Steve on 19 Jun, 2019 02:26 PM
Welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.
Thanks for taking the time to get in touch with this suggestion.
We already have an open feature request to add the public key to outgoing emails and I've added your comments and vote to it. The number of votes is one factor that helps us to determine what feature to add next.
Can you elaborate on your use case for this feature?
There are a few things to take into consideration here. Can you share why you do not want to use the key servers to distribute your public key?
An alternative to attaching your public key would be to upload your public key to some web space, which could be anything from Keybase to self-hosted, and link to the public key there.
There is a new key server service https://keys.openpgp.org/ which allows for email verification. That way only verified keys will show in search results. You can already use it with GPG Keychain if you use hkps://keys.openpgp.org as key server address.
I reported a security issue and the addressee replied that he can only encrypt emails if the public key is attached. They apparently do not use key servers. It is very likely that this reply was an automated response, hence adding a URL would be ineffective.
Steve on 19 Jun, 2019 02:35 PM
Hm, I don't quite understand that practice or the benefit that would bring.
Using the key servers (ideally with the new verify option) in combination with the auto key retrieve option (System Preferences > GPG Suite) seems to be a good combination. There are obviously legit cases in which users do not want to upload their public keys at all.
Using the above method, only verified keys (i.e. keys whose email address has been verified) would be retrieved, and the retrieval would still happen automatically once a signed email is received.
I personally have the fingerprint of my OpenPGP key in my email signature and the OpenPGP key and/or fingerprint on various parts of the web.
If you want to add security: This KB-article explains how to verify and sign a key.
Neither do I see the benefit. However, I have no control over how other people design their systems and would like to be able to send my public key more easily than by exporting and attaching it to the mail manually.
Another use case where this would be useful, especially considering privacy concerns while distributing the public key on key servers: I often generate ephemeral public keys, which I use in combination with email aliases that are tied to specific services, e.g., foo+bar(at)example.com for a service "bar". I don't want to add all services I use to the primary public key, as people would not only learn my email address, but also learn which services I use. Making email addresses like this public does not allow you to trace which services send you spam, since the spammer could obtain the address from the key server directly. The same applies, but less likely, for uploads on a web space.
I think in Enigmail there was such an option, although it has been quite a while since I used Enigmail and they might have removed the feature.