Add email address to existing public key / Domain mapping / Group feature

Add email address to existing public key

In rare cases it can become necessary to add an email address to an existing public key: for example, a friend whose public key you already have starts using a new email address, and you still want to send them encrypted mail. You can map the new email address to the existing key.

  1. open Terminal
  2. copy / paste the following command:
    defaults write org.gpgtools.common KeyMapping -dict-add 'email' fingerprint
  3. replace email with the new email you want to map to the existing key
  4. replace fingerprint with the fingerprint of the key you want to change the mapping for - make sure there are no spaces in the fingerprint
  5. to verify that the key mapping worked, use the following command:
    defaults read org.gpgtools.common KeyMapping

Domain Mapping

Some companies share one public key among all their employees, so it can be helpful to map an entire domain to a certain key. To do that, use the following command:

defaults write org.gpgtools.common KeyMapping -dict-add '*@domain.com' fingerprint

Replace domain.com and fingerprint with the appropriate values (the fingerprint must not contain any spaces).

Restart Mail app to ensure the changes are picked up. Note: this change will not be visible in GPG Keychain; nonetheless you are now able to encrypt to the new email address using the existing key.

Remove mapping

Execute the following command in the Terminal app (note that this deletes the whole KeyMapping dictionary, i.e. every email and domain mapping you added, not just a single entry):

 defaults delete org.gpgtools.common KeyMapping

Group feature

The group feature is relevant to companies or groups looking to encrypt content to various public keys of the group members while using a single email address as recipient.

To use the group feature:

  1. close all GPG applications and Mail.app
  2. open Finder, press ⇧⌘G
  3. paste ~/.gnupg/gpg.conf (without quotes) and click Go
  4. open gpg.conf with TextEdit
  5. add the following line at the end of the file:
    group staff@mywork.com = fingerprint1 fingerprint2 fingerprints

Whenever you now write to staff@mywork.com, the message will be encrypted to all public keys whose fingerprints you listed. Note that there must be no valid key for staff@mywork.com itself, otherwise the group feature will not work as expected.
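Both the KeyMapping commands and the group line above silently accept a mistyped or space-containing fingerprint, which then maps the address to nothing. As an added helper (my own script, not part of GPG Suite or its documentation), the POSIX shell functions below normalize a fingerprint to the required form (no spaces, 40 hex digits) and print the exact `defaults write` command or gpg.conf group line, refusing invalid input; the function names are my own.

```shell
#!/bin/sh
# Added helper script (not GPGTools' code): validates fingerprints before
# they go into a KeyMapping entry or a gpg.conf group line.

# normalize_fpr FPR -> prints FPR with spaces removed and hex digits upper-cased
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# valid_fpr FPR -> returns 0 only if FPR is a full 40-hex-digit v4 fingerprint
valid_fpr() {
    fpr=$(normalize_fpr "$1")
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;   # anything that is not a hex digit
    esac
    [ ${#fpr} -eq 40 ]
}

# mapping_cmd EMAIL FPR -> prints the defaults(1) command for one mapping;
# EMAIL may be a literal address or a domain pattern such as '*@domain.com'
mapping_cmd() {
    valid_fpr "$2" || { echo "invalid fingerprint: $2" >&2; return 1; }
    printf "defaults write org.gpgtools.common KeyMapping -dict-add '%s' %s\n" \
        "$1" "$(normalize_fpr "$2")"
}

# group_line ADDRESS FPR... -> prints the gpg.conf group line for ADDRESS
group_line() {
    addr=$1; shift
    line="group $addr ="
    for f in "$@"; do
        valid_fpr "$f" || { echo "invalid fingerprint: $f" >&2; return 1; }
        line="$line $(normalize_fpr "$f")"
    done
    printf '%s\n' "$line"
}

# Usage: sh thisscript.sh EMAIL FINGERPRINT  (prints the command; nothing is
# written until you run that command yourself)
if [ $# -eq 2 ]; then
    mapping_cmd "$1" "$2"
fi
```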