<div dir="ltr"><div>Thanks for that explanation of what's going on behind the scenes. I will try to test the inbound email shortly.<br><br></div><div>In any case, it sounds like I'll have to think up some other ideas. Our users occasionally need to communicate (via RT) with people who aren't themselves users of RT, and who didn't initiate the communication with an inbound email, so I don't think we would be able to rely 100% on the inbound fetching of keys.<br>
<br></div><div>Would there be any interest in considering that extra functionality for a future release if I were to submit a feature request?<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 30, 2013 at 3:36 PM, Kevin Falcone <span dir="ltr"><<a href="mailto:falcone@bestpractical.com" target="_blank">falcone@bestpractical.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Tue, Jul 30, 2013 at 02:19:29PM -0400, Christopher Costa wrote:<br>
> It looks as if testing inbound email to RT might not be a simple chore in my environment so<br>
> for now I'm going to focus on outbound email. I do have debug logging enabled. Is there is<br>
> someplace else worth looking? Am I misunderstanding how auto key retrieval is supposed to work<br>
> with outbound mail?<br>
<br>
</div>RT calls gpg --list-public-keys <a href="mailto:bob@example.com">bob@example.com</a> which I don't think<br>
fetches automatically. I think that only happens during the encrypt.<br>
<br>
Most of the time this is a non-issue because the verification when<br>
mail enters the system *does* fetch.<br>
<br>
In order to work around this, RT would need to add a bunch of fetch<br>
keys logic, which unfortunately was explicitly not-in-scope when this<br>
was implemented for RT 3.8.0.<br>
<br>
Also, testing inbound email should be pretty trivial, even if you<br>
can't glue all the parts together.<br>
<br>
Take a signed email in a text file and run:<br>
<br>
/opt/rt4/bin/rt-mailgate --queue General --url http://<a href="http://foo.com" target="_blank">foo.com</a> --action correspond < email<br>
<br>
-kevin<br>
<div class="im"><br>
> On Tue, Jul 30, 2013 at 12:18 PM, Christopher Costa <<a href="mailto:christopher.costa@gmail.com">christopher.costa@gmail.com</a>> wrote:<br>
><br>
> Hi Kevin,<br>
><br>
> Thus far my focus has been on getting outgoing email to work (that's our primary need). I<br>
> will make every effort to test inbound email ASAP.<br>
><br>
</div><div><div class="h5">> On Tue, Jul 30, 2013 at 12:09 PM, Kevin Falcone <<a href="mailto:falcone@bestpractical.com">falcone@bestpractical.com</a>> wrote:<br>
><br>
> On Tue, Jul 30, 2013 at 11:18:38AM -0400, Christopher Costa wrote:<br>
> > I have been able to get GPG integrated with RT using manually installed public keys, but I'm<br>
> > now trying to get auto key retrieval to work. The RT documentation suggests (to me, anyway)<br>
> > that this is possible. I haven't had any luck getting it working, and I'm curious if any other<br>
> > users have, and would have any tips. I've configured RT this way in RT_SiteConfig:<br>
><br>
> You say you've tested without outgoing emails, have you tested with an<br>
> incoming mail from an unknown user?<br>
><br>
> Also, ensure that your logging is set to debug, not just error.<br>
> -kevin<br>
> > Set(%GnuPG,<br>
> > Enable => 1,<br>
> > OutgoingMessagesFormat => "RFC", # Inline<br>
> > AllowEncryptDataInDB => 0,<br>
> > RejectOnMissingPrivateKey => 1,<br>
> > RejectOnBadData => 1,<br>
> > );<br>
> ><br>
> > Set(%GnuPGOptions,<br>
> > homedir => q{var/data/gpg},<br>
> > keyserver => 'xxxx://xxx.xxx.xxx.xxx',<br>
> > 'always-trust' => undef,<br>
> > 'auto-key-locate' => 'keyserver',<br>
> > 'keyserver-options' => 'auto-key-retrieve',<br>
> > );<br>
> ><br>
> > However, when I attempt to send an email to somebody who doesn't already have a key on the<br>
> > keyring, I get this error in the UI:<br>
> ><br>
> > User XXXXXXXXXX has a problem. There is no key suitable for encryption.<br>
> > Select a key you want to use for encryption: No usable keys.<br>
> ><br>
> > and in the rt.log I see this:<br>
> ><br>
> > [Tue Jul 30 13:24:51 2013] [error]: gpg: error reading key: No public key<br>
> > (/opt/rtdev/sbin/../lib/RT/Crypt/GnuPG.pm:2163)<br>
> > [Tue Jul 30 13:24:51 2013] [error]: gpg: error reading key: No public key<br>
> > (/opt/rtdev/sbin/../lib/RT/Crypt/GnuPG.pm:2163)<br>
> > [Tue Jul 30 13:24:51 2013] [error]: gpg: error reading key: No public key<br>
> > (/opt/rtdev/sbin/../lib/RT/Crypt/GnuPG.pm:2163)<br>
> ><br>
> > It *appears* that RT is checking the keyring, and erroring out if it doesn't find a key, which<br>
> > is not what I expected to happen (I was expecting the key would be retrieved automatically<br>
> > at the time of encryption).<br>
> > I have executed gpg from the command line with these options, and I can retrieve a user key<br>
> > automatically and encrypt a file. So I am pretty sure the problem isn't with the keyserver, or<br>
> > the options themselves. I'm holding out hope that I'm simply doing something wrong within RT,<br>
> > and that there is some other setting I've overlooked.<br>
> ><br>
> > Thanks!<br>
> > Chris<br>
><br>
</div></div>
</blockquote></div><br></div>
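<p>The point Kevin makes above is that RT's pre-flight check (<code>gpg --list-public-keys</code>) only inspects the local keyring and never triggers <code>auto-key-locate</code>; the fetch happens inside the encrypt step, which RT never reaches once the listing comes back empty. The following is an added example, not code from this thread or from RT itself, showing the two-step logic RT lacks: parse the keyring listing to decide whether a usable encryption key for the recipient is already present (treating revoked and expired keys as unusable, which is what "No usable keys" reports), and only on a miss run an explicit lookup that honours <code>--auto-key-locate</code>. It assumes GnuPG 2.1 or later for <code>--locate-keys</code> (newer than the RT 3.8/4 era of the thread), a placeholder keyserver URL, and a constructed colon-format listing with no real keys.</p>

```python
# Added example (not code from the rt-users thread or from RT): check the local
# keyring for a usable encryption key before encrypting, and fetch explicitly
# on a miss. Assumes GnuPG >= 2.1 for --locate-keys; keyserver URL and the
# sample listing below are constructed, not real.
import re
import subprocess
import time
from dataclasses import dataclass, field

# Validity codes (field 2 of --with-colons output) that rule a key out:
# revoked, expired, invalid, disabled, never trusted.
UNUSABLE = {"r", "e", "i", "d", "n"}


@dataclass
class PubKey:
    keyid: str
    validity: str
    expires: int            # epoch seconds, 0 means "never"
    caps: str               # field 12: lowercase = this key, uppercase = whole key
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)   # (validity, expires, caps)


def _epoch(value):
    """Creation/expiry fields are epoch seconds; anything else counts as 'never'."""
    return int(value) if value.isdigit() else 0


def parse_colon_listing(text):
    """Parse `gpg --with-colons --list-public-keys` output into PubKey records."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12:
            continue
        if f[0] == "pub":
            cur = PubKey(keyid=f[4], validity=f[1], expires=_epoch(f[6]), caps=f[11])
            keys.append(cur)
        elif f[0] == "uid" and cur is not None:
            cur.uids.append(f[9])
        elif f[0] == "sub" and cur is not None:
            cur.subkeys.append((f[1], _epoch(f[6]), f[11]))
    return keys


def _alive(validity, expires, now):
    return validity not in UNUSABLE and (expires == 0 or expires > now)


def _uid_address(uid):
    """Pull the address out of 'Name <addr>' (or a bare address) for matching."""
    m = re.search(r"<([^>]+)>", uid)
    return (m.group(1) if m else uid).strip().lower()


def find_encryption_key(listing, address, now=None):
    """Return the key ID of a key that can encrypt to `address`, or None.

    A key whose only encryption subkey is revoked or expired is on the keyring
    but unusable, which is the "No usable keys" case from the thread.
    """
    now = int(time.time()) if now is None else now
    address = address.lower()
    for key in parse_colon_listing(listing):
        if address not in (_uid_address(u) for u in key.uids):
            continue
        if not _alive(key.validity, key.expires, now):
            continue
        if "e" in key.caps:                      # primary key itself can encrypt
            return key.keyid
        if any("e" in caps and _alive(v, exp, now) for v, exp, caps in key.subkeys):
            return key.keyid
    return None


def locate_command(address, keyserver=None, gnupghome=None):
    """Build the explicit fetch RT does not perform (GnuPG 2.1+ --locate-keys)."""
    cmd = ["gpg", "--batch", "--auto-key-locate", "keyserver", "--locate-keys", address]
    if keyserver:
        cmd[1:1] = ["--keyserver", keyserver]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    return cmd


def ensure_key(address, keyserver=None, gnupghome=None):
    """List, fetch on miss, list again. Returns a usable key ID or None."""
    base = ["gpg", "--batch"] + (["--homedir", gnupghome] if gnupghome else [])

    def listing():
        return subprocess.run(base + ["--with-colons", "--list-public-keys", address],
                              capture_output=True, text=True).stdout

    keyid = find_encryption_key(listing(), address)
    if keyid is None:
        subprocess.run(locate_command(address, keyserver, gnupghome),
                       capture_output=True, text=True)
        keyid = find_encryption_key(listing(), address)
    return keyid


# Constructed sample listing (no real keys): Alice has a valid encryption subkey,
# Bob's key has expired, Carol's only encryption subkey is revoked.
SAMPLE_LISTING = """\
pub:u:4096:1:1111111111111111:1370000000:0::u:::scESCA::::::23::0:
uid:u::::1370000000::0000::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:2222222222222222:1370000000:0:::::e::::::23:
pub:e:2048:1:3333333333333333:1300000000:1320000000::-:::sc::::::23::0:
uid:e::::1300000000::0000::Bob Example <bob@example.com>::::::::::0:
sub:e:2048:1:4444444444444444:1300000000:1320000000:::::e::::::23:
pub:-:2048:1:5555555555555555:1370000000:0::-:::sc::::::23::0:
uid:-::::1370000000::0000::Carol Example <carol@example.com>::::::::::0:
sub:r:2048:1:6666666666666666:1370000000:0:::::e::::::23:
"""
NOW = 1375000000   # fixed clock (July 2013) so the sample evaluates deterministically

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        addr = f"{who}@example.com"
        print(addr, find_encryption_key(SAMPLE_LISTING, addr, now=NOW))
```

<p>Only <code>find_encryption_key</code> and <code>locate_command</code> are exercised against the sample; <code>ensure_key</code> shells out to a real <code>gpg</code> and a reachable keyserver. The design choice worth noting is that the fetch is a separate, explicit step with its own result, so a recipient with no retrievable key fails loudly before anything is encrypted, rather than RT's current behaviour of reporting "No usable keys" with no fetch ever attempted.</p>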