# Setting up mutt with S/MIME support using gpgme
When trying to set mutt up for use with S/MIME, you will find guides
like [[this one|http://equiraptor.com/smime_mutt_how-to.html]] or
[[this other one|https://kb.wisc.edu/middleware/page.php?id=4091]]
which tell you how to enable mutt's openssl-based S/MIME support and
how to configure it.
This is what I did at first, but when my key expired and I created a
new one, I found out that this setup only supports one secret key at a
time; i.e., when I switched to the new key, I could not read my old
emails any longer.
By lucky accident, I found the second supported method using
[[gpgme|https://www.gnupg.org/related_software/swlist.html#gpgme]]
that is much easier to set up and use, and does support multiple
secret keys, but lacks documentation.
So here's the documentation for this setup.
# mutt
## mutt compilation
When compiling mutt, you need to have gpgme installed and pass the
--enable-gpgme flag to mutt's configure script.
You also need gnupg version 2.x installed: gpgsm, the S/MIME
counterpart of gpg that does the actual work, is only part of gnupg 2.
In pkgsrc, set
PKG_OPTIONS.mutt+= gpgme
in your /etc/mk.conf.
## mutt setup
Add
set crypt_use_gpgme=yes
to your .muttrc. That's it.
(If your .muttrc "source"s smime.rc or gpg.rc, you can comment out
those lines; you don't need them any longer.)
# gpgme
## gpg-agent
You can use the generic setup instructions for gnupg 2.x instead of this
section; I include it for completeness. It also applies to OpenPGP, so
if you already have gnupg 2.x set up for that, you can skip it.
You need to have a gpg-agent running. The setup suggested by gnupg is to
start it from your X startup file or from your login shell's startup
script.
Short documentation for the latter, using zsh:
### gnupg 2.0
Add to .zlogin:
gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"
Add to .zshrc:
export GPG_TTY=$(tty)
# only needed for 2.0, not for 2.1
if [ -f "${HOME}/.gpg-agent-info" ]; then
. "${HOME}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
fi
### gnupg 2.1
Much easier, just add to .zshrc:
export GPG_TTY=$(tty)
### pinentry
Choose a pinentry program in your .gnupg/gpg-agent.conf, for example:
pinentry-program /usr/pkg/bin/pinentry-curses
## gpgsm
Now for the actual S/MIME part of the setup.
### Own key
Get a certificate, e.g. from CAcert or Thawte. Export the certificate
from your browser (or the OS X keychain) with a password; you'll get a
.p12 file. That file contains your private key as well as the
certificate, so keep it where only you can read it and remove it once
the import has succeeded.
Then just import the file:
gpgsm --import keyfile.p12
gpgsm asks for the export password, and gpg-agent then keeps the secret
key in .gnupg/private-keys-v1.d/.
### Other keys
Your correspondents' certificates are imported the same way. They
contain no private key, so the keyfile doesn't need to be encrypted,
and a plain certificate file (.pem or .der) works as well as a .p12:
gpgsm --import keyfile.p12
### Intermediate Certificates
You might be missing certificates. Then you will see errors like this:
gpgsm: issuer certificate {ADBD987A34B426F7FAC42654EF03BDE024CB541A} not found using authorityKeyIdentifier
The value in braces is the key identifier of the issuing CA. Google it
and you'll probably find the corresponding intermediate certificate on
the CA's site, at least that's what worked for me. An imported
intermediate is not trusted by itself (trust is anchored at the root
certificates, see below), but do compare its fingerprint, e.g. with
openssl x509 -noout -fingerprint -in cert.pem, against what the CA
publishes, so you know you picked the right one.
### Trust
You'll have to tell gpgsm which root certificates you trust. Listing
your keys with validation
gpgsm -k --with-validation
makes gpgsm check every certificate chain, and for each root CA it has
not seen before gpg-agent asks through pinentry whether to trust it
(this needs allow-mark-trusted in .gnupg/gpg-agent.conf). Your answers
end up in .gnupg/trustlist.txt, one line per root consisting of its
fingerprint, a space and the flag S; you can also edit that file by
hand.
When you don't do that, you'll see
Problem signature
in mutt, or it will hang decoding a message until you interrupt it.
### Multiple Secret Keys
In case you have multiple secret keys (e.g. some expired ones and a
current one), you can choose the one used for signing by adding
local-user XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
to your .gnupg/gpgsm.conf config file, where
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX is the
fingerprint of your key. If you don't know it, you can find it using
gpgsm -K your@email.address
or just
gpgsm -K
If you don't set this, gpgsm will use the first secret key in your
keybox. Leave the expired keys imported: decrypting old mail does not
depend on this setting, since gpgsm looks up the secret key matching
the certificate a message was encrypted to.
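As an added example (it is not from this page, nor part of mutt or gnupg), here is a small POSIX shell helper that picks the current key for an address out of gpgsm -K output and prints the matching local-user line for gpgsm.conf, so that an expired key is never chosen by accident. The listing it parses is a constructed sample: the names, serial numbers and fingerprints are made up, and the field layout (ID, Subject, aka, validity, fingerprint lines) is assumed to match what gpgsm -K prints.

```shell
#!/bin/sh
# Added example, not part of the wiki page, mutt or gnupg: choose the current
# S/MIME secret key for an address from `gpgsm -K` output and print the
# gpgsm.conf line that makes it the default signing key.

# Constructed sample of `gpgsm -K` output: two certificates for alice (one
# expired, one current) and one for bob. Names, serial numbers and
# fingerprints are invented; the field layout is assumed to match gpgsm -K.
SAMPLE_GPGSM_K='/home/alice/.gnupg/pubring.kbx
------------------------------
           ID: 0x11111111
          S/N: 0A
       Issuer: /CN=Example Class 1 CA/O=Example CA
      Subject: /CN=Alice Example
          aka: alice@example.org
     validity: 2014-01-01 00:00:00 through 2015-01-01 00:00:00
     key type: 2048 bit RSA
    key usage: digitalSignature nonRepudiation keyEncipherment
  fingerprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

           ID: 0x22222222
          S/N: 0B
       Issuer: /CN=Example Class 1 CA/O=Example CA
      Subject: /CN=Alice Example
          aka: alice@example.org
     validity: 2015-01-01 00:00:00 through 2016-12-31 23:59:59
     key type: 2048 bit RSA
    key usage: digitalSignature nonRepudiation keyEncipherment
  fingerprint: AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01

           ID: 0x33333333
          S/N: 0C
       Issuer: /CN=Example Class 1 CA/O=Example CA
      Subject: /CN=Bob Example
          aka: bob@example.org
     validity: 2015-06-01 00:00:00 through 2017-06-01 00:00:00
     key type: 2048 bit RSA
    key usage: digitalSignature nonRepudiation keyEncipherment
  fingerprint: 12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78
'

# select_current_fpr EMAIL 'YYYY-MM-DD HH:MM:SS'   (gpgsm -K listing on stdin)
# Prints the colon-separated fingerprint of the certificate for EMAIL whose
# validity period covers the given time and ends latest. Exit status 1 when
# there is none, e.g. because every key for EMAIL has expired.
select_current_fpr() {
    awk -v email="$1" -v now="$2" '
    # Each certificate starts with an "ID:" line: flush the previous record
    # when a new one begins, and once more at end of input. ISO timestamps
    # compare correctly as plain strings.
    function flush() {
        if (is_mine && fpr != "" && start <= now && now <= end && end > best_end) {
            best_end = end
            best = fpr
        }
        is_mine = 0; fpr = ""; start = ""; end = ""
    }
    /^ *ID:/              { flush() }
    /^ *(Subject|aka):/   { if (index($0, email)) is_mine = 1 }
    /^ *validity:/        { start = $2 " " $3; end = $5 " " $6 }
    /^ *fingerprint:/     { fpr = $2 }
    END {
        flush()
        if (best == "") exit 1
        print best
    }
    '
}

# gpgsm_local_user_line EMAIL 'YYYY-MM-DD HH:MM:SS'   (listing on stdin)
# Emits the line to put into ~/.gnupg/gpgsm.conf, after checking that what
# was extracted really is a 20-byte colon-separated hex fingerprint.
gpgsm_local_user_line() {
    fpr=$(select_current_fpr "$1" "$2") || return 1
    [ "${#fpr}" -eq 59 ] || return 1
    case "$fpr" in
        *[!0-9A-F:]*) return 1 ;;
    esac
    printf 'local-user %s\n' "$fpr"
}

# Demo on the constructed listing. With a real keybox run instead:
#   gpgsm -K | gpgsm_local_user_line you@example.org "$(date '+%Y-%m-%d %H:%M:%S')"
printf '%s\n' "$SAMPLE_GPGSM_K" | gpgsm_local_user_line alice@example.org '2016-06-01 00:00:00'
```

The helper only parses a listing; it never touches the keybox, so you can run it against gpgsm -K output and paste the resulting line into gpgsm.conf once you have looked at it.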