[imp] imp and GnuPG/PGP

Todd Lyons todd@mrball.net
Wed, 7 Nov 2001 20:30:12 -0800


Harry Hoffman wanted us to know:

>  On the backend on IMP I have all my user info stored in an LDAP db. I
>would like to allow users to sign their mail with either GnuPG/PGP key for
>encryption and store their public/private keys in the LDAP db. I'm
>wondering if anyone else has thought of/is currently doing this?
>  Or if anyone would know what kind of effort this would take in modifying
>IMP to do so?

I'd say to take a look at the standard mutt pgp configuration (for gpg)
and try to mold that into your forms.  As I see it, you'll need the
following:
1) A form to generate a key on the server (takes CPU horsepower though).
It's not really feasible to have someone upload their private key, as
the general premise of a private key sitting on a public webserver
doesn't sit well with me.
2) An extra preference and/or button to generate the signature.
3) A form for people to upload their public key to the keyservers.
4) A form for people to download public keys from the keyservers (better
to limit this by size or similar, though, as it can get ridiculous).

All in all, I think it's more trouble than it's worth.  I personally
wouldn't trust any signature from a webmail account.

But for your viewing pleasure, here are the relevant gpg configs from my
mutt.  Some of it is mutt environment variables, but it should be
obvious which lines to ignore:

# -*-muttrc-*-
#
# Command formats for gpg.
# 
# This version uses gpg-2comp from 
#   http://muppet.faveve.uni-stuttgart.de/~gero/gpg-2comp.tar.gz
#
# $Id: gpg.rc,v 1.5.2.1 2000/05/23 08:15:02 roessler Exp $
#
# Notes on the security-relevant choices in this file:
#   - Every command that needs the passphrase uses --passphrase-fd 0,
#     so the passphrase is read from stdin rather than passed as an
#     argument.
#   - Both encrypt commands pass --always-trust, which makes gpg use
#     any key matching -r %r without checking its validity; see the
#     notes on those lines.
#   - pgp_timeout keeps the passphrase cached for 7200 s (two hours).
#
# %p    The empty string when no passphrase is needed,
#       the string "PGPPASSFD=0" if one is needed.
#
#       This is mostly used in conditional % sequences.
#
# %f    Most PGP commands operate on a single file or a file
#       containing a message.  %f expands to this file's name.
#
# %s    When verifying signatures, there is another temporary file
#       containing the detached signature.  %s expands to this
#       file's name.
#
# %a    In "signing" contexts, this expands to the value of the
#       configuration variable $pgp_sign_as.  You probably need to
#       use this within a conditional % sequence.
#
# %r    In many contexts, mutt passes key IDs to pgp.  %r expands to
#       a list of key IDs.

# decode application/pgp
# %?p?...? adds --passphrase-fd 0 only when a passphrase is needed (see %p).
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"

# verify a pgp/mime signature
# %s is the detached signature, %f the signed data (see above).
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"

# decrypt a pgp/mime attachment
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"

# create a pgp/mime signed attachment
# %?a?-u %a? selects the key from $pgp_sign_as when one is configured.
# set pgp_sign_command="gpg-2comp --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"

# create a application/pgp signed (old-style) message
# set pgp_clearsign_command="gpg-2comp --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"

# create a pgp/mime encrypted attachment
# pgpewrap (shipped with mutt) expands the key-ID list between the "--"
# markers into individual -r options.
# NOTE(review): --always-trust skips gpg's key-validity check, so an
# unsigned or untrusted recipient key (e.g. one pulled from a keyserver)
# is used silently; drop the flag and validate recipient keys if that
# matters in your setup.
# set pgp_encrypt_only_command="pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_only_command="pgpewrap gpg -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"

# create a pgp/mime encrypted and signed attachment
# Same --always-trust caveat as pgp_encrypt_only_command above.
# set pgp_encrypt_sign_command="pgpewrap gpg-2comp --passphrase-fd 0 -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"

# import a key into the public key ring
set pgp_import_command="gpg --no-verbose --import -v %f"

# export a key from the public key ring
set pgp_export_command="gpg --no-verbose --export --armor %r"

# verify a key
# --check-sigs verifies the certification signatures on the key itself and
# --fingerprint prints the full fingerprint for out-of-band comparison.
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"

# read in the public key ring
# --with-colons gives the machine-readable listing mutt parses.
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r" 

# read in the secret key ring
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r" 

# receive key from keyserver:
# Left empty, so mutt never fetches unknown keys on its own; the wrap.sh
# line is the disabled keyserver fetch.
#set pgp_getkeys_command="wrap.sh -g %r"
set pgp_getkeys_command=""

# local options
#set pgp_ignore_subkeys
# Do not sign or encrypt every outgoing message by default.
unset pgp_autosign
unset pgp_autoencrypt
# Ask before creating old-style inline (traditional) PGP instead of
# PGP/MIME; default answer is no.
set pgp_create_traditional=ask-no
# Replies to encrypted/signed mail are encrypted/signed in kind.
set pgp_replyencrypt
set pgp_replysign
set pgp_replysignencrypted
unset pgp_retainable_sigs
# Verify signatures on incoming signed messages.
set pgp_verify_sig=yes
# Seconds the passphrase stays cached in mutt's memory (7200 = 2 h);
# shorten this on a shared or long-running host.
set pgp_timeout=7200
# Encode signed text as quoted-printable so the signature survives
# whitespace mangling in transit.
set pgp_strict_enc
# Show 32-bit short key IDs in menus; note that short IDs are not unique,
# so compare fingerprints when it matters.
unset pgp_long_ids
# Also list revoked, expired and disabled keys in the key menu.
set pgp_show_unusable
# Default signing key (short ID; used via %a in the sign commands).
set pgp_sign_as="AE127015"
#set pgp_sign_micalg=pgp-md5

# layout of one entry in the key selection menu
set pgp_entry_format="%4n %t%f %[%y/%m/%d] %rl/0x%k %-4a %2c %u"

# order the key selection menu by trust level
set pgp_sort_keys=trust
-- 
Blue skies...		Todd
| Get a bigger hammer!   |  Are you feeling lucky...punk?         |
| http://www.mrball.net  |  I've had better days...               |
| http://faq.mrball.net  |  It's the end of the world as we know i|