![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to pgpemacs.doc CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [PGP] / pgp / contrib / emacs|
Return to pgpemacs.doc CVS log | Up to [PGP] / pgp / contrib / emacs |
1.1 ! root 1: Subject: Using PGP with Emacs Rmail ! 2: Date: 9 Oct 1992 14:39:10 GMT ! 3: From: [email protected] (Robert Anderson) ! 4: Lines: 319 ! 5: ! 6: ! 7: PGP with GNU Emacs Rmail Revision 1 ! 8: ------------------------ October 2, 1992 ! 9: ! 10: Here are some notes on using PGP 2.0 on a Unix platform, using ! 11: the Gnu Emacs "rmail" package to send and receive mail. ! 12: ! 13: First, it is inherently insecure to use PGP, or any encryption ! 14: program, on a multi-user system. There are just too many ways ! 15: for the system operators, or even ordinary users, to spy on what ! 16: you are doing. However, many people are only able to send and ! 17: receive mail on such machines, and it still may be useful for ! 18: them to be able to use PGP. The security is nowhere near as ! 19: great as it would be on a laptop PC which you keep chained to ! 20: your wrist at all times, but it should be good enough for casual ! 21: privacy. ! 22: ! 23: ! 24: FILTERING ! 25: ! 26: ! 27: PGP 2.0 has a "filter" mode invoked with the "-f" switch. Many ! 28: Unix mail reading tools have the ability to pass messages, or ! 29: portions of messages, through filter programs, returning the ! 30: result to the editing buffer. This general approach is what I ! 31: will discuss, as it applies specifically to Gnu Emacs. (I use ! 32: Gnu Emacs version 18.55.3, of Friday, July 26, 1991. But most of ! 33: the features discussed here should apply to almost any current ! 34: Gnu Emacs.) ! 35: ! 36: The Emacs command to pass a portion of a buffer through a filter ! 37: is "shell-command-on-region". On my machine, it is mapped to the ! 38: key M-|, which I activate by typing the escape key and then the ! 39: vertical bar key. By giving a prefix argument to this function, ! 40: which I do by typing control-U just before the M-|, the function ! 41: replaces the text in the buffer with the output of the filter. ! 42: ! 43: ! 44: ENCRYPTION ! 45: ! 46: ! 47: To encrypt a message, then, I first compose the message using the ! 48: "mail" function of Emacs. Then I set the Emacs "region" to ! 49: contain the message text (but not the headers at the top of the ! 50: message). This I do by the function "mark-whole-buffer", which ! 51: is mapped to control-X H on my system, then advancing the "point" ! 52: (cursor) down from the top of the page using control-N until I am ! 53: at the first line of the message I am sending. (This is the line ! 54: just beyond the separator line which Emacs creates called "--text ! 55: follows this line--".) This is how a sample message buffer will ! 56: look at this point: ! 57: ! 58: To: [email protected] ! 59: Subject: Test of PGP with Emacs ! 60: --text follows this line-- ! 61: Dear XYZ: ! 62: I hope you enjoy this encrypted PGP message. ! 63: Love, ABC. ! 64: ! 65: (The cursor is on the "D" of "Dear", and the "mark", which you ! 66: can't see, is at the end of the buffer.) ! 67: ! 68: With the region properly set to enclose the message text, I now ! 69: want to filter the message through PGP. The general idea is to ! 70: use control-U followed by M-|, but a problem arises if I do this. ! 71: ! 72: PGP, when run in filter mode, produces encrypted or decrypted ! 73: output based on its input. But in addition, it also produces a ! 74: few informational messages, such as the version information that ! 75: is printed for every run. PGP goes to some trouble to separate ! 76: these two kinds of output, putting the encrypted output to ! 77: "standard out", and the informational messages to "standard ! 78: error". Unfortunately, Emacs undoes PGP's efforts, combining ! 79: standard out and standard error into one stream. The result is ! 80: that using this Emacs filter function brings back not just the ! 81: encrypted message, but also the PGP informational messages. This ! 82: is what the output looks like: ! 83: ! 84: To: [email protected] ! 85: Subject: Test of PGP with Emacs ! 86: --text follows this line-- ! 87: Pretty Good Privacy 2.0 - Public-key encryption for the masses. ! 88: (c) 1990-1992 Philip Zimmermann, Phil's Pretty Good Software. 2 Sep 92 ! 89: Date: 1992/10/02 22:10 GMT ! 90: ! 91: ! 92: Recipient's public key will be used to encrypt. ! 93: Key for user ID: XYZ ! 94: 382-bit key, Key ID 5E7ADD, created 1992/09/27 ! 95: .-----BEGIN PGP MESSAGE----- ! 96: Version: 2.0 ! 97: ! 98: hDwC2RA+W2deet0BAX4iI1FcS9qz57OA2pd3T/tr7wcwzW5mHocwvlND+Un0aYac ! 99: Kq4qwjxpxr5rY/ABEAymAAAAWnZfbPeqdeXZGkFqCUny9tnVuew9JfSkzaGVIbpS ! 100: aTOxzNcWP7hgHVCW4FUyFgCUmGGBgIbbSUwisrQsMo0lUH4UxUjjKLYav+RGs8Z6 ! 101: 9SG3RzAnnpEdAhSSbQ== ! 102: =zAPP ! 103: -----END PGP MESSAGE----- ! 104: ! 105: This can be cleaned up manually by deleting all the characters ! 106: from the "Pretty Good Privacy" header down to the "." just before ! 107: "-----BEGIN PGP MESSAGE-----". But this is tedious. To avoid ! 108: this problem, I created a very simple shell script which I use to ! 109: run PGP. It looks like this: ! 110: ! 111: : ! 112: exec pgp $* 2>/dev/null ! 113: ! 114: I call this script "pgpq". The first line is just a colon, and ! 115: the second line just remaps standard error to /dev/null, causing ! 116: it to disappear, and passes all arguments along to PGP. The ! 117: result is that PGP's informational messages do not appear back in ! 118: the Emacs buffer when I run it as "pgpq". ! 119: ! 120: With this script, I can encrypt messages to be sent to other ! 121: people within Emacs. First I set the region with control-X H ! 122: followed by a few control-N's. Then I type control-U M-|. Emacs ! 123: prompts with the query "Shell command on region:". For ! 124: encryption of a message to user XYZ, I type: ! 125: ! 126: pgpq -fea XYZ ! 127: ! 128: The command is given as "pgpq" to get a cleaner output as ! 129: described above. The option letter "f" means to use filter mode; ! 130: "e" means to encrypt, and "a" means to get ASCII output. The ! 131: user name comes next. (For information on how to also sign a ! 132: message, see below.) The output of this command, for the example ! 133: above, looks like: ! 134: ! 135: To: [email protected] ! 136: Subject: Test of PGP with Emacs ! 137: --text follows this line-- ! 138: -----BEGIN PGP MESSAGE----- ! 139: Version: 2.0 ! 140: ! 141: hDwC2RA+W2deet0BAX4omw4gByFkFaHFko7qPBVq1Yh7EpgHnbZ5EebqFiQjr61I ! 142: Bz6t1tQZSloNJ4KhTYOmAAAAWi2Ja/oM0LvEi9fumi4IdKDQJ44ihatrM0AEYUi5 ! 143: CVJjj5YCuQUl5XT/s5cG+Gu6R5fTPtmQ94iBmIMUjOw+yEcCkIa5B87PmJJDusMC ! 144: f1K8VWsc2A2oAJIWqg== ! 145: =uvLF ! 146: -----END PGP MESSAGE----- ! 147: ! 148: Assuming user XYZ is on my key ring, the text of the message in ! 149: my buffer has been replaced by the encrypted form of the text. I ! 150: can then send the message on its way as usual. ! 151: ! 152: ! 153: DECRYPTION ! 154: ! 155: ! 156: I decrypt my incoming mail "in place", substituting the decrypted ! 157: text in place of the encrypted message. To do this using the ! 158: Emacs rmail package, the incoming mail message must be made ! 159: writable, using the "rmail-edit-current-message" function, mapped ! 160: to the letter "w" on my system. Then the steps below can be used ! 161: to decrypt the message. Afterwards, the "rmail-cease-edit" ! 162: function, mapped to "control-C control-C" on my system, is used ! 163: to "write back" the decrypted message. (If you like, after ! 164: reading the decrypted message but before writing it back you can ! 165: use "rmail-abort-edit", "control-C control-]" on my system, to ! 166: discard your changes and leave the encrypted message in place.) ! 167: ! 168: Decrypting an incoming message can be done in a similar manner to ! 169: encryption. First I set the Emacs "region" to enclose the PGP ! 170: portion of the message. Then it is piped through the "pgpq" ! 171: filter to get the decrypted result. ! 172: ! 173: However, the new element in the case of decryption is the need to ! 174: enter a pass phrase to activate your secret key. I solve this by ! 175: using the "PGPPASS" environment variable. If PGP is trying to ! 176: read your secret key and this environment variable exists, it ! 177: will try to use the value of this variable as your pass phrase. ! 178: ! 179: So, to do decryption, it is necessary to set this environment ! 180: variable before running the filter. This could be done by ! 181: setting the variable before Emacs is started, so it will inherit ! 182: the value from the shell. However, I use the Emacs variable ! 183: "process-environment", which contains the environment variables ! 184: and their values which are passed to sub-shells and filter ! 185: processes. I wrote a few small Emacs functions to make it easier ! 186: to set and clear PGPPASS from the "process-environment" variable. ! 187: They are: ! 188: ! 189: ! 190: ; PGP support ! 191: ; Strip from list-of-strings l, any string which matches str ! 192: (defun stripstrlist (l str) ! 193: (cond (l (cond ((string-match str (car l)) ! 194: (stripstrlist (cdr l) str)) ! 195: (t (cons (car l) (stripstrlist (cdr l) str))))))) ! 196: ! 197: ; Set PGPPASS environment variable from argument ! 198: (defun pgp-passphrase (arg) ! 199: (interactive "sPGP pass phrase: ") ! 200: (setq process-environment ! 201: (cons (concat "PGPPASS=" arg) ! 202: (stripstrlist process-environment "^PGPPASS=")))) ! 203: ! 204: ; Clear PGPPASS environment variable ! 205: (defun clear-pgp-passphrase () ! 206: (interactive) ! 207: (setq process-environment (stripstrlist process-environment "^PGPPASS="))) ! 208: ! 209: ! 210: I put this code in my Emacs startup file, ".emacs". To use it, I ! 211: do "M-X pgp-passphrase" to set the pass phrase. It prompts me, ! 212: and I enter the pass phrase I use. Generally, I set it once and ! 213: leave it set for the duration of an Emacs session, but I also can ! 214: use "M-X clear-pgp-passphrase" to clear the pass phrase from the ! 215: process-environment variable. ! 216: ! 217: Having set the pass phrase, decryption of incoming messages is ! 218: straightforward. I set the region, do control-U M-X, and when ! 219: Emacs prompts with "Shell command on region:" I reply: ! 220: ! 221: pgpq -f ! 222: ! 223: This causes the message to be decrypted, and the output to be put ! 224: back in the buffer, overwriting the encrypted data. Here is the ! 225: buffer before decryption: ! 226: ! 227: To: [email protected] ! 228: Subject: Test of PGP with Emacs ! 229: --text follows this line-- ! 230: -----BEGIN PGP MESSAGE----- ! 231: Version: 2.0 ! 232: ! 233: hDwC2RA+W2deet0BAX4omw4gByFkFaHFko7qPBVq1Yh7EpgHnbZ5EebqFiQjr61I ! 234: Bz6t1tQZSloNJ4KhTYOmAAAAWi2Ja/oM0LvEi9fumi4IdKDQJ44ihatrM0AEYUi5 ! 235: CVJjj5YCuQUl5XT/s5cG+Gu6R5fTPtmQ94iBmIMUjOw+yEcCkIa5B87PmJJDusMC ! 236: f1K8VWsc2A2oAJIWqg== ! 237: =uvLF ! 238: -----END PGP MESSAGE----- ! 239: ! 240: And here it is after setting the PGP pass phrase, putting the ! 241: region around the "PGP MESSAGE" part, and running "pgpq -f": ! 242: ! 243: To: [email protected] ! 244: Subject: Test of PGP with Emacs ! 245: --text follows this line-- ! 246: Dear XYZ: ! 247: I hope you enjoy this encrypted PGP message. ! 248: Love, ABC. ! 249: ! 250: ! 251: SIGNING AND ENCRYPTING ! 252: ! 253: ! 254: The technique of setting the PGPPASS environment variable also ! 255: allows you to sign your outgoing messages along with encrypting ! 256: them. Use the "M-X pgp-passphrase" command to set your PGP pass ! 257: phrase, then encrypt the outgoing message with the command: ! 258: ! 259: pgpq -safe XYZ ! 260: ! 261: This tells PGP to sign, ascii-encode, use filter mode, and ! 262: encrypt the output for user XYZ. ! 263: ! 264: ! 265: WHEN THINGS GO WRONG ! 266: ! 267: ! 268: Once in a while, you will pass a message through PGP for ! 269: encryption or decryption, and instead of getting replacement ! 270: text, your message simply vanishes. Don't panic. The Emacs ! 271: "undo" function, mapped to control-X U on my system, can be used ! 272: to recover your message. ! 273: ! 274: Probably what happened was that PGP had some problem in either ! 275: encrypting or decrypting the message. Maybe you misspelled the ! 276: User ID so that it wasn't found on the keyring. Or maybe an ! 277: incoming message was mistakenly encrypted in someone else's key, ! 278: or was in a mode which PGP can't handle when used as a filter ! 279: (see below). ! 280: ! 281: The best way to diagnose the problem is to first bring the ! 282: message back with "undo" as just described, then to re-run the ! 283: filter command, but to use "pgp" rather than "pgpq". This will ! 284: cause the PGP informational messages to be put into your buffer. ! 285: Usually these will make clear what the problem is. Give another ! 286: "undo" to get back to the original message after reading this ! 287: output. ! 288: ! 289: ! 290: PROBLEMS AND LIMITATIONS ! 291: ! 292: ! 293: There are some problems associated with using PGP in this mode. ! 294: Probably the biggest is that in decrypting, the informational ! 295: messages are thrown away. This means that you lose information ! 296: about any incoming signed messages as far as whether the ! 297: signatures are valid or not. In fact, you won't even know that ! 298: the messages are signed. ! 299: ! 300: The pgpq script could be enhanced to pipe standard error to some ! 301: filter program that could look at the informational output from ! 302: PGP and print a warning message (which would appear back in the ! 303: buffer along with the decrypted message) if, say, an invalid ! 304: signature was found. More work is needed in this area. ! 305: ! 306: Another problem arises if PGP is used with conventional ! 307: encryption (using the -c flag). Conventional encryption prompts ! 308: for a pass phrase, but it does not check the PGPPASS environment ! 309: variable, or any other such variable. At present, conventional ! 310: encryption and decryption cannot be done in filter mode under ! 311: Emacs. ! 312: ! 313: Any other features of PGP which would require interaction with ! 314: the user, such as decrypting a key and trying to add it to the ! 315: key ring, will also not work in this filter mode. The test cases ! 316: which I have tried work about as well as they can (e.g. when ! 317: decrypting a key in filter mode, PGP shows the contents of the ! 318: key but doesn't ask if it should be added to your key ring), but ! 319: for some of these functions you will have to fire up PGP outside ! 320: of Emacs. ! 321: -- ! 322: ------------ ! 323: Bob Anderson ! 324: [email protected] ! 325:
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.