File:  [NetBSD Developer Wiki] / wikisrc / users / wiz / mutt-smime.mdwn
Revision 1.3
Mon Feb 22 09:31:58 2016 UTC by wiz
Branches: MAIN
CVS tags: HEAD
Fix typo.

# Setting up mutt with S/MIME support using gpgme

When trying to set mutt up for use with S/MIME you will find guides
like [[this one|http://equiraptor.com/smime_mutt_how-to.html]] or
[[this other one|https://kb.wisc.edu/middleware/page.php?id=4091]]
which tell you how to enable the openssl support and how to configure
it.

This is what I did at first, but when my key expired and I created a
new one, I found out that this setup only supports one secret key at a
time; i.e., when I switched to the new key, I could not read my old
emails any longer.

By lucky accident, I found the second supported method using
[[gpgme|https://www.gnupg.org/related_software/swlist.html#gpgme]]
that is much easier to set up and use, and does support multiple
secret keys, but lacks documentation.

So here's the documentation for this setup.

# mutt

## mutt compilation

When compiling mutt, you need to have gpgme installed and use mutt
configure's --enable-gpgme flag.
You also need gnupg version 2.x installed.

In pkgsrc, set

	PKG_OPTIONS.mutt+=       gpgme

in your /etc/mk.conf.

## mutt setup

Add

	set crypt_use_gpgme=yes

to your .muttrc. That's it.

(If your .muttrc "source"s smime.rc or gpg.rc, you can comment out
those lines; they are no longer needed.)

# gpgme

## gpg-agent

You can use the generic setup instructions for gnupg 2.x instead of this
section; I include it for completeness. It also applies to OpenPGP, so
if you already have that set up for gnupg 2.x, you can skip it.

You need to have a gpg-agent running. The suggested setup (by gnupg) is
to start it from your X startup file or from your login shell startup
script.

Short instructions for the latter, using zsh:

### gnupg 2.0

Add to .zlogin:

	gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"

Add to .zshrc:

	export GPG_TTY=$(tty)
	# only needed for 2.0, not for 2.1
	if [ -f "${HOME}/.gpg-agent-info" ]; then
		. "${HOME}/.gpg-agent-info"
		export GPG_AGENT_INFO
		export SSH_AUTH_SOCK
	fi

### gnupg 2.1

Much easier, just add to .zshrc:

	export GPG_TTY=$(tty)

### pinentry

Choose a pinentry program in your .gnupg/gpg-agent.conf, for example:

	pinentry-program /usr/pkg/bin/pinentry-curses

## gpgsm

Now for the actual S/MIME part of the setup.

### Own key

Get a certificate, e.g. from CAcert or Thawte. Export the certificate
from your browser (or the OS X keychain) with a password, you'll get a
.p12 file.

Then just import the file:

	gpgsm --import keyfile.p12


### Other keys

The same as your own key, but the keyfile doesn't need to be encrypted.

	gpgsm --import keyfile.p12


### Intermediate Certificates

You might be missing intermediate certificates. Then you will see errors like this:

	gpgsm: issuer certificate {ADBD987A34B426F7FAC42654EF03BDE024CB541A} not found using authorityKeyIdentifier

Search the web for the key identifier shown in braces and you'll
probably find the corresponding certificate; at least that's what
worked for me.

### Trust

You'll have to tell gpgsm which certificates you trust:

	gpgsm -k --with-validation

If you don't do that, you'll see

	Problem signature

in mutt, or mutt will hang while decoding a message until you interrupt it.

### Multiple Secret Keys

In case you have multiple secret keys (e.g. some expired ones and a
current one), you can choose the default one by adding

	local-user XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

to your .gnupg/gpgsm.conf config file, where
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX is the
fingerprint of your key. If you don't know it, you can find it using

	gpgsm -K your@email.address

or just

	gpgsm -K

If you don't set this, gpgsm will use the first secret key in your
keychain.
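
The following script is an added example, not part of this wiki page: it derives the `local-user` line for `.gnupg/gpgsm.conf` from the machine-readable output of `gpgsm -K --with-colons`, skipping expired certificates, so the wrong (old) key is not picked by accident. The sample output is constructed, and the colon field layout is assumed from GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example, not part of the wiki page: derive the "local-user" line
# for ~/.gnupg/gpgsm.conf from `gpgsm -K --with-colons` output, skipping
# expired certificates. Field layout assumed from GnuPG's doc/DETAILS:
# "crs" = certificate with a private key (field 2 validity, "e" = expired,
# field 7 expiry); the following "fpr" record holds the SHA-1 certificate
# fingerprint in field 10.

# Constructed sample output: one expired and one current secret key.
SAMPLE='crs:e:2048:1:1234567890ABCDEF:20130101T000000:20150101T000000:01::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:::::::::CN=Old Cert,EMAIL=me@example.org:
crs::2048:1:FEDCBA0987654321:20160101T000000:20180101T000000:02::::::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:::::::::CN=Current Cert,EMAIL=me@example.org:'

# Print the fingerprints of all non-expired secret keys, one per line.
current_fingerprints() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "crs" { skip = ($2 == "e") ? 1 : 0 }
        $1 == "fpr" && !skip { print $10 }'
}

# Format a bare 40-hex-digit fingerprint the way `gpgsm -K` prints it: XX:XX:...
colonize() {
    printf '%s\n' "$1" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Emit the gpgsm.conf line. Returns 1 unless exactly one current secret
# key exists; in that case you have to pick the fingerprint by hand.
local_user_line() {
    fprs=$(current_fingerprints "$1")
    count=$(printf '%s\n' "$fprs" | grep -c .)
    [ "$count" -eq 1 ] || return 1
    printf 'local-user %s\n' "$(colonize "$fprs")"
}

# Real use: local_user_line "$(gpgsm -K --with-colons)" >> ~/.gnupg/gpgsm.conf
local_user_line "$SAMPLE"
```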
