For some strange reason, I’ve been receiving a lot of GPG-signed mail from Debian Developers and Maintainers lately. In response to each of these mails, I need to send a GPG-encrypted reply. The rate at which I’m able to send replies has been significantly hampered by the poor state in which many DDs/DMs maintain their GPG keys. Here are a few common mistakes, so you can consider correcting them.
Ensure you have a UID for the email address(es) you use
When I send an encrypted mail, I need to be sure that the recipient is legit. This means any decent mail client should refuse to send an encrypted message to email@example.com unless that email address is known somehow to GPG. In many cases, someone with a valid key for firstname.lastname@example.org would send their signed mail from email@example.com without that being a valid UID. In some cases, firstname.lastname@example.org isn’t even a valid email address anymore (i.e. the bar.com mail server says no such mailbox).
You should have a UID for each address you use.
Signatures are per-UID
You may well have a valid UID for email@example.com, firstname.lastname@example.org, and email@example.com – but the PGP trust model doesn’t automatically trust every UID as much as its peers. Each individual UID needs to be trusted (i.e. signed/uploaded) by others. What if you added firstname.lastname@example.org as a UID – should that automatically be trusted? Clearly not. Just because you have email@example.com doesn’t mean it’s trusted for encryption without some signatures.
Make sure you actually have an encrypting subkey
GPG sucks, and reports only “Skipping unusable pubkey” when the real issue is a lack of valid encrypting subkeys. If you have revoked all encrypting subkeys, or allowed them to expire, then I cannot send you encrypted mail.
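An added example (not from the original post) that checks a key listing for the two problems above: no UID for the address mail is actually sent from, and no usable encryption subkey, which is what produces “Skipping unusable pubkey”. It parses `gpg --list-keys --with-colons` output; the listing below is a constructed sample, not a real key, and the field positions follow GnuPG’s DETAILS document.

```python
"""Check a GPG key listing for a UID matching an address and a usable
encryption subkey, the two reasons encrypted replies fail to send."""
import time

# Constructed sample of `gpg --list-keys --with-colons` output (not a real key):
# one primary key, one UID, and two encryption subkeys that are revoked (r)
# and expired (e) respectively. Fields are colon-separated, 1-based in DETAILS.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1600000000:1900000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1600000000::0000000000000000000000000000000000000000::Bob Bobbertson <bob@example.org>::::::::::0:
sub:r:4096:1:FEDCBA9876543210:1600000000:1900000000:::::e::::::23:
sub:e:4096:1:1111222233334444:1600000000:1650000000:::::e::::::23:
"""


def parse_listing(text):
    """Split colon-format records into (record_type, fields) tuples."""
    rows = (line.split(":") for line in text.splitlines())
    return [(f[0], f) for f in rows if f and f[0]]


def has_uid_for(records, email):
    """True if a non-revoked, non-expired UID (field 10) carries exactly <email>."""
    needle = "<%s>" % email.lower()
    return any(f[1] not in ("r", "e") and needle in f[9].lower()
               for t, f in records if t == "uid")


def primary_usable(records):
    """The primary key itself must not be revoked or expired (field 2)."""
    return all(f[1] not in ("r", "e") for t, f in records if t == "pub")


def usable_encryption_subkeys(records, now=None):
    """Key IDs of subkeys with the 'e' capability (field 12) that are neither
    revoked/expired (field 2) nor past their expiry timestamp (field 7)."""
    now = time.time() if now is None else now
    good = []
    for t, f in records:
        if t != "sub" or "e" not in f[11] or f[1] in ("r", "e"):
            continue
        if f[6] and int(f[6]) < now:
            continue
        good.append(f[4])
    return good


def can_encrypt_to(records, email, now=None):
    """Everything a mail client needs before it will encrypt to `email`."""
    return (primary_usable(records) and has_uid_for(records, email)
            and bool(usable_encryption_subkeys(records, now)))
```

Run it against your own listing with `gpg --list-keys --with-colons <keyid>` piped into `parse_listing`; an empty subkey list is the "unusable pubkey" case, and a failed `has_uid_for` is the missing-UID case.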
Exact naming matters
“Bob Bobbertson <firstname.lastname@example.org>” and “Böb Böbbërtsön <email@example.com>” are different people. Check your mail client’s “From:” setting, to ensure it matches your UID. If not, fix one of them.
Check your webmail plugin isn’t shit
Some people use third party plugins to integrate GPG into their webmail client (e.g. Hotmail or GMail). Make sure this actually works.
Don’t use Enigmail
Enigmail is a popular plugin to integrate GPG into Mozilla Thunderbird. It doesn’t work, in most cases. Almost every single BADSIG in my inbox is due to Enigmail. Thunderbird will insert spurious line wraps and escape characters into your mail after signing, resulting in invalid signatures.
It’s mostly okay if you never quote mail and keep message lines to about 70 characters.
I know plenty of Debian Developers don’t care about GPG other than for package signing – but please, for the sanity of the rest of us, take an occasional moment to care a little.
I should note that the worst offenders for keys which don’t “just work” were Developers with 1024D keys – the best behaved were Maintainers of all stripes.