mutt_how-to.html]] or [[this other one|https://kb.wisc.edu/middleware/page.php?id=4091]] which tell you how to enable the openssl support and how to configure it. This is what I did at first, but when my key expired and I created a new one, I found out that this setup only supports one secret key at a time; i.e., when I switched to the new key, I could not read my old emails any longer.

By lucky accident, I found the second supported method using [[gpgme|https://www.gnupg.org/related_software/swlist.html#gpgme]], which is much easier to set up and use and does support multiple secret keys, but lacks documentation. So here's the documentation for this setup.

# mutt

## mutt compilation

When compiling mutt, you need to have gpgme installed and use mutt configure's `--enable-gpgme` flag. You also need gnupg version 2.x installed.

In pkgsrc, set

```
PKG_OPTIONS.mutt+= gpgme
```

in your /etc/mk.conf.

## mutt setup

Add

```
set crypt_use_gpgme=yes
```

to your .muttrc. That's it. (If your .muttrc "source"s smime.rc or gpg.rc, you can comment out these lines; you don't need them any longer.)

# gpgme

## gpg-agent

You can use the generic setup instructions for gnupg 2.x instead of this section; I include them for completeness. They also apply to OpenPGP, so if you have that set up for gnupg 2.x already, you can skip this.

You need to have a gpg-agent running. The setup suggested by gnupg is to run it from your X startup file or from your login shell's startup script. Short documentation for the latter and zsh:

### gnupg 2.0

Add to .zlogin:

```
gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"
```

Add to .zshrc:

```
export GPG_TTY=$(tty)
# the rest is only needed for 2.0, not for 2.1
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
fi
```

### gnupg 2.1

Much easier; gpg-agent is started on demand, so just add to .zshrc:

```
export GPG_TTY=$(tty)
```

### pinentry

Choose a pinentry program in your .gnupg/gpg-agent.conf, for example:

```
pinentry-program /usr/pkg/bin/pinentry-curses
```

## gpgsm

Now for the actual S/MIME part of the setup.

### Own key

Get a certificate, e.g. from CAcert or Thawte. (Keep in mind that your correspondents can only verify your signatures if their mail client trusts the CA that issued the certificate.) Export it from your browser (or the OS X keychain) protected with a password; you'll get a .p12 (PKCS#12) file containing both the certificate and your private key. Then just import the file:

```
gpgsm --import keyfile.p12
```

gpgsm asks for the .p12 password through pinentry. Keep the .p12 file, or another backup of the private key: once the certificate has expired you still need its key to read the mail that was encrypted to it, which is the whole point of this setup.

### Other keys

Other people's keys are imported the same way, but what you get from them is only a certificate (typically a .pem, .der or .crt file, containing no private key), so there is no password involved:

```
gpgsm --import certificate.pem
```

### Intermediate Certificates

You might be missing certificates. Then you will see errors like this:

```
gpgsm: issuer certificate {ADBD987A34B426F7FAC42654EF03BDE024CB541A} not found using authorityKeyIdentifier
```

The value in braces is the key identifier of the issuing (usually intermediate) CA, taken from the authorityKeyIdentifier extension of the certificate gpgsm was trying to validate. Google it and you'll probably find the corresponding certificate; at least that's what worked for me. Prefer the CA's own repository over a random mirror, check that the fingerprint of what you downloaded matches what the CA publishes, and import it with `gpgsm --import` as above. An intermediate certificate only completes the chain; it gains no trust on its own, because validation still has to end at a root you have explicitly trusted (next section).

### Trust

You'll have to tell gpgsm which root certificates you trust. Run a validation over your keyring:

```
gpgsm -k --with-validation
```

When a chain ends at a root that is not yet trusted, gpg-agent asks through pinentry whether to trust it, provided you have put `allow-mark-trusted` into .gnupg/gpg-agent.conf; your answer is recorded in .gnupg/trustlist.txt. Compare the fingerprint shown in the prompt with the one the CA publishes before you say yes.

When you don't do that, you'll see "Problem signature" in mutt, or it will hang decoding a message until you interrupt it.

### Multiple Secret Keys

In case you have multiple secret keys (e.g. some expired ones and a current one), you can choose the default one by adding

```
local-user XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
```

to your .gnupg/gpgsm.conf config file, where XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX is the (SHA-1) fingerprint of your key. If you don't know it, you can find it using

```
gpgsm -K your@email.address
```

or just

```
gpgsm -K
```

If you don't set this, gpgsm will use the first secret key in your keychain. The old keys stay in the keyring, so mail that was encrypted to one of them can still be decrypted; gpgsm picks the matching key automatically, `local-user` only decides which key signs new mail.
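The "Trust" and "Multiple Secret Keys" steps above end with edits to two files by hand. The following POSIX sh helpers are an added example written for this page, not code from the original post or from gnupg: they normalize a fingerprint into the colon-separated form gpgsm prints (rejecting anything that is not exactly 40 hex digits), append a root CA to trustlist.txt only once, and replace rather than append the `local-user` line in gpgsm.conf when you switch to a new key. The function names, the `smime-trust.sh` file name and the fingerprints are my own assumptions; the `FPR S` line format is the one gpg-agent writes into trustlist.txt itself.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the "Trust" and
# "Multiple Secret Keys" steps. Function names and paths are assumptions.

# normalize_fpr FPR
# Accept a SHA-1 certificate fingerprint with or without colons/spaces and
# print it the way gpgsm does: 20 upper-case hex pairs separated by colons.
# Fails (exit 1) on anything that is not exactly 40 hex digits, so a typo
# never ends up in a trust file.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    case "$f" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f" | sed 's/../&:/g; s/:$//'
}

# trustlist_add TRUSTLIST FPR COMMENT
# Append a root CA to trustlist.txt in the format gpg-agent itself writes:
# a "# subject" comment line, then "FPR S" (S = trusted for S/MIME).
# Idempotent: a fingerprint already listed, in either spelling, is skipped.
trustlist_add() {
    list=$1
    fpr=$(normalize_fpr "$2") || return 1
    comment=$3
    bare=$(printf '%s' "$fpr" | tr -d ':')
    if [ -f "$list" ] && tr -d ':' < "$list" | grep -q "^$bare "; then
        return 0
    fi
    { printf '# %s\n' "$comment"; printf '%s S\n' "$fpr"; } >> "$list"
}

# gpgsm_set_local_user CONF FPR
# Point gpgsm.conf's local-user at FPR, dropping any previous local-user
# line so that switching keys does not leave two competing entries behind.
gpgsm_set_local_user() {
    conf=$1
    fpr=$(normalize_fpr "$2") || return 1
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        # grep -v exits 1 when nothing is left, which is fine here
        grep -v '^local-user' "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'local-user %s\n' "$fpr" >> "$tmp"
    mv "$tmp" "$conf"
}

# Direct use: sh smime-trust.sh ROOT_FPR "CN=Root subject" OWN_KEY_FPR
# Works on $GNUPGHOME (default ~/.gnupg). gpg-agent caches the trust list,
# so make it re-read the file afterwards with: gpg-connect-agent reloadagent /bye
if [ "$#" -eq 3 ]; then
    home=${GNUPGHOME:-$HOME/.gnupg}
    trustlist_add "$home/trustlist.txt" "$1" "$2" \
        || { echo "bad root fingerprint: $1" >&2; exit 1; }
    gpgsm_set_local_user "$home/gpgsm.conf" "$3" \
        || { echo "bad key fingerprint: $3" >&2; exit 1; }
    echo "updated $home/trustlist.txt and $home/gpgsm.conf; now run: gpg-connect-agent reloadagent /bye"
fi
```

Writing trustlist.txt yourself instead of answering the pinentry prompt has one advantage: you compare the fingerprint against the CA's published value while you have both in front of you, rather than under the time pressure of mutt hanging on a message.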