
#1 2023-03-25 14:01:02

gary8588
Member
Registered: 2022-08-09
Posts: 24

GnuPG sending mail from terminal

Hello!

I hope somebody can clear me up on this.

I have created a couple of GPG keypairs and imported them into Thunderbird. I can now send encrypted emails between those email accounts and Thunderbird (as it should) shows me this message indicating all is fine.

Now I'd like to send encrypted emails from the terminal (same computer). So I do this:

    gpg -eas --local-user 0x123456789 -r 0x123456789 test.txt

This will prompt me to enter the passphrase and then produce a file test.txt.asc which I can then send using this command:

    cat test.txt.asc | mailx -s "subject" -S smtp-use-starttls -S smtp-auth=login -S smtp=smtp://$smtp -S from=$sender -S smtp-auth-user=$sender -S smtp-auth-password=$password $recipient

I receive the mail in Thunderbird and the encryption part is fine. However, Thunderbird shows me this warning message

Why is that? Is this some limitation of Thunderbird perhaps or am I doing something wrong on the terminal?

Offline

#2 2023-03-25 16:58:32

mpan
Member
Registered: 2012-08-01
Posts: 1,207
Website

Re: GnuPG sending mail from terminal

It seems you did not mark sender’s key as verified in Thunderbird’s key manager. Go to the manager, open key properties for sender’s public key, mark it as verified.

While this particular case seems like your mistake, in general using PGP in Thunderbird became a pain after Enigmail’s demise. So expect a lot more bumps ahead.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#3 2023-03-25 18:00:35

gary8588
Member
Registered: 2022-08-09
Posts: 24

Re: GnuPG sending mail from terminal

Thanks for the tip!

However I do not see any option to mark my keys (I have both secret and public key since they were imported by me) as verified. Basically I see this window

This shouldn't even be the case since any email sent from Thunderbird correctly marks it already on the receiving part as verified. I feel like it is either some sort of bug or I am missing some option on the terminal.

Hopefully I am not asking for too much but are you (or anyone else) in the position to reproduce the steps I took?

Situation 1 (Thunderbird only):
  • Create 2 email accounts in Thunderbird

  • Create 2 sets of GPG keys

  • Import GPG keys in Thunderbird for both accounts via Tools -> OpenPGP Key Manager

  • Send an encrypted and signed email from one account to the other account

  • Result: Thunderbird should show 2 green checkmarks indicating that both encryption and signature are verified

Situation 2 (Terminal only)
  • Create file text.txt with some text as content

  • Run the following command to sign and encrypt the previously created text.txt file and substitute appropriate values. The first command helps identify the key ID for both GPG keys (0x1234567, ...)

    gpg --keyid-format 0xLONG -k
    gpg -eas --local-user $key-id-sender -r $key-id-receiver test.txt
  • Send email via

    cat test.txt.asc | mailx -s "subject" -S smtp-use-starttls -S smtp-auth=login -S smtp=smtp://$smtp -S from=$sender -S smtp-auth-user=$sender -S smtp-auth-password=$password $recipient
  • Result: Thunderbird shows for some reason that the signature has not yet been verified

Expected Result: Email sent via terminal should already be shown as verified in Thunderbird but it is not as Situation 2 shows.

Thank you

Last edited by gary8588 (2023-03-25 20:16:40)

Offline
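Added example, not part of the original posts: one way to check the terminal half of the steps above from gpg's side is to read its machine-readable status output, which reports whether the signature is good and how far the local keyring trusts the signing key as two separate facts. The status lines are constructed samples with placeholder key IDs, `classify_status` is a hypothetical helper name, and gpg's trust level is its own keyring's value, not Thunderbird's acceptance setting.

```bash
#!/usr/bin/env bash
# Real input would come from gpg itself (file name as used in the thread):
#   gpg --status-fd 3 --decrypt test.txt.asc 3>status.log >/dev/null
#   classify_status < status.log

classify_status() {
    # Reads gpg status lines on stdin, prints "sig=<state> key=<trust level>".
    local sig="none" trust="unknown" tag keyword rest
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG) sig="good" ;;
            BADSIG)  sig="bad" ;;
            ERRSIG)  sig="unchecked" ;;   # e.g. signer's public key is missing
            EXPSIG|EXPKEYSIG|REVKEYSIG) sig="good-but-expired-or-revoked" ;;
            # TRUST_ULTIMATE, TRUST_FULLY, TRUST_MARGINAL, TRUST_UNDEFINED, TRUST_NEVER
            TRUST_*) trust=$(printf '%s' "${keyword#TRUST_}" | tr 'A-Z' 'a-z') ;;
        esac
    done
    printf 'sig=%s key=%s\n' "$sig" "$trust"
}

# Constructed samples (placeholder key IDs and addresses).
# Signer's key was generated in this keyring, so gpg trusts it ultimately.
SAMPLE_OWN_KEY='[GNUPG:] ENC_TO 1111111111111111 1 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 2222222222222222 Sender (constructed) <sender@example.org>
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Same message, but the signer's public key was only imported, never certified.
SAMPLE_IMPORTED_KEY='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 2222222222222222 Sender (constructed) <sender@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Message body altered after signing.
SAMPLE_TAMPERED='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] BADSIG 2222222222222222 Sender (constructed) <sender@example.org>'

# Encrypted with -e only, no -s.
SAMPLE_UNSIGNED='[GNUPG:] DECRYPTION_OKAY'

for sample in "$SAMPLE_OWN_KEY" "$SAMPLE_IMPORTED_KEY" "$SAMPLE_TAMPERED" "$SAMPLE_UNSIGNED"; do
    printf '%s\n' "$sample" | classify_status
done
```

A result of `sig=good` with `key=undefined` means the message is intact and only the decision about the key is outstanding.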

#4 2023-03-26 16:50:13

mpan
Member
Registered: 2012-08-01
Posts: 1,207
Website

Re: GnuPG sending mail from terminal

gary8588 wrote:

However I do not see any option to mark my keys (I have both secret and public key since they were imported by me) as verified. Basically I see this window

This is a window for your own key. For other people’s key properties window looks like this.



Offline

#5 2023-03-26 17:37:16

gary8588
Member
Registered: 2022-08-09
Posts: 24

Re: GnuPG sending mail from terminal

mpan wrote:

This is a window for your own key. For other people’s key properties window looks like this.

Yes exactly, both keys (private/public) on both accounts are my own. I can't mark them as verified since the key properties window does not offer the option to do this.
I start to believe this might be a bug/limitation in Thunderbird.

Offline

#6 2023-03-26 23:38:06

mpan
Member
Registered: 2012-08-01
Posts: 1,207
Website

Re: GnuPG sending mail from terminal

I did not know that. If that’s the case: I can’t confirm with 100% certainty. But — given my experience with Thunderbird’s approach to the subject — I would say it is very likely its limitation.

Remember you do not need to use your actual key for tests. You may create a separate one in GnuPG just for testing.

At this point the obligatory reminder about having backups of your keys, as the chance of removing the real private key is higher during testing. :)



Offline

#7 2023-03-27 16:43:18

gary8588
Member
Registered: 2022-08-09
Posts: 24

Re: GnuPG sending mail from terminal

mpan wrote:

I did not know that. If that’s the case: I can’t confirm with 100% certainty. But — given my experience with Thunderbird’s approach to the subject — I would say it is very likely its limitation.

Alright thanks, I'll just gloss over it then, no big deal.

mpan wrote:

Remember you do not need to use your actual key for tests. You may create a separate one in GnuPG just for testing.

Agreed, I now did create another pair of keys without importing them into Thunderbird, just importing and accepting the public key from an email sent from terminal does give me the option to correctly verify my public key and all is fine. However once I also import my private key into Thunderbird it will state "accepted, not verified" again. Strange but I'll not bother with this any longer.

mpan wrote:

At this point the obligatory reminder about having backups of your keys, as the chance of removing the real private key is higher during testing. :)

Thanks for the reminder! I do have all keys backed up in my keepassxc database file and this is replicated onto several computers as well as a backup in "the cloud".

Offline
