On Sun,29.Mar.09, 09:44:33, Daniel Dalton wrote: > Hi, > > Okay, I've created my public key with gpg, how can I get mutt to use it > now so I can sign all messages? And how do I encrypt mail? From my ~/.mutt/muttrc # GPG stuff # sign all, encrypting can be selected before sending set crypt_autosign # I don't want S/MIME unset crypt_autosmime # decrypt without asking set pgp_auto_decode # cache the passphrase longer than the default 300 sec. set pgp_timeout=3600 and in .gnupg/gpg.conf keyserver x-hkp://subkeys.pgp.net keyserver-options auto-key-retrieve include-disabled include-revoked timeout=10 use-agent You also need to publish your *public* key to a keyserver, but I forgot how you do it (it's some magic incantation using gpg, see 'man gpg'). > And when I sign a file, what's stopping someone else from doing: > cp daniel's_signedfile.extention.sign ourfilename.txt.sign You can't mess with a signed text without breaking the signature (that's the whole point of it) > How can someone verify I created the file and the signiture wasn't just > copied and pasted? GOOD verification is a bit more difficult. Right now I could only tell that the signature is *valid*, but there's no way to tell if it was you. Ideally you meet the other party in person and you exchange PGP signatures. This works for your family or close friends. On a larger scale (the Debian project has ~1000 developers and many of them never meet) you need a Web of Trust: I never meet you, but maybe I meet with Ron and exchange signatures and Ron meets you and exchange signatures. If I receive a message from you GPG can tell me that the message was indeed signed with the same secret key that Ron signed. Whether that key really belongs to you is another question. The minimum that should be done when signing the key is some sort of ID check. Regards, Andrei -- If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
Attachment:
signature.asc
Description: Digital signature