YANGHONG

Use GPG to sign/encrypt emails

This is one thing I always wanted to set up but was too lazy to put into practice. It's a sad story that Werner Koch, who wrote this software, is in financial trouble. Anyway, this is great software that benefits numerous people.

Setup Keys

The HOWTO manual provided by GnuPG is sufficient to set up the keys and get a general idea of how GPG works. There are some discussions on the algorithm choices. Personally, I chose the default RSA, choice 1. Another article, GPG HowTo, also provides some good examples of how to use gpg.

Plugin for Mail.app

GPGTools is a plugin for Mail.app on OS X. I tried to build one from their sources but it turns out some files. I recommend using the release packages from their website. After installing the plugin, modify the GPG configuration file, in case GPGTools modified it by default. Note the comments and the auto-key-locate options in .gnupg/gpg.conf.

Testing

One GPG key is associated with one email address, which is specified while creating the key. GPGTools will identify whether the From field corresponds to an address with a valid key. If so, the Mail.app composer will show a green icon in the top-right corner.

Figure 1: valid key (image valid_key.jpg)

If the address does not have a key, then the icon will be gray and no GPG signature will be added.

Since GPGTools verifies the signature for me, most of the time I do not have to check it manually. But to understand how it actually works, it's better to try it by hand.

After receiving an email, get the raw content and save it to a file, mailcontent.txt. Use the clearmime Python script to transform the mail into a form the gpg command accepts.

clearmime < mailcontent.txt | gpg --verify

The content of the raw mail looks like:

DKIM-Signature: ...................................
From: ................
X-Pgp-Agent: GPGMail 2.5b6
Content-Type: application/octet
Subject: .......
Date: ...
Message-Id: ...
To: ...
X-Mailer: Apple Mail (2.2098)

--Apple-Mail=_0B75F097-8AC1-4124-835B-A8E34AAB33F9
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
        charset=us-ascii

this is signed
--Apple-Mail=_0B75F097-8AC1-4124-835B-A8E34AAB33F9
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
    filename=signature.asc
Content-Type: application/pgp-signature;
    name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----
Comment: xxx

<Signature string>
-----END PGP SIGNATURE-----

The content of the transformed file is something like:

DKIM-Signature: ...................................
From: ................
X-Pgp-Agent: GPGMail 2.5b6
Content-Type: application/octet
Subject: .......
Date: ...
Message-Id: ...
To: ...
X-Mailer: Apple Mail (2.2098)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
NotDashEscaped: You need GnuPG to verify this message

Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
        charset=us-ascii

this is signed
-----BEGIN PGP SIGNATURE-----
Comment: xxx

<Signature string>
-----END PGP SIGNATURE-----
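The script below is an added example, not part of this post and not the clearmime script. Instead of rewriting the mail into the clearsigned form shown above, it splits a PGP/MIME (RFC 3156) mail into the signed MIME part and the detached signature, byte for byte, so that the two files can be checked with gpg --verify signature.asc signed.txt. The sample mail is constructed to match the layout above and its signature block is a placeholder, so a real mail is needed for an actual verification.

```python
import re

# Constructed PGP/MIME sample modelled on the raw mail above; the signature is a placeholder.
RAW_MAIL = (
    b"From: alice@example.com\r\n"
    b'Content-Type: multipart/signed; boundary="Apple-Mail=_BOUNDARY"; protocol="application/pgp-signature"\r\n'
    b"\r\n"
    b"--Apple-Mail=_BOUNDARY\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"Content-Type: text/plain;\r\n"
    b"\tcharset=us-ascii\r\n"
    b"\r\n"
    b"this is signed\r\n"
    b"--Apple-Mail=_BOUNDARY\r\n"
    b"Content-Type: application/pgp-signature;\r\n"
    b"\tname=signature.asc\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"\r\n"
    b"<Signature string>\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--Apple-Mail=_BOUNDARY--\r\n"
)


def split_signed(raw):
    """Return (signed_part, armored_signature) from a multipart/signed mail.

    signed_part is exactly what the signer hashed: the first body part including
    its own headers, with CRLF line endings and without the CRLF that belongs to
    the boundary after it (RFC 3156 section 5). Re-wrapping it breaks verification.
    """
    raw = re.sub(rb"\r?\n", b"\r\n", raw)  # a mail saved with bare LF still verifies
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="?([^"\r\n;]+)"?', head, re.I)
    if m is None or not re.search(rb"multipart/signed", head, re.I):
        raise ValueError("not a multipart/signed message")
    delim = b"\r\n--" + m.group(1)
    parts = (b"\r\n" + body).split(delim)  # [preamble, signed part, signature part, "--" tail]
    if len(parts) < 3:
        raise ValueError("expected a signed part and a signature part")
    signed = parts[1].split(b"\r\n", 1)[1]  # drop the remainder of the boundary line
    sig_part = parts[2].split(b"\r\n", 1)[1]
    _, _, signature = sig_part.partition(b"\r\n\r\n")  # skip the signature part's headers
    return signed, signature


def write_for_gpg(raw, signed_path="signed.txt", sig_path="signature.asc"):
    """Write both pieces to disk and return the gpg command that checks them."""
    signed, signature = split_signed(raw)
    with open(signed_path, "wb") as f:
        f.write(signed)
    with open(sig_path, "wb") as f:
        f.write(signature + b"\n")
    return ["gpg", "--verify", sig_path, signed_path]
```

Running the returned command prints the same "Good signature" or "BAD signature" verdict that GPGTools shows in Mail.app.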
