Annotation of wikisrc/users/wiz/mutt-smime.mdwn, revision 1.1

1.1     ! wiz         1: # Setting up mutt with S/MIME support using gpgme
        !             2: 
        !             3: When trying to set mutt up for use with S/MIME you will find guides
        !             4: like [[this one|http://equiraptor.com/smime_mutt_how-to.html]] or
        !             5: [[this other one|https://kb.wisc.edu/middleware/page.php?id=4091]]
        !             6: which tell you how to enable the openssl support and how to configure
        !             7: it.
        !             8: 
        !             9: This is what I did at first, but when my key expired and I created a
        !            10: new one, I found out that this setup only supports one secret key at a
        !            11: time; i.e., when I switched to the new key, I could not read my old
        !            12: emails any longer.
        !            13: 
        !            14: By lucky accident, I found the second supported method using
        !            15: [[gpgme|https://www.gnupg.org/related_software/swlist.html#gpgme]]
        !            16: that is much easier to set up and use, and does support multiple
        !            17: secret keys, but lacks documentation.
        !            18: 
        !            19: So here's the documentation for this setup.
        !            20: 
        !            21: # mutt
        !            22: 
        !            23: ## mutt compilation
        !            24: 
        !            25: When compiling mutt, you need to have gpgme installed and use mutt
        !            26: configure's --enable-gpgme flag.
        !            27: You also need gnupg version 2.x installed.
        !            28: 
        !            29: In pkgsrc, set
        !            30: 
        !            31:        PKG_OPTIONS.mutt=       gpgme
        !            32: 
        !            33: in your /etc/mk.conf.
        !            34: 
        !            35: ## mutt setup
        !            36: 
        !            37: Add
        !            38: 
        !            39:        set crypt_use_gpgme=yes
        !            40: 
        !            41: to your .muttrc. That's it.
        !            42: 
        !            43: (If your .muttrc "source"s smime.rc or gpg.rc, you can comment out
        !            44: these lines; you don't need them any longer.)
        !            45: 
        !            46: # gpgme
        !            47: 
        !            48: ## gpg-agent
        !            49: 
        !            50: You can use generic setup instructions for gnupg 2.x instead of this
        !            51: section; I include them for completeness. They also apply to PGP, so
        !            52: if you have that set up for gnupg 2.x already, you can skip it.
        !            53: 
        !            54: You need to have a gpg-agent running. The suggested setup (by gnupg) is
        !            55: running it from your X startup file, or from your login shell startup
        !            56: script.
        !            57: 
        !            58: Short documentation for the latter and zsh:
        !            59: 
        !            60: ### gnupg 2.0
        !            61: 
        !            62: Add to .zlogin:
        !            63: 
        !            64:        gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"
        !            65: 
        !            66: Add to .zshrc:
        !            67: 
        !            68:        export GPG_TTY=$(tty)
        !            69:        # only needed for 2.0, not for 2.1
        !            70:        if [ -f "${HOME}/.gpg-agent-info" ]; then
        !            71:            . "${HOME}/.gpg-agent-info"
        !            72:            export GPG_AGENT_INFO
        !            73:            export SSH_AUTH_SOCK
        !            74:        fi
        !            75: 
        !            76: ### gnupg 2.1
        !            77: 
        !            78: Much easier, just add to .zshrc:
        !            79: 
        !            80:        export GPG_TTY=$(tty)
        !            81: 
        !            82: ### pinentry
        !            83: 
        !            84: Choose a pinentry program in your .gnupg/gpg-agent.conf, for example:
        !            85: 
        !            86:        pinentry-program /usr/pkg/bin/pinentry-curses
        !            87: 
        !            88: ## gpgsm
        !            89: 
        !            90: Now for the actual S/MIME part of the setup.
        !            91: 
        !            92: ### Own key
        !            93: 
        !            94: Get a certificate, e.g. from CAcert or Thawte. Export the certificate
        !            95: from your browser (or the OS X keychain) with a password; you'll get a
        !            96: .p12 file.
        !            97: 
        !            98: Then just import the file:
        !            99: 
        !           100:        gpgsm --import keyfile.p12
        !           101: 
        !           102: 
        !           103: ### Other keys
        !           104: 
        !           105: The same as your own key, but the keyfile doesn't need to be encrypted.
        !           106: 
        !           107:        gpgsm --import keyfile.p12
        !           108: 
        !           109: 
        !           110: ### Intermediate Certificates
        !           111: 
        !           112: You might be missing certificates. Then you will see errors like this:
        !           113: 
        !           114:        gpgsm: issuer certificate {ADBD987A34B426F7FAC42654EF03BDE024CB541A} not found using authorityKeyIdentifier
        !           115: 
        !           116: Google the hash and you'll probably find the corresponding
        !           117: certificate; at least that's what worked for me.
        !           118: 
        !           119: ### Trust
        !           120: 
        !           121: You'll have to tell gpgsm which certificates you trust.
        !           122: 
        !           123:        gpgsm -k --with-validation
        !           124: 
        !           125: If the certificates are not trusted, you'll see
        !           126: 
        !           127:        Problem signature
        !           128: 
        !           129: in mutt, or it will hang decoding a message until you interrupt it.
        !           130: 
        !           131: ### Multiple Secret Keys
        !           132: 
        !           133: In case you have multiple secret keys (e.g. some expired ones and a
        !           134: current one), you can choose the default one by adding
        !           135: 
        !           136:        local-user XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
        !           137: 
        !           138: to your .gnupg/gpgsm.conf config file, where
        !           139: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX is the
        !           140: fingerprint of your key. If you don't know it, you can find it using
        !           141: 
        !           142:        gpgsm -K your@email.address
        !           143: 
        !           144: or just
        !           145: 
        !           146:        gpgsm -K
        !           147: 
        !           148: If you don't set this, gpgsm will use the first secret key in your
        !           149: keychain.
