# -*-muttrc-*- # # Command formats for gpg. # # Version notes: # # GPG 2.1 introduces the option "--pinentry-mode", which requires # the "loopback" argument in instances where "--passphrase-fd" is # used. # # Some of the older commented-out versions of the commands use gpg-2comp from: # http://70t.de/download/gpg-2comp.tar.gz # # %p The empty string when no passphrase is needed, # the string "PGPPASSFD=0" if one is needed. # # This is mostly used in conditional % sequences. # # %f Most PGP commands operate on a single file or a file # containing a message. %f expands to this file's name. # # %s When verifying signatures, there is another temporary file # containing the detached signature. %s expands to this # file's name. # # %a In "signing" contexts, this expands to the value of the # configuration variable $pgp_sign_as, if set, otherwise # $pgp_default_key. You probably need to # use this within a conditional % sequence. # # %r In many contexts, neomutt passes key IDs to pgp. %r expands to # a list of key IDs. # Section A: Key Management # The default key for encryption (used by $pgp_self_encrypt and # $postpone_encrypt). # # It will also be used for signing unless $pgp_sign_as is set to a # key. # # Unless your key does not have encryption capability, uncomment this # line and replace the keyid with your own. # set crypt_use_gpgme=yes set crypt_autosign=yes set crypt_verify_sig=yes set crypt_replysign=yes set crypt_replyencrypt=yes set crypt_replysignencrypted=yes set crypt_autoencrypt = yes set pgp_default_key= BA92244CBEE0980DE926C49F57428AA6F93E4FE8 set pgp_check_gpg_decrypt_status_fd set pgp_use_gpg_agent = yes set pgp_self_encrypt = yes # If you have a separate signing key, or your key _only_ has signing # capability, uncomment this line and replace the keyid with your # signing keyid. # # set pgp_sign_as="0x87654321" # Section B: Commands # Note that we explicitly set the comment armor header since GnuPG, when used # in some localiaztion environments, generates 8bit data in that header, thereby # breaking PGP/MIME. # decode application/pgp # set pgp_decode_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - %f" # Verify a signature # set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f" # Decrypt an attachment # set pgp_decrypt_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - --decrypt %f" # Create a PGP/MIME signed attachment # # set pgp_sign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f" # set pgp_sign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --detach-sign %f" # Create a application/pgp inline signed message. This style is obsolete but still needed for Hushmail recipients and some MUAs. # # set pgp_clearsign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f" # set pgp_clearsign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --clearsign %f" # Create an encrypted attachment (note that some users include the --always-trust option here) # # set pgp_encrypt_only_command="/usr/lib/neomutt/pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f" # set pgp_encrypt_only_command="/usr/lib/neomutt/pgpewrap gpg --batch --quiet --no-verbose --output - --textmode --armor --encrypt -- --recipient %r -- %f" # Create an encrypted and signed attachment (note that some users include the --always-trust option here) # # set pgp_encrypt_sign_command="/usr/lib/neomutt/pgpewrap gpg-2comp %?p?--passphrase-fd 0? -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f" # set pgp_encrypt_sign_command="/usr/lib/neomutt/pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - %?a?--local-user %a? --armor --sign --encrypt -- --recipient %r -- %f" # Import a key into the public key ring # set pgp_import_command="gpg --no-verbose --import %f" # Export a key from the public key ring # set pgp_export_command="gpg --no-verbose --armor --export %r" # Verify a key # set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r" # Read in the public key ring # note: the second --with-fingerprint adds fingerprints to subkeys # set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-keys %r" # Read in the secret key ring # note: the second --with-fingerprint adds fingerprints to subkeys # set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-secret-keys %r" # Fetch keys # set pgp_getkeys_command="pkspxycwrap %r" # pattern for good signature - may need to be adapted to locale! # OK, here's a version which uses gnupg's message catalog: # set pgp_good_sign="^gpgv?: Good signature from" # set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`" # # Output pattern to indicate a valid signature using --status-fd messages set pgp_good_sign="^\\[GNUPG:\\] GOODSIG" # Output pattern to verify a decryption occurred # This is now deprecated by pgp_check_gpg_decrypt_status_fd: # set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY" set pgp_check_gpg_decrypt_status_fd