Dear Debian Developers, lrn2gpg

For some strange reason, I’ve been receiving a lot of GPG-signed mail from Debian Developers and Maintainers lately. In response to each of these mails, I need to send a GPG-encrypted reply. The rate at which I’m able to send replies has been significantly hampered by the poor state in which many DDs/DMs maintain their GPG keys. Here are a few common mistakes, so you can consider correcting them.

Ensure you have a UID for the email address(es) you use

When I send an encrypted mail, I need to be sure that the recipient is legit. This means any decent mail client should refuse to send an encrypted message to foo@bar.com unless that email address is known somehow to GPG. In many cases, someone with a valid key for foo@bar.com would send their signed mail from foobar@gmail.com without that being a valid UID. In some cases, foo@bar.com isn’t even a valid email address anymore (i.e. the bar.com mail server says no such mailbox).

You should have a UID for each address you use.

Signatures are per-UID

You may well have a valid UID for foo@debian.org, foo@bar.com, and foobar@gmail.com – but the PGP trust model doesn’t automatically trust every UID as much as its peers. Each individual UID needs to be trusted (i.e. signed/uploaded) by others. What if you added billg@microsoft.com as a UID – should that automatically be trusted? Clearly not. Just because you have foo@debian.org doesn’t mean it’s trusted for encryption without some signatures.

Make sure you actually have an encrypting subkey

GPG sucks, and as a result, it reports “Skipping unusable pubkey” when the issue is a lack of valid encrypting subkeys. If you have revoked all encrypting subkeys, or allowed them to expire, then I cannot send you encrypted mail.

Exact naming matters

“Bob Bobbertson <foo@bar.com>” and “Böb Böbbërtsön <foo@bar.com>” are different people. Check your mail client’s “From:” setting, to ensure it matches your UID. If not, fix one of them.
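The four key checks above (a UID for the sending address, per-UID validity, a usable encrypting subkey, exact name match) can be run mechanically against the output of `gpg --with-colons --list-keys`. This is an added example, not part of the original post: the function names and the sample listing are constructed for illustration, and UID validity is whatever the local keyring computes from the signatures it holds.

```python
import re

UNUSABLE = set("idren")   # validity: invalid, disabled, revoked, expired, not valid
VALIDATED = set("fu")     # validity: full or ultimate

# Constructed listing: a 1024D key, one revoked UID, one unsigned UID, expired subkey.
SAMPLE = """\
pub:f:1024:17:1111111111111111:1100000000:::-:::scSC:
uid:f::::1100000000::::Bob Bobbertson <foo@debian.org>:
uid:-::::1300000000::::Bob Bobbertson <foobar@gmail.com>:
uid:r::::1100000000::::Bob Bobbertson <foo@bar.com>:
sub:e:2048:16:2222222222222222:1100000000:1200000000:::::e:
"""

def split_id(text):
    """Split 'Name <addr>' into (name, addr); a bare address has an empty name."""
    m = re.fullmatch(r"\s*(.*?)\s*<([^<>]+)>\s*", text)
    return (m.group(1), m.group(2).lower()) if m else ("", text.strip().lower())

def unescape(field):
    r"""gpg quotes special bytes in colon output as \xNN (a colon is \x3a)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def check_sender(colons, from_header):
    """Return the problems that would stop an encrypted reply to from_header."""
    name, addr = split_id(from_header)
    uids, enc_ok = [], False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            # field 2 is the UID's validity, field 10 the user ID string
            uids.append((f[1], *split_id(unescape(f[9]))))
        elif f[0] in ("pub", "sub") and len(f) > 11:
            # field 12: lowercase 'e' means this (sub)key itself can encrypt
            enc_ok |= "e" in f[11] and f[1] not in UNUSABLE
    problems = []
    matching = [u for u in uids if u[2] == addr and u[0] not in UNUSABLE]
    if not matching:
        problems.append("no usable UID for " + addr)
    else:
        if not any(u[0] in VALIDATED for u in matching):
            problems.append("UID for " + addr + " is not validated by signatures")
        if not any(u[1] == name for u in matching):
            problems.append("From name does not match any UID for " + addr)
    if not enc_ok:
        problems.append("no usable encryption subkey")
    return problems
```

Run against your own key, an empty list means a correspondent whose keyring matches yours should be able to encrypt to the address you send from.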

Check your webmail plugin isn’t shit

Some people use third party plugins to integrate GPG into their webmail client (e.g. Hotmail or GMail). Make sure this actually works.

Don’t use Enigmail

Enigmail is a popular plugin to integrate GPG into Mozilla Thunderbird. It doesn’t work, in most cases. Almost every single BADSIG in my inbox is due to Enigmail. Thunderbird will insert spurious line wraps and escape characters into your mail after signing, resulting in invalid signatures.

It’s mostly okay if you never quote mail, and restrict messages to about 70 characters.

I know plenty of Debian Developers don’t care about GPG other than for package signing – but please, for the sanity of the rest of us, take an occasional moment to care a little.

I should note that the worst offenders for keys which don’t “just work” were Developers with 1024D keys – the best behaved were Maintainers of all stripes.

11 Responses to “Dear Debian Developers, lrn2gpg”

  1. Ouch. If not Thunderbird + Enigmail, what other desktop client + plugin would you recommend?

  2. Evolution is almost entirely terrible, but GPG is one area it gets right consistently.

  3. @Swaroop C H, claws-mail + PGP/Mime plugin works well for me.

  4. According to Enigmail’s bugtracker at Sourceforge, some bugs that cause bad signatures will be fixed in the next release. Not sure if the bug you mention is part of the fixed ones, though.

  5. Thanks for this enlightening critique. Most likely it will be included in next Debian newsletter.

    You write that “In response to each of these mails, I need to send a GPG-encrypted reply.”

    Why do you feel the need to encrypt such replies? Seems to me that you are confusing identifiability and confidentiality here.

    Also, do you have suggestions for alternatives to users of Thunderbird? (I don’t use that myself, but my thought goes to non-techies – e.g. members of the European Parliament whom I am currently helping to start using PGP at all)

    – Jonas

  6. @Jonas Smedegaard, I absolutely don’t want to allow these keys (which are worth a fair bit of money) to fall into the hands of those who have no entitlement to one – use of encryption is a simple mechanism to force only Debian-keyring residents to have access.

    And I have no bright ideas for Thunderbird users – I’ve used Enigmail for years on Windows, and never seen it send a good key, so I gave up.

  7. @directhex, I regularly use enigmail+icedove w/ inline pgp and have never had problems w/ broken signatures. I wonder why your experiences are so different. Could HTML mail be the problem? Enigmail warns about that.

  8. @Jonas Smedegaard, I agree; when I receive a signed email, I usually reply with a signed email (unless I am adding sensitive info into the reply).

  9. fwiw, using enigmail with PGP/MIME (instead of Inline PGP) tends to avoid the problem of creating broken message signatures.

    I use enigmail 1.6 regularly with icedove (and i’m helping to maintain enigmail in debian) and it does not create broken signatures for me.

  10. I have no problems with broken signs with Enigmail and Icedove. Maybe this needs further investigation (on Debian, not on Windows) before making this an advice.

  11. mutt seems to work well with GnuPG
