pazz / alot

Terminal-based Mail User Agent
GNU General Public License v3.0

Import public keys #336

Open ghost opened 12 years ago

ghost commented 12 years ago

I would like to be able to import public keys attached to a message into a given keyring.

pazz commented 12 years ago

i have decided to use gnupg directly for these things instead of using mime (until s/o convinces me otherwise). so: you can help by collecting the appropriate shell-commands :)

pazz commented 11 years ago

Actually, isn't there a nice interactive terminal tool that eats .asc files and does what you want? You could set up your mail cap accordingly and just open the attached file...

foobacca commented 11 years ago

Just browsing around and looked into this. It looks like the relevant line for mailcap is:

application/pgp-keys; gpg --import --interactive --verbose;needsterminal

lucc commented 7 years ago

Has any of you tried this? If it works I would move it to the docs (or the wiki). Sadly people seldom send me gpg keys.

pazz commented 6 years ago

ftr: https://github.com/pazz/alot/wiki/Contrib-Hooks#import-gpg-keys

varac commented 6 years ago

It would be nice to have a native implementation in alot since the import-gpg-keys example doesn't work for me.

teythoon commented 6 years ago

FTR, instead of doing this I would love to see alot adopt Autocrypt instead once notmuch gains support for that.

varac commented 6 years ago

s/instead of/besides/

teythoon commented 6 years ago

No. Importing keys attached to mails is a bit dangerous, because you can feed people arbitrary keys, and depending on their trust model and understanding of the situation that can lead to people using them.

Encouraging this by providing first class support is not a feature in my book.

varac commented 6 years ago

@teythoon I agree that you can maliciously attach bad keys, but I don't understand how autocrypt would help in this case? I mean, you can as easily forge a mail with a malicious key using autocrypt headers.

Also, your argument would lead to disabling attachment handling in general in alot, because it's easy to attach malicious attachments (viruses etc). I'd like it if alot didn't step in between here and let users import gpg key attachments as easily as opening a PDF etc.

dcbaker commented 6 years ago

What exactly are you trying to do @varac? I have gpg --import in my mailcap for gpg keys (at least the way caff attaches them), so that I can get all of the keys easily gathered up after signing.

varac commented 6 years ago

@dcbaker I have a mail with an attached gpg key (application/pgp-keys:0x12345678.asc (3KiB)) and want an easy way to import it from alot. I added

application/pgp-keys; gpg --import --interactive --verbose;needsterminal

to my ~/.mailcap but selecting the gpg key attachment I get

gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

From the debug log:

DEBUG:ui:Got key (['enter'], [10])
DEBUG:ui:cmdline: 'select'
DEBUG:ui:thread command string: "select"
DEBUG:__init__:mode:thread got commandline "select"
DEBUG:__init__:ARGS: [u'select']
DEBUG:__init__:cmd parms {}
INFO:thread:open attachment
INFO:thread:open attachment
DEBUG:globals:{'spawn': False}
DEBUG:globals:cmdlist: ['gpg', '--import', '--interactive', '--verbose']
INFO:globals:calling external command: ['gpg', '--import', '--interactive', '--verbose']

dcbaker commented 6 years ago

I think that should be: application/pgp-keys; gpg --import --interactive --verbose %s; needsterminal;

Without that %s you're not actually passing anything to gpg

varac commented 6 years ago

@dcbaker: Awesome, problem solved :D Thanks!

varac commented 6 years ago

Well, at least for application/pgp-keys mime type keys. I have another mail with a text/plain:01234567.asc gpg key attachment and don't know how to handle this, because I don't want to pipe all text/plain attachments through gpg --import. Here an alot gpg-key-import could help if I understand this issue correctly.

dcbaker commented 6 years ago

I added the mailcap entry to the wiki.

Whoever sent an attachment with the wrong mime type needs to knock that off. I'm very skeptical of code trying to handle pgp keys attached as the wrong mime types, and would push back hard against that.

teythoon commented 6 years ago

@varac it is true that autocrypt level 1 does not try to protect against active attackers, but at least they don't blindly import everything into one's keyring (though --interactive indeed helps). What they do instead is to associate key data with the sender's address.
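
An added example, not part of the thread and not alot's or the wiki's code: a mailcap helper that addresses both points raised above, passing the attachment via %s and not importing blindly. It lists the user IDs and fingerprints in the attached file without modifying the keyring, and imports only after explicit confirmation. The script name alot-key-preview and its exit codes are assumptions; it handles ASCII-armored keys only and assumes a GnuPG version that supports --import-options show-only.

```shell
#!/bin/sh
# Hypothetical helper (name is an assumption). Intended mailcap entry:
#   application/pgp-keys; alot-key-preview %s; needsterminal;

# Return 0 only if the file carries an ASCII-armored *public* key block.
has_pubkey_armor() {
    grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" 2>/dev/null
}

# Preview the key material, then import only on explicit confirmation.
# Exit codes (assumed convention): 2 = not a key file, 1 = gpg could not
# parse it, 3 = user declined, 0 = imported.
preview_and_import() {
    file=$1
    if ! has_pubkey_armor "$file"; then
        echo "no armored public key block in $file, refusing" >&2
        return 2
    fi

    # show-only prints user IDs and fingerprints; the keyring is untouched.
    gpg --import-options show-only --import -- "$file" || return 1

    # The user ID in an attached key is whatever the sender typed, so the
    # decision has to rest on a fingerprint obtained through another channel.
    printf 'Fingerprint checked out of band? Type "import" to add the key: '
    read -r answer
    if [ "$answer" != "import" ]; then
        echo "not imported" >&2
        return 3
    fi

    gpg --import -- "$file"
}

# Run only when called with an attachment path (as mailcap does via %s).
if [ $# -gt 0 ]; then
    preview_and_import "$1"
fi
```
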