Key Expiration / Rotation

It’s probably a good idea to check if your PGP key has expired. The easiest way to do this is in the tools that you use to manage your keys.

Another is to go to somewhere like pgp.mit.edu, and search for your mail address. Doing this lately has been an exercise in frustration as the servers always seem to be offline, slow, or out of sync.
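For the local check mentioned above, here is an added example (not part of the original post) that classifies keys by expiry from the machine-readable output of `gpg --list-keys --with-colons`, so no key server is involved. The sample listing and its key IDs are constructed placeholders, and the expiry field is assumed to be epoch seconds, as GnuPG 2.x prints it.

```shell
#!/bin/sh
# Added example: classify public keys by expiry from `gpg --with-colons` output.
# Fields used on "pub" records: 2 = validity, 5 = key ID, 7 = expiry date.
# Assumption: field 7 is epoch seconds (GnuPG 2.x), empty when no expiry is set.

# key_expiry_report NOW_EPOCH WARN_DAYS   (colon listing on stdin)
key_expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 != "pub" { next }                 # skip tru/uid/sub records
        {
            expiry = $7
            if ($2 == "r")                   status = "REVOKED"
            else if ($2 == "e")              status = "EXPIRED"
            else if (expiry == "")           status = "NO-EXPIRY"
            else if (expiry + 0 <= now + 0)  status = "EXPIRED"
            else if (expiry - now <= warn * 86400) status = "EXPIRES-SOON"
            else                             status = "OK"
            print $5, status
        }'
}

# Constructed sample listing (placeholder key IDs, not real keys).
sample_listing() {
    cat <<'EOF'
tru::1:1546300800:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAA1:1546099086:1672243086::u:::scESC::::::23::0:
uid:u::::1546099086::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1546099086:1672243086:::::e::::::23:
pub:e:1024:17:BBBBBBBBBBBBBBB1:1104537600:1546300800::-:::sc::::::23::0:
pub:-:2048:1:CCCCCCCCCCCCCCC1:1400000000:::-:::scESC::::::23::0:
pub:-:2048:1:DDDDDDDDDDDDDDD1:1500000000:1549000000::-:::scESC::::::23::0:
EOF
}

# Live use: gpg --list-keys --with-colons | key_expiry_report "$(date +%s)" 30
sample_listing | key_expiry_report 1548000000 30
```

A key reported as NO-EXPIRY never produces the expiry warning the post relies on, so it is worth flagging alongside the expired ones.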

My most recent key was old and short, so i’ve generated a new one, and expired the old one. As linking to the key servers seems to be hit-and-miss, here it is:


This (0x1273F11F) replaces my previous key (0x7D69EE91), and you should now get warnings when using the old one… assuming that you can update keys from the key servers at some point in the future.

On macOS i’ve been using GPG Tools, and had considered giving them money to continue to use it. However, having watched a 35c3 talk titled, “Attacking end-to-end email encryption” which covers all the ways that PGP is broken in mail clients (“except mutt!”) i’m more convinced than ever that secure mail with PGP is essentially a disaster waiting to happen.

Signal, despite its lack of UI / UE polish, remains a much better option if you can get the other party to agree to use it. If you have to send and receive PGP mail of any import, do as the experts suggest and compose it outside of a mail client. And, for the love of gub, don’t do it anywhere near a browser!

Building the GPGTools Mail Bundle

The usual dance. You upgrade an OS X release and your Mail.app plugins get disabled. As they are working with unpublished APIs this isn’t in the least bit surprising. Apple really should get their act together and make Mail.app easily extensible – if they can’t include PGP support by default, at least make it easy for the good people that do. Changing the API between beta and GA is a dick move.

If you followed the link above you’ll know that the GPGTools mail bundle is moving to a paid model. That seems like a sensible decision to me. When they get that system set up i’ll pay. In the meantime i wanted to see how easy it was to build from the source. It’s not bad, but it doesn’t get you a working mail bundle.

IMPORTANT: the below won’t give you working GPGMail in Mail.app!! It just shows you how to build and install the currently broken version.

That said, if you’re interested here are the steps:

  • install Xcode
  • clone the git project. In a terminal:
$ mkdir src ; cd src
$ git clone https://github.com/GPGTools/GPGMail.git
$ cd GPGMail
$ git checkout yosemite
$ make
  • the above will build everything but fail to create the actual bundles due to an issue with signing. To fix that open the Xcode project:
$ open ./GPGMail.xcodeproj
  • in the ‘Navigate’ menu, select ‘Reveal in Project Navigator’. Open the GPGMail project in the leftmost pane, and select the ‘GPGMail_Updater.xcodeproj’ target. In the centre pane, in the ‘Identity’ section, change the ‘Signing’ to ‘None’. The project seems to auto-save on close… no idea, i’m not an Xcode user.
  • Now go back to the terminal and re-execute the ‘make’ command.
  • To manually install the bundle, close Mail.app, and execute the following:
$ cp -r ./build/Release/GPGMail.mailbundle ~/Library/Mail/Bundles/

And restart Mail.app. It should tell you that the bundle is incompatible and is being disabled. This is the part that the GPGTools developers are working on fixing.