[rt-users] GPG Auto Key Retrieval

Kevin Falcone falcone at bestpractical.com
Tue Jul 30 15:36:45 EDT 2013 

On Tue, Jul 30, 2013 at 02:19:29PM -0400, Christopher Costa wrote:
>    It looks as if testing inbound email to RT might not be a simple chore in my environment so
>    for now I'm going to focus on outbound email. I do have debug logging enabled. Is there is
>    someplace else worth looking? Am I misunderstanding how auto key retrieval is supposed to work
>    with outbound mail?

RT calls gpg --list-public-keys bob at example.com which I don't think
fetches automatically.  I think that only happens during the encrypt.

Most of the time this is a non-issue because the verification when
mail enters the system *does* fetch.

In order to work around this, RT would need to add a bunch of fetch
keys logic, which unfortunately was explicitly not-in-scope when this
was implemented for RT 3.8.0.

Also, testing inbound email should be pretty trivial, even if you
can't glue all the parts together.

Take a signed email in a text file and run:

/opt/rt4/bin/rt-mailgate --queue General --url htt://foo.com --action correspond < email

-kevin

>    On Tue, Jul 30, 2013 at 12:18 PM, Christopher Costa <[1]christopher.costa at gmail.com> wrote:
> 
>      Hi Kevin,
> 
>      Thus far my focus has been on getting outgoing email to work (that's our primary need). I
>      will make every effort to test inbound email ASAP.
> 
>      On Tue, Jul 30, 2013 at 12:09 PM, Kevin Falcone <[2]falcone at bestpractical.com> wrote:
> 
>        On Tue, Jul 30, 2013 at 11:18:38AM -0400, Christopher Costa wrote:
>        > I have been able to get GPG integrated with RT using manually installed public keys, but
>        I'm
>        > now trying to get auto key retrieval to work. The RT documentation suggests (to me,
>        anyway)
>        > that this is possible. I haven't had any luck getting it working, and I'm curious if any
>        other
>        > users have, and would have any tips. I've configured RT this way in RT_SiteConfig:
> 
>        You say you've tested without outgoing emails, have you tested with an
>        incoming mail from an unknown user?
> 
>        Also, ensure that your logging is set to debug, not just error.
>        -kevin
>        > Set(%GnuPG,
>        > Enable => 1,
>        > OutgoingMessagesFormat => "RFC", # Inline
>        > AllowEncryptDataInDB => 0,
>        > RejectOnMissingPrivateKey => 1,
>        > RejectOnBadData => 1,
>        > );
>        >
>        > Set(%GnuPGOptions,
>        > homedir => q{var/data/gpg},
>        > keyserver => 'xxxx://xxx.xxx.xxx.xxx',
>        > 'always-trust' => undef,
>        > 'auto-key-locate' => 'keyserver',
>        > 'keyserver-options' => 'auto-key-retrieve',
>        > );
>        >
>        > However, when I attempt to send an email to somebody who doesn't already have a key on
>        the
>        > keyring, I get this error in the UI:
>        >
>        > User XXXXXXXXXX has a problem. There is no key suitable for encryption.
>        > Select a key you want to use for encryption: No usable keys.
>        >
>        > and in the rt.log I see this:
>        >
>        > [Tue Jul 30 13:24:51 2013] [error]: gpg: error reading key: No public key
>        > (/opt/rtdev/sbin/../lib/RT/Crypt/GnuPG.pm:2163)
>        > [Tue Jul 30 13:24:51 2013] [error]: gpg: error reading key: No public key
>        > (/opt/rtdev/sbin/../lib/RT/Crypt/GnuPG.pm:2163)
>        > [Tue Jul 30 13:24:51 2013] [error]: gpg: error reading key: No public key
>        > (/opt/rtdev/sbin/../lib/RT/Crypt/GnuPG.pm:2163)
>        >
>        > It *appears* that RT is checking the keyring, and erroring out if it doesn't find a key,
>        which
>        > is not what I expected to happened (I was expecting the key would be retrieved
>        automatically
>        > at the time of encryption).
>        > I have executed gpg from the command line with these options, and I can retrieve a user
>        key
>        > automatically and encrypt a file. So I am pretty sure the problem isn't with the
>        keyserver, or
>        > the options themselves. I'm holding out hope that I'm simply doing something wrong
>        within RT,
>        > and that there is some other setting I've overlooked.
>        >
>        > Thanks!
>        > Chris
> 
> References
> 
>    Visible links
>    1. mailto:christopher.costa at gmail.com
>    2. mailto:falcone at bestpractical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 235 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20130730/3431e49a/attachment.sig>

More information about the rt-users mailing list