Setting up mutt with S/MIME support using gpgme

When trying to set mutt up for use with S/MIME you will find guides like this one or this other one which tell you how to enable the openssl support and how to configure it.

This is what I did at first, but when my key expired and I created a new one, I found out that this setup only supports one secret key at a time; i.e., when I switched to the new key, I could not read my old emails any longer.

By lucky accident, I found the second supported method using gpgme that is much easier to set up and use, and does support multiple secret keys, but lacks documentation.

So here's the documentation for this setup.

mutt

mutt compilation

When compiling mutt, you need to have gpgme installed and use mutt configure's --enable-gpgme flag. You also need gnupg version 2.x installed.

In pkgsrc, set

PKG_OPTIONS.mutt+=       gpgme

in your /etc/mk.conf.

mutt setup

Add

set crypt_use_gpgme=yes

to your .muttrc. That's it.

(If your .muttrc "source"s smime.rc or gpg.rc, you can comment out these lines, you don't need them any longer.)

gpgme

gpg-agent

You can use generic setup instructions for gnupg 2.x instead of this section; I include them for completeness. They also apply for OpenPGP, so if you have that set up for gnupg 2.x already, you can skip it.

You need to have a gpg-agent running. The suggested setup (by gnupg) is to start it from your X startup file or from your login shell startup script.

Short instructions for the latter, using zsh:

gnupg 2.0

Add to .zlogin:

gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"

Add to .zshrc:

export GPG_TTY=$(tty)
# only needed for 2.0, not for 2.1
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
fi

gnupg 2.1

Much easier, just add to .zshrc:

export GPG_TTY=$(tty)

pinentry

Choose a pinentry program in your .gnupg/gpg-agent.conf, for example:

pinentry-program /usr/pkg/bin/pinentry-curses

gpgsm

Now for the actual S/MIME part of the setup.

Own key

Get a certificate, e.g. from CAcert or Thawte. Export the certificate from your browser (or the OS X keychain), protected with a password; you'll get a .p12 file.

Then just import the file:

gpgsm --import keyfile.p12

Other keys

The same as your own key, but the keyfile doesn't need to be encrypted.

gpgsm --import keyfile.p12

Intermediate Certificates

You might be missing intermediate certificates, in which case you will see errors like this:

gpgsm: issuer certificate {ADBD987A34B426F7FAC42654EF03BDE024CB541A} not found using authorityKeyIdentifier

Search for the hash and you'll probably find the corresponding certificate; at least that's what worked for me.

Trust

You'll have to tell gpgsm which certificates you trust. Listing your certificates with validation lets you check which chains validate:

gpgsm -k --with-validation

If you don't do that, you'll see

Problem signature

in mutt, or it will hang while decoding a message until you interrupt it.

Multiple Secret Keys

In case you have multiple secret keys (e.g. some expired ones and a current one), you can choose the default one by adding

local-user XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

to your .gnupg/gpgsm.conf config file, where XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX is the fingerprint of your key. If you don't know it, you can find it using

gpgsm -K your@email.address

or just

gpgsm -K

If you don't set this, gpgsm will use the first secret key in your keychain.
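As an added example that is not part of the original page: a small shell function that takes the machine-readable listing from gpgsm -K --with-colons, skips expired certificates for the given address, and prints the matching local-user line in the colon-separated form used above. The sample listing is constructed; the crs/fpr/uid record layout is assumed to follow gnupg's DETAILS documentation.

```shell
#!/bin/sh
# Constructed sample of `gpgsm -K --with-colons` output (not a real listing):
# two secret certificates for the same address, the first one expired.
SAMPLE_LISTING='crs::2048:1:1122334455667788:20190101T000000:20200101T000000::::::::
fpr:::::::::0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D::
uid:::::::::CN=Old Cert,O=Example::
uid:::::::::<user@example.org>::
crs::2048:1:99AABBCCDDEEFF00:20200101T000000:20210101T000000::::::::
fpr:::::::::F0E1D2C3B4A5968778695A4B3C2D1E0FF0E1D2C3::
uid:::::::::CN=Current Cert,O=Example::
uid:::::::::<user@example.org>::'

# gpgsm_local_user_line LISTING EMAIL NOW
#   LISTING: text of `gpgsm -K --with-colons`
#   EMAIL:   address the certificate must carry as a <...> uid
#   NOW:     timestamp in gpgsm's yyyymmddThhmmss format; certificates whose
#            expiry (field 7 of the crs record) is not after NOW are skipped
# Prints `local-user XX:XX:...` for the unexpired certificate expiring last;
# returns 1 if none qualifies.
gpgsm_local_user_line() {
    printf '%s\n' "$1" | awk -F: -v email="$2" -v now="$3" '
        # New certificate record: remember its expiry, reset per-cert state.
        $1 == "crs" { expires = $7; fpr = ""; hit = 0; next }
        # Fingerprint record: field 10 holds the bare hex fingerprint.
        $1 == "fpr" { fpr = $10; next }
        # gpgsm lists each e-mail address as its own uid record in <...>.
        $1 == "uid" && $10 == ("<" email ">") { hit = 1 }
        hit && fpr != "" && (expires == "" || expires > now) {
            if (best == "" || expires > best_exp) { best = fpr; best_exp = expires }
            hit = 0
        }
        END {
            if (best == "") exit 1
            # Insert a colon after every byte pair, matching gpgsm.conf syntax.
            out = substr(best, 1, 2)
            for (i = 3; i < length(best); i += 2) out = out ":" substr(best, i, 2)
            print "local-user " out
        }'
}

# Stand-alone run: pick the certificate that is current in mid-2020.
gpgsm_local_user_line "$SAMPLE_LISTING" user@example.org 20200601T000000
```

With a real setup, replace SAMPLE_LISTING by "$(gpgsm -K --with-colons)" and NOW by the current date; the printed line can be appended to .gnupg/gpgsm.conf.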