Opened 14 years ago
Last modified 8 years ago
#8094 new defect
No email encrypted/signed with AnnouncerEmailEncryption
Reported by: | Alexis de BRUYN | Owned by: | |
---|---|---|---|
Priority: | high | Component: | AnnouncerPlugin |
Severity: | major | Keywords: | AnnouncerEmailEncryption |
Cc: | Steffen Hoffmann | Trac Release: | 0.12 |
Description (last modified by )
I am trying to set up the Announcer cryptographic capabilities with Trac 0.12.1 on Debian Squeeze.
My AnnouncerPlugin is working fine with:

```ini
[announcer]
admit_domains =
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
ignore_domains =
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc =
smtp_default_domain =
smtp_enabled = true
smtp_from = trac@localhost
smtp_from_name =
smtp_password =
smtp_port = 25
smtp_replyto =
smtp_server = localhost
smtp_subject_prefix = __default__
smtp_user =
ticket_subject_template = $prefix #$ticket.id: $summary
use_public_cc = false
use_short_addr = false
use_tls = false
```

Which was my previous `[notification]` configuration.
I have followed the steps for the install of AnnouncerEmailEncryption:

- gnupg & python-gnupg have been installed;
- The AnnouncerEmailEncryption configuration has been added in my `trac.ini`:

  ```ini
  [announcer]
  email_crypto = sign,encrypt
  gpg_home = /var/trac/project/test/gnupg
  gpg_signing_key = 7AA4861C
  smtp_replyto = trac@localhost
  ```
- I have created and exported a gpg public key in `/var/trac/project/test/gnupg` (which `gpg_signing_key` was previously set);
- And copied all my user gpg public keys.

Received emails are not signed/encrypted and I do not see any errors in my debug trac log file.

What did I miss in my pgp/announcerplugin configuration?
Attachments (0)
Change History (7)
comment:1 Changed 14 years ago by
Description: | modified (diff) |
---|
comment:2 follow-up: 3 Changed 14 years ago by
Severity: | blocker → major |
---|
comment:3 follow-up: 4 Changed 14 years ago by
Replying to hasienda:

> Thanks for testing this development code, and please recognize, this is still WiP, so impossible to be a blocker issue for the plugin in general.

Ok I understand.

> If it is a bug, we'll see. In general discussion of local installation/configuration issues shouldn't go into tickets but to the mailing-list. Or did I miss you posting there?

Well sorry for the trac ticket system flooding, I have naively created a ticket for my issue as suggested in the AnnouncerPlugin wiki page.

> Anyway, I'll check and compare with my local settings here. Just some more thoughts:
>
> - Are you sure, that you've put not only a public key but both, private and public key part of your signing key `7AA4861C` into the specified gnupg working dir?

Yes I have copied both private and public keys in my `gpg_home` directory.

Here are my steps, maybe I have done something wrong:

- Generated private gpg keys and answered the questions: `gpg --gen-key`
- Then got the 8 chars of keyid (the "sec" one) in order to set up the `gpg_signing_key` variable: `gpg --list-secret-keys`
- Exported the public key: `gpg --armor --output pubkey.asc --export "server_name"`
- Then exported the private one: `gpg --export-secret-key -a > privkey.key`
- And finally copied both keys in the `gpg_home` directory.

> - Until now we can sign with a password-less key only, but a private key is required anyway. However I don't see the corresponding `gpg_signing_key` set anywhere?

Sorry, but I don't see what you mean exactly by "`gpg_signing_key` set anywhere" because I have already set it in my `trac.ini` file:

```ini
gpg_signing_key = 7AA4861C
```

Where am I mistaken?

> - I don't see the regexp's for allowed and local email addresses. Did you leave them out intentionally, especially `rcpt_allow_regexp`?

Yes I have intentionally left them blank because I want that all recipients receive encrypted emails only. Perhaps I did not use these vars correctly despite their meanings given in the AnnouncerPlugin wiki page and admin/tracini/announcer page.

> - And did you try both operations, signing and encryption separately before?

Yes, I have tried that too, but I still have the same issue.

Finally, I have looked in other log files, but I did not see anything relevant.
comment:4 follow-up: 5 Changed 14 years ago by
Owner: | changed from Robert Corsaro to Steffen Hoffmann |
---|---|
Status: | new → assigned |
Replying to adebruyn:

> Replying to hasienda: [...]
>
> > If it is a bug, we'll see. In general discussion of local installation/configuration issues shouldn't go into tickets but to the mailing-list. Or did I miss you posting there?
>
> Well sorry for the trac ticket system flooding, I have naively created a ticket for my issue as suggested in the AnnouncerPlugin wiki page.

Well, then we really need to fix documentation, thanks for the hint. What I suggested is expected use of this ticket system, as it is meant for development, not general support. The mailing-list is a better place, thinking of recurring questions, etc.

> > Anyway, I'll check and compare with my local settings here. Just some more thoughts:
> >
> > - Are you sure, that you've put not only a public key but both, private and public key part of your signing key `7AA4861C` into the specified gnupg working dir?
>
> Yes I have copied both private and public keys in my `gpg_home` directory.
>
> Here are my steps, maybe I have done something wrong: [...] Where am I mistaken?

You copied the armored key files, while we actually utilize a gpg and so use a regular gpg working dir with the keyring files.

> > - I don't see the regexp's for allowed and local email addresses. Did you leave them out intentionally, especially `rcpt_allow_regexp`?
>
> Yes I have intentionally left them blank because I want that all recipients receive encrypted emails only. Perhaps I did not use these vars correctly despite their meanings given in the AnnouncerPlugin wiki page and admin/tracini/announcer page.

No, you're fine, if this is what you want.

> > - And did you try both operations, signing and encryption separately before?
>
> Yes, I have tried that too, but I still have the same issue.
>
> Finally, I have looked in other log files, but I did not see anything relevant.

There really should be more debugging info. I'll try to fix this soon to finally close this ticket then.
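
The distinction drawn in comment:4, armored export files copied into `gpg_home` versus a GnuPG working directory holding keyring files, can be checked without running gpg. The script below is an added example, not part of the ticket or of the plugin; the function names `classify_gpg_home` and `next_steps` are hypothetical, the sample files are constructed placeholders, and the file names `pubkey.asc` and `privkey.key` are the ones used in comment:3.

```shell
#!/bin/sh
# Added example (not from the ticket or the plugin). Function names are hypothetical.
# Classifies a directory meant to be used as gpg_home:
#   keyring       public keyring and secret key material present
#   public-only   public keyring only, so signing cannot work
#   armored-only  only ASCII-armored export files, nothing imported
#   empty         no key material found
classify_gpg_home() (
    dir=$1; pub=no; sec=no; armor=no
    # GnuPG 1.x/2.0 keep pubring.gpg + secring.gpg; 2.1+ keeps pubring.kbx
    # and one file per secret key under private-keys-v1.d/.
    if [ -s "$dir/pubring.gpg" ] || [ -s "$dir/pubring.kbx" ]; then pub=yes; fi
    if [ -s "$dir/secring.gpg" ]; then sec=yes; fi
    for k in "$dir"/private-keys-v1.d/*.key; do
        if [ -f "$k" ]; then sec=yes; fi
    done
    # Armored exports are text files starting with a PGP key block header.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q -e '^-----BEGIN PGP .* KEY BLOCK-----'; then
            armor=yes
        fi
    done
    if [ "$pub" = yes ] && [ "$sec" = yes ]; then echo keyring
    elif [ "$pub" = yes ]; then echo public-only
    elif [ "$armor" = yes ]; then echo armored-only
    else echo empty
    fi
)

# Prints the gpg command that moves the directory to the next usable state.
next_steps() {
    case $(classify_gpg_home "$1") in
        keyring)      echo "gpg --homedir $1 --list-secret-keys" ;;
        public-only)  echo "gpg --homedir $1 --import privkey.key" ;;
        armored-only) echo "gpg --homedir $1 --import pubkey.asc privkey.key" ;;
        *)            echo "no key material in $1" ;;
    esac
}

# Demo on a constructed directory holding placeholder armored files (not real keys).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'placeholder' > "$demo/pubkey.asc"
printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'placeholder' > "$demo/privkey.key"
echo "state: $(classify_gpg_home "$demo")"
next_steps "$demo"
rm -rf "$demo"
```

The keyring must also be readable by the account the Trac process runs as, and gpg warns when the home directory's permissions are too open.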
comment:5 follow-up: 6 Changed 14 years ago by
Replying to hasienda:

> > > - Are you sure, that you've put not only a public key but both, private and public key part of your signing key `7AA4861C` into the specified gnupg working dir?
> >
> > Yes I have copied both private and public keys in my `gpg_home` directory.
> >
> > Here are my steps, maybe I have done something wrong: [...] Where am I mistaken?
>
> You copied the armored key files, while we actually utilize a gpg and so use a regular gpg working dir with the keyring files.

I have exported and then imported my user gpg public key files in Trac server GNUPG database (I have also tested with all key files copied in my gpg_dir), but my notifications are still unencrypted.

I have some doubts about this whole key settings, could you provide me more precisely the steps needed please?
comment:6 Changed 12 years ago by
Replying to adebruyn:

> Replying to hasienda:
>
> > You copied the armored key files, while we actually utilize a gpg and so use a regular gpg working dir with the keyring files.
>
> I have exported and then imported my user gpg public key files in Trac server GNUPG database (I have also tested with all key files copied in my gpg_dir), but my notifications are still unencrypted.
>
> I have some doubts about this whole key settings, could you provide me more precisely the steps needed please?

All this led to starting a clear framework for key management in Trac by CryptoPlugin, that will step in and provide all needed features to make the setup as simple as it could be. Once it gets into a usable state, I'll re-factor all crypto methods to use methods from CryptoPlugin instead too.

This is not a trivial topic at all, so please bear with me for the really slow progress on the issue.
comment:7 Changed 8 years ago by
Owner: | Steffen Hoffmann deleted |
---|---|
Status: | assigned → new |