File:  [NetBSD Developer Wiki] / wikisrc / users / wiz / mutt-smime.mdwn
Revision 1.3
Mon Feb 22 09:31:58 2016 UTC by wiz
Branches: MAIN
CVS tags: HEAD
Fix typo.

# Setting up mutt with S/MIME support using gpgme

When trying to set up mutt for use with S/MIME, you will find guides
like [[this one|]] or
[[this other one|]]
which tell you how to enable the openssl support and how to configure

This is what I did at first, but when my key expired and I created a
new one, I found out that this setup only supports one secret key at a
time; i.e., when I switched to the new key, I could not read my old
emails any longer.

By lucky accident, I found the second supported method using
that is much easier to set up and use, and does support multiple
secret keys, but lacks documentation.

So here's the documentation for this setup.

# mutt

## mutt compilation

When compiling mutt, you need to have gpgme installed and use mutt
configure's --enable-gpgme flag.
You also need gnupg version 2.x installed.

In pkgsrc, set

	PKG_OPTIONS.mutt+=       gpgme

in your /etc/mk.conf.

## mutt setup
Add

	set crypt_use_gpgme=yes

to your .muttrc. That's it.

(If your .muttrc "source"s smime.rc or gpg.rc, you can comment out
these lines; you don't need them any longer.)

# gpgme

## gpg-agent

You can use the generic setup instructions for gnupg 2.x instead of this
section; I include them for completeness. They also apply to OpenPGP, so
if you have that set up for gnupg 2.x already, you can skip this section.

You need to have a gpg-agent running. The suggested setup (by gnupg) is
to run it from your X startup file, or from your login shell startup

Short documentation for the latter, using zsh:

### gnupg 2.0

Add to .zlogin:

	gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"

Add to .zshrc:

	export GPG_TTY=$(tty)
	# only needed for 2.0, not for 2.1: pick up the agent socket written by
	# --write-env-file and export it so mutt/gpgsm can find the agent
	if [ -f "${HOME}/.gpg-agent-info" ]; then
		. "${HOME}/.gpg-agent-info"
		export GPG_AGENT_INFO
		export SSH_AUTH_SOCK
	fi

### gnupg 2.1

Much easier, just add to .zshrc:

	export GPG_TTY=$(tty)

### pinentry

Choose a pinentry program in your .gnupg/gpg-agent.conf, for example:

	pinentry-program /usr/pkg/bin/pinentry-curses

## gpgsm

Now for the actual S/MIME part of the setup.

### Own key

Get a certificate, e.g. from CAcert or Thawte. Export the certificate
from your browser (or the OS X keychain) with a password; you'll get a
.p12 file.

Then just import the file:

	gpgsm --import keyfile.p12

### Other keys

The same as for your own key, but the keyfile doesn't need to be encrypted.

	gpgsm --import keyfile.p12

### Intermediate Certificates

You might be missing certificates from the chain. Then you will see errors like this:

	gpgsm: issuer certificate {ADBD987A34B426F7FAC42654EF03BDE024CB541A} not found using authorityKeyIdentifier

Google the hash and you'll probably find the corresponding
certificate, at least that's what worked for me.

### Trust

You'll have to tell gpgsm which certificates you trust.

	gpgsm -k --with-validation

When you don't do that, you'll see

	Problem signature

in mutt, or it will hang decoding a message until you interrupt it.

### Multiple Secret Keys

In case you have multiple secret keys (e.g. some expired ones and a
current one), you can choose the default one by adding


to your .gnupg/gpgsm.conf config file, where
fingerprint of your key. If you don't know it, you can find it using

	gpgsm -K your@email.address

or just

	gpgsm -K

If you don't set this, gpgsm will use the first secret key in your
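When several secret certificates carry the same address (expired ones next to the current one), picking the fingerprint by eye from `gpgsm -K` is error-prone. The following is an added example, not part of this wiki page or of gnupg: a POSIX shell function (the name `current_smime_fingerprint` is made up here) that reads the machine-readable listing from `gpgsm -K --with-colons` and prints the fingerprint of the first secret certificate for the given address that has not expired. The sample listing embedded in the script is constructed for the demonstration, not captured from a real keyring, and the record layout it relies on (field 7 of a `crs` record is the expiry, field 10 of `fpr` and `uid` records is the fingerprint and the user id) is taken from gnupg's colon-format description.

```shell
#!/bin/sh
# Added example, not from the wiki page: find the fingerprint of the current
# (non-expired) secret S/MIME certificate for an e-mail address by parsing
#     gpgsm -K --with-colons
# Record layout assumed from gnupg's colon-format description:
#   crs  - secret certificate; field 7 is the expiry (YYYYMMDDTHHMMSS, may be empty)
#   fpr  - field 10 is the certificate fingerprint
#   uid  - field 10 is a subject name or an "<address>" line

# Usage: gpgsm -K --with-colons | current_smime_fingerprint ADDRESS [NOW]
# NOW is a reference timestamp in the same basic ISO format; it defaults to
# the current UTC time. Prints the fingerprint and returns 0, or prints
# nothing and returns 1 if no current certificate for ADDRESS is listed.
current_smime_fingerprint() {
    awk -F: -v email="$1" -v now="${2:-$(date -u +%Y%m%dT%H%M%S)}" '
        # Print the fingerprint of the record just finished if it belongs to
        # the address and has not expired (an empty expiry means no expiry).
        function flush() {
            if (matched && fpr != "" && (expire == "" || expire > now)) {
                found = 1
                print fpr
                exit
            }
        }
        $1 == "crs" { flush(); matched = 0; fpr = ""; expire = $7 }
        $1 == "fpr" { fpr = $10 }
        $1 == "uid" && index($10, "<" email ">") { matched = 1 }
        END { if (!found) flush(); if (!found) exit 1 }
    '
}

# Constructed sample listing (not real gpgsm output): an expired 2014
# certificate and a current 2016 certificate for the same address.
SAMPLE_LISTING='crs:u:2048:1:1234567890ABCDEF:20140101T000000:20150101T000000:::::
fpr:::::::::0000000000000000000000000000000000000001:
uid:::::::::CN=Jane Doe,O=Example::
uid:::::::::<jane@example.org>::
crs:u:2048:1:FEDCBA0987654321:20160101T000000:20170101T000000:::::
fpr:::::::::0000000000000000000000000000000000000002:
uid:::::::::CN=Jane Doe,O=Example::
uid:::::::::<jane@example.org>::'

# Demonstration against the sample, with "now" fixed to 2016-02-22 so the
# result does not depend on when this runs; prints the ...0002 fingerprint.
printf '%s\n' "$SAMPLE_LISTING" | current_smime_fingerprint jane@example.org 20160222T000000
```

The expiry comparison is a plain string comparison, which is valid because gpgsm's basic ISO timestamps sort lexicographically; a certificate without an expiry field is treated as current. Because the function only ever consults the listing, it is safe to run against a live keyring; nothing is modified.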
