GPG Mail: Add option to attach public key

Maximilian Blochberger

19 Jun, 2019 02:05 PM

I would like to vote for the feature of attaching the public key to a single or all newly composed mails.

This has been reported already in "add option to always attach public key(s)"; however, the discussion is closed and I could not comment there. The provided answer refers to an already open feature request, where people should upvote. Since this feature request is not linked and I did not find it, I opened a new discussion.

  1. Support Staff 1 Posted by Steve on 19 Jun, 2019 02:26 PM

    Hi Maximilian,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    Thanks for taking the time to get in touch with this suggestion.

    We already have an open feature request to add the public key to outgoing emails and I've added your comments and vote to it. The number of votes is one factor that helps us to determine what feature to add next.

    Can you elaborate on your use case for this feature?

    There are a few things to take into consideration here. Can you share why you do not want to use the key servers to distribute your public key?

    An alternative to attaching your public key would be to upload your public key to some web space, could be anything from keybase to self hosted, and link to the public key there.

    There is a new key server service https://keys.openpgp.org/ which allows for email verification. That way only verified keys will show in search results. You can already use it with GPG Keychain if you use hkps://keys.openpgp.org as key server address.

    All the best,
    Steve

  2. 2 Posted by Maximilian Bloc... on 19 Jun, 2019 02:30 PM

    I reported a security issue and the addressee replied that he can only encrypt emails if the public key is attached. They apparently do not use key servers. It is very likely that this reply was an automated response, hence adding a URL would be ineffective.

  3. Support Staff 3 Posted by Steve on 19 Jun, 2019 02:35 PM

    Hm, I don't quite understand that practice or the benefit that would bring.

    Using the key servers (ideally with the new verify option) in combination with the auto key retrieve option (System Preferences > GPG Suite) seems to be a good combination. There are obviously legit cases in which users do not want to upload their public keys at all.

    Using the above method only verified keys (i.e. email address has been verified) would be retrieved and the retrieval would still happen automatically once a signed email is received.

    I personally have the fingerprint of my OpenPGP key in my email signature and the OpenPGP key and/or fingerprint on various parts of the web.

    If you want to add security: This KB-article explains how to verify and sign a key.

  4. 4 Posted by Maximilian Bloc... on 19 Jun, 2019 02:50 PM

    Neither do I see the benefit. However, I have no control over how other people design their systems and would like to be able to send my public key more easily than exporting and attaching it to the mail manually.

    Another use case where this would be useful, especially considering privacy concerns while distributing the public key on key servers: I often generate ephemeral public keys, which I use in combination with email aliases that are tied to specific services, e.g., foo+bar(at)example.com for a service "bar". I don't want to add all services I use to the primary public key, as people would not only learn my email address, but also learn which services I use. Making email addresses like this public does not allow one to trace which services send you spam, since the spammer could obtain the address from the key server directly. Same, but less likely, for uploads on a web space.

    I think in Enigmail there was such an option, although it has been quite a while since I used Enigmail and they might have removed the feature.

  5. Support Staff 5 Posted by Steve on 19 Jun, 2019 02:54 PM

    Oh, you can easily share your key from GPG Keychain. There is a menu option Key > Share via email (not 100% sure about the exact wording) for those occasions when requested.

    Thanks for sharing that use-case. We are always interested in learning in what ways our software is used.
