
Re: public key

On Sun,29.Mar.09, 09:44:33, Daniel Dalton wrote:
> Hi,
> Okay, I've created my public key with gpg, how can I get mutt to use it
> now so I can sign all messages? And how do I encrypt mail?
From my ~/.mutt/muttrc

# GPG stuff
# sign all, encrypting can be selected before sending
set crypt_autosign

# I don't want S/MIME
unset crypt_autosmime

# decrypt without asking
set pgp_auto_decode

# cache the passphrase longer than the default 300 sec.
set pgp_timeout=3600

and in .gnupg/gpg.conf

keyserver x-hkp://subkeys.pgp.net
keyserver-options auto-key-retrieve include-disabled include-revoked timeout=10

You also need to publish your *public* key to a keyserver, but I forgot 
how you do it (it's some magic incantation using gpg, see 'man gpg').

> And when I sign a file, what's stopping someone else from doing:
> cp daniel's_signedfile.extention.sign ourfilename.txt.sign

You can't mess with a signed text without breaking the signature (that's 
the whole point of it).

> How can someone verify I created the file and the signature wasn't just
> copied and pasted?

GOOD verification is a bit more difficult. Right now I could only tell 
that the signature is *valid*, but there's no way to tell if it was you. 

Ideally you meet the other party in person and you exchange PGP 
signatures. This works for your family or close friends. On a larger 
scale (the Debian project has ~1000 developers and many of them never 
meet) you need a Web of Trust:

I never meet you, but maybe I meet with Ron and exchange signatures, and 
Ron meets you and exchanges signatures. If I receive a message from you, 
GPG can tell me that the message was indeed signed with the same secret 
key that Ron signed.

Whether that key really belongs to you is another question. The minimum 
that should be done when signing the key is some sort of ID check.

If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
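An added example, not part of this thread, for the "copy the .sign file onto another file" question above: it assumes GnuPG 2.1+ (`gpg`, `gpgconf`) is installed, generates a throwaway key in a scratch keyring, signs one file, and then checks the same detached signature against a different file. The key name and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail. A detached GPG signature covers
# the signed file's contents, so copying daniel's signature file onto another
# file gives a BAD signature rather than a "signed by Daniel" file.
# Assumes GnuPG 2.1+ ('gpg', 'gpgconf') is on PATH; everything happens in a
# temporary GNUPGHOME that is removed afterwards.
set -e

# Prints "original=<good|bad> copied=<good|bad>" and always returns 0, so it
# can be called under 'set -e'.
detached_sig_demo() {
    tmp=$(mktemp -d)
    export GNUPGHOME="$tmp/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Non-interactive test key with an empty passphrase (constructed identity).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Daniel Demo <daniel@example.invalid>' default default never

    printf 'The file Daniel actually signed.\n' > "$tmp/signed.txt"
    printf 'Some other file.\n' > "$tmp/other.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$tmp/signed.txt.sig" "$tmp/signed.txt"

    # 1) The genuine pairing verifies (exit status 0).
    orig=bad
    gpg --batch --quiet --verify "$tmp/signed.txt.sig" "$tmp/signed.txt" 2>/dev/null && orig=good

    # 2) The copied signature does not: gpg reports "BAD signature" and exits non-zero,
    #    because the signature is over a hash of signed.txt, not of other.txt.
    cp "$tmp/signed.txt.sig" "$tmp/other.txt.sig"
    copied=bad
    gpg --batch --quiet --verify "$tmp/other.txt.sig" "$tmp/other.txt" 2>/dev/null && copied=good

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    echo "original=$orig copied=$copied"
}

# Usage: only runs when gpg is installed.
command -v gpg >/dev/null 2>&1 && detached_sig_demo
```

Verifying the signature still only tells you the key that made it; whether that key belongs to Daniel is the separate question the web of trust answers.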

Attachment: signature.asc
Description: Digital signature