tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/100454-add-option-to-attach-public-keyGPGTools: Discussion 2021-03-18T23:46:55Ztag:gpgtools.tenderapp.com,2011-11-04:Comment/473673662019-06-19T14:05:38Z2019-06-19T14:11:48ZGPG Mail: Add option to attach public key<div><p>I would like to vote for the feature of attaching the public key to a single or all newly composed mails.</p>
<p>This has been reported already in <a href="https://gpgtools.tenderapp.com/discussions/feedback/1722-add-option-to-always-attach-public-keys">add option to always attach public key(s)</a>, however the discussion is closed and I could not comment there. The provided answer refers to an already open feature request, where people should upvote. Since this feature request is not linked and I did not find it, I opened a new discussion.</p></div>Maximilian Blochbergertag:gpgtools.tenderapp.com,2011-11-04:Comment/473673662019-06-19T14:26:06Z2019-06-19T14:26:06ZGPG Mail: Add option to attach public key<div><p>Hi Maximilian,</p>
<p>welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.</p>
<p>Thanks for taking the time to get in touch with this suggestion.</p>
<p>We already have an open feature request to add the public key to outgoing emails and I've added your comments and vote to it. The number of votes is one factor that helps us to determine what feature to add next.</p>
<p>Can you elaborate on your use case for this feature?</p>
<p>There are a few things to take into consideration here. Can you share, why you do not want to use the key servers to distribute your public key?</p>
<p>An alternative to attaching your public key would be to upload your public key to some web space, could be anything from keybase to self hosted, and link to the public key there.</p>
<p>There is a new key server service <a href="https://keys.openpgp.org/">https://keys.openpgp.org/</a> which allows for email verification. That way only verified keys will show in search results. You can already use it with GPG Keychain if you use hkps://keys.openpgp.org as key server address.</p>
<p>All the best,<br>
Steve</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/473673662019-06-19T14:30:20Z2019-06-19T14:30:54ZGPG Mail: Add option to attach public key<div><p>I reported a security issue and the addressee replied that he can only encrypt emails, if the public key is attached. They apparently do not use key servers. It is very likely that this reply was an automated response, hence adding a URL would be ineffective.</p></div>Maximilian Blochbergertag:gpgtools.tenderapp.com,2011-11-04:Comment/473673662019-06-19T14:35:35Z2019-06-19T14:35:35ZGPG Mail: Add option to attach public key<div><p>Hm, I don't quite understand that practice or the benefit that would bring.</p>
<p>Using the key servers (ideally with the new verify option) in combination with the auto key retireve option (System Preferences > GPG Suite) seems to be a good combination. There are obviously legit cases in which users do not want to upload their public keys at all.</p>
<p>Using the above method only verified keys (i.e. email address has been verified) would be retrieved and the retrieval would still happen automatically once a signed email is received.</p>
<p>I personally have the fingerprint of my OpenPGP key in my email signature and the OpenPGP key and or fingerprint on various parts of the web.</p>
<p>If you want to add security: This <a href="https://gpgtools.tenderapp.com/kb/how-to/trusting-keys-and-why-this-signature-is-not-to-be-trusted">KB-article</a> explains how to verify and sign a key.</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/473673662019-06-19T14:50:37Z2019-06-19T14:50:57ZGPG Mail: Add option to attach public key<div><p>Neither do I see the benefit. However, I have no control on how other people design their systems and would like to be able to send my public key more easily than exporting and attaching it to the mail manually.</p>
<p>Another use case, where this would be useful, especially considering privacy concerns while distributing the public key on key servers: I often generate ephemeral public keys, which I use in combination with email aliases that are tied to specific services, e. g., <code>foo+bar(at)example.com</code> for a service "bar". I don't want to add all services I use to the primary public key, as people would not only learn my email address, but also learn which services I use. Making email addresses like this public, does not allow to trace which services send you spam, since the spammer could obtain the address from the key server directly. Same, but less likely, for uploads on a web space.</p>
<p>I think in Enigmail there was such an option, although it is quite a while, since I used Enigmail and they might have removed the feature.</p></div>Maximilian Blochbergertag:gpgtools.tenderapp.com,2011-11-04:Comment/473673662019-06-19T14:54:25Z2019-06-19T14:54:25ZGPG Mail: Add option to attach public key<div><p>Oh you can easily share your key from GPG Keychain. There is a menu option Key > Share via email (not 100% sure about the exact wording) for those occasions when requested.</p>
<p>Thanks for sharing that use-case. We are always interested in learning in what ways our software is used.</p></div>Steve