Simpler GnuPG & Mutt configuration with GPGME

I was consulting the Mutt documentation recently when the intriguingly-named crypt_use_gpgme variable caught my eye. I set up GnuPG with Mutt years ago and haven’t touched it since, but I remember it being a surprisingly complex procedure. Lots of config lines defining commands like gpg --no-verbose --batch --output - --verify %s %f for mutt to fork separate gpg processes for each operation.

GPGME provides a standardised API for applications to use instead of all the esoteric manual config. The official intro has this to say:

Because the direct use of GnuPG from an application can be a complicated programming task, it is suggested that all software should try to use GPGME instead. This way bug fixes or improvements can be done at a central place and every application benefits from this.

This sounded sensible and I wanted to learn more: perhaps this was a way to simplify my config files and improve integration with gpg-agent and KWallet.

I was surprised by just how simple it turned out to be, but I was also surprised that there isn’t more written about this.

Most guides online (such as Jason Ryan’s) reference the venerable (and still well worth reading) Everything You Need To Know To Start Using GnuPG with Mutt by Justin Miller from September 2001.

Indeed the official Mutt wiki section on GnuPG makes no mention of GPGME. The GnuPG FAQ itself has only this to say regarding Mutt, with no explanation:

For best experience make sure to put “set crypt_use_gpgme” in your ~/.muttrc file.

The entire Mutt documentation for the crypt_use_gpgme variable is as follows:

This variable controls the use of the GPGME-enabled crypto backends. If it is set and Mutt was built with gpgme support, the gpgme code for S/MIME and PGP will be used instead of the classic code. Note that you need to set this option in .muttrc; it won’t have any effect when used interactively.

Every guide I found online for setting up Mutt with GnuPG refers to very old versions of both applications, with no mention of the much simpler configuration method that has been available for approximately 10 years now.

These notes are a small attempt to help move things in the right direction.

Assumptions

  1. Mutt ≥ 1.5. It’s been available since June 2004 so there’s no excuse for still using 1.4.

  2. You have GPGME installed. It’s packaged for just about every known distro: as gpgme in Fedora/RHEL/CentOS, libgpgme11 in Debian, gpgme in Homebrew etc. It had its 1.0 release in September 2004 so it’s pretty well tested by now.

  3. Mutt compiled with GPGME support. This is pretty standard, confirm it with mutt -v | grep -i gpgme.

  4. You have GnuPG installed & configured. This is obviously a huge topic in itself, one which I won’t cover here as it’s far beyond the scope of this small writeup. If you need help with this, I suggest the GnuPG Handbook and/or the Arch Linux wiki page.
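As an added example (not from the original post), here is a stricter form of the check in assumption 3. mutt -v prints every compile option with a + (built in) or - (built out) prefix, so a plain grep -i gpgme also matches a build that has the backend compiled out as -CRYPT_BACKEND_GPGME; the function below classifies the dump by the +CRYPT_BACKEND_GPGME token instead. The sample dumps are constructed and abridged.

```shell
#!/bin/sh
# Added example, not from the original post: classify a "mutt -v" dump by
# the GPGME crypto-backend token in its "Compile options:" section.
# Assumes Mutt lists each option as +NAME (built in) or -NAME (built out),
# e.g. "+CRYPT_BACKEND_GPGME" / "-CRYPT_BACKEND_GPGME".
# Prints one word and returns 0 = enabled, 1 = compiled out, 2 = unknown.
gpgme_backend_status() {
    # $1 holds the full text of "mutt -v"
    case "$1" in
        *+CRYPT_BACKEND_GPGME*) echo enabled;  return 0 ;;
        *-CRYPT_BACKEND_GPGME*) echo disabled; return 1 ;;
        *)                      echo unknown;  return 2 ;;
    esac
}

# Wrapper for a live system: run mutt -v and classify its output.
check_mutt_gpgme() {
    if ! command -v mutt >/dev/null 2>&1; then
        echo "mutt not found in PATH" >&2
        return 2
    fi
    gpgme_backend_status "$(mutt -v 2>/dev/null)"
}

# Constructed sample dumps (abridged; a real mutt -v prints far more).
SAMPLE_ENABLED='Mutt 1.5.x (sample build)
Compile options:
-DOMAIN -DEBUG +USE_DOTLOCK +CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_GPGME'
SAMPLE_DISABLED='Mutt 1.5.x (sample build)
Compile options:
-DOMAIN -DEBUG +USE_DOTLOCK +CRYPT_BACKEND_CLASSIC_PGP -CRYPT_BACKEND_GPGME'

# Only add crypt_use_gpgme when the backend is really present.
emit_muttrc_line() {
    if [ "$(gpgme_backend_status "$1")" = enabled ]; then
        echo 'set crypt_use_gpgme=yes'
    else
        echo '# mutt was built without GPGME; crypt_use_gpgme would be ignored'
    fi
}
```

Run check_mutt_gpgme on a real machine; emit_muttrc_line shows how the result gates the single config line from the next section.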

Configuration

Given the above, you can replace your entire existing GnuPG/Mutt config with the following single line…

set crypt_use_gpgme=yes

…and it will probably “just work”.

However, there’s a little more to it, and it’s worth going over some of the other options. With just that line, the standard p menu in Mutt should now allow you to manually sign/verify/encrypt etc. as if you’d explicitly configured everything with pgp_verify_command etc.

To enable automatic signing of all outgoing messages, and verification of all signatures when opening messages, you can add the following:

set crypt_autosign=yes
set crypt_verify_sig=yes

To enable the common practice of automatically signing replies to signed messages, and signing & encrypting replies to encrypted messages, add these lines:

set crypt_replysign=yes
set crypt_replyencrypt=yes
set crypt_replysignencrypted=yes

Interestingly, the Mutt docs also mention a crypt_use_pka variable which enables PKA: a new and rather rare means of key verification via DNS. The main documentation for this is a PDF paper written by Werner Koch, a primary GnuPG developer. Unfortunately for me it’s written in German. I was however able to find this post from Werner to the gnupg-devel mailing list explaining it in English. It’s rather fascinating, hopefully it will take off as DNSSEC becomes more widespread.

Lastly, when I’m configuring Mutt for GnuPG I like to add a custom header with a public key link to all my outgoing mail:

my_hdr OpenPGP: url=http://henrytodd.org/0xBE0E47FC.asc\; id=BE0E47FC

I’ve uploaded my new gpg.rc file as a gist, in case you’d like to copy/paste the whole thing.