1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
# -*-muttrc-*-
#
# Command formats for gpg.
#
# Version notes:
#
# GPG 2.1 introduces the option "--pinentry-mode", which requires
# the "loopback" argument in instances where "--passphrase-fd" is
# used.
#
# Some of the older commented-out versions of the commands use gpg-2comp from:
# http://70t.de/download/gpg-2comp.tar.gz
#
# %p The empty string when no passphrase is needed,
# the string "PGPPASSFD=0" if one is needed.
#
# This is mostly used in conditional % sequences.
#
# %f Most PGP commands operate on a single file or a file
# containing a message. %f expands to this file's name.
#
# %s When verifying signatures, there is another temporary file
# containing the detached signature. %s expands to this
# file's name.
#
# %a In "signing" contexts, this expands to the value of the
# configuration variable $pgp_sign_as, if set, otherwise
# $pgp_default_key. You probably need to
# use this within a conditional % sequence.
#
# %r In many contexts, neomutt passes key IDs to pgp. %r expands to
# a list of key IDs.
# Section A: Key Management
# The default key for encryption (used by $pgp_self_encrypt and
# $postpone_encrypt).
#
# It will also be used for signing unless $pgp_sign_as is set to a
# key.
#
# Unless your key does not have encryption capability, uncomment this
# line and replace the keyid with your own.
#
set crypt_use_gpgme
set crypt_autosign
set crypt_verify_sig
set crypt_replysign
set crypt_replyencrypt
set crypt_replysignencrypted
set crypt_autoencrypt
set pgp_default_key= 198466C2F5664940F73A1715B87B63C533C38A88
set pgp_check_gpg_decrypt_status_fd
set pgp_use_gpg_agent
set pgp_self_encrypt
# If you have a separate signing key, or your key _only_ has signing
# capability, uncomment this line and replace the keyid with your
# signing keyid.
#
# set pgp_sign_as="0x87654321"
# Section B: Commands
# Note that we explicitly set the comment armor header since GnuPG, when used
# in some localiaztion environments, generates 8bit data in that header, thereby
# breaking PGP/MIME.
# decode application/pgp
#
set pgp_decode_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
# Verify a signature
#
set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"
# Decrypt an attachment
#
set pgp_decrypt_command="gpg --status-fd=2 %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --quiet --batch --output - --decrypt %f"
# Create a PGP/MIME signed attachment
#
# set pgp_sign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
#
set pgp_sign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --detach-sign %f"
# Create a application/pgp inline signed message. This style is obsolete but still needed for Hushmail recipients and some MUAs.
#
# set pgp_clearsign_command="gpg-2comp --comment '' --no-verbose --batch --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
#
set pgp_clearsign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --no-verbose --batch --quiet --output - --armor --textmode %?a?--local-user %a? --clearsign %f"
# Create an encrypted attachment (note that some users include the --always-trust option here)
#
# set pgp_encrypt_only_command="/usr/lib/neomutt/pgpewrap gpg-2comp -v --batch --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
#
set pgp_encrypt_only_command="/usr/lib/neomutt/pgpewrap gpg --batch --quiet --no-verbose --output - --textmode --armor --encrypt -- --recipient %r -- %f"
# Create an encrypted and signed attachment (note that some users include the --always-trust option here)
#
# set pgp_encrypt_sign_command="/usr/lib/neomutt/pgpewrap gpg-2comp %?p?--passphrase-fd 0? -v --batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
#
set pgp_encrypt_sign_command="/usr/lib/neomutt/pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - %?a?--local-user %a? --armor --sign --encrypt -- --recipient %r -- %f"
# Import a key into the public key ring
#
set pgp_import_command="gpg --no-verbose --import %f"
# Export a key from the public key ring
#
set pgp_export_command="gpg --no-verbose --armor --export %r"
# Verify a key
#
set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r"
# Read in the public key ring
# note: the second --with-fingerprint adds fingerprints to subkeys
#
set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-keys %r"
# Read in the secret key ring
# note: the second --with-fingerprint adds fingerprints to subkeys
#
set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-secret-keys %r"
# Fetch keys
# set pgp_getkeys_command="pkspxycwrap %r"
# pattern for good signature - may need to be adapted to locale!
# OK, here's a version which uses gnupg's message catalog:
# set pgp_good_sign="^gpgv?: Good signature from"
# set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`"
#
# Output pattern to indicate a valid signature using --status-fd messages
set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"
# Output pattern to verify a decryption occurred
# This is now deprecated by pgp_check_gpg_decrypt_status_fd:
# set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY"
set pgp_check_gpg_decrypt_status_fd
|