Browse Source

Add neomutt gpg integration

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
master
Shawn Webb 2 years ago
parent
commit
dafe028aa0
No known key found for this signature in database GPG Key ID: 6A84658F52456EEE
3 changed files with 131 additions and 57 deletions
  1. +1
    -57
      muttrc
  2. +129
    -0
      neomutt-gpg.rc
  3. +1
    -0
      setup.zsh

+ 1
- 57
muttrc View File

@@ -52,63 +52,7 @@ set pgp_replysignencrypted = yes
set pgp_replysign = yes
set pgp_sign_as = 40B3406E

# Note that we explicitly set the comment armor header since GnuPG, when used
# in some localiaztion environments, generates 8bit data in that header, thereby
# breaking PGP/MIME.

# decode application/pgp
set pgp_decode_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"

# verify a pgp/mime signature
set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"

# decrypt a pgp/mime attachment
set pgp_decrypt_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"

# create a pgp/mime signed attachment
# set pgp_sign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_sign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"

# create a application/pgp signed (old-style) message
# set pgp_clearsign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"

# create a pgp/mime encrypted attachment
# set pgp_encrypt_only_command="pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"

# create a pgp/mime encrypted and signed attachment
# set pgp_encrypt_sign_command="pgpewrap gpg-2comp %?p?--passphrase-fd 0? -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"

# import a key into the public key ring
set pgp_import_command="gpg --no-verbose --import %f"

# export a key from the public key ring
set pgp_export_command="gpg --no-verbose --export --armor %r"

# verify a key
set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r"

# read in the public key ring
set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --list-keys %r"

# read in the secret key ring
set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --list-secret-keys %r"

# fetch keys
# set pgp_getkeys_command="pkspxycwrap %r"

# pattern for good signature - may need to be adapted to locale!

# set pgp_good_sign="^gpgv?: Good signature from "

# OK, here's a version which uses gnupg's message catalog:
# set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`"

# This version uses --status-fd messages
set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"

bind editor <space> noop
source ~/.mutt/folders
source ~/.mutt/aliases
source ~/.mutt/gpg.rc

+ 129
- 0
neomutt-gpg.rc View File

@@ -0,0 +1,129 @@
# -*-muttrc-*-
#
# Command formats for gpg.
#
# Version notes:
#
# GPG 2.1 introduces the option "--pinentry-mode", which requires
# the "loopback" argument in instances where "--passphrase-fd" is
# used.
#
# Some of the older commented-out versions of the commands use gpg-2comp from:
# http://70t.de/download/gpg-2comp.tar.gz
#
# %p The empty string when no passphrase is needed,
# the string "PGPPASSFD=0" if one is needed.
#
# This is mostly used in conditional % sequences.
#
# %f Most PGP commands operate on a single file or a file
# containing a message. %f expands to this file's name.
#
# %s When verifying signatures, there is another temporary file
# containing the detached signature. %s expands to this
# file's name.
#
# %a In "signing" contexts, this expands to the value of the
# configuration variable $pgp_sign_as, if set, otherwise
# $pgp_default_key. You probably need to
# use this within a conditional % sequence.
#
# %r In many contexts, neomutt passes key IDs to pgp. %r expands to
# a list of key IDs.

# Section A: Key Management

# The default key for encryption (used by $pgp_self_encrypt and
# $postpone_encrypt).
#
# It will also be used for signing unless $pgp_sign_as is set to a
# key.
#
# Unless your key does not have encryption capability, uncomment this
# line and replace the keyid with your own.
#
# set pgp_default_key="0x12345678"

# If you have a separate signing key, or your key _only_ has signing
# capability, uncomment this line and replace the keyid with your
# signing keyid.
#
# set pgp_sign_as="0x87654321"


# Section B: Commands

# Note that we explicitly set the comment armor header since GnuPG, when used
# in some localiaztion environments, generates 8bit data in that header, thereby
# breaking PGP/MIME.

# decode application/pgp
#
set pgp_decode_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - %f"

# Verify a signature
#
set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"

# Decrypt an attachment
#
set pgp_decrypt_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - --decrypt %f"

# Create a PGP/MIME signed attachment
#
# set pgp_sign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
#
set pgp_sign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --detach-sign %f"

# Create a application/pgp inline signed message. This style is obsolete but still needed for Hushmail recipients and some MUAs.
#
# set pgp_clearsign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
#
set pgp_clearsign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --clearsign %f"

# Create an encrypted attachment (note that some users include the --always-trust option here)
#
# set pgp_encrypt_only_command="/usr/local/libexec/neomutt/pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
#
set pgp_encrypt_only_command="/usr/local/libexec/neomutt/pgpewrap gpg --batch --quiet --no-verbose --output - --textmode --armor --encrypt -- --recipient %r -- %f"

# Create an encrypted and signed attachment (note that some users include the --always-trust option here)
#
# set pgp_encrypt_sign_command="/usr/local/libexec/neomutt/pgpewrap gpg-2comp %?p?--passphrase-fd 0? -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
#
set pgp_encrypt_sign_command="/usr/local/libexec/neomutt/pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - %?a?--local-user %a? --armor --sign --encrypt -- --recipient %r -- %f"

# Import a key into the public key ring
#
set pgp_import_command="gpg --no-verbose --import %f"

# Export a key from the public key ring
#
set pgp_export_command="gpg --no-verbose --armor --export %r"

# Verify a key
#
set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r"

# Read in the public key ring
#
set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-keys %r"

# Read in the secret key ring
#
set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-secret-keys %r"

# Fetch keys
# set pgp_getkeys_command="pkspxycwrap %r"

# pattern for good signature - may need to be adapted to locale!
# OK, here's a version which uses gnupg's message catalog:
# set pgp_good_sign="^gpgv?: Good signature from"
# set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`"
#
# Output pattern to indicate a valid signature using --status-fd messages
set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"

# Output pattern to verify a decryption occurred
set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY"


+ 1
- 0
setup.zsh View File

@@ -56,6 +56,7 @@ ln -s ~/dotfiles/.tmux.conf .tmux.conf
ln -s ~/dotfiles/zshrc .zshrc
ln -s ~/dotfiles/muttrc .muttrc
ln -s ~/dotfiles/.vimrc .vimrc
ln -s ~/dotfiles/neomutt-gpg.rc .mutt/gpg.rc

if [ ! -d tmux/logs ]; then
mkdir -p tmux/logs


Loading…
Cancel
Save