GPGTools: Discussion (feed updated 2022-04-14T16:22:30Z)

Is it ok to attach the public key to the email?

Comment posted 2022-03-16T18:14:45Z
<div><p>Hi Andrei,</p>
<p>welcome to the GPGTools support platform. Sorry to hear you are having problems using GPG Suite.</p>
<p>There is one mechanism in GPG Suite that really helps simplify key exchange: in <code>System Preferences > GPG Suite > Settings > Key Server</code> there is the setting <code>Automatically download public keys</code>. When receiving a signed email and not having the public key of the author, with this setting enabled MacGPG will search for the public key matching the signature. If the key owner has uploaded and verified their public key, the key will be downloaded and the signature verified. Sending an encrypted reply is then possible; a restart of Mail app may be needed so that it becomes aware of the new public key.</p>
<p>This is why we recommend uploading your own public key to the key server and verifying the email address(es) in the key.</p>
<p>This however may not apply to other OpenPGP implementations, but maybe a feature request can raise developers' awareness for this.</p>
<p>Generally it may be a good idea to add the fingerprint to your email signature. Not sure if it is necessary though to attach your own public key to all your emails. However, there is no security or privacy concern in doing so, although some mail clients or servers may increase their spam score for the attachment.</p>
<p>Hope this helps and explains the situation a bit.</p>
<p>All the best,<br>
Steve</p></div>
Author: Steve

Comment posted 2022-03-17T09:27:29Z
<div><p>Hi Steve,</p>
<p>As you say, it's easy peasy when writing to another Mac user that uses GPG Suite and has the automatically download public keys option enabled. However, also as you correctly identify, it becomes more of a hassle with other PGP implementations, which most probably use other key servers (or don't use any at all). As far as I am aware there are many key servers available and I'm not sure the keys are synced between each one.</p>
<p>I'm interested in the fingerprint though. How would that help with anything?</p></div>
Author: Andrei D

Comment posted 2022-03-17T15:52:58Z
<div><p>So we would have to look at the specific implementation. <a href="https://keys.openpgp.org/">https://keys.openpgp.org/</a> is probably the biggest key server currently and no, it does not sync (yet) with other key servers.</p>
<p>The old key server cluster (SKS key servers) is no longer in business. There is still Hockeypuck however. But you could ask the other implementation to switch to <a href="https://keys.openpgp.org/">https://keys.openpgp.org/</a> as well.</p>
<p>The fingerprint would be used to look up the public key on the key server, e.g. <a href="https://gpgtools.org/">https://gpgtools.org/</a> bottom left shows fingerprint <code>85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4</code>.</p>
<p>I can open GPG Keychain, press cmd + F and paste the fingerprint to search for the public key.</p>
<p>Adding the fingerprint to various locations associated with your person, like your fediverse profile page, email signature, website, ... goes to show consistency. If someone then claims to have a different fingerprint with your email but the other locations still show the old fingerprint, that could be a sign of compromise.</p></div>
Author: Steve

Comment posted 2022-03-17T16:09:33Z
<div><p>So Steve, in that case wouldn't it be better to just avoid adding the .asc file as an attachment to the email, so as to avoid some SpamAssassin rules or whatever filters servers use, and just use the public key block in the signature directly so it gets attached by default on any outgoing mail:</p>
<pre>
<code>-----BEGIN PGP PUBLIC KEY BLOCK-----
public key block
-----END PGP PUBLIC KEY BLOCK-----</code>
</pre></div>
Author: Andrei D

Comment posted 2022-03-17T17:47:02Z
<div><p>You can do that. It makes all your emails very long and may cause confusion with the recipients, which is why personally I prefer using the more human readable key fingerprint.</p></div>
Author: Steve