I should have the ability to turn on PGP signatures easily without clicking through a dialog or having to enable an option in the settings, like in earlier versions.
I have to enable a per-account setting to even have the ability to enable PGP sign-only, and then I have to click through a dialog for each email I send.
Signing email is company policy, and I can't encrypt emails to a mailing list, so nagging me about why it's bad doesn't help; it only irritates me. K-9 didn't previously do this, and it's a bad UI and bad UX.
K-9 Mail version: 5.203
Android version: 7.1.1
Account type (IMAP, POP3, WebDAV/Exchange): IMAP
The dialog should only be displayed three times (or maybe four?) total. Does this bit work?
Anyways signing mails without encrypting is no longer an encouraged workflow, see https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
I've sent more than four signed emails, so not entirely. It works if I don't force-stop K-9 mail (and if my phone doesn't restart). Since my Nexus 5X will reboot itself randomly and I don't send _that_ many messages on my phone, making the count per-invocation of K-9 doesn't meet my needs.
I appreciate that you don't think this is a valuable feature, but as I said, I disagree. When I send a work email to a mailing list in which I ask someone to perform a risky or privileged operation, that mail should be signed for authenticity, but not encrypted.
The setting not sticking through force kills is a bug, we'll get that fixed.
I understand your situation, but there are currently no plans to change the sign only flow. I still don't want to have "sign by default", however I might consider a per recipient rule to cover mailing lists or special scenarios like yours. I don't have a good ux for that in mind though and it's not high priority for me, so unless someone wants to work out a concept and submit a PR it might be a while until that happens.
I would appreciate a per-account or -identity setting for default behavior:
S1. Sign always
S2. Sign never
E1. Encrypt always
E2. Encrypt if possible (recipient public key found)
E3. Encrypt never
I get frustrated that I have to disable encryption every time I want to send an email to someone for whom I have a public key. I also get frustrated having to enable signing every time I want to send an email from an account/identity that needs a signature.
Cheers--thanks for all your work!
@lucasreddinger i agree with you - but maybe per-identity not per-account #942
Then i will love the PGP handling in k-9 again.
i get frustrated that i have to disable encryption every time i want to send an email to someone for whom i have a public key
This behavior is changed in the current beta release, encryption no longer happens implicitly. This will be in the next stable release.
The UI also changed in a way that makes future inclusion of sign-only by default per identity feasible more easily. I won't promise anything, but this feature might make it into some future version. However I have little personal motivation to work on it, if you want to see this I suggest you discuss an implementation strategy and make a PR based on that :)
version 5.403
K9 mail no longer supports signing, or am I wrong? I have reset K9 mail and OpenKeychain, looked under every option available, and I can only encrypt.
global settings > encryption > show unencrypted signatures = 1 ?
I'm on the same version, and disabling this setting removes the ability to sign-only.
LR
On March 30, 2018 11:26:09 PM PDT, "Cédric M. Campos" notifications@github.com wrote:
version 5.403
K9 mail no longer supports signing, or am I wrong? I have reset K9
mail and OpenKeychain, looked under every option available, and I can only
encrypt.
Thx! I've seen this option many times and always ignored it 'cause it doesn't describe what I was looking for and therefore what it does. I would feel bad if it wasn't so ill written. Thx, mate!
Yeah the wording sucked, it'll change soon enough (#3276)
Following up on an above post: Setting keys per identity as mentioned earlier turned out to be very difficult without making the 98% case (one key and identity in an account) too cumbersome, so I scrapped that idea for now.
In current F-Droid release of K9 Material (probably also regular K9 which it's based upon) the app also crashes when selecting PGP sign-only.
Steps to reproduce:
Expected behavior would be to sign the mail through OpenKeychain and change email headers appropriately. Thanks in advance for looking into this 🙂
Edit: after testing in the original K9 client, it became apparent that this is only an issue in the K9 Material client.
@toloveru This is different from the issue discussed here. If you can reproduce it with K-9 Mail please create a new issue and don't forget to specify the exact version number. Please note that we won't investigate bugs in K-9 Mail forks.
@cketti Thanks for the quick reply. I'll see if it also persists in the original K9 client, and create a new issue.
Has any progress been made on this issue? I get that it is not a recommended workflow, but it seems odd to support it implicitly like this instead of exposing an option directly to the user.
I'm still facing this issue as well. Most of my emails are signed only, because barely any of my correspondents use PGP. It is however great to be able to use PGP for additional authenticity.. that's what I'm signing all my emails for at least. So when one or more of my mail servers get hacked and used for illicit emails, I can plausibly deny responsibility for them, because they lack my signature. How well that holds up in discussions with its recipients (or worse, in a court case) remains to be seen, but who knows, right. So signed emails definitely are useful for some things. Unfortunately the requirement to painstakingly enable sign-only for each outbound email makes me forget it sometimes.. having an option that just enables it by default for certain accounts would be really useful.
Met vriendelijke groet / Best regards,
Michael De Roover
On October 18, 2018 9:40:40 PM GMT+02:00, Gabe Appleton notifications@github.com wrote:
Has any progress been made on this issue? I get that it is not a
recommended workflow, but it seems odd to support it implicitly like
this instead of exposing an option directly to the user.
I would like to say that I need to have a signature on all of the emails that I send to authenticate me as the sender, but not encrypt them. Often these messages are going back into bug tracking systems or mailing lists, and manually signing each email is a bad solution. I will need to allow an opt-in sign by default option.
On February 4, 2019 8:07:33 AM AKST, Citizen Kepler notifications@github.com wrote:
I would like to say that I need to have a signature on all of the
emails that I send to authenticate me as the sender, but not encrypt
them. Often these messages are going back into bug tracking systems or
mailing lists, and manually signing each email is a bad solution. I
will need to allow an opt-in sign by default option.
[[[Date: Tuesday, February 5, 2019, 12:45 PM AKST]]]
PGP signatures do have a couple of rather severe and vicious limitations.
THE DATE PROBLEM. Only the body of the email is signed, not the envelope headers, namely the subject and intended recipients, and probably most importantly, the date. It would be nice to have an option to automatically include some of these headers in the body of the signed message when composing a signed email message.
THE STRIPPING PROBLEM. Currently, each attachment is signed separately and independently by the PGP-MIME standard. It would be preferable to digitally sign SHA hashes of the main message and all attachments in a single additional attachment. This would leave an indication of any attachments that may have been "stripped" from the email message, but without breaking the signatures of remaining attachments in such cases.
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
Hi Justina,
On Tue, Feb 5, 2019, at 1:46 PM, justina colmena wrote:
On February 4, 2019 8:07:33 AM AKST, Citizen Kepler notifications@github.com wrote:
I would like to say that I need to have a signature on all of the
emails that I send to authenticate me as the sender, but not encrypt
them. Often these messages are going back into bug tracking systems or
mailing lists, and manually signing each email is a bad solution. I
will need to allow an opt-in sign by default option.
[[[Date: Tuesday, February 5, 2019, 12:45 PM AKST]]]
PGP signatures do have a couple of rather severe and vicious limitations.
THE DATE PROBLEM. Only the body of the email is signed, not the envelope headers, namely the subject and intended recipients, and probably most importantly, the date.
Seems like an issue with the PGP standard.
It would be nice to have an option to automatically include some of these headers in the body of the signed message when composing a signed email message.
So your workaround is to include date, subject, and recipients in the body so that it's signed. And you'd like if k9-mail had an option to automatically prepend/append these headers into the body so that they would also be signed. Perhaps you should fork this into a separate feature request?
THE STRIPPING PROBLEM. Currently, each attachment is signed separately and independently by the PGP-MIME standard. It would be preferable to digitally sign SHA hashes of the main message and all attachments in a single additional attachment. This would leave an indication of any attachments that may have been "stripped" from the email message, but without breaking the signatures of remaining attachments in such cases.
Yeah, I agree that a signature on the entire envelope would be more meaningful, and the DIY workaround is a pain (or perhaps virtually impossible on Android). Another feature request fork here, perhaps?
Bust that 55+ EFF nightclub and do it right, folks, unless it's the youth wing spouting the exact same old fogies' party line. ....
With all that said, in case you haven't read the back-story, the k9-mail implementation has been deprecating/minimizing sign-only. But your feature requests would make sense for sign+encrypt use.
c.f. https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
Best,
LR
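The workaround discussed in this exchange (copying the date, subject and recipients into the signed body so that a later header change becomes detectable), as an added example that is not code from K-9 Mail or from any commenter. An HMAC with a constructed key stands in for the OpenPGP signature, and `X-Demo-Signature`, `compose`, `check` and `redate` are hypothetical names.

```python
import hashlib
import hmac
from email import message_from_string

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the OpenPGP signature
PROTECTED = ("From", "To", "Subject", "Date")

def sign(body: str) -> str:
    # As in the discussion above, the signature covers the body only.
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def compose(headers: dict, text: str, protect: bool) -> str:
    """Build a raw message; with protect=True, copy headers into the signed body."""
    body = text
    if protect:
        copied = "".join(f"{name}: {headers[name]}\n" for name in PROTECTED)
        body = copied + "\n" + text
    outer = "".join(f"{k}: {v}\n" for k, v in headers.items())
    return f"{outer}X-Demo-Signature: {sign(body)}\n\n{body}"

def check(raw: str):
    """Return (signature_valid, outer headers that disagree with the signed copy)."""
    outer = message_from_string(raw)
    body = outer.get_payload()
    valid = hmac.compare_digest(outer["X-Demo-Signature"], sign(body))
    inner = message_from_string(body)  # the signed header copy, if there is one
    changed = [h for h in PROTECTED
               if inner[h] is not None and inner[h] != outer[h]]
    return valid, changed

# Constructed sample message.
HEADERS = {"From": "alice@example.org", "To": "ops-list@example.org",
           "Subject": "Restart the staging database",
           "Date": "Tue, 05 Feb 2019 12:45:00 -0900"}
TEXT = "Please restart the staging database tonight.\n"

def redate(raw: str) -> str:
    # Simulate a header change in transit: only the outer Date line is altered.
    return raw.replace("Date: Tue, 05 Feb 2019", "Date: Fri, 05 Feb 2021", 1)

if __name__ == "__main__":
    # Body-only signature: the changed Date goes unnoticed.
    print(check(redate(compose(HEADERS, TEXT, protect=False))))
    # Signed header copy: the signature still verifies, and Date is flagged.
    print(check(redate(compose(HEADERS, TEXT, protect=True))))
```

A receiver only benefits if it performs the comparison in `check`; a client that merely verifies the body signature reports both messages as valid.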
I don't usually add "ME TOO" comments, but as this is both important and seemingly controversial:
Whether or not signed-only emails are to be "considered harmful" seems to be a philosophical argument. I'm not going to take sides on that. As a practical matter, signed-only emails are, and are considered, useful in real-life environments, some of which require signatures on every, or the vast majority of e-mails. Whether those who set the requirements are right or wrong makes for an interesting discussion, but doesn't change the reality that they get to decide on, and enforce those requirements.
Please find a way to support a setting that enables sending signed e-mail by default - if necessary, behind a(nother) user confirmation that we understand the limitations & your concerns.
By policy, all my e-mails from work identities must be signed - or they are rejected at the outgoing SMTP server. Traceability is important to us. And authentication is used by automated services - where confidentiality is neither important nor helpful. (e.g. they publish a cleartext log)
However, it is not uncommon to correspond with people who do not have encryption - and requiring the encryption keys to access long-term archives of received (or sent) messages creates logistical issues. Thus, replacing sign-only with encryption is not practical.
I support the previous suggestion of a per-identity sign/encrypt by default option discussed earlier. If it's easier to implement, I would also be satisfied with just a "sign by default" - either global or per-identity. (Which should be ignored if there is no corresponding key.)
Since this is a one-time setup, it really doesn't matter if the UI is a bit awkward for the one id/one key case. Or any case. (I have about a dozen identities/keys, so initial setup was already non-trivial.) Just having the capability is important to me - and it seems, other users. Polish/optimizations of the UI can always be done later - though it would seem that more frequently used operations should have higher priority.
I do empathize with pain involved in bending a principle to meet users' realities. But they are realities, and ensuring that software is used and appreciated does require accommodating them.
Thanks for your consideration, and for all the other great work that goes into K-9 Mail.
Same problem here. In short, the signature is primarily used inside my organisation to verify that an outgoing email was sent from a specific person/identity. The receiver side usually never heard about PGP.